~/f/scap-security-guide/RPMS.2017 ~/f/scap-security-guide ~/f/scap-security-guide RPMS.2017/scap-security-guide-0.1.66-0.0.noarch.rpm RPMS/scap-security-guide-0.1.66-0.0.noarch.rpm differ: byte 225, line 1 Comparing scap-security-guide-0.1.66-0.0.noarch.rpm to scap-security-guide-0.1.66-0.0.noarch.rpm comparing the rpm tags of scap-security-guide --- old-rpm-tags +++ new-rpm-tags @@ -240,9 +240,9 @@ -/usr/share/doc/scap-security-guide/guides/ssg-opensuse-guide-standard.html f15ee741ecf661518ad2ca848da7720aa4424518d1482bfb108bd80b98f028b1 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_enhanced.html d87b0b6d7dd4d36e739b310da5a3691d9e7362a41f99df97bdf74ed10192dd5d 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_high.html c6498e1a06e254ccc553076a8302fbb330fbe6cd90fa1738645d8f6cd9386b26 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_intermediary.html 6179bb610263753fc8a7b2de5100c18fc2b4c87fe2874c7d95073648ddae0fa7 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_minimal.html 9d3bf6abdd4cf88ba2a8e236f74c3f1f43029b884f93fb765ac12c1e441c4ec3 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis.html b7851764efd60a41c47982d82e2e522bbbad8ed7458da8bd532b2f43c262ee1a 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html 4b76bc04dbad83f5e855be6622adbe10f39df25c16fc70a2458cc89f3bb7ee22 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html 68ff19d89b8105737a008614f9815370a69465767cfd19ab4b66bf864b55a2cf 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html 7cb3153718f9d6deddcb2384da5b69af29a949435ebcf1971508e5a36153699d 2 +/usr/share/doc/scap-security-guide/guides/ssg-opensuse-guide-standard.html 484e928a1fdd38f199fc5af604747965b4067c46a00f0ba0640c1ecf865b46e7 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_enhanced.html 6c5a8306175e395afc97e3c5dfae69e214e1c88105085bef3b470f3971e86ccd 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_high.html c69e74c490adbacb128ab8f414b125f3af79b2b049bfb955c5bc94f478d0f6e0 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_intermediary.html 57b198c6ca1ed9127835e56bc501e2f43ad66ca50e5334b8d0aee7aef285e1de 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_minimal.html 876a618256987b5e2c97f84123dba61b173baa380d19cf79772404d9100ae65e 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis.html a35a258e8b7fda639b3626bb5c84d1c30cccf5ac704108e4cda2b416b473fa72 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html 4e6516aa1d59db5166e61858ca607a5f5f198b28a8e3b7b4b016f25da413404b 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html dc96e8438ee20b60c7123a193d8080d777026fe751ebc55613e7a9084e336f9d 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html 40b66e9f53531393e8acf83cdd81d634a6413f3e950f01871730340eceff85b7 2 @@ -250,13 +250,13 @@ -/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-pci-dss-4.html 7e48fadaba77a01832ef54687e1c59efd1e48c80e7dcc26b43ec5a8dea62c0eb 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-pci-dss.html c709e82991a52d35d72306f67da93509e08ef1e00303906cc58f131b3258ffb2 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html 22fd535ff12b5466793e28fabf1bafae5784e10252ff196e506bdb1c1a7c1e03 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html 2df77a545536fa96f8a0404b5e2d7d680be9c48f0cc226ad9b9cf51aefcdd237 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_enhanced.html 49afd7e7944c97f1088ddd31cc3dd6c62f1727ed2a8e992ffabcb3b4be672f87 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_high.html 7132b41122047a7077c11429555b2e96acd87d053ee814bf601f28ceea53d501 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_intermediary.html c1aefeb45f2d20380d30b3ff1bea20fe3795ecfd4566d6442bd3e5ef9cfc2498 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_minimal.html f0bb740f3cd177b89cfbf19f440cc9f2dec1c58ef801f952d2f931de8b4b66ce 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html 88ee9f014e9fa346d1034799fe737c9364cb71242ea92bc395eb5d3d418ac9af 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_server_l1.html 4352c4610d8161fb7f1b7b08aad870e7b32b09a09be1723cd45549d5d056522a 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l1.html 9aec52133e6fb7ab1b730278d2799251a4a223fa1e9cb1684fbb77e9fb35da2c 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l2.html b802789fd500372b0cb8f901ffe00e70828c681a299bceff4bf63a360d6bcc7b 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-hipaa.html e67802e4aaa0d1589d5b6310ec13a0e3130b4015be416cc87a16b156dc01f6cf 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-pci-dss-4.html 104e9ce78acdfe0234adb56cbcdfe4a04fde7db2c1d57df4ab9374c95713ab22 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-pci-dss.html 4ad6912988851e26abad73e08268d55ff4dfc04bfed8a4db8b52680d7291e84a 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html 1d5d3053710f1c0ebb57e992b06d482cbef4641dad4296ba94514245ab151600 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html fb288c07f143f0bb3bd2891594a7eab0155570aaea04ddfda17705b21ce370d7 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_enhanced.html b5cac9d626434e9fc5c24aae6c230d12d68d44bc84dcffea29f4bf8fa633c2fb 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_high.html b24e95fe5a692c5d7cf1b5539d736f26f301013f5c2676231ed2ebe45ad72d16 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_intermediary.html 033c295dfa7577479ba548b4102bb89ddb1bb8f879533a12576a34476a9b5e2c 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_minimal.html eb55b022971b44635151875be36bca3217f5f01907e8c002dc79b54238b79a59 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html 0ed07d18a0b41c44904f2bcd2749fa346fec3be785a18525b961094dfb1ce41e 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_server_l1.html d9864c0ad69b481b5230f04c8de3dfa1c9daeed463dd6c2cae3d7f480e077f51 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l1.html 98a7597e1c5e2551b8acfdc547b8af7388b0b6400d386a9fef5957d852ea159e 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l2.html 0058fdd39496259e69494ea22d965365870f8782e70a5924185fe18aa8d1c3c4 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-hipaa.html cfd5b3c74936534fbc46495876ec47df237213286bdb114575fca80e10ea73cf 2 @@ -264,6 +264,6 @@ -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss-4.html 9ef8c9fa4e2f9471402bd6e837e819af4ca1b36b0c3589802630b9c7269a5fd3 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss.html 2ed39c0c2763619275922758963b3b4ef864e6091f4934e06f261dd36f64035f 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pcs-hardening-sap.html 42751348631c84f9e5ead015aed93989c5a06291f813748d8eb1e2b57cb2e9bd 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pcs-hardening.html de2f74a97ceafeb3b0d8560f81924b4b19bd47f3eb8e01e07717da5019c8ab36 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-standard.html 964fc2c7868bea8621d38e13e0870191891321eab268899a406cf86d9b14af23 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-stig.html 52112150f47fd5f40d90eb492a75115de5cc9e87838ba9608592791ed9c8f14a 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss-4.html 2bb0c2c2f0b2f5bf987806b2100c174892df1cbaa23637b9947a33aee02a5260 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss.html 19cfb93a19c80d9adafc249218214a86cc8b99e6546f8a641a3fff948952e922 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pcs-hardening-sap.html b5574156b4d3b578d91492739d5285f2edd73897b3af4d14a51c2e5f01992690 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pcs-hardening.html 8e4b540ff456427571b2fdba8fc204b0a1a01c9eb779315f30c20fa61b2c32e7 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-standard.html c509043aa087b85be627f77d06623793a03fd7a8742d41e27fdc1084713d8258 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-stig.html 6cfbc12abc9ebafd1f01104580dac5c5843b9a1ee0af79e3f2afff910d81cc87 2 @@ -345,3 +345,3 @@ -/usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml 7685690cc34471b5c1916dbe40ae6c53effad626865e9e4e2c536a2b8975a498 0 -/usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml 96094f1735428ae32edd72d3db25527c9ff9a49df78bc7ce8a9fcea04e070534 0 -/usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml 6754cc51fdaf6c9a23e46024cf6273ae8d4d541cbadd8dde023483892362c608 0 +/usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml 31eb7a093aeb220eee7ed1a0a9c36a6a860500d138caf8c603f8af3e4b14228e 0 +/usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml ecb16329a3770c9fb4710eb0ccf40bb7a109545908a7966f4dca848bc13b032b 0 +/usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml 35cbd0b51dbb9e40df7827738a0cf3d942f5b720cb910dc91814075a2aaf47de 0 @@ -349 +349 @@ -/usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml 8867695bafc49853b5e46cec4f7afa9ef1ff45cf2653bcfc1bcb030843dc4f7a 0 +/usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml 665b9fee4cf7f9fb692cbc860684d8ee94dde5af001489471b8dd35a193c6402 0 @@ -352,3 +352,3 @@ -/usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml 3990208579029d74ed8871f34567f0c1b8b42eb2f80e733b09f0eada337b1bdd 0 -/usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml 38022659f1cbb3a416c6e341cd86d881729007e669efd1c3a595277481b6457c 0 -/usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml 6838bd5f0dc85c665918bef7e9e4be7e5fef87f28c6198adc5fa92bde06d25da 0 +/usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml 2f07e57ff52b7e8fa8fe24bf215909b5948b69e2b6e32fd11595dad4db9d70e0 0 +/usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml b086aa9ae94c75917a124d5be819e2fee3c8a6d8b4e86311261a93184dc36fb7 0 +/usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml a0b5121ff4b8054c47b4ea99796decf02c2f8e194fac1b3e59a73c196d9dc0b4 0 @@ -356 +356 @@ -/usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml c29742d859c28ae044b8aa9fb2ef40230969cd30b5c5012fb1426402291438b6 0 +/usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml e5a342482769317c47185451470a54f5503e0e34fe81529704c959ae111cec34 0 @@ -359,3 +359,3 @@ -/usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml 51c98c0cf080c31c980a0ed58b5e86e82a78ca9ccdfc2cee377663f02c4e2700 0 -/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml b3a49b0d7aa9c6b97212e95cbe5a16874eb0e902ecf4375fbd01789e0c2469d0 0 -/usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml 04963f6386820e19d618518b11c3984e33c86f5808f80c11328c12b77a318c59 0 +/usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml 83f3d2089f9813f7c50eab3fb33b33d7a9cb5d34d10b6da83088a17baef25c4c 0 +/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml 91d2af68cdf7b97582df72c7b69b5bc3d9d8756f6920c3ab7d050244b2df2245 0 +/usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml c13e7a80397416393e3b08f5e1a72ff12f2d2ffd5e63c5039c2445f1a410e3b3 0 @@ -363 +363 @@ -/usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml 05bcd55ddc4bd8bd7c9521d241670d0e8d1879068053d6bb241955ec3d8fa935 0 +/usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml 3624c4bff9fee624646320fa2c27bcc7dfcdd6eee834c4b4c884f227ca9dad1e 0 comparing rpmtags comparing RELEASE comparing PROVIDES comparing scripts comparing filelist comparing file checksum creating rename script RPM file checksum differs. Extracting packages /usr/share/doc/scap-security-guide/guides/ssg-opensuse-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-opensuse-guide-standard.html 2023-02-06 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-opensuse-guide-standard.html 2023-02-06 00:00:00.000000000 +0000 @@ -67,7 +67,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleStandard System Security Profile for openSUSE
Profile IDxccdf_org.ssgproject.content_profile_standard

CPE Platforms

  • cpe:/o:opensuse:leap:15.0
  • cpe:/o:opensuse:leap:42.1
  • cpe:/o:opensuse:leap:42.2
  • cpe:/o:opensuse:leap:42.3

Revision History

Current version: 0.1.66

Table of Contents

  1. System Settings
    1. File Permissions and Masks

Checklist

Group   Guide to the Secure Configuration of openSUSE   Group contains 4 groups and 3 rules
Group   @@ -113,7 +113,11 @@ Verify Group Who Owns passwd File   [ref]
To properly set the group owner of /etc/passwd, run the command: 
$ sudo chgrp root /etc/passwd
Rationale:
The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd
Identifiers and References

References:  - 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227



Complexity:low
Disruption:low
Strategy:configure

+
+
+chgrp 0 /etc/passwd
+

Complexity:low
Disruption:low
Strategy:configure
- name: Test for existence /etc/passwd
   stat:
     path: /etc/passwd
   register: file_exists
@@ -145,15 +149,15 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-

Complexity:low
Disruption:low
Strategy:configure

-
-
-chgrp 0 /etc/passwd

Rule   Verify User Who Owns passwd File   [ref]

To properly set the owner of /etc/passwd, run the command: 
$ sudo chown root /etc/passwd
Rationale:
The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_file_owner_etc_passwd
Identifiers and References

References:  - 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227



Complexity:low
Disruption:low
Strategy:configure

+
+
+chown 0 /etc/passwd
+

Complexity:low
Disruption:low
Strategy:configure
- name: Test for existence /etc/passwd
   stat:
     path: /etc/passwd
   register: file_exists
@@ -185,10 +189,6 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-

Complexity:low
Disruption:low
Strategy:configure

-
-
-chown 0 /etc/passwd

Rule   Verify Permissions on passwd File   [ref]

@@ -197,7 +197,12 @@ world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd
Identifiers and References

References:  - BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227



Complexity:low
Disruption:low
Strategy:configure

+
+
+
+chmod u-xs,g-xws,o-xwt /etc/passwd
+

Complexity:low
Disruption:low
Strategy:configure
- name: Test for existence /etc/passwd
   stat:
     path: /etc/passwd
   register: file_exists
@@ -229,11 +234,6 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-

Complexity:low
Disruption:low
Strategy:configure

-
-
-
-chmod u-xs,g-xws,o-xwt /etc/passwd
Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their /usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_enhanced.html 2023-02-06 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_enhanced.html 2023-02-06 00:00:00.000000000 +0000 @@ -77,7 +77,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleANSSI-BP-028 (enhanced)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_enhanced

CPE Platforms

  • cpe:/o:suse:linux_enterprise_desktop:12
  • cpe:/o:suse:linux_enterprise_server:12

Revision History

Current version: 0.1.66

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 12   Group contains 61 groups and 167 rules
Group   @@ -122,11 +122,26 @@ 
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References

Identifiers:  CCE-83067-9

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.4.1, SV-217148r603262_rule



Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+
+class install_aide {
+  package { 'aide':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -143,21 +158,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
-
-class install_aide {
-  package { 'aide':
-    ensure => 'installed',
-  }
-}

Rule   Build and Test AIDE Database   [ref]

Run the following command to generate a new database: @@ -180,7 +180,18 @@ If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References

Identifiers:  CCE-91483-8

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.4.1



# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -252,17 +263,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
Group   Disk Partitioning   Group contains 10 rules
[ref]   @@ -398,11 +398,26 @@ is to give as few privileges as possible but still allow system users to get their work done.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_sudo_installedIdentifiers and References

Identifiers:  CCE-91491-1

References:  - BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 1.3.1



+            BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 1.3.1

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "sudo"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+


 [[packages]]
 name = "sudo"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
+
+class install_sudo {
+  package { 'sudo':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -417,21 +432,6 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "sudo"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
-
-class install_sudo {
-  package { 'sudo':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Ensure sudo Runs In A Minimal Environment - sudo env_reset
                                   [ref]
The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -441,7 +441,27 @@
 in /etc/sudoers.d/.
Rationale:
Forcing sudo to reset the environment ensures that environment variables are not passed on to the
 command accidentaly, preventing leak of potentially sensitive information.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_env_reset
Identifiers and References
Identifiers: 
             CCE-91492-9
References: 
-            BP28(R58)

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure env_reset is enabled in /etc/sudoers
+            BP28(R58)

Complexity:low
Disruption:low
Strategy:restrict

+if /usr/sbin/visudo -qcf /etc/sudoers; then
+    cp /etc/sudoers /etc/sudoers.bak
+    if ! grep -P '^[\s]*Defaults[\s]*\benv_reset\b.*$' /etc/sudoers; then
+        # sudoers file doesn't define Option env_reset
+        echo "Defaults env_reset" >> /etc/sudoers
+    fi
+    
+    # Check validity of sudoers and cleanup bak
+    if /usr/sbin/visudo -qcf /etc/sudoers; then
+        rm -f /etc/sudoers.bak
+    else
+        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
+        mv /etc/sudoers.bak /etc/sudoers
+        false
+    fi
+else
+    echo "Skipping remediation, /etc/sudoers failed to validate"
+    false
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure env_reset is enabled in /etc/sudoers
   lineinfile:
     path: /etc/sudoers
     regexp: ^[\s]*Defaults.*\benv_reset\b.*$
@@ -455,12 +475,21 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_add_env_reset
-

Complexity:low
Disruption:low
Strategy:restrict

+
Rule  
+                                Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
+                                  [ref]
The sudo ignore_dot tag, when specified, will ignore the current directory
+in the PATH environment variable.
+This should be enabled by making sure that the ignore_dot tag exists in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/.
Rationale:
Ignoring the commands in the user's current directory prevents an attacker from executing commands
+downloaded locally.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot
Identifiers and References
Identifiers: 
+            CCE-91493-7
References: 
+            BP28(R58)

Complexity:low
Disruption:low
Strategy:restrict

 if /usr/sbin/visudo -qcf /etc/sudoers; then
     cp /etc/sudoers /etc/sudoers.bak
-    if ! grep -P '^[\s]*Defaults[\s]*\benv_reset\b.*$' /etc/sudoers; then
-        # sudoers file doesn't define Option env_reset
-        echo "Defaults env_reset" >> /etc/sudoers
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_high.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_high.html	2023-02-06 00:00:00.000000000 +0000
@@ -77,7 +77,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitleANSSI-BP-028 (high)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_high
CPE Platforms
  • cpe:/o:suse:linux_enterprise_desktop:12
  • cpe:/o:suse:linux_enterprise_server:12
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server
Checklist
Group  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 12
                           Group contains 61 groups and 180 rules
Group  
@@ -122,11 +122,26 @@
 
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References
Identifiers: 
             CCE-83067-9
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.4.1, SV-217148r603262_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+
+class install_aide {
+  package { 'aide':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -143,21 +158,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
-
-class install_aide {
-  package { 'aide':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Build and Test AIDE Database
                                   [ref]
Run the following command to generate a new database:
@@ -180,7 +180,18 @@
 If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files
 must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References
Identifiers: 
             CCE-91483-8
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.4.1


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -252,17 +263,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Rule  
                                 Configure Periodic Execution of AIDE
                                   [ref]
At a minimum, AIDE should be configured to run a weekly scan.
@@ -286,7 +286,22 @@
 Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
 monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References
Identifiers: 
             CCE-91529-8
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.4.2


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+else
+    sed -i '\!^.* --check.*$!d' /etc/crontab
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -388,21 +403,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-else
-    sed -i '\!^.* --check.*$!d' /etc/crontab
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Rule  
                                 Configure Notification of Post-AIDE Scan Details
                                   [ref]
AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -422,7 +422,33 @@
 Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
 monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_scan_notification
Identifiers and References
Identifiers: 
             CCE-83048-9
References: 
-            BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, SI-6d, DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-12-010510, SV-217149r603262_rule


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+var_aide_scan_notification_email='root@localhost'
+
+
+CRONTAB=/etc/crontab
+CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly'
+
+# NOTE: on some platforms, /etc/crontab may not exist
+if [ -f /etc/crontab ]; then
+	CRONTAB_EXIST=/etc/crontab
+fi
+
+if [ -f /var/spool/cron/root ]; then
+	VARSPOOL=/var/spool/cron/root
+fi
+
+if ! grep -qR '^.*/usr/bin/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*.*@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then
+	echo "0 5 * * * root /usr/bin/aide  --check | /bin/mail -s \"\$(hostname) - AIDE Integrity Check\" $var_aide_scan_notification_email" >> $CRONTAB
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: XCCDF Value var_aide_scan_notification_email # promote to variable
   set_fact:
     var_aide_scan_notification_email: !!str root@localhost
   tags:
@@ -466,32 +492,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-var_aide_scan_notification_email='root@localhost'
-
-
-CRONTAB=/etc/crontab
-CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly'
-
-# NOTE: on some platforms, /etc/crontab may not exist
-if [ -f /etc/crontab ]; then
-	CRONTAB_EXIST=/etc/crontab
-fi
-
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_intermediary.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_intermediary.html	2023-02-06 00:00:00.000000000 +0000
@@ -77,7 +77,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitleANSSI-BP-028 (intermediary)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
CPE Platforms
  • cpe:/o:suse:linux_enterprise_desktop:12
  • cpe:/o:suse:linux_enterprise_server:12
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
    7. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server
Checklist
Group  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 12
                           Group contains 57 groups and 156 rules
Group  
@@ -122,11 +122,26 @@
 
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References
Identifiers: 
             CCE-83067-9
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.4.1, SV-217148r603262_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+
+class install_aide {
+  package { 'aide':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -143,21 +158,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
-
-class install_aide {
-  package { 'aide':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Build and Test AIDE Database
                                   [ref]
Run the following command to generate a new database:
@@ -180,7 +180,18 @@
 If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files
 must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References
Identifiers: 
             CCE-91483-8
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.4.1


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -252,17 +263,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Group  
                 Disk Partitioning
                           Group contains 10 rules
[ref]  
@@ -398,11 +398,26 @@
 is to give as few privileges as possible but still allow system users to
 get their work done.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_sudo_installed
Identifiers and References
Identifiers: 
             CCE-91491-1
References: 
-            BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 1.3.1


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "sudo"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+


 [[packages]]
 name = "sudo"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
+
+class install_sudo {
+  package { 'sudo':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -417,21 +432,6 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "sudo"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
-
-class install_sudo {
-  package { 'sudo':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Ensure sudo Runs In A Minimal Environment - sudo env_reset
                                   [ref]
The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -441,7 +441,27 @@
 in /etc/sudoers.d/.
Rationale:
Forcing sudo to reset the environment ensures that environment variables are not passed on to the
 command accidentaly, preventing leak of potentially sensitive information.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_env_reset
Identifiers and References
Identifiers: 
             CCE-91492-9
References: 
-            BP28(R58)

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure env_reset is enabled in /etc/sudoers
+            BP28(R58)

Complexity:low
Disruption:low
Strategy:restrict

+if /usr/sbin/visudo -qcf /etc/sudoers; then
+    cp /etc/sudoers /etc/sudoers.bak
+    if ! grep -P '^[\s]*Defaults[\s]*\benv_reset\b.*$' /etc/sudoers; then
+        # sudoers file doesn't define Option env_reset
+        echo "Defaults env_reset" >> /etc/sudoers
+    fi
+    
+    # Check validity of sudoers and cleanup bak
+    if /usr/sbin/visudo -qcf /etc/sudoers; then
+        rm -f /etc/sudoers.bak
+    else
+        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
+        mv /etc/sudoers.bak /etc/sudoers
+        false
+    fi
+else
+    echo "Skipping remediation, /etc/sudoers failed to validate"
+    false
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure env_reset is enabled in /etc/sudoers
   lineinfile:
     path: /etc/sudoers
     regexp: ^[\s]*Defaults.*\benv_reset\b.*$
@@ -455,12 +475,21 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_add_env_reset
-

Complexity:low
Disruption:low
Strategy:restrict

+
Rule  
+                                Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
+                                  [ref]
The sudo ignore_dot tag, when specified, will ignore the current directory
+in the PATH environment variable.
+This should be enabled by making sure that the ignore_dot tag exists in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/.
Rationale:
Ignoring the commands in the user's current directory prevents an attacker from executing commands
+downloaded locally.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot
Identifiers and References
Identifiers: 
+            CCE-91493-7
References: 
+            BP28(R58)

Complexity:low
Disruption:low
Strategy:restrict

 if /usr/sbin/visudo -qcf /etc/sudoers; then
     cp /etc/sudoers /etc/sudoers.bak
-    if ! grep -P '^[\s]*Defaults[\s]*\benv_reset\b.*$' /etc/sudoers; then
-        # sudoers file doesn't define Option env_reset
-        echo "Defaults env_reset" >> /etc/sudoers
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_minimal.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_minimal.html	2023-02-06 00:00:00.000000000 +0000
@@ -77,7 +77,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitleANSSI-BP-028 (minimal)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_minimal
CPE Platforms
  • cpe:/o:suse:linux_enterprise_desktop:12
  • cpe:/o:suse:linux_enterprise_server:12
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. Configure Syslog
    4. File Permissions and Masks
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Obsolete Services
Checklist
Group  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 12
                           Group contains 27 groups and 40 rules
Group  
@@ -109,7 +109,22 @@
 When operating systems provide the capability to escalate a functional capability, it
 is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate
Identifiers and References
Identifiers: 
             CCE-83013-3
References: 
-            BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SLES-12-010110, SV-217112r646686_rule


Complexity:low
Disruption:low
Strategy:restrict

+for f in /etc/sudoers /etc/sudoers.d/* ; do
+  if [ ! -e "$f" ] ; then
+    continue
+  fi
+  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
+  if ! test -z "$matching_list"; then
+    while IFS= read -r entry; do
+      # comment out "!authenticate" matches to preserve user data
+      sed -i "s/^${entry}$/# &/g" $f
+    done <<< "$matching_list"
+
+    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
+  fi
+done
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
@@ -146,21 +161,6 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_no_authenticate
-

Complexity:low
Disruption:low
Strategy:restrict

-for f in /etc/sudoers /etc/sudoers.d/* ; do
-  if [ ! -e "$f" ] ; then
-    continue
-  fi
-  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
-  if ! test -z "$matching_list"; then
-    while IFS= read -r entry; do
-      # comment out "!authenticate" matches to preserve user data
-      sed -i "s/^${entry}$/# &/g" $f
-    done <<< "$matching_list"
-
-    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
-  fi
-done
 
Rule  
                                 Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
                                   [ref]
The sudo NOPASSWD tag, when specified, allows a user to execute
@@ -173,7 +173,22 @@
 When operating systems provide the capability to escalate a functional capability, it
 is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Identifiers and References
Identifiers: 
             CCE-83012-5
References: 
-            BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SLES-12-010110, SV-217112r646686_rule


Complexity:low
Disruption:low
Strategy:restrict

+for f in /etc/sudoers /etc/sudoers.d/* ; do
+  if [ ! -e "$f" ] ; then
+    continue
+  fi
+  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
+  if ! test -z "$matching_list"; then
+    while IFS= read -r entry; do
+      # comment out "NOPASSWD" matches to preserve user data
+      sed -i "s/^${entry}$/# &/g" $f
+    done <<< "$matching_list"
+
+    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
+  fi
+done
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
@@ -210,21 +225,6 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_nopasswd
-

Complexity:low
Disruption:low
Strategy:restrict

-for f in /etc/sudoers /etc/sudoers.d/* ; do
-  if [ ! -e "$f" ] ; then
-    continue
-  fi
-  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
-  if ! test -z "$matching_list"; then
-    while IFS= read -r entry; do
-      # comment out "NOPASSWD" matches to preserve user data
-      sed -i "s/^${entry}$/# &/g" $f
-    done <<< "$matching_list"
-
-    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
-  fi
-done
 
Group  
                 Updating Software
                           Group contains 9 rules
[ref]  
@@ -244,11 +244,20 @@
 $ sudo zypper install dnf-automatic
Rationale:
dnf-automatic is an alternative command line interface (CLI)
 to dnf upgrade suitable for automatic, regular execution.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed
Identifiers and References
Identifiers: 
             CCE-91476-2
References: 
-            BP28(R8), SRG-OS-000191-GPOS-00080


Complexity:low
Disruption:low
Strategy:enable

+zypper install -y "dnf-automatic"
+


 [[packages]]
 name = "dnf-automatic"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure dnf-automatic is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_dnf-automatic
+
+class install_dnf-automatic {
+  package { 'dnf-automatic':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -260,15 +269,6 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-

Complexity:low
Disruption:low
Strategy:enable

-zypper install -y "dnf-automatic"
-

Complexity:low
Disruption:low
Strategy:enable
include install_dnf-automatic
-
-class install_dnf-automatic {
-  package { 'dnf-automatic':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Configure dnf-automatic to Install Available Updates Automatically
                                   [ref]
To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf.
Rationale:
Installing software updates is a fundamental mitigation against
@@ -279,25 +279,7 @@
 The automated installation of updates ensures that recent security patches
 are applied in a timely manner.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates
Identifiers and References
Identifiers: 
             CCE-91474-7
References: 
-            BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080

Complexity:low
Disruption:medium
- name: Configure dnf-automatic to Install Available Updates Automatically
-  ini_file:
-    dest: /etc/dnf/automatic.conf
-    section: commands
-    option: apply_updates
-    value: 'yes'
-    create: true
-  tags:
-  - CCE-91474-7
-  - NIST-800-53-CM-6(a)
-  - NIST-800-53-SI-2(5)
-  - NIST-800-53-SI-2(c)
-  - dnf-automatic_apply_updates
-  - low_complexity
-  - medium_disruption
-  - medium_severity
-  - no_reboot_needed
-  - unknown_strategy
-



 found=false
 
 # set value in all files if they contain section or key
@@ -324,33 +306,33 @@
     mkdir -p "$(dirname "$file")"
     echo -e "[commands]\napply_updates = yes" >> "$file"
 fi
-
Rule  
-                                Configure dnf-automatic to Install Only Security Updates
-                                  [ref]
To configure dnf-automatic to install only security updates
-automatically, set upgrade_type to security under
-[commands] section in /etc/dnf/automatic.conf.
Rationale:
By default, dnf-automatic installs all available updates.
-Reducing the amount of updated packages only to updates that were
-issued as a part of a security advisory increases the system stability.
Severity: 
low
Rule ID:xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only
Identifiers and References
Identifiers: 
-            CCE-91478-8
References: 
-            BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080

Complexity:low
Disruption:medium
- name: Configure dnf-automatic to Install Only Security Updates
+

Complexity:low
Disruption:medium
- name: Configure dnf-automatic to Install Available Updates Automatically
   ini_file:
     dest: /etc/dnf/automatic.conf
     section: commands
-    option: upgrade_type
-    value: security
+    option: apply_updates
+    value: 'yes'
     create: true
   tags:
-  - CCE-91478-8
+  - CCE-91474-7
   - NIST-800-53-CM-6(a)
   - NIST-800-53-SI-2(5)
   - NIST-800-53-SI-2(c)
-  - dnf-automatic_security_updates_only
+  - dnf-automatic_apply_updates
   - low_complexity
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis.html	2023-02-06 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitleCIS SUSE Linux Enterprise 12 Benchmark for Level 2 - Server
Profile IDxccdf_org.ssgproject.content_profile_cis
CPE Platforms
  • cpe:/o:suse:linux_enterprise_desktop:12
  • cpe:/o:suse:linux_enterprise_server:12
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. AppArmor
    5. GRUB2 bootloader configuration
    6. Configure Syslog
    7. Network Configuration and Firewalls
    8. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Print Support
    14. Proxy Server
    15. Samba(SMB) Microsoft Windows File Sharing Server
    16. SNMP Server
    17. SSH Server
    18. X Window System
Checklist
Group  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 12
                           Group contains 111 groups and 338 rules
Group  
@@ -115,11 +115,26 @@
 
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References
Identifiers: 
             CCE-83067-9
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.4.1, SV-217148r603262_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+
+class install_aide {
+  package { 'aide':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -136,21 +151,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
-
-class install_aide {
-  package { 'aide':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Build and Test AIDE Database
                                   [ref]
Run the following command to generate a new database:
@@ -173,7 +173,18 @@
 If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files
 must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References
Identifiers: 
             CCE-91483-8
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.4.1


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -245,17 +256,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Rule  
                                 Configure Periodic Execution of AIDE
                                   [ref]
At a minimum, AIDE should be configured to run a weekly scan.
@@ -279,7 +279,22 @@
 Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
 monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References
Identifiers: 
             CCE-91529-8
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.4.2


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+else
+    sed -i '\!^.* --check.*$!d' /etc/crontab
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -381,21 +396,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-else
-    sed -i '\!^.* --check.*$!d' /etc/crontab
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Group  
                 Disk Partitioning
                           Group contains 6 rules
[ref]  
@@ -565,7 +565,15 @@
 configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
 which gives confidence that it reflects them.
Severity: 
high
Rule ID:xccdf_org.ssgproject.content_rule_dconf_db_up_to_date
Identifiers and References
Identifiers: 
             CCE-83182-6
References: 
-            164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), Req-6.2, SRG-OS-000480-GPOS-00227

Complexity:low
Disruption:medium
- name: Gather the package facts
+            164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), Req-6.2, SRG-OS-000480-GPOS-00227

# Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html	2023-02-06 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitleCIS SUSE Linux Enterprise 12 Benchmark for Level 1 - Server
Profile IDxccdf_org.ssgproject.content_profile_cis_server_l1
CPE Platforms
  • cpe:/o:suse:linux_enterprise_desktop:12
  • cpe:/o:suse:linux_enterprise_server:12
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. AppArmor
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Print Support
    14. Proxy Server
    15. Samba(SMB) Microsoft Windows File Sharing Server
    16. SNMP Server
    17. SSH Server
    18. X Window System
Checklist
Group  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 12
                           Group contains 99 groups and 272 rules
Group  
@@ -115,11 +115,26 @@
 
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References
Identifiers: 
             CCE-83067-9
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.4.1, SV-217148r603262_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+
+class install_aide {
+  package { 'aide':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -136,21 +151,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
-
-class install_aide {
-  package { 'aide':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Build and Test AIDE Database
                                   [ref]
Run the following command to generate a new database:
@@ -173,7 +173,18 @@
 If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files
 must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References
Identifiers: 
             CCE-91483-8
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.4.1


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -245,17 +256,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Rule  
                                 Configure Periodic Execution of AIDE
                                   [ref]
At a minimum, AIDE should be configured to run a weekly scan.
@@ -279,7 +279,22 @@
 Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
 monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References
Identifiers: 
             CCE-91529-8
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.4.2


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+else
+    sed -i '\!^.* --check.*$!d' /etc/crontab
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -381,21 +396,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-else
-    sed -i '\!^.* --check.*$!d' /etc/crontab
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Group  
                 Disk Partitioning
                           Group contains  1 rule
[ref]  
@@ -515,7 +515,15 @@
 configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
 which gives confidence that it reflects them.
Severity: 
high
Rule ID:xccdf_org.ssgproject.content_rule_dconf_db_up_to_date
Identifiers and References
Identifiers: 
             CCE-83182-6
References: 
-            164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), Req-6.2, SRG-OS-000480-GPOS-00227

Complexity:low
Disruption:medium
- name: Gather the package facts
+            164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), Req-6.2, SRG-OS-000480-GPOS-00227

# Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html	2023-02-06 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitleCIS SUSE Linux Enterprise 12 Benchmark for Level 1 - Workstation
Profile IDxccdf_org.ssgproject.content_profile_cis_workstation_l1
CPE Platforms
  • cpe:/o:suse:linux_enterprise_desktop:12
  • cpe:/o:suse:linux_enterprise_server:12
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. AppArmor
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
  2. Services
    1. Cron and At Daemons
    2. DHCP
    3. DNS Server
    4. FTP Server
    5. Web Server
    6. IMAP and POP3 Server
    7. LDAP
    8. Mail Server Software
    9. NFS and RPC
    10. Network Time Protocol
    11. Obsolete Services
    12. Proxy Server
    13. Samba(SMB) Microsoft Windows File Sharing Server
    14. SNMP Server
    15. SSH Server
Checklist
Group  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 12
                           Group contains 92 groups and 265 rules
Group  
@@ -115,11 +115,26 @@
 
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References
Identifiers: 
             CCE-83067-9
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.4.1, SV-217148r603262_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+
+class install_aide {
+  package { 'aide':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -136,21 +151,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
-
-class install_aide {
-  package { 'aide':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Build and Test AIDE Database
                                   [ref]
Run the following command to generate a new database:
@@ -173,7 +173,18 @@
 If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files
 must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References
Identifiers: 
             CCE-91483-8
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.4.1


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -245,17 +256,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Rule  
                                 Configure Periodic Execution of AIDE
                                   [ref]
At a minimum, AIDE should be configured to run a weekly scan.
@@ -279,7 +279,22 @@
 Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
 monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References
Identifiers: 
             CCE-91529-8
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.4.2


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+else
+    sed -i '\!^.* --check.*$!d' /etc/crontab
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -381,21 +396,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-else
-    sed -i '\!^.* --check.*$!d' /etc/crontab
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Group  
                 Disk Partitioning
                           Group contains  1 rule
[ref]  
@@ -515,7 +515,15 @@
 configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
 which gives confidence that it reflects them.
Severity: 
high
Rule ID:xccdf_org.ssgproject.content_rule_dconf_db_up_to_date
Identifiers and References
Identifiers: 
             CCE-83182-6
References: 
-            164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), Req-6.2, SRG-OS-000480-GPOS-00227

Complexity:low
Disruption:medium
- name: Gather the package facts
+            164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), Req-6.2, SRG-OS-000480-GPOS-00227

# Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html	2023-02-06 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitleCIS SUSE Linux Enterprise 12 Benchmark Level 2 - Workstation
Profile IDxccdf_org.ssgproject.content_profile_cis_workstation_l2
CPE Platforms
  • cpe:/o:suse:linux_enterprise_desktop:12
  • cpe:/o:suse:linux_enterprise_server:12
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. AppArmor
    5. GRUB2 bootloader configuration
    6. Configure Syslog
    7. Network Configuration and Firewalls
    8. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Proxy Server
    14. Samba(SMB) Microsoft Windows File Sharing Server
    15. SNMP Server
    16. SSH Server
Checklist
Group  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 12
                           Group contains 108 groups and 334 rules
Group  
@@ -115,11 +115,26 @@
 
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References
Identifiers: 
             CCE-83067-9
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.4.1, SV-217148r603262_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+
+class install_aide {
+  package { 'aide':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -136,21 +151,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
-
-class install_aide {
-  package { 'aide':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Build and Test AIDE Database
                                   [ref]
Run the following command to generate a new database:
@@ -173,7 +173,18 @@
 If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files
 must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References
Identifiers: 
             CCE-91483-8
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.4.1


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -245,17 +256,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Rule  
                                 Configure Periodic Execution of AIDE
                                   [ref]
At a minimum, AIDE should be configured to run a weekly scan.
@@ -279,7 +279,22 @@
 Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
 monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References
Identifiers: 
             CCE-91529-8
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.4.2


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+else
+    sed -i '\!^.* --check.*$!d' /etc/crontab
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -381,21 +396,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-else
-    sed -i '\!^.* --check.*$!d' /etc/crontab
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Group  
                 Disk Partitioning
                           Group contains 6 rules
[ref]  
@@ -565,7 +565,15 @@
 configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
 which gives confidence that it reflects them.
Severity: 
high
Rule ID:xccdf_org.ssgproject.content_rule_dconf_db_up_to_date
Identifiers and References
Identifiers: 
             CCE-83182-6
References: 
-            164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), Req-6.2, SRG-OS-000480-GPOS-00227

Complexity:low
Disruption:medium
- name: Gather the package facts
+            164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), Req-6.2, SRG-OS-000480-GPOS-00227

# Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-pci-dss-4.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-pci-dss-4.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-pci-dss-4.html	2023-02-06 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitlePCI-DSS v4 Control Baseline for SUSE Linux enterprise 12
Profile IDxccdf_org.ssgproject.content_profile_pci-dss-4
CPE Platforms
  • cpe:/o:suse:linux_enterprise_desktop:12
  • cpe:/o:suse:linux_enterprise_server:12
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. Web Server
    6. LDAP
    7. NFS and RPC
    8. Network Time Protocol
    9. Obsolete Services
    10. Print Support
    11. Samba(SMB) Microsoft Windows File Sharing Server
    12. SNMP Server
    13. SSH Server
    14. System Security Services Daemon
Checklist
Group  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 12
                           Group contains 90 groups and 216 rules
Group  
@@ -133,7 +133,16 @@
 information given by the RPM database. Executables with erroneous hashes could
 be a sign of nefarious activity on the system.
Severity: 
high
Rule ID:xccdf_org.ssgproject.content_rule_rpm_verify_hashes
Identifiers and References
Identifiers: 
             CCE-91632-0
References: 
-            11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227



+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+
+zypper install -f -y $packages_to_reinstall
+

Complexity:high
Disruption:medium
Strategy:restrict
- name: 'Set fact: Package manager reinstall command (dnf)'
   set_fact:
     package_manager_reinstall_cmd: dnf reinstall -y
   when: ansible_distribution == "Fedora"
@@ -286,15 +295,6 @@
   - no_reboot_needed
   - restrict_strategy
   - rpm_verify_hashes
-


-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-
-zypper install -f -y $packages_to_reinstall
 
Rule  
                                 Verify and Correct Ownership with RPM
                                   [ref]
The RPM package management system can check file ownership
@@ -340,7 +340,32 @@
 The permissions set by the vendor should be maintained. Any deviations from
 this baseline should be investigated.
Severity: 
high
Rule ID:xccdf_org.ssgproject.content_rule_rpm_verify_permissions
Identifiers and References
Identifiers: 
             CCE-91634-6
References: 
-            1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 6.1.1


Complexity:high
Disruption:medium
Strategy:restrict

+# Declare array to hold set of RPM packages we need to correct permissions for
+declare -A SETPERMS_RPM_DICT
+
+# Create a list of files on the system having permissions different from what
+# is expected by the RPM database
+readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
+
+for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
+do
+        # NOTE: some files maybe controlled by more then one package
+        readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
+        for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
+        do
+                # Use an associative array to store packages as it's keys, not having to care about duplicates.
+                SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
+        done
+done
+
+# For each of the RPM packages left in the list -- reset its permissions to the
+# correct values
+for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
+do
+	rpm --restore "${RPM_PACKAGE}"
+done
+

Complexity:high
Disruption:medium
Strategy:restrict
- name: Read list of files with incorrect permissions
   command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev
     --nocaps --nolinkto --nouser --nogroup
   register: files_with_incorrect_permissions
@@ -420,31 +445,6 @@
   - no_reboot_needed
   - restrict_strategy
   - rpm_verify_permissions
-

Complexity:high
Disruption:medium
Strategy:restrict

-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
-        # NOTE: some files maybe controlled by more then one package
-        readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
-        for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
-        do
-                # Use an associative array to store packages as it's keys, not having to care about duplicates.
-                SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
-        done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
-	rpm --restore "${RPM_PACKAGE}"
-done
 
Group  
                 Verify Integrity with AIDE
                           Group contains 3 rules
[ref]  
@@ -458,11 +458,26 @@
 
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References
Identifiers: 
             CCE-83067-9
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.4.1, SV-217148r603262_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+
+class install_aide {
+  package { 'aide':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -479,21 +494,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
-
-class install_aide {
-  package { 'aide':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Build and Test AIDE Database
                                   [ref]
Run the following command to generate a new database:
@@ -516,7 +516,18 @@
 If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files
 must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References
Identifiers: 
             CCE-91483-8
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.4.1


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -588,17 +599,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Rule  
                                 Configure Periodic Execution of AIDE
                                   [ref]
At a minimum, AIDE should be configured to run a weekly scan.
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-pci-dss.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-pci-dss.html	2023-02-06 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitlePCI-DSS v3.2.1 Control Baseline for SUSE Linux enterprise 12
Profile IDxccdf_org.ssgproject.content_profile_pci-dss
CPE Platforms
  • cpe:/o:suse:linux_enterprise_desktop:12
  • cpe:/o:suse:linux_enterprise_server:12
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
  2. Services
    1. Network Time Protocol
    2. SSH Server
    3. System Security Services Daemon
Checklist
Group  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 12
                           Group contains 63 groups and 157 rules
Group  
@@ -133,7 +133,16 @@
 information given by the RPM database. Executables with erroneous hashes could
 be a sign of nefarious activity on the system.
Severity: 
high
Rule ID:xccdf_org.ssgproject.content_rule_rpm_verify_hashes
Identifiers and References
Identifiers: 
             CCE-91632-0
References: 
-            11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227



+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+
+zypper install -f -y $packages_to_reinstall
+

Complexity:high
Disruption:medium
Strategy:restrict
- name: 'Set fact: Package manager reinstall command (dnf)'
   set_fact:
     package_manager_reinstall_cmd: dnf reinstall -y
   when: ansible_distribution == "Fedora"
@@ -286,15 +295,6 @@
   - no_reboot_needed
   - restrict_strategy
   - rpm_verify_hashes
-


-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-
-zypper install -f -y $packages_to_reinstall
 
Rule  
                                 Verify and Correct Ownership with RPM
                                   [ref]
The RPM package management system can check file ownership
@@ -340,7 +340,32 @@
 The permissions set by the vendor should be maintained. Any deviations from
 this baseline should be investigated.
Severity: 
high
Rule ID:xccdf_org.ssgproject.content_rule_rpm_verify_permissions
Identifiers and References
Identifiers: 
             CCE-91634-6
References: 
-            1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 6.1.1


Complexity:high
Disruption:medium
Strategy:restrict

+# Declare array to hold set of RPM packages we need to correct permissions for
+declare -A SETPERMS_RPM_DICT
+
+# Create a list of files on the system having permissions different from what
+# is expected by the RPM database
+readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
+
+for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
+do
+        # NOTE: some files maybe controlled by more then one package
+        readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
+        for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
+        do
+                # Use an associative array to store packages as it's keys, not having to care about duplicates.
+                SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
+        done
+done
+
+# For each of the RPM packages left in the list -- reset its permissions to the
+# correct values
+for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
+do
+	rpm --restore "${RPM_PACKAGE}"
+done
+

Complexity:high
Disruption:medium
Strategy:restrict
- name: Read list of files with incorrect permissions
   command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev
     --nocaps --nolinkto --nouser --nogroup
   register: files_with_incorrect_permissions
@@ -420,31 +445,6 @@
   - no_reboot_needed
   - restrict_strategy
   - rpm_verify_permissions
-

Complexity:high
Disruption:medium
Strategy:restrict

-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
-        # NOTE: some files maybe controlled by more then one package
-        readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
-        for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
-        do
-                # Use an associative array to store packages as it's keys, not having to care about duplicates.
-                SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
-        done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
-	rpm --restore "${RPM_PACKAGE}"
-done
 
Group  
                 Verify Integrity with AIDE
                           Group contains 3 rules
[ref]  
@@ -458,11 +458,26 @@
 
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References
Identifiers: 
             CCE-83067-9
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.4.1, SV-217148r603262_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+
+class install_aide {
+  package { 'aide':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -479,21 +494,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
-
-class install_aide {
-  package { 'aide':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Build and Test AIDE Database
                                   [ref]
Run the following command to generate a new database:
@@ -516,7 +516,18 @@
 If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files
 must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References
Identifiers: 
             CCE-91483-8
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.4.1


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -588,17 +599,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Rule  
                                 Configure Periodic Execution of AIDE
                                   [ref]
At a minimum, AIDE should be configured to run a weekly scan.
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html	2023-02-06 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitleStandard System Security Profile for SUSE Linux Enterprise 12
Profile IDxccdf_org.ssgproject.content_profile_standard
CPE Platforms
  • cpe:/o:suse:linux_enterprise_desktop:12
  • cpe:/o:suse:linux_enterprise_server:12
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. File Permissions and Masks
Checklist
Group  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 12
                           Group contains 4 groups and 3 rules
Group  
@@ -114,7 +114,11 @@
                                   [ref]
 To properly set the group owner of /etc/passwd, run the command: 
$ sudo chgrp root /etc/passwd
Rationale:
The /etc/passwd file contains information about the users that are configured on
 the system. Protection of this file is critical for system security.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd
Identifiers and References
Identifiers: 
             CCE-91627-0
References: 
-            12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.2


Complexity:low
Disruption:low
Strategy:configure

+
+
+chgrp 0 /etc/passwd
+

Complexity:low
Disruption:low
Strategy:configure
- name: Test for existence /etc/passwd
   stat:
     path: /etc/passwd
   register: file_exists
@@ -148,16 +152,16 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-

Complexity:low
Disruption:low
Strategy:configure

-
-
-chgrp 0 /etc/passwd
 
Rule  
                                 Verify User Who Owns passwd File
                                   [ref]
 To properly set the owner of /etc/passwd, run the command: 
$ sudo chown root /etc/passwd 
Rationale:
The /etc/passwd file contains information about the users that are configured on
 the system. Protection of this file is critical for system security.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_file_owner_etc_passwd
Identifiers and References
Identifiers: 
             CCE-91666-8
References: 
-            12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.2


Complexity:low
Disruption:low
Strategy:configure

+
+
+chown 0 /etc/passwd
+

Complexity:low
Disruption:low
Strategy:configure
- name: Test for existence /etc/passwd
   stat:
     path: /etc/passwd
   register: file_exists
@@ -191,10 +195,6 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-

Complexity:low
Disruption:low
Strategy:configure

-
-
-chown 0 /etc/passwd
 
Rule  
                                 Verify Permissions on passwd File
                                   [ref]

@@ -204,7 +204,12 @@
 accounts on the system and associated information, and protection of this file
 is critical for system security.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd
Identifiers and References
Identifiers: 
             CCE-91452-3
References: 
-            BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.2


Complexity:low
Disruption:low
Strategy:configure

+
+
+
+chmod u-xs,g-xws,o-xwt /etc/passwd
+

Complexity:low
Disruption:low
Strategy:configure
- name: Test for existence /etc/passwd
   stat:
     path: /etc/passwd
   register: file_exists
@@ -238,11 +243,6 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-

Complexity:low
Disruption:low
Strategy:configure

-
-
-
-chmod u-xs,g-xws,o-xwt /etc/passwd
 
Red Hat and Red Hat Enterprise Linux are either registered
 trademarks or trademarks of Red Hat, Inc. in the United States and other
 countries. All other names are registered trademarks or trademarks of their
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html	2023-02-06 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitleDISA STIG for SUSE Linux Enterprise 12
Profile IDxccdf_org.ssgproject.content_profile_stig
CPE Platforms
  • cpe:/o:suse:linux_enterprise_desktop:12
  • cpe:/o:suse:linux_enterprise_server:12
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. AppArmor
    5. GRUB2 bootloader configuration
    6. Configure Syslog
    7. Network Configuration and Firewalls
    8. File Permissions and Masks
  2. Services
    1. Base Services
    2. FTP Server
    3. Mail Server Software
    4. NFS and RPC
    5. Network Time Protocol
    6. Obsolete Services
    7. SSH Server
    8. System Security Services Daemon
Checklist
Group  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 12
                           Group contains 83 groups and 238 rules
Group  
@@ -111,11 +111,26 @@
 
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References
Identifiers: 
             CCE-83067-9
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.4.1, SV-217148r603262_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+
+class install_aide {
+  package { 'aide':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -132,21 +147,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
-
-class install_aide {
-  package { 'aide':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Configure AIDE to Verify the Audit Tools
                                   [ref]
The operating system file integrity tool must be configured to protect the integrity of the audit tools.
Rationale:
Protecting the integrity of the tools used for auditing purposes is a
@@ -169,7 +169,66 @@
 manipulated, or replaced. An example is a checksum hash of the file or
 files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_check_audit_tools
Identifiers and References
Identifiers: 
             CCE-83204-8
References: 
-            CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SLES-12-010540, SV-217152r603262_rule

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure aide is installed
+            CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SLES-12-010540, SV-217152r603262_rule

Complexity:low
Disruption:low
Strategy:restrict
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+
+
+
+
+
+
+
+
+
+if grep -i '^.*/usr/sbin/auditctl.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/auditctl.*#/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/auditd.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/auditd.*#/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/ausearch.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/ausearch.*#/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/aureport.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/aureport.*#/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/autrace.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/autrace.*#/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/augenrules.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/augenrules.*#/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/audispd.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/audispd.*#/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure aide is installed
   package:
     name: '{{ item }}'
     state: present
@@ -247,65 +306,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Complexity:low
Disruption:low
Strategy:restrict
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-
-
-
-
-
-
-
-
-
-if grep -i '^.*/usr/sbin/auditctl.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/auditctl.*#/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/auditd.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/auditd.*#/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/ausearch.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/ausearch.*#/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/aureport.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/aureport.*#/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/autrace.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/autrace.*#/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/augenrules.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/augenrules.*#/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/audispd.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/audispd.*#/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Rule  
                                 Configure Notification of Post-AIDE Scan Details
                                   [ref]
AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -325,7 +325,33 @@
 Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
 monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_scan_notification
Identifiers and References
Identifiers: 
             CCE-83048-9
References: 
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_enhanced.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_enhanced.html	2023-02-06 00:00:00.000000000 +0000
@@ -77,7 +77,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitleANSSI-BP-028 (enhanced)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
CPE Platforms
  • cpe:/o:suse:linux_enterprise_desktop:15
  • cpe:/o:suse:linux_enterprise_server:15
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server
Checklist
Group  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 15
                           Group contains 61 groups and 170 rules
Group  
@@ -122,11 +122,26 @@
 
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References
Identifiers: 
             CCE-83289-9
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+
+class install_aide {
+  package { 'aide':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -143,21 +158,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
-
-class install_aide {
-  package { 'aide':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Build and Test AIDE Database
                                   [ref]
Run the following command to generate a new database:
@@ -180,7 +180,18 @@
 If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files
 must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References
Identifiers: 
             CCE-85787-0
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.4.1


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -252,17 +263,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Group  
                 Disk Partitioning
                           Group contains 10 rules
[ref]  
@@ -398,11 +398,26 @@
 is to give as few privileges as possible but still allow system users to
 get their work done.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_sudo_installed
Identifiers and References
Identifiers: 
             CCE-91183-4
References: 
-            BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 1.3.1


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "sudo"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+


 [[packages]]
 name = "sudo"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
+
+class install_sudo {
+  package { 'sudo':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -417,21 +432,6 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "sudo"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
-
-class install_sudo {
-  package { 'sudo':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Ensure sudo Runs In A Minimal Environment - sudo env_reset
                                   [ref]
The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -441,7 +441,27 @@
 in /etc/sudoers.d/.
Rationale:
Forcing sudo to reset the environment ensures that environment variables are not passed on to the
 command accidentaly, preventing leak of potentially sensitive information.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_env_reset
Identifiers and References
Identifiers: 
             CCE-91184-2
References: 
-            BP28(R58)

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure env_reset is enabled in /etc/sudoers
+            BP28(R58)

Complexity:low
Disruption:low
Strategy:restrict

+if /usr/sbin/visudo -qcf /etc/sudoers; then
+    cp /etc/sudoers /etc/sudoers.bak
+    if ! grep -P '^[\s]*Defaults[\s]*\benv_reset\b.*$' /etc/sudoers; then
+        # sudoers file doesn't define Option env_reset
+        echo "Defaults env_reset" >> /etc/sudoers
+    fi
+    
+    # Check validity of sudoers and cleanup bak
+    if /usr/sbin/visudo -qcf /etc/sudoers; then
+        rm -f /etc/sudoers.bak
+    else
+        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
+        mv /etc/sudoers.bak /etc/sudoers
+        false
+    fi
+else
+    echo "Skipping remediation, /etc/sudoers failed to validate"
+    false
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure env_reset is enabled in /etc/sudoers
   lineinfile:
     path: /etc/sudoers
     regexp: ^[\s]*Defaults.*\benv_reset\b.*$
@@ -455,12 +475,21 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_add_env_reset
-

Complexity:low
Disruption:low
Strategy:restrict

+
Rule  
+                                Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
+                                  [ref]
The sudo ignore_dot tag, when specified, will ignore the current directory
+in the PATH environment variable.
+This should be enabled by making sure that the ignore_dot tag exists in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/.
Rationale:
Ignoring the commands in the user's current directory prevents an attacker from executing commands
+downloaded locally.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot
Identifiers and References
Identifiers: 
+            CCE-91185-9
References: 
+            BP28(R58)

Complexity:low
Disruption:low
Strategy:restrict

 if /usr/sbin/visudo -qcf /etc/sudoers; then
     cp /etc/sudoers /etc/sudoers.bak
-    if ! grep -P '^[\s]*Defaults[\s]*\benv_reset\b.*$' /etc/sudoers; then
-        # sudoers file doesn't define Option env_reset
-        echo "Defaults env_reset" >> /etc/sudoers
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_high.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_high.html	2023-02-06 00:00:00.000000000 +0000
@@ -77,7 +77,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitleANSSI-BP-028 (high)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_high
CPE Platforms
  • cpe:/o:suse:linux_enterprise_desktop:15
  • cpe:/o:suse:linux_enterprise_server:15
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server
Checklist
Group  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 15
                           Group contains 61 groups and 183 rules
Group  
@@ -122,11 +122,26 @@
 
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References
Identifiers: 
             CCE-83289-9
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+
+class install_aide {
+  package { 'aide':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -143,21 +158,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
-
-class install_aide {
-  package { 'aide':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Build and Test AIDE Database
                                   [ref]
Run the following command to generate a new database:
@@ -180,7 +180,18 @@
 If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files
 must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References
Identifiers: 
             CCE-85787-0
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.4.1


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -252,17 +263,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Rule  
                                 Configure Periodic Execution of AIDE
                                   [ref]
At a minimum, AIDE should be configured to run a weekly scan.
@@ -286,7 +286,22 @@
 Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
 monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References
Identifiers: 
             CCE-85671-6
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+else
+    sed -i '\!^.* --check.*$!d' /etc/crontab
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -383,21 +398,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-else
-    sed -i '\!^.* --check.*$!d' /etc/crontab
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Rule  
                                 Configure Notification of Post-AIDE Scan Details
                                   [ref]
AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -417,7 +417,33 @@
 Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
 monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_scan_notification
Identifiers and References
Identifiers: 
             CCE-91214-7
References: 
-            BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+var_aide_scan_notification_email='root@localhost'
+
+
+CRONTAB=/etc/crontab
+CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly'
+
+# NOTE: on some platforms, /etc/crontab may not exist
+if [ -f /etc/crontab ]; then
+	CRONTAB_EXIST=/etc/crontab
+fi
+
+if [ -f /var/spool/cron/root ]; then
+	VARSPOOL=/var/spool/cron/root
+fi
+
+if ! grep -qR '^.*/usr/bin/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*.*@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then
+	echo "0 5 * * * root /usr/bin/aide  --check | /bin/mail -s \"\$(hostname) - AIDE Integrity Check\" $var_aide_scan_notification_email" >> $CRONTAB
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: XCCDF Value var_aide_scan_notification_email # promote to variable
   set_fact:
     var_aide_scan_notification_email: !!str root@localhost
   tags:
@@ -461,32 +487,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-var_aide_scan_notification_email='root@localhost'
-
-
-CRONTAB=/etc/crontab
-CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly'
-
-# NOTE: on some platforms, /etc/crontab may not exist
-if [ -f /etc/crontab ]; then
-	CRONTAB_EXIST=/etc/crontab
-fi
-
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_intermediary.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_intermediary.html	2023-02-06 00:00:00.000000000 +0000
@@ -77,7 +77,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitleANSSI-BP-028 (intermediary)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
CPE Platforms
  • cpe:/o:suse:linux_enterprise_desktop:15
  • cpe:/o:suse:linux_enterprise_server:15
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
    7. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server
Checklist
Group  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 15
                           Group contains 57 groups and 159 rules
Group  
@@ -122,11 +122,26 @@
 
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References
Identifiers: 
             CCE-83289-9
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+
+class install_aide {
+  package { 'aide':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -143,21 +158,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
-
-class install_aide {
-  package { 'aide':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Build and Test AIDE Database
                                   [ref]
Run the following command to generate a new database:
@@ -180,7 +180,18 @@
 If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files
 must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References
Identifiers: 
             CCE-85787-0
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.4.1


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -252,17 +263,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Group  
                 Disk Partitioning
                           Group contains 10 rules
[ref]  
@@ -398,11 +398,26 @@
 is to give as few privileges as possible but still allow system users to
 get their work done.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_sudo_installed
Identifiers and References
Identifiers: 
             CCE-91183-4
References: 
-            BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 1.3.1


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "sudo"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+


 [[packages]]
 name = "sudo"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
+
+class install_sudo {
+  package { 'sudo':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -417,21 +432,6 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "sudo"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
-
-class install_sudo {
-  package { 'sudo':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Ensure sudo Runs In A Minimal Environment - sudo env_reset
                                   [ref]
The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -441,7 +441,27 @@
 in /etc/sudoers.d/.
Rationale:
Forcing sudo to reset the environment ensures that environment variables are not passed on to the
 command accidentaly, preventing leak of potentially sensitive information.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_env_reset
Identifiers and References
Identifiers: 
             CCE-91184-2
References: 
-            BP28(R58)

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure env_reset is enabled in /etc/sudoers
+            BP28(R58)

Complexity:low
Disruption:low
Strategy:restrict

+if /usr/sbin/visudo -qcf /etc/sudoers; then
+    cp /etc/sudoers /etc/sudoers.bak
+    if ! grep -P '^[\s]*Defaults[\s]*\benv_reset\b.*$' /etc/sudoers; then
+        # sudoers file doesn't define Option env_reset
+        echo "Defaults env_reset" >> /etc/sudoers
+    fi
+    
+    # Check validity of sudoers and cleanup bak
+    if /usr/sbin/visudo -qcf /etc/sudoers; then
+        rm -f /etc/sudoers.bak
+    else
+        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
+        mv /etc/sudoers.bak /etc/sudoers
+        false
+    fi
+else
+    echo "Skipping remediation, /etc/sudoers failed to validate"
+    false
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure env_reset is enabled in /etc/sudoers
   lineinfile:
     path: /etc/sudoers
     regexp: ^[\s]*Defaults.*\benv_reset\b.*$
@@ -455,12 +475,21 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_add_env_reset
-

Complexity:low
Disruption:low
Strategy:restrict

+
Rule  
+                                Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
+                                  [ref]
The sudo ignore_dot tag, when specified, will ignore the current directory
+in the PATH environment variable.
+This should be enabled by making sure that the ignore_dot tag exists in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/.
Rationale:
Ignoring the commands in the user's current directory prevents an attacker from executing commands
+downloaded locally.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot
Identifiers and References
Identifiers: 
+            CCE-91185-9
References: 
+            BP28(R58)

Complexity:low
Disruption:low
Strategy:restrict

 if /usr/sbin/visudo -qcf /etc/sudoers; then
     cp /etc/sudoers /etc/sudoers.bak
-    if ! grep -P '^[\s]*Defaults[\s]*\benv_reset\b.*$' /etc/sudoers; then
-        # sudoers file doesn't define Option env_reset
-        echo "Defaults env_reset" >> /etc/sudoers
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_minimal.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_minimal.html	2023-02-06 00:00:00.000000000 +0000
@@ -77,7 +77,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitleANSSI-BP-028 (minimal)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_minimal
CPE Platforms
  • cpe:/o:suse:linux_enterprise_desktop:15
  • cpe:/o:suse:linux_enterprise_server:15
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. Configure Syslog
    4. File Permissions and Masks
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Obsolete Services
Checklist
Group  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 15
                           Group contains 27 groups and 43 rules
Group  
@@ -109,7 +109,22 @@
 When operating systems provide the capability to escalate a functional capability, it
 is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate
Identifiers and References
Identifiers: 
             CCE-83291-5
References: 
-            BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SLES-15-010450, SV-234853r622137_rule


Complexity:low
Disruption:low
Strategy:restrict

+for f in /etc/sudoers /etc/sudoers.d/* ; do
+  if [ ! -e "$f" ] ; then
+    continue
+  fi
+  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
+  if ! test -z "$matching_list"; then
+    while IFS= read -r entry; do
+      # comment out "!authenticate" matches to preserve user data
+      sed -i "s/^${entry}$/# &/g" $f
+    done <<< "$matching_list"
+
+    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
+  fi
+done
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
@@ -146,21 +161,6 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_no_authenticate
-

Complexity:low
Disruption:low
Strategy:restrict

-for f in /etc/sudoers /etc/sudoers.d/* ; do
-  if [ ! -e "$f" ] ; then
-    continue
-  fi
-  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
-  if ! test -z "$matching_list"; then
-    while IFS= read -r entry; do
-      # comment out "!authenticate" matches to preserve user data
-      sed -i "s/^${entry}$/# &/g" $f
-    done <<< "$matching_list"
-
-    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
-  fi
-done
 
Rule  
                                 Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
                                   [ref]
The sudo NOPASSWD tag, when specified, allows a user to execute
@@ -173,7 +173,22 @@
 When operating systems provide the capability to escalate a functional capability, it
 is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Identifiers and References
Identifiers: 
             CCE-85663-3
References: 
-            BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SLES-15-010450, SV-234853r622137_rule


Complexity:low
Disruption:low
Strategy:restrict

+for f in /etc/sudoers /etc/sudoers.d/* ; do
+  if [ ! -e "$f" ] ; then
+    continue
+  fi
+  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
+  if ! test -z "$matching_list"; then
+    while IFS= read -r entry; do
+      # comment out "NOPASSWD" matches to preserve user data
+      sed -i "s/^${entry}$/# &/g" $f
+    done <<< "$matching_list"
+
+    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
+  fi
+done
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
@@ -210,21 +225,6 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_nopasswd
-

Complexity:low
Disruption:low
Strategy:restrict

-for f in /etc/sudoers /etc/sudoers.d/* ; do
-  if [ ! -e "$f" ] ; then
-    continue
-  fi
-  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
-  if ! test -z "$matching_list"; then
-    while IFS= read -r entry; do
-      # comment out "NOPASSWD" matches to preserve user data
-      sed -i "s/^${entry}$/# &/g" $f
-    done <<< "$matching_list"
-
-    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
-  fi
-done
 
Group  
                 Updating Software
                           Group contains 9 rules
[ref]  
@@ -244,11 +244,20 @@
 $ sudo zypper install dnf-automatic
Rationale:
dnf-automatic is an alternative command line interface (CLI)
 to dnf upgrade suitable for automatic, regular execution.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed
Identifiers and References
Identifiers: 
             CCE-91163-6
References: 
-            BP28(R8), SRG-OS-000191-GPOS-00080


Complexity:low
Disruption:low
Strategy:enable

+zypper install -y "dnf-automatic"
+


 [[packages]]
 name = "dnf-automatic"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure dnf-automatic is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_dnf-automatic
+
+class install_dnf-automatic {
+  package { 'dnf-automatic':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -260,15 +269,6 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-

Complexity:low
Disruption:low
Strategy:enable

-zypper install -y "dnf-automatic"
-

Complexity:low
Disruption:low
Strategy:enable
include install_dnf-automatic
-
-class install_dnf-automatic {
-  package { 'dnf-automatic':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Configure dnf-automatic to Install Available Updates Automatically
                                   [ref]
To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf.
Rationale:
Installing software updates is a fundamental mitigation against
@@ -279,25 +279,7 @@
 The automated installation of updates ensures that recent security patches
 are applied in a timely manner.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates
Identifiers and References
Identifiers: 
             CCE-91165-1
References: 
-            BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080

Complexity:low
Disruption:medium
- name: Configure dnf-automatic to Install Available Updates Automatically
-  ini_file:
-    dest: /etc/dnf/automatic.conf
-    section: commands
-    option: apply_updates
-    value: 'yes'
-    create: true
-  tags:
-  - CCE-91165-1
-  - NIST-800-53-CM-6(a)
-  - NIST-800-53-SI-2(5)
-  - NIST-800-53-SI-2(c)
-  - dnf-automatic_apply_updates
-  - low_complexity
-  - medium_disruption
-  - medium_severity
-  - no_reboot_needed
-  - unknown_strategy
-



 found=false
 
 # set value in all files if they contain section or key
@@ -324,33 +306,33 @@
     mkdir -p "$(dirname "$file")"
     echo -e "[commands]\napply_updates = yes" >> "$file"
 fi
-
Rule  
-                                Configure dnf-automatic to Install Only Security Updates
-                                  [ref]
To configure dnf-automatic to install only security updates
-automatically, set upgrade_type to security under
-[commands] section in /etc/dnf/automatic.conf.
Rationale:
By default, dnf-automatic installs all available updates.
-Reducing the amount of updated packages only to updates that were
-issued as a part of a security advisory increases the system stability.
Severity: 
low
Rule ID:xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only
Identifiers and References
Identifiers: 
-            CCE-91166-9
References: 
-            BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080

Complexity:low
Disruption:medium
- name: Configure dnf-automatic to Install Only Security Updates
+

Complexity:low
Disruption:medium
- name: Configure dnf-automatic to Install Available Updates Automatically
   ini_file:
     dest: /etc/dnf/automatic.conf
     section: commands
-    option: upgrade_type
-    value: security
+    option: apply_updates
+    value: 'yes'
     create: true
   tags:
-  - CCE-91166-9
+  - CCE-91165-1
   - NIST-800-53-CM-6(a)
   - NIST-800-53-SI-2(5)
   - NIST-800-53-SI-2(c)
-  - dnf-automatic_security_updates_only
+  - dnf-automatic_apply_updates
   - low_complexity
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html	2023-02-06 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitleCIS SUSE Linux Enterprise 15 Benchmark for Level 2 - Server
Profile IDxccdf_org.ssgproject.content_profile_cis
CPE Platforms
  • cpe:/o:suse:linux_enterprise_desktop:15
  • cpe:/o:suse:linux_enterprise_server:15
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. AppArmor
    5. GRUB2 bootloader configuration
    6. Configure Syslog
    7. Network Configuration and Firewalls
    8. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Print Support
    14. Proxy Server
    15. Samba(SMB) Microsoft Windows File Sharing Server
    16. SNMP Server
    17. SSH Server
    18. X Window System
Checklist
Group  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 15
                           Group contains 115 groups and 345 rules
Group  
@@ -115,11 +115,26 @@
 
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References
Identifiers: 
             CCE-83289-9
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+
+class install_aide {
+  package { 'aide':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -136,21 +151,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
-
-class install_aide {
-  package { 'aide':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Build and Test AIDE Database
                                   [ref]
Run the following command to generate a new database:
@@ -173,7 +173,18 @@
 If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files
 must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References
Identifiers: 
             CCE-85787-0
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.4.1


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -245,17 +256,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Rule  
                                 Configure Periodic Execution of AIDE
                                   [ref]
At a minimum, AIDE should be configured to run a weekly scan.
@@ -279,7 +279,22 @@
 Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
 monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References
Identifiers: 
             CCE-85671-6
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+else
+    sed -i '\!^.* --check.*$!d' /etc/crontab
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -376,21 +391,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-else
-    sed -i '\!^.* --check.*$!d' /etc/crontab
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Group  
                 Disk Partitioning
                           Group contains 6 rules
[ref]  
@@ -560,7 +560,15 @@
 configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
 which gives confidence that it reflects them.
Severity: 
high
Rule ID:xccdf_org.ssgproject.content_rule_dconf_db_up_to_date
Identifiers and References
Identifiers: 
             CCE-83288-1
References: 
-            164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), Req-6.2, SRG-OS-000480-GPOS-00227

Complexity:low
Disruption:medium
- name: Gather the package facts
+            164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), Req-6.2, SRG-OS-000480-GPOS-00227

# Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_server_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_server_l1.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_server_l1.html	2023-02-06 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitleCIS SUSE Linux Enterprise 15 Benchmark for Level 1 - Server
Profile IDxccdf_org.ssgproject.content_profile_cis_server_l1
CPE Platforms
  • cpe:/o:suse:linux_enterprise_desktop:15
  • cpe:/o:suse:linux_enterprise_server:15
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. AppArmor
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Print Support
    14. Proxy Server
    15. Samba(SMB) Microsoft Windows File Sharing Server
    16. SNMP Server
    17. SSH Server
    18. X Window System
Checklist
Group  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 15
                           Group contains 103 groups and 278 rules
Group  
@@ -115,11 +115,26 @@
 
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References
Identifiers: 
             CCE-83289-9
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+
+class install_aide {
+  package { 'aide':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -136,21 +151,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
-
-class install_aide {
-  package { 'aide':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Build and Test AIDE Database
                                   [ref]
Run the following command to generate a new database:
@@ -173,7 +173,18 @@
 If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files
 must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References
Identifiers: 
             CCE-85787-0
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.4.1


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -245,17 +256,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Rule  
                                 Configure Periodic Execution of AIDE
                                   [ref]
At a minimum, AIDE should be configured to run a weekly scan.
@@ -279,7 +279,22 @@
 Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
 monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References
Identifiers: 
             CCE-85671-6
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+else
+    sed -i '\!^.* --check.*$!d' /etc/crontab
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -376,21 +391,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-else
-    sed -i '\!^.* --check.*$!d' /etc/crontab
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Group  
                 Disk Partitioning
                           Group contains  1 rule
[ref]  
@@ -510,7 +510,15 @@
 configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
 which gives confidence that it reflects them.
Severity: 
high
Rule ID:xccdf_org.ssgproject.content_rule_dconf_db_up_to_date
Identifiers and References
Identifiers: 
             CCE-83288-1
References: 
-            164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), Req-6.2, SRG-OS-000480-GPOS-00227

Complexity:low
Disruption:medium
- name: Gather the package facts
+            164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), Req-6.2, SRG-OS-000480-GPOS-00227

# Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l1.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l1.html	2023-02-06 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitleCIS SUSE Linux Enterprise 15 Benchmark for Level 1 - Workstation
Profile IDxccdf_org.ssgproject.content_profile_cis_workstation_l1
CPE Platforms
  • cpe:/o:suse:linux_enterprise_desktop:15
  • cpe:/o:suse:linux_enterprise_server:15
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. AppArmor
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
  2. Services
    1. Cron and At Daemons
    2. DHCP
    3. DNS Server
    4. FTP Server
    5. Web Server
    6. IMAP and POP3 Server
    7. LDAP
    8. Mail Server Software
    9. NFS and RPC
    10. Network Time Protocol
    11. Obsolete Services
    12. Proxy Server
    13. Samba(SMB) Microsoft Windows File Sharing Server
    14. SNMP Server
    15. SSH Server
Checklist
Group  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 15
                           Group contains 96 groups and 271 rules
Group  
@@ -115,11 +115,26 @@
 
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References
Identifiers: 
             CCE-83289-9
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+
+class install_aide {
+  package { 'aide':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -136,21 +151,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
-
-class install_aide {
-  package { 'aide':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Build and Test AIDE Database
                                   [ref]
Run the following command to generate a new database:
@@ -173,7 +173,18 @@
 If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files
 must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References
Identifiers: 
             CCE-85787-0
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.4.1


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -245,17 +256,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Rule  
                                 Configure Periodic Execution of AIDE
                                   [ref]
At a minimum, AIDE should be configured to run a weekly scan.
@@ -279,7 +279,22 @@
 Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
 monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References
Identifiers: 
             CCE-85671-6
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+else
+    sed -i '\!^.* --check.*$!d' /etc/crontab
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -376,21 +391,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-else
-    sed -i '\!^.* --check.*$!d' /etc/crontab
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Group  
                 Disk Partitioning
                           Group contains  1 rule
[ref]  
@@ -510,7 +510,15 @@
 configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
 which gives confidence that it reflects them.
Severity: 
high
Rule ID:xccdf_org.ssgproject.content_rule_dconf_db_up_to_date
Identifiers and References
Identifiers: 
             CCE-83288-1
References: 
-            164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), Req-6.2, SRG-OS-000480-GPOS-00227

Complexity:low
Disruption:medium
- name: Gather the package facts
+            164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), Req-6.2, SRG-OS-000480-GPOS-00227

# Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l2.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l2.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l2.html	2023-02-06 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitleCIS SUSE Linux Enterprise 15 Benchmark Level 2 - Workstation
Profile IDxccdf_org.ssgproject.content_profile_cis_workstation_l2
CPE Platforms
  • cpe:/o:suse:linux_enterprise_desktop:15
  • cpe:/o:suse:linux_enterprise_server:15
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. AppArmor
    5. GRUB2 bootloader configuration
    6. Configure Syslog
    7. Network Configuration and Firewalls
    8. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Proxy Server
    14. Samba(SMB) Microsoft Windows File Sharing Server
    15. SNMP Server
    16. SSH Server
Checklist
Group  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 15
                           Group contains 112 groups and 341 rules
Group  
@@ -115,11 +115,26 @@
 
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References
Identifiers: 
             CCE-83289-9
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+
+class install_aide {
+  package { 'aide':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -136,21 +151,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
-
-class install_aide {
-  package { 'aide':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Build and Test AIDE Database
                                   [ref]
Run the following command to generate a new database:
@@ -173,7 +173,18 @@
 If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files
 must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References
Identifiers: 
             CCE-85787-0
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.4.1


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -245,17 +256,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Rule  
                                 Configure Periodic Execution of AIDE
                                   [ref]
At a minimum, AIDE should be configured to run a weekly scan.
@@ -279,7 +279,22 @@
 Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
 monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References
Identifiers: 
             CCE-85671-6
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+else
+    sed -i '\!^.* --check.*$!d' /etc/crontab
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -376,21 +391,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-else
-    sed -i '\!^.* --check.*$!d' /etc/crontab
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Group  
                 Disk Partitioning
                           Group contains 6 rules
[ref]  
@@ -560,7 +560,15 @@
 configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
 which gives confidence that it reflects them.
Severity: 
high
Rule ID:xccdf_org.ssgproject.content_rule_dconf_db_up_to_date
Identifiers and References
Identifiers: 
             CCE-83288-1
References: 
-            164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), Req-6.2, SRG-OS-000480-GPOS-00227

Complexity:low
Disruption:medium
- name: Gather the package facts
+            164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), Req-6.2, SRG-OS-000480-GPOS-00227

# Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-hipaa.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-hipaa.html	2023-02-06 00:00:00.000000000 +0000
@@ -73,7 +73,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitleHealth Insurance Portability and Accountability Act (HIPAA)
Profile IDxccdf_org.ssgproject.content_profile_hipaa
CPE Platforms
  • cpe:/o:suse:linux_enterprise_desktop:15
  • cpe:/o:suse:linux_enterprise_server:15
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Base Services
    2. Cron and At Daemons
    3. NFS and RPC
    4. Obsolete Services
    5. Network Routing
    6. SSH Server
Checklist
Group  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 15
                           Group contains 54 groups and 137 rules
Group  
@@ -141,7 +141,16 @@
 information given by the RPM database. Executables with erroneous hashes could
 be a sign of nefarious activity on the system.
Severity: 
high
Rule ID:xccdf_org.ssgproject.content_rule_rpm_verify_hashes
Identifiers and References
Identifiers: 
             CCE-85788-8
References: 
-            11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227



+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+
+zypper install -f -y $packages_to_reinstall
+

Complexity:high
Disruption:medium
Strategy:restrict
- name: 'Set fact: Package manager reinstall command (dnf)'
   set_fact:
     package_manager_reinstall_cmd: dnf reinstall -y
   when: ansible_distribution == "Fedora"
@@ -294,15 +303,6 @@
   - no_reboot_needed
   - restrict_strategy
   - rpm_verify_hashes
-


-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-
-zypper install -f -y $packages_to_reinstall
 
Rule  
                                 Verify and Correct File Permissions with RPM
                                   [ref]
The RPM package management system can check file access permissions
@@ -328,7 +328,32 @@
 The permissions set by the vendor should be maintained. Any deviations from
 this baseline should be investigated.
Severity: 
high
Rule ID:xccdf_org.ssgproject.content_rule_rpm_verify_permissions
Identifiers and References
Identifiers: 
             CCE-85782-1
References: 
-            1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 6.1.1


Complexity:high
Disruption:medium
Strategy:restrict

+# Declare array to hold set of RPM packages we need to correct permissions for
+declare -A SETPERMS_RPM_DICT
+
+# Create a list of files on the system having permissions different from what
+# is expected by the RPM database
+readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
+
+for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
+do
+        # NOTE: some files maybe controlled by more then one package
+        readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
+        for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
+        do
+                # Use an associative array to store packages as it's keys, not having to care about duplicates.
+                SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
+        done
+done
+
+# For each of the RPM packages left in the list -- reset its permissions to the
+# correct values
+for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
+do
+	rpm --restore "${RPM_PACKAGE}"
+done
+

Complexity:high
Disruption:medium
Strategy:restrict
- name: Read list of files with incorrect permissions
   command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev
     --nocaps --nolinkto --nouser --nogroup
   register: files_with_incorrect_permissions
@@ -408,31 +433,6 @@
   - no_reboot_needed
   - restrict_strategy
   - rpm_verify_permissions
-

Complexity:high
Disruption:medium
Strategy:restrict

-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
-        # NOTE: some files maybe controlled by more then one package
-        readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
-        for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
-        do
-                # Use an associative array to store packages as it's keys, not having to care about duplicates.
-                SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
-        done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
-	rpm --restore "${RPM_PACKAGE}"
-done
 
Group  
                 System Cryptographic Policies
                           Group contains 2 rules
[ref]  
@@ -475,7 +475,25 @@
 the applications that run on that operating system. Use of weak or untested encryption algorithms
 undermines the purposes of utilizing encryption to protect data.
Severity: 
high
Rule ID:xccdf_org.ssgproject.content_rule_configure_crypto_policy
Identifiers and References
Identifiers: 
             CCE-85776-3
References: 
-            164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174



+var_system_crypto_policy='DEFAULT'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+	echo "$stderr_of_call" >&2
+	echo "Make sure that the script is installed on the remediated system." >&2
+	echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+	echo "to see what package to (re)install" >&2
+
+	false  # end with an error code
+elif test "$rc" != 0; then
+	echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+	false  # end with an error code
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str DEFAULT
   tags:
@@ -520,24 +538,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-


-var_system_crypto_policy='DEFAULT'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
-	echo "$stderr_of_call" >&2
-	echo "Make sure that the script is installed on the remediated system." >&2
-	echo "See output of the 'dnf provides update-crypto-policies' command" >&2
-	echo "to see what package to (re)install" >&2
-
-	false  # end with an error code
-elif test "$rc" != 0; then
-	echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
-	false  # end with an error code
-fi
 
Rule  
                                 Configure SSH to use System Crypto Policy
                                   [ref]
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -548,7 +548,11 @@
 in the /etc/sysconfig/sshd.
Rationale:
Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
 and makes system configuration more fragmented.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy
Identifiers and References
Identifiers: 
             CCE-85795-3
References: 
-            CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, SRG-OS-000250-GPOS-00093



+SSH_CONF="/etc/sysconfig/sshd"
+
+sed -i "/^\s*CRYPTO_POLICY.*$/Id" $SSH_CONF
+

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: Configure SSH to use System Crypto Policy
   lineinfile:
     dest: /etc/sysconfig/sshd
     state: absent
@@ -567,10 +571,6 @@
   - medium_disruption
   - medium_severity
   - reboot_required
-


-SSH_CONF="/etc/sysconfig/sshd"
-
-sed -i "/^\s*CRYPTO_POLICY.*$/Id" $SSH_CONF
 
Group  
                 Disk Partitioning
                           Group contains  1 rule
[ref]  
@@ -649,7 +649,69 @@
 After the settings have been set, run dconf update.
Rationale:
Username and password prompting is required for remote access. Otherwise, non-authorized
 and nefarious users can access the system freely.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt
Identifiers and References
Identifiers: 
             CCE-85777-1
References: 
-            3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)

Complexity:low
Disruption:medium
- name: Gather the package facts
+            3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)

# Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+# Check for setting in any of the DConf db directories
+# If files contain ibus or distro, ignore them.
+# The assignment assumes that individual filenames don't contain :
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/Vino\\]" "/etc/dconf/db/" \
+                                | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss-4.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss-4.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss-4.html	2023-02-06 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitlePCI-DSS v4 Control Baseline for SUSE Linux enterprise 15
Profile IDxccdf_org.ssgproject.content_profile_pci-dss-4
CPE Platforms
  • cpe:/o:suse:linux_enterprise_desktop:15
  • cpe:/o:suse:linux_enterprise_server:15
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. LDAP
    8. Mail Server Software
    9. NFS and RPC
    10. Network Time Protocol
    11. Obsolete Services
    12. Print Support
    13. Samba(SMB) Microsoft Windows File Sharing Server
    14. SNMP Server
    15. SSH Server
    16. System Security Services Daemon
Checklist
Group  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 15
                           Group contains 102 groups and 258 rules
Group  
@@ -133,7 +133,16 @@
 information given by the RPM database. Executables with erroneous hashes could
 be a sign of nefarious activity on the system.
Severity: 
high
Rule ID:xccdf_org.ssgproject.content_rule_rpm_verify_hashes
Identifiers and References
Identifiers: 
             CCE-85788-8
References: 
-            11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227



+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+
+zypper install -f -y $packages_to_reinstall
+

Complexity:high
Disruption:medium
Strategy:restrict
- name: 'Set fact: Package manager reinstall command (dnf)'
   set_fact:
     package_manager_reinstall_cmd: dnf reinstall -y
   when: ansible_distribution == "Fedora"
@@ -286,15 +295,6 @@
   - no_reboot_needed
   - restrict_strategy
   - rpm_verify_hashes
-


-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-
-zypper install -f -y $packages_to_reinstall
 
Rule  
                                 Verify and Correct Ownership with RPM
                                   [ref]
The RPM package management system can check file ownership
@@ -340,7 +340,32 @@
 The permissions set by the vendor should be maintained. Any deviations from
 this baseline should be investigated.
Severity: 
high
Rule ID:xccdf_org.ssgproject.content_rule_rpm_verify_permissions
Identifiers and References
Identifiers: 
             CCE-85782-1
References: 
-            1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 6.1.1


Complexity:high
Disruption:medium
Strategy:restrict

+# Declare array to hold set of RPM packages we need to correct permissions for
+declare -A SETPERMS_RPM_DICT
+
+# Create a list of files on the system having permissions different from what
+# is expected by the RPM database
+readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
+
+for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
+do
+        # NOTE: some files maybe controlled by more then one package
+        readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
+        for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
+        do
+                # Use an associative array to store packages as it's keys, not having to care about duplicates.
+                SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
+        done
+done
+
+# For each of the RPM packages left in the list -- reset its permissions to the
+# correct values
+for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
+do
+	rpm --restore "${RPM_PACKAGE}"
+done
+

Complexity:high
Disruption:medium
Strategy:restrict
- name: Read list of files with incorrect permissions
   command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev
     --nocaps --nolinkto --nouser --nogroup
   register: files_with_incorrect_permissions
@@ -420,31 +445,6 @@
   - no_reboot_needed
   - restrict_strategy
   - rpm_verify_permissions
-

Complexity:high
Disruption:medium
Strategy:restrict

-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
-        # NOTE: some files maybe controlled by more then one package
-        readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
-        for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
-        do
-                # Use an associative array to store packages as it's keys, not having to care about duplicates.
-                SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
-        done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
-	rpm --restore "${RPM_PACKAGE}"
-done
 
Group  
                 Verify Integrity with AIDE
                           Group contains 3 rules
[ref]  
@@ -458,11 +458,26 @@
 
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References
Identifiers: 
             CCE-83289-9
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+
+class install_aide {
+  package { 'aide':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -479,21 +494,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
-
-class install_aide {
-  package { 'aide':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Build and Test AIDE Database
                                   [ref]
Run the following command to generate a new database:
@@ -516,7 +516,18 @@
 If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files
 must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References
Identifiers: 
             CCE-85787-0
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.4.1


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -588,17 +599,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Rule  
                                 Configure Periodic Execution of AIDE
                                   [ref]
At a minimum, AIDE should be configured to run a weekly scan.
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss.html	2023-02-06 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitlePCI-DSS v3.2.1 Control Baseline for SUSE Linux enterprise 15
Profile IDxccdf_org.ssgproject.content_profile_pci-dss
CPE Platforms
  • cpe:/o:suse:linux_enterprise_desktop:15
  • cpe:/o:suse:linux_enterprise_server:15
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
  2. Services
    1. Network Time Protocol
    2. SSH Server
    3. System Security Services Daemon
Checklist
Group  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 15
                           Group contains 65 groups and 162 rules
Group  
@@ -133,7 +133,16 @@
 information given by the RPM database. Executables with erroneous hashes could
 be a sign of nefarious activity on the system.
Severity: 
high
Rule ID:xccdf_org.ssgproject.content_rule_rpm_verify_hashes
Identifiers and References
Identifiers: 
             CCE-85788-8
References: 
-            11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227



+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+
+zypper install -f -y $packages_to_reinstall
+

Complexity:high
Disruption:medium
Strategy:restrict
- name: 'Set fact: Package manager reinstall command (dnf)'
   set_fact:
     package_manager_reinstall_cmd: dnf reinstall -y
   when: ansible_distribution == "Fedora"
@@ -286,15 +295,6 @@
   - no_reboot_needed
   - restrict_strategy
   - rpm_verify_hashes
-


-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-
-zypper install -f -y $packages_to_reinstall
 
Rule  
                                 Verify and Correct Ownership with RPM
                                   [ref]
The RPM package management system can check file ownership
@@ -340,7 +340,32 @@
 The permissions set by the vendor should be maintained. Any deviations from
 this baseline should be investigated.
Severity: 
high
Rule ID:xccdf_org.ssgproject.content_rule_rpm_verify_permissions
Identifiers and References
Identifiers: 
             CCE-85782-1
References: 
-            1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 6.1.1


Complexity:high
Disruption:medium
Strategy:restrict

+# Declare array to hold set of RPM packages we need to correct permissions for
+declare -A SETPERMS_RPM_DICT
+
+# Create a list of files on the system having permissions different from what
+# is expected by the RPM database
+readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
+
+for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
+do
+        # NOTE: some files maybe controlled by more then one package
+        readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
+        for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
+        do
+                # Use an associative array to store packages as it's keys, not having to care about duplicates.
+                SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
+        done
+done
+
+# For each of the RPM packages left in the list -- reset its permissions to the
+# correct values
+for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
+do
+	rpm --restore "${RPM_PACKAGE}"
+done
+

Complexity:high
Disruption:medium
Strategy:restrict
- name: Read list of files with incorrect permissions
   command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev
     --nocaps --nolinkto --nouser --nogroup
   register: files_with_incorrect_permissions
@@ -420,31 +445,6 @@
   - no_reboot_needed
   - restrict_strategy
   - rpm_verify_permissions
-

Complexity:high
Disruption:medium
Strategy:restrict

-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
-        # NOTE: some files maybe controlled by more then one package
-        readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
-        for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
-        do
-                # Use an associative array to store packages as it's keys, not having to care about duplicates.
-                SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
-        done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
-	rpm --restore "${RPM_PACKAGE}"
-done
 
Group  
                 Verify Integrity with AIDE
                           Group contains 3 rules
[ref]  
@@ -458,11 +458,26 @@
 
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References
Identifiers: 
             CCE-83289-9
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+
+class install_aide {
+  package { 'aide':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -479,21 +494,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
-
-class install_aide {
-  package { 'aide':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Build and Test AIDE Database
                                   [ref]
Run the following command to generate a new database:
@@ -516,7 +516,18 @@
 If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files
 must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References
Identifiers: 
             CCE-85787-0
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.4.1


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -588,17 +599,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Rule  
                                 Configure Periodic Execution of AIDE
                                   [ref]
At a minimum, AIDE should be configured to run a weekly scan.
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pcs-hardening-sap.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pcs-hardening-sap.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pcs-hardening-sap.html	2023-02-06 00:00:00.000000000 +0000
@@ -68,7 +68,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitleHardening for Public Cloud Image of SUSE Linux Enterprise Server (SLES) for SAP Applications 15
Profile IDxccdf_org.ssgproject.content_profile_pcs-hardening-sap
CPE Platforms
  • cpe:/o:suse:linux_enterprise_desktop:15
  • cpe:/o:suse:linux_enterprise_server:15
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
  2. Services
    1. Cron and At Daemons
    2. Network Time Protocol
    3. SSH Server
Checklist
Group  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 15
                           Group contains 52 groups and 167 rules
Group  
@@ -113,11 +113,26 @@
 
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References
Identifiers: 
             CCE-83289-9
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+
+class install_aide {
+  package { 'aide':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -134,21 +149,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
-
-class install_aide {
-  package { 'aide':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Configure AIDE to Verify the Audit Tools
                                   [ref]
The operating system file integrity tool must be configured to protect the integrity of the audit tools.
Rationale:
Protecting the integrity of the tools used for auditing purposes is a
@@ -171,7 +171,66 @@
 manipulated, or replaced. An example is a checksum hash of the file or
 files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_check_audit_tools
Identifiers and References
Identifiers: 
             CCE-85610-4
References: 
-            CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SLES-15-030630, SV-234962r622137_rule

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure aide is installed
+            CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SLES-15-030630, SV-234962r622137_rule

Complexity:low
Disruption:low
Strategy:restrict
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+
+
+
+
+
+
+
+
+
+if grep -i '^.*/usr/sbin/auditctl.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/auditctl.*#/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/auditd.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/auditd.*#/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/ausearch.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/ausearch.*#/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/aureport.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/aureport.*#/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/autrace.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/autrace.*#/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/augenrules.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/augenrules.*#/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/audispd.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/audispd.*#/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure aide is installed
   package:
     name: '{{ item }}'
     state: present
@@ -249,65 +308,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Complexity:low
Disruption:low
Strategy:restrict
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-
-
-
-
-
-
-
-
-
-if grep -i '^.*/usr/sbin/auditctl.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/auditctl.*#/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/auditd.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/auditd.*#/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/ausearch.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/ausearch.*#/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/aureport.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/aureport.*#/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/autrace.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/autrace.*#/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/augenrules.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/augenrules.*#/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/audispd.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/audispd.*#/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Rule  
                                 Configure Periodic Execution of AIDE
                                   [ref]
At a minimum, AIDE should be configured to run a weekly scan.
@@ -331,7 +331,22 @@
 Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
 monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References
Identifiers: 
             CCE-85671-6
References: 
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pcs-hardening.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pcs-hardening.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pcs-hardening.html	2023-02-06 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitlePublic Cloud Hardening for SUSE Linux Enterprise 15
Profile IDxccdf_org.ssgproject.content_profile_pcs-hardening
CPE Platforms
  • cpe:/o:suse:linux_enterprise_desktop:15
  • cpe:/o:suse:linux_enterprise_server:15
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
  2. Services
    1. Cron and At Daemons
    2. Network Time Protocol
    3. SSH Server
Checklist
Group  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 15
                           Group contains 54 groups and 165 rules
Group  
@@ -127,7 +127,66 @@
 manipulated, or replaced. An example is a checksum hash of the file or
 files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_check_audit_tools
Identifiers and References
Identifiers: 
             CCE-85610-4
References: 
-            CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SLES-15-030630, SV-234962r622137_rule

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure aide is installed
+            CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SLES-15-030630, SV-234962r622137_rule

Complexity:low
Disruption:low
Strategy:restrict
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+
+
+
+
+
+
+
+
+
+if grep -i '^.*/usr/sbin/auditctl.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/auditctl.*#/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/auditd.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/auditd.*#/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/ausearch.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/ausearch.*#/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/aureport.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/aureport.*#/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/autrace.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/autrace.*#/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/augenrules.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/augenrules.*#/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/audispd.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/audispd.*#/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure aide is installed
   package:
     name: '{{ item }}'
     state: present
@@ -205,65 +264,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Complexity:low
Disruption:low
Strategy:restrict
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-
-
-
-
-
-
-
-
-
-if grep -i '^.*/usr/sbin/auditctl.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/auditctl.*#/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/auditd.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/auditd.*#/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/ausearch.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/ausearch.*#/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/aureport.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/aureport.*#/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/autrace.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/autrace.*#/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/augenrules.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/augenrules.*#/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/audispd.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/audispd.*#/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Rule  
                                 Configure Periodic Execution of AIDE
                                   [ref]
At a minimum, AIDE should be configured to run a weekly scan.
@@ -287,7 +287,22 @@
 Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
 monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References
Identifiers: 
             CCE-85671-6
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+else
+    sed -i '\!^.* --check.*$!d' /etc/crontab
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -384,21 +399,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-else
-    sed -i '\!^.* --check.*$!d' /etc/crontab
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Rule  
                                 Configure AIDE to Verify Access Control Lists (ACLs)
                                   [ref]
By default, the acl option is added to the FIPSR ruleset in AIDE.
@@ -413,7 +413,35 @@
 /etc/aide.conf
Rationale:
ACLs can provide permissions beyond those permitted through the file mode and must be
 verified by the file integrity tools.
Severity: 
low
Rule ID:xccdf_org.ssgproject.content_rule_aide_verify_acls
Identifiers and References
Identifiers: 
             CCE-85623-7
References: 
-            BP28(R51), 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, CCI-000366, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7, SI-7(1), CM-6(a), PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227, SLES-15-040040, SV-234986r622137_rule


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-standard.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-standard.html	2023-02-06 00:00:00.000000000 +0000
@@ -68,7 +68,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitleStandard System Security Profile for SUSE Linux Enterprise 15
Profile IDxccdf_org.ssgproject.content_profile_standard
CPE Platforms
  • cpe:/o:suse:linux_enterprise_desktop:15
  • cpe:/o:suse:linux_enterprise_server:15
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
  2. Services
    1. Cron and At Daemons
    2. Deprecated services
    3. Web Server
    4. Network Time Protocol
    5. SSH Server
Checklist
Group  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 15
                           Group contains 45 groups and 119 rules
Group  
@@ -209,7 +209,10 @@
 users may take advantage of weaknesses in the unpatched software. The
 lack of prompt attention to patching could result in a system compromise.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_security_patches_up_to_date
Identifiers and References
Identifiers: 
             CCE-83261-8
References: 
-            BP28(R08), 18, 20, 4, 5.10.4.1, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, CCI-000366, CCI-001227, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, SI-2(5), SI-2(c), CM-6(a), ID.RA-1, PR.IP-12, FMT_MOF_EXT.1, Req-6.2, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000, SLES-15-010010, SV-234802r622137_rule


Complexity:low
Disruption:high
Reboot:true
Strategy:patch

+
+zypper patch -g security -y
+

Complexity:low
Disruption:high
Reboot:true
Strategy:patch
- name: Security patches are up to date
   package:
     name: '*'
     state: latest
@@ -228,9 +231,6 @@
   - reboot_required
   - security_patches_up_to_date
   - skip_ansible_lint
-

Complexity:low
Disruption:high
Reboot:true
Strategy:patch

-
-zypper patch -g security -y
 
Group  
                 Account and Access Control
                           Group contains 7 groups and 16 rules
[ref]  
@@ -315,7 +315,114 @@
 user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking
 the account.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
Identifiers and References
Identifiers: 
             CCE-85842-3
References: 
-            BP28(R18), 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, Req-8.1.6, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, SRG-OS-000021-VMM-000050


# Remediation is applicable only in certain platforms
+if rpm --quiet -q pam; then
+
+var_accounts_passwords_pam_faillock_deny='3'
+
+
+if [ -f /usr/bin/authselect ]; then
+    if ! authselect check; then
+echo "
+authselect integrity check failed. Remediation aborted!
+This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
+It is not recommended to manually edit the PAM files when authselect tool is available.
+In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
+exit 1
+fi
+authselect enable-feature with-faillock
+
+authselect apply-changes -b
+else
+    
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+for pam_file in "${AUTH_FILES[@]}"
+do
+    if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then
+        sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth        required      pam_faillock.so preauth silent' "$pam_file"
+        sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth        required      pam_faillock.so authfail' "$pam_file"
+        sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account     required      pam_faillock.so' "$pam_file"
+    fi
+    sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required     \3/g' "$pam_file"
+done
+
+fi
+
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+
+FAILLOCK_CONF="/etc/security/faillock.conf"
+if [ -f $FAILLOCK_CONF ]; then
+    regex="^\s*deny\s*="
+    line="deny = $var_accounts_passwords_pam_faillock_deny"
+    if ! grep -q $regex $FAILLOCK_CONF; then
+        echo $line >> $FAILLOCK_CONF
+    else
+        sed -i --follow-symlinks 's|^\s*\(deny\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_deny"'|g' $FAILLOCK_CONF
+    fi
+    for pam_file in "${AUTH_FILES[@]}"
+    do
+        if [ -e "$pam_file" ] ; then
+            PAM_FILE_PATH="$pam_file"
+            if [ -f /usr/bin/authselect ]; then
+                
+                if ! authselect check; then
+                echo "
+                authselect integrity check failed. Remediation aborted!
+                This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
+                It is not recommended to manually edit the PAM files when authselect tool is available.
+                In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
+                exit 1
+                fi
+
+                CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
+                # If not already in use, a custom profile is created preserving the enabled features.
+                if [[ ! $CURRENT_PROFILE == custom/* ]]; then
+                    ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
+                    authselect create-profile hardening -b $CURRENT_PROFILE
+                    CURRENT_PROFILE="custom/hardening"
+                    
+                    authselect apply-changes -b --backup=before-hardening-custom-profile
+                    authselect select $CURRENT_PROFILE
+                    for feature in $ENABLED_FEATURES; do
+                        authselect enable-feature $feature;
+                    done
+                    
+                    authselect apply-changes -b --backup=after-hardening-custom-profile
+                fi
+                PAM_FILE_NAME=$(basename "$pam_file")
+                PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
+
+                authselect apply-changes -b
+            fi
+            
+        if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bdeny\b' "$PAM_FILE_PATH"; then
+            sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bdeny\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+        fi
+            if [ -f /usr/bin/authselect ]; then
+                
+                authselect apply-changes -b
+            fi
+        else
+            echo "$pam_file was not found" >&2
+        fi
+    done
+else
+    for pam_file in "${AUTH_FILES[@]}"
+    do
+        if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' "$pam_file"; then
+            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
+            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
+        else
+            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file"
+            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file"
+        fi
+    done
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -988,11 +1095,27 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if rpm --quiet -q pam; then
-
-var_accounts_passwords_pam_faillock_deny='3'
+
Rule  
+                                Configure the root Account for Failed Password Attempts
+                                  [ref]
This rule configures the system to lock out the root account after a number of
+incorrect login attempts using pam_faillock.so.
 
+pam_faillock.so module requires multiple entries in pam files. These entries must be carefully
+defined to work as expected. In order to avoid errors when manually editing these files, it is
+recommended to use the appropriate tools, such as authselect or authconfig,
+depending on the OS version.
Warning: 
+                                        If the system relies on authselect tool to manage PAM settings, the remediation
+will also use authselect tool. However, if any manual modification was made in
+PAM files, the authselect integrity check will fail and the remediation will be
+aborted in order to preserve intentional changes. In this case, an informative message will
+be shown in the remediation report.
+If the system supports the /etc/security/faillock.conf file, the pam_faillock
+parameters should be defined in faillock.conf file.
Rationale:
By limiting the number of failed logon attempts, the risk of unauthorized system access via
+user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking
+the account.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
Identifiers and References
Identifiers: 
+            CCE-91171-9
References: 
+            BP28(R18), 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-002238, CCI-000044, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(b), IA-5(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005

# Remediation is applicable only in certain platforms
+if rpm --quiet -q pam; then
 
 if [ -f /usr/bin/authselect ]; then
     if ! authselect check; then
@@ -1025,12 +1148,10 @@
 
 FAILLOCK_CONF="/etc/security/faillock.conf"
 if [ -f $FAILLOCK_CONF ]; then
-    regex="^\s*deny\s*="
-    line="deny = $var_accounts_passwords_pam_faillock_deny"
+    regex="^\s*even_deny_root"
+    line="even_deny_root"
     if ! grep -q $regex $FAILLOCK_CONF; then
         echo $line >> $FAILLOCK_CONF
-    else
-        sed -i --follow-symlinks 's|^\s*\(deny\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_deny"'|g' $FAILLOCK_CONF
     fi
     for pam_file in "${AUTH_FILES[@]}"
     do
@@ -1068,8 +1189,8 @@
                 authselect apply-changes -b
             fi
             
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-stig.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-stig.html	2023-02-06 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitleDISA STIG for SUSE Linux Enterprise 15
Profile IDxccdf_org.ssgproject.content_profile_stig
CPE Platforms
  • cpe:/o:suse:linux_enterprise_desktop:15
  • cpe:/o:suse:linux_enterprise_server:15
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. AppArmor
    5. GRUB2 bootloader configuration
    6. Configure Syslog
    7. Network Configuration and Firewalls
    8. File Permissions and Masks
  2. Services
    1. Base Services
    2. FTP Server
    3. Mail Server Software
    4. NFS and RPC
    5. Network Time Protocol
    6. Obsolete Services
    7. SSH Server
    8. System Security Services Daemon
Checklist
Group  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 15
                           Group contains 83 groups and 238 rules
Group  
@@ -111,11 +111,26 @@
 
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References
Identifiers: 
             CCE-83289-9
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+
+class install_aide {
+  package { 'aide':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -132,21 +147,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
-
-class install_aide {
-  package { 'aide':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Configure AIDE to Verify the Audit Tools
                                   [ref]
The operating system file integrity tool must be configured to protect the integrity of the audit tools.
Rationale:
Protecting the integrity of the tools used for auditing purposes is a
@@ -169,7 +169,66 @@
 manipulated, or replaced. An example is a checksum hash of the file or
 files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_check_audit_tools
Identifiers and References
Identifiers: 
             CCE-85610-4
References: 
-            CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SLES-15-030630, SV-234962r622137_rule

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure aide is installed
+            CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SLES-15-030630, SV-234962r622137_rule

Complexity:low
Disruption:low
Strategy:restrict
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+
+
+
+
+
+
+
+
+
+if grep -i '^.*/usr/sbin/auditctl.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/auditctl.*#/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/auditd.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/auditd.*#/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/ausearch.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/ausearch.*#/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/aureport.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/aureport.*#/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/autrace.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/autrace.*#/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/augenrules.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/augenrules.*#/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/audispd.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/audispd.*#/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure aide is installed
   package:
     name: '{{ item }}'
     state: present
@@ -247,65 +306,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Complexity:low
Disruption:low
Strategy:restrict
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-
-
-
-
-
-
-
-
-
-if grep -i '^.*/usr/sbin/auditctl.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/auditctl.*#/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/auditd.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/auditd.*#/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/ausearch.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/ausearch.*#/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/aureport.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/aureport.*#/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/autrace.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/autrace.*#/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/augenrules.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/augenrules.*#/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/audispd.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/audispd.*#/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Rule  
                                 Configure Periodic Execution of AIDE
                                   [ref]
At a minimum, AIDE should be configured to run a weekly scan.
@@ -329,7 +329,22 @@
 Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
 monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References
Identifiers: 
             CCE-85671-6
References: 
/usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml	2023-02-06 00:00:00.000000000 +0000
@@ -108,7 +108,7 @@
   
   
     
-      draft
+      draft
       Guide to the Secure Configuration of openSUSE
       This guide presents a catalog of security-relevant
 configuration settings for openSUSE. It is a rendering of
@@ -151,9 +151,9 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.
       
-        
+        
           
-            
+            
           
         
         
@@ -161,29 +161,29 @@
             
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
         
@@ -191,34 +191,34 @@
             
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
         
@@ -226,9 +226,9 @@
             
           
         
-        
+        
           
-            
+            
           
         
       
@@ -1696,20 +1696,6 @@
               BP28(R58)
               Restricting the capability of sudo allowed commands to execute sub-commands
 prevents users from running programs with privileges they wouldn't have otherwise.
-              - name: Ensure noexec is enabled in /etc/sudoers
-  lineinfile:
-    path: /etc/sudoers
-    regexp: ^[\s]*Defaults.*\bnoexec\b.*$
-    line: Defaults noexec
-    validate: /usr/sbin/visudo -cf %s
-  tags:
-  - high_severity
-  - low_complexity
-  - low_disruption
-  - no_reboot_needed
-  - restrict_strategy
-  - sudo_add_noexec
-
               
 if /usr/sbin/visudo -qcf /etc/sudoers; then
     cp /etc/sudoers /etc/sudoers.bak
@@ -1731,6 +1717,20 @@
     false
 fi
 
+              - name: Ensure noexec is enabled in /etc/sudoers
+  lineinfile:
+    path: /etc/sudoers
+    regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+    line: Defaults noexec
+    validate: /usr/sbin/visudo -cf %s
+  tags:
+  - high_severity
+  - low_complexity
+  - low_disruption
+  - no_reboot_needed
+  - restrict_strategy
+  - sudo_add_noexec
+
               
                 
               
@@ -1748,20 +1748,6 @@
               BP28(R58)
               Restricting the use cases in which a user is allowed to execute sudo commands
 reduces the attack surface.
-              - name: Ensure requiretty is enabled in /etc/sudoers
-  lineinfile:
-    path: /etc/sudoers
-    regexp: ^[\s]*Defaults.*\brequiretty\b.*$
-    line: Defaults requiretty
-    validate: /usr/sbin/visudo -cf %s
-  tags:
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - no_reboot_needed
-  - restrict_strategy
-  - sudo_add_requiretty
-
               
 if /usr/sbin/visudo -qcf /etc/sudoers; then
     cp /etc/sudoers /etc/sudoers.bak
@@ -1783,6 +1769,20 @@
     false
 fi
 
+              - name: Ensure requiretty is enabled in /etc/sudoers
+  lineinfile:
+    path: /etc/sudoers
+    regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+    line: Defaults requiretty
+    validate: /usr/sbin/visudo -cf %s
+  tags:
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
/usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml	2023-02-06 00:00:00.000000000 +0000
@@ -108,7 +108,7 @@
   
   
     
-      draft
+      draft
       Guide to the Secure Configuration of openSUSE
       This guide presents a catalog of security-relevant
 configuration settings for openSUSE. It is a rendering of
@@ -151,9 +151,9 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.
       
-        
+        
           
-            
+            
           
         
         
@@ -161,29 +161,29 @@
             
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
         
@@ -191,34 +191,34 @@
             
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
         
@@ -226,9 +226,9 @@
             
           
         
-        
+        
           
-            
+            
           
         
       
@@ -1696,20 +1696,6 @@
               BP28(R58)
               Restricting the capability of sudo allowed commands to execute sub-commands
 prevents users from running programs with privileges they wouldn't have otherwise.
-              - name: Ensure noexec is enabled in /etc/sudoers
-  lineinfile:
-    path: /etc/sudoers
-    regexp: ^[\s]*Defaults.*\bnoexec\b.*$
-    line: Defaults noexec
-    validate: /usr/sbin/visudo -cf %s
-  tags:
-  - high_severity
-  - low_complexity
-  - low_disruption
-  - no_reboot_needed
-  - restrict_strategy
-  - sudo_add_noexec
-
               
 if /usr/sbin/visudo -qcf /etc/sudoers; then
     cp /etc/sudoers /etc/sudoers.bak
@@ -1731,6 +1717,20 @@
     false
 fi
 
+              - name: Ensure noexec is enabled in /etc/sudoers
+  lineinfile:
+    path: /etc/sudoers
+    regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+    line: Defaults noexec
+    validate: /usr/sbin/visudo -cf %s
+  tags:
+  - high_severity
+  - low_complexity
+  - low_disruption
+  - no_reboot_needed
+  - restrict_strategy
+  - sudo_add_noexec
+
               
                 
               
@@ -1748,20 +1748,6 @@
               BP28(R58)
               Restricting the use cases in which a user is allowed to execute sudo commands
 reduces the attack surface.
-              - name: Ensure requiretty is enabled in /etc/sudoers
-  lineinfile:
-    path: /etc/sudoers
-    regexp: ^[\s]*Defaults.*\brequiretty\b.*$
-    line: Defaults requiretty
-    validate: /usr/sbin/visudo -cf %s
-  tags:
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - no_reboot_needed
-  - restrict_strategy
-  - sudo_add_requiretty
-
               
 if /usr/sbin/visudo -qcf /etc/sudoers; then
     cp /etc/sudoers /etc/sudoers.bak
@@ -1783,6 +1769,20 @@
     false
 fi
 
+              - name: Ensure requiretty is enabled in /etc/sudoers
+  lineinfile:
+    path: /etc/sudoers
+    regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+    line: Defaults requiretty
+    validate: /usr/sbin/visudo -cf %s
+  tags:
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
/usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml	2023-02-06 00:00:00.000000000 +0000
@@ -7,898 +7,898 @@
     2023-02-06T00:00:00
   
   
-    
-      Verify User Who Owns /var/log/messages File
+    
+      Ensure the default plugins for the audit dispatcher are Installed
       
-        ocil:ssg-file_owner_var_log_messages_action:testaction:1
+        ocil:ssg-package_audit-audispd-plugins_installed_action:testaction:1
       
     
-    
-      Verify that System Executables Have Root Ownership
+    
+      Enable module signature verification
       
-        ocil:ssg-file_ownership_binary_dirs_action:testaction:1
+        ocil:ssg-kernel_config_module_sig_action:testaction:1
       
     
-    
-      Randomize the address of the kernel image (KASLR)
+    
+      Ensure SMEP is not disabled during boot
       
-        ocil:ssg-kernel_config_randomize_base_action:testaction:1
+        ocil:ssg-grub2_nosmep_argument_absent_action:testaction:1
       
     
-    
-      Record Events that Modify the System's Network Environment
+    
+      Set hostname as computer node name in audit logs
       
-        ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1
+        ocil:ssg-auditd_name_format_action:testaction:1
       
     
-    
-      Enforce Spectre v2 mitigation
+    
+      Install the Host Intrusion Prevention System (HIPS) Module
       
-        ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+        ocil:ssg-package_MFEhiplsm_installed_action:testaction:1
       
     
-    
-      Enable syslog-ng Service
+    
+      Verify User Who Owns Backup gshadow File
       
-        ocil:ssg-service_syslogng_enabled_action:testaction:1
+        ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1
       
     
-    
-      System Audit Logs Must Be Owned By Root
+    
+      Ensure rsyslog is Installed
       
-        ocil:ssg-file_ownership_var_log_audit_action:testaction:1
+        ocil:ssg-package_rsyslog_installed_action:testaction:1
       
     
-    
-      Record attempts to alter time through settimeofday
+    
+      Enable poison without sanity check
       
-        ocil:ssg-audit_rules_time_settimeofday_action:testaction:1
+        ocil:ssg-kernel_config_page_poisoning_no_sanity_action:testaction:1
       
     
-    
-      Enable TCP/IP syncookie support
+    
+      Ensure SELinux State is Enforcing
       
-        ocil:ssg-kernel_config_syn_cookies_action:testaction:1
+        ocil:ssg-selinux_state_action:testaction:1
       
     
-    
-      Enable GSSAPI Authentication
+    
+      Verify Permissions on passwd File
       
-        ocil:ssg-sshd_enable_gssapi_auth_action:testaction:1
+        ocil:ssg-file_permissions_etc_passwd_action:testaction:1
       
     
-    
-      Enable rsyslog Service
+    
+      Record Events that Modify the System's Mandatory Access Controls
       
-        ocil:ssg-service_rsyslog_enabled_action:testaction:1
+        ocil:ssg-audit_rules_mac_modification_action:testaction:1
       
     
-    
-      Record Events that Modify the System's Discretionary Access Controls - lsetxattr
+    
+      Disable x86 vsyscall emulation
       
-        ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1
+        ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1
       
     
-    
-      Set Password Warning Age
+    
+      Disable Host-Based Authentication
       
-        ocil:ssg-accounts_password_warn_age_login_defs_action:testaction:1
+        ocil:ssg-disable_host_auth_action:testaction:1
       
     
-    
-      Make the auditd Configuration Immutable
+    
+      Enable Use of Strict Mode Checking
       
-        ocil:ssg-audit_rules_immutable_action:testaction:1
+        ocil:ssg-sshd_enable_strictmodes_action:testaction:1
       
     
-    
-      Verify User Who Owns passwd File
+    
+      Enforce Spectre v2 mitigation
       
-        ocil:ssg-file_owner_etc_passwd_action:testaction:1
+        ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
       
     
-    
-      Disable the 32-bit vDSO
+    
+      Verify Permissions on shadow File
       
-        ocil:ssg-kernel_config_compat_vdso_action:testaction:1
+        ocil:ssg-file_permissions_etc_shadow_action:testaction:1
       
     
-    
-      Remove the OpenSSH Server Package
+    
+      IOMMU configuration directive
       
-        ocil:ssg-package_openssh-server_removed_action:testaction:1
+        ocil:ssg-grub2_enable_iommu_force_action:testaction:1
       
     
-    
-      Ensure /tmp Located On Separate Partition
+    
+      Enable checks on credential management
       
-        ocil:ssg-partition_for_tmp_action:testaction:1
+        ocil:ssg-kernel_config_debug_credentials_action:testaction:1
       
     
-    
-      Ensure the audit Subsystem is Installed
+    
+      Install the ntp service
       
-        ocil:ssg-package_audit_installed_action:testaction:1
+        ocil:ssg-package_ntp_installed_action:testaction:1
       
     
-    
-      Ensure auditd Collects File Deletion Events by User - unlinkat
+    
+      Explicit arguments in sudo specifications
       
-        ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1
+        ocil:ssg-sudoers_explicit_command_args_action:testaction:1
       
     
-    
-      Ensure syslog-ng is Installed
+    
+      Disable support for /proc/kkcore
       
-        ocil:ssg-package_syslogng_installed_action:testaction:1
+        ocil:ssg-kernel_config_proc_kcore_action:testaction:1
       
     
-    
-      Ensure No World-Writable Files Exist
+    
+      Add nodev Option to /dev/shm
       
/usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml	2023-02-06 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
 
 
-  draft
+  draft
   Guide to the Secure Configuration of openSUSE
   This guide presents a catalog of security-relevant
 configuration settings for openSUSE. It is a rendering of
@@ -43,9 +43,9 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.
   
-    
+    
       
-        
+        
       
     
     
@@ -53,29 +53,29 @@
         
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
     
@@ -83,34 +83,34 @@
         
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
     
@@ -118,9 +118,9 @@
         
       
     
-    
+    
       
-        
+        
       
     
   
@@ -1588,20 +1588,6 @@
           BP28(R58)
           Restricting the capability of sudo allowed commands to execute sub-commands
 prevents users from running programs with privileges they wouldn't have otherwise.
-          - name: Ensure noexec is enabled in /etc/sudoers
-  lineinfile:
-    path: /etc/sudoers
-    regexp: ^[\s]*Defaults.*\bnoexec\b.*$
-    line: Defaults noexec
-    validate: /usr/sbin/visudo -cf %s
-  tags:
-  - high_severity
-  - low_complexity
-  - low_disruption
-  - no_reboot_needed
-  - restrict_strategy
-  - sudo_add_noexec
-
           
 if /usr/sbin/visudo -qcf /etc/sudoers; then
     cp /etc/sudoers /etc/sudoers.bak
@@ -1623,6 +1609,20 @@
     false
 fi
 
+          - name: Ensure noexec is enabled in /etc/sudoers
+  lineinfile:
+    path: /etc/sudoers
+    regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+    line: Defaults noexec
+    validate: /usr/sbin/visudo -cf %s
+  tags:
+  - high_severity
+  - low_complexity
+  - low_disruption
+  - no_reboot_needed
+  - restrict_strategy
+  - sudo_add_noexec
+
           
             
           
@@ -1640,20 +1640,6 @@
           BP28(R58)
           Restricting the use cases in which a user is allowed to execute sudo commands
 reduces the attack surface.
-          - name: Ensure requiretty is enabled in /etc/sudoers
-  lineinfile:
-    path: /etc/sudoers
-    regexp: ^[\s]*Defaults.*\brequiretty\b.*$
-    line: Defaults requiretty
-    validate: /usr/sbin/visudo -cf %s
-  tags:
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - no_reboot_needed
-  - restrict_strategy
-  - sudo_add_requiretty
-
           
 if /usr/sbin/visudo -qcf /etc/sudoers; then
     cp /etc/sudoers /etc/sudoers.bak
@@ -1675,6 +1661,20 @@
     false
 fi
 
+          - name: Ensure requiretty is enabled in /etc/sudoers
+  lineinfile:
+    path: /etc/sudoers
+    regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+    line: Defaults requiretty
+    validate: /usr/sbin/visudo -cf %s
+  tags:
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy
/usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml	2023-02-06 00:00:00.000000000 +0000
@@ -124,7 +124,7 @@
   
   
     
-      draft
+      draft
       Guide to the Secure Configuration of SUSE Linux Enterprise 12
       This guide presents a catalog of security-relevant
 configuration settings for SUSE Linux Enterprise 12. It is a rendering of
@@ -167,30 +167,15 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.
       
-        
-          
-            
-          
-        
-        
-          
-            
-          
-        
-        
+        
           
-            
+            
+            
           
         
-        
+        
           
-            
-          
-        
-        
-          
-            
-            
+            
           
         
         
@@ -198,20 +183,19 @@
             
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
-            
+            
           
         
         
@@ -225,39 +209,39 @@
             
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
         
@@ -265,14 +249,19 @@
             
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
+          
+        
+        
+          
+            
           
         
         
@@ -280,9 +269,20 @@
             
           
         
-        
+        
           
-            
+            
+          
+        
+        
+          
+            
+            
+          
+        
+        
+          
+            
           
         
       
@@ -5622,6 +5622,22 @@
               Because the prelinking feature changes binaries, it can interfere with the
 operation of certain software and/or modes such as AIDE, FIPS, etc.
               CCE-92211-2
+              # prelink not installed
+if test -e /etc/sysconfig/prelink -o -e /usr/sbin/prelink; then
+    if grep -q ^PRELINKING /etc/sysconfig/prelink
+    then
+        sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink
+    else
+        printf '\n' >> /etc/sysconfig/prelink
+        printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink
+    fi
+
+    # Undo previous prelink changes to binaries if prelink is available.
+    if test -x /usr/sbin/prelink; then
+        /usr/sbin/prelink -ua
+    fi
+fi
+
               - name: Does prelink file exist
   stat:
     path: /etc/sysconfig/prelink
@@ -5660,22 +5676,6 @@
   - no_reboot_needed
/usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml	2023-02-06 00:00:00.000000000 +0000
@@ -126,7 +126,7 @@
   
   
     
-      draft
+      draft
       Guide to the Secure Configuration of SUSE Linux Enterprise 12
       This guide presents a catalog of security-relevant
 configuration settings for SUSE Linux Enterprise 12. It is a rendering of
@@ -169,30 +169,15 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.
       
-        
-          
-            
-          
-        
-        
-          
-            
-          
-        
-        
+        
           
-            
+            
+            
           
         
-        
+        
           
-            
-          
-        
-        
-          
-            
-            
+            
           
         
         
@@ -200,20 +185,19 @@
             
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
-            
+            
           
         
         
@@ -227,39 +211,39 @@
             
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
         
@@ -267,14 +251,19 @@
             
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
+          
+        
+        
+          
+            
           
         
         
@@ -282,9 +271,20 @@
             
           
         
-        
+        
           
-            
+            
+          
+        
+        
+          
+            
+            
+          
+        
+        
+          
+            
           
         
       
@@ -5624,6 +5624,22 @@
               Because the prelinking feature changes binaries, it can interfere with the
 operation of certain software and/or modes such as AIDE, FIPS, etc.
               CCE-92211-2
+              # prelink not installed
+if test -e /etc/sysconfig/prelink -o -e /usr/sbin/prelink; then
+    if grep -q ^PRELINKING /etc/sysconfig/prelink
+    then
+        sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink
+    else
+        printf '\n' >> /etc/sysconfig/prelink
+        printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink
+    fi
+
+    # Undo previous prelink changes to binaries if prelink is available.
+    if test -x /usr/sbin/prelink; then
+        /usr/sbin/prelink -ua
+    fi
+fi
+
               - name: Does prelink file exist
   stat:
     path: /etc/sysconfig/prelink
@@ -5662,22 +5678,6 @@
   - no_reboot_needed
/usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml	2023-02-06 00:00:00.000000000 +0000
@@ -7,2753 +7,2752 @@
     2023-02-06T00:00:00
   
   
-    
-      Configure Accepting Router Advertisements on All IPv6 Interfaces
+    
+      Disable SCTP Support
       
-        ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_action:testaction:1
+        ocil:ssg-kernel_module_sctp_disabled_action:testaction:1
       
     
-    
-      Ensure All Groups on the System Have Unique Group Names
+    
+      Ensure the default plugins for the audit dispatcher are Installed
       
-        ocil:ssg-group_unique_name_action:testaction:1
+        ocil:ssg-package_audit-audispd-plugins_installed_action:testaction:1
       
     
-    
-      Uninstall rsh Package
+    
+      Enable Auditing for Processes Which Start Prior to the Audit Daemon
       
-        ocil:ssg-package_rsh_removed_action:testaction:1
+        ocil:ssg-grub2_audit_argument_action:testaction:1
       
     
-    
-      Verify User Who Owns /var/log/messages File
+    
+      Ensure that /etc/at.deny does not exist
       
-        ocil:ssg-file_owner_var_log_messages_action:testaction:1
+        ocil:ssg-file_at_deny_not_exist_action:testaction:1
       
     
-    
-      Verify that System Executables Have Root Ownership
+    
+      Disable loading and unloading of kernel modules
       
-        ocil:ssg-file_ownership_binary_dirs_action:testaction:1
+        ocil:ssg-sysctl_kernel_modules_disabled_action:testaction:1
       
     
-    
-      Encrypt Partitions
+    
+      Ensure auditd Collects Information on the Use of Privileged Commands - kmod
       
-        ocil:ssg-encrypt_partitions_action:testaction:1
+        ocil:ssg-audit_rules_privileged_commands_kmod_action:testaction:1
       
     
-    
-      Randomize the address of the kernel image (KASLR)
+    
+      All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User
       
-        ocil:ssg-kernel_config_randomize_base_action:testaction:1
+        ocil:ssg-accounts_users_home_files_groupownership_action:testaction:1
       
     
-    
-      Uninstall CUPS Package
+    
+      Verify Group Who Owns /etc/at.allow file
       
-        ocil:ssg-package_cups_removed_action:testaction:1
+        ocil:ssg-file_groupowner_at_allow_action:testaction:1
       
     
-    
-      Record Events that Modify the System's Network Environment
+    
+      Enable module signature verification
       
-        ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1
+        ocil:ssg-kernel_config_module_sig_action:testaction:1
       
     
-    
-      Enforce Spectre v2 mitigation
+    
+      Ensure auditd Collects Information on the Use of Privileged Commands - chage
       
-        ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+        ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1
       
     
-    
-      Enable syslog-ng Service
+    
+      Ensure SMEP is not disabled during boot
       
-        ocil:ssg-service_syslogng_enabled_action:testaction:1
+        ocil:ssg-grub2_nosmep_argument_absent_action:testaction:1
       
     
-    
-      System Audit Logs Must Be Owned By Root
+    
+      Modify the System Login Banner
       
-        ocil:ssg-file_ownership_var_log_audit_action:testaction:1
+        ocil:ssg-banner_etc_issue_action:testaction:1
       
     
-    
-      Verify permissions on Message of the Day Banner
+    
+      Configure the polyinstantiation_enabled SELinux Boolean
       
-        ocil:ssg-file_permissions_etc_motd_action:testaction:1
+        ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1
       
     
-    
-      Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
+    
+      Set hostname as computer node name in audit logs
       
-        ocil:ssg-sudo_add_ignore_dot_action:testaction:1
+        ocil:ssg-auditd_name_format_action:testaction:1
       
     
-    
-      Configure a Sufficiently Large Partition for Audit Logs
+    
+      Enable dnf-automatic Timer
       
-        ocil:ssg-auditd_audispd_configure_sufficiently_large_partition_action:testaction:1
+        ocil:ssg-timer_dnf-automatic_enabled_action:testaction:1
       
     
-    
-      Install strongswan Package
+    
+      Verify Group Ownership of System Login Banner for Remote Connections
       
-        ocil:ssg-package_strongswan_installed_action:testaction:1
+        ocil:ssg-file_groupowner_etc_issue_net_action:testaction:1
       
     
-    
-      Record attempts to alter time through settimeofday
+    
+      Enable the pcscd Service
       
-        ocil:ssg-audit_rules_time_settimeofday_action:testaction:1
+        ocil:ssg-service_pcscd_enabled_action:testaction:1
       
     
-    
-      Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
+    
+      Configure SSSD to Expire Offline Credentials
       
-        ocil:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_action:testaction:1
+        ocil:ssg-sssd_offline_cred_expiration_action:testaction:1
       
     
-    
-      Enable TCP/IP syncookie support
+    
+      Install the Host Intrusion Prevention System (HIPS) Module
       
-        ocil:ssg-kernel_config_syn_cookies_action:testaction:1
+        ocil:ssg-package_MFEhiplsm_installed_action:testaction:1
       
     
-    
-      Add nodev Option to /home
+    
+      Verify User Who Owns Backup gshadow File
       
-        ocil:ssg-mount_option_home_nodev_action:testaction:1
+        ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1
       
     
-    
-      Enable GSSAPI Authentication
+    
+      Ensure rsyslog is Installed
       
-        ocil:ssg-sshd_enable_gssapi_auth_action:testaction:1
+        ocil:ssg-package_rsyslog_installed_action:testaction:1
       
     
-    
-      Enable rsyslog Service
+    
+      Configure Kernel Parameter for Accepting Secure Redirects By Default
       
/usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml	2023-02-06 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
 
 
-  draft
+  draft
   Guide to the Secure Configuration of SUSE Linux Enterprise 12
   This guide presents a catalog of security-relevant
 configuration settings for SUSE Linux Enterprise 12. It is a rendering of
@@ -43,30 +43,15 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.
   
-    
-      
-        
-      
-    
-    
-      
-        
-      
-    
-    
+    
       
-        
+        
+        
       
     
-    
+    
       
-        
-      
-    
-    
-      
-        
-        
+        
       
     
     
@@ -74,20 +59,19 @@
         
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
-        
+        
       
     
     
@@ -101,39 +85,39 @@
         
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
     
@@ -141,14 +125,19 @@
         
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
+      
+    
+    
+      
+        
       
     
     
@@ -156,9 +145,20 @@
         
       
     
-    
+    
       
-        
+        
+      
+    
+    
+      
+        
+        
+      
+    
+    
+      
+        
       
     
   
@@ -5498,6 +5498,22 @@
           Because the prelinking feature changes binaries, it can interfere with the
 operation of certain software and/or modes such as AIDE, FIPS, etc.
           CCE-92211-2
+          # prelink not installed
+if test -e /etc/sysconfig/prelink -o -e /usr/sbin/prelink; then
+    if grep -q ^PRELINKING /etc/sysconfig/prelink
+    then
+        sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink
+    else
+        printf '\n' >> /etc/sysconfig/prelink
+        printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink
+    fi
+
+    # Undo previous prelink changes to binaries if prelink is available.
+    if test -x /usr/sbin/prelink; then
+        /usr/sbin/prelink -ua
+    fi
+fi
+
           - name: Does prelink file exist
   stat:
     path: /etc/sysconfig/prelink
@@ -5536,22 +5552,6 @@
   - no_reboot_needed
   - restrict_strategy
/usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml	2023-02-06 00:00:00.000000000 +0000
@@ -128,7 +128,7 @@
   
   
     
-      draft
+      draft
       Guide to the Secure Configuration of SUSE Linux Enterprise 15
       This guide presents a catalog of security-relevant
 configuration settings for SUSE Linux Enterprise 15. It is a rendering of
@@ -171,35 +171,15 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.
       
-        
-          
-            
-          
-        
-        
-          
-            
-          
-        
-        
-          
-            
-          
-        
-        
+        
           
-            
+            
+            
           
         
-        
+        
           
-            
-          
-        
-        
-          
-            
-            
+            
           
         
         
@@ -207,20 +187,19 @@
             
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
-            
+            
           
         
         
@@ -234,39 +213,44 @@
             
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
+          
+        
+        
+          
+            
           
         
         
@@ -274,14 +258,19 @@
             
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
+          
+        
+        
+          
+            
           
         
         
@@ -289,9 +278,20 @@
             
           
         
-        
+        
           
-            
+            
+          
+        
+        
+          
+            
+            
+          
+        
+        
+          
+            
           
         
       
@@ -6904,6 +6904,22 @@
               Because the prelinking feature changes binaries, it can interfere with the
 operation of certain software and/or modes such as AIDE, FIPS, etc.
               CCE-91341-8
+              # prelink not installed
+if test -e /etc/sysconfig/prelink -o -e /usr/sbin/prelink; then
+    if grep -q ^PRELINKING /etc/sysconfig/prelink
+    then
+        sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink
+    else
+        printf '\n' >> /etc/sysconfig/prelink
+        printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink
+    fi
+
+    # Undo previous prelink changes to binaries if prelink is available.
/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml	2023-02-06 00:00:00.000000000 +0000
@@ -130,7 +130,7 @@
   
   
     
-      draft
+      draft
       Guide to the Secure Configuration of SUSE Linux Enterprise 15
       This guide presents a catalog of security-relevant
 configuration settings for SUSE Linux Enterprise 15. It is a rendering of
@@ -173,35 +173,15 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.
       
-        
-          
-            
-          
-        
-        
-          
-            
-          
-        
-        
-          
-            
-          
-        
-        
+        
           
-            
+            
+            
           
         
-        
+        
           
-            
-          
-        
-        
-          
-            
-            
+            
           
         
         
@@ -209,20 +189,19 @@
             
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
-            
+            
           
         
         
@@ -236,39 +215,44 @@
             
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
+          
+        
+        
+          
+            
           
         
         
@@ -276,14 +260,19 @@
             
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
+          
+        
+        
+          
+            
           
         
         
@@ -291,9 +280,20 @@
             
           
         
-        
+        
           
-            
+            
+          
+        
+        
+          
+            
+            
+          
+        
+        
+          
+            
           
         
       
@@ -6906,6 +6906,22 @@
               Because the prelinking feature changes binaries, it can interfere with the
 operation of certain software and/or modes such as AIDE, FIPS, etc.
               CCE-91341-8
+              # prelink not installed
+if test -e /etc/sysconfig/prelink -o -e /usr/sbin/prelink; then
+    if grep -q ^PRELINKING /etc/sysconfig/prelink
+    then
+        sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink
+    else
+        printf '\n' >> /etc/sysconfig/prelink
+        printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink
+    fi
+
+    # Undo previous prelink changes to binaries if prelink is available.
/usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml	2023-02-06 00:00:00.000000000 +0000
@@ -7,610 +7,622 @@
     2023-02-06T00:00:00
   
   
-    
-      Configure Accepting Router Advertisements on All IPv6 Interfaces
+    
+      Disable SCTP Support
       
-        ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_action:testaction:1
+        ocil:ssg-kernel_module_sctp_disabled_action:testaction:1
       
     
-    
-      Ensure All Groups on the System Have Unique Group Names
+    
+      Ensure the default plugins for the audit dispatcher are Installed
       
-        ocil:ssg-group_unique_name_action:testaction:1
+        ocil:ssg-package_audit-audispd-plugins_installed_action:testaction:1
       
     
-    
-      Uninstall rsh Package
+    
+      Enable Auditing for Processes Which Start Prior to the Audit Daemon
       
-        ocil:ssg-package_rsh_removed_action:testaction:1
+        ocil:ssg-grub2_audit_argument_action:testaction:1
       
     
-    
-      Verify User Who Owns /var/log/messages File
+    
+      Ensure that /etc/at.deny does not exist
       
-        ocil:ssg-file_owner_var_log_messages_action:testaction:1
+        ocil:ssg-file_at_deny_not_exist_action:testaction:1
       
     
-    
-      Verify that System Executables Have Root Ownership
+    
+      Disable loading and unloading of kernel modules
       
-        ocil:ssg-file_ownership_binary_dirs_action:testaction:1
+        ocil:ssg-sysctl_kernel_modules_disabled_action:testaction:1
       
     
-    
-      Encrypt Partitions
+    
+      Ensure auditd Collects Information on the Use of Privileged Commands - kmod
       
-        ocil:ssg-encrypt_partitions_action:testaction:1
+        ocil:ssg-audit_rules_privileged_commands_kmod_action:testaction:1
       
     
-    
-      Randomize the address of the kernel image (KASLR)
+    
+      All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User
       
-        ocil:ssg-kernel_config_randomize_base_action:testaction:1
+        ocil:ssg-accounts_users_home_files_groupownership_action:testaction:1
       
     
-    
-      Uninstall CUPS Package
+    
+      Verify Group Who Owns /etc/at.allow file
       
-        ocil:ssg-package_cups_removed_action:testaction:1
+        ocil:ssg-file_groupowner_at_allow_action:testaction:1
       
     
-    
-      Record Events that Modify the System's Network Environment
+    
+      Enable module signature verification
       
-        ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1
+        ocil:ssg-kernel_config_module_sig_action:testaction:1
       
     
-    
-      Enforce Spectre v2 mitigation
+    
+      Ensure auditd Collects Information on the Use of Privileged Commands - chage
       
-        ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+        ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1
       
     
-    
-      Enable syslog-ng Service
+    
+      Ensure SMEP is not disabled during boot
       
-        ocil:ssg-service_syslogng_enabled_action:testaction:1
+        ocil:ssg-grub2_nosmep_argument_absent_action:testaction:1
       
     
-    
-      System Audit Logs Must Be Owned By Root
+    
+      Modify the System Login Banner
       
-        ocil:ssg-file_ownership_var_log_audit_action:testaction:1
+        ocil:ssg-banner_etc_issue_action:testaction:1
       
     
-    
-      Verify permissions on Message of the Day Banner
+    
+      Configure the polyinstantiation_enabled SELinux Boolean
       
-        ocil:ssg-file_permissions_etc_motd_action:testaction:1
+        ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1
       
     
-    
-      Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
+    
+      Set hostname as computer node name in audit logs
       
-        ocil:ssg-sudo_add_ignore_dot_action:testaction:1
+        ocil:ssg-auditd_name_format_action:testaction:1
       
     
-    
-      Configure a Sufficiently Large Partition for Audit Logs
+    
+      Enable dnf-automatic Timer
       
-        ocil:ssg-auditd_audispd_configure_sufficiently_large_partition_action:testaction:1
+        ocil:ssg-timer_dnf-automatic_enabled_action:testaction:1
       
     
-    
-      Install strongswan Package
+    
+      Verify Group Ownership of System Login Banner for Remote Connections
       
-        ocil:ssg-package_strongswan_installed_action:testaction:1
+        ocil:ssg-file_groupowner_etc_issue_net_action:testaction:1
       
     
-    
-      Record attempts to alter time through settimeofday
+    
+      Enable the pcscd Service
       
-        ocil:ssg-audit_rules_time_settimeofday_action:testaction:1
+        ocil:ssg-service_pcscd_enabled_action:testaction:1
       
     
-    
-      Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
+    
+      Configure SSSD to Expire Offline Credentials
       
-        ocil:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_action:testaction:1
+        ocil:ssg-sssd_offline_cred_expiration_action:testaction:1
       
     
-    
-      Enable TCP/IP syncookie support
+    
+      Install the Host Intrusion Prevention System (HIPS) Module
       
-        ocil:ssg-kernel_config_syn_cookies_action:testaction:1
+        ocil:ssg-package_MFEhiplsm_installed_action:testaction:1
       
     
-    
-      Add nodev Option to /home
+    
+      Verify User Who Owns Backup gshadow File
       
-        ocil:ssg-mount_option_home_nodev_action:testaction:1
+        ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1
       
     
-    
-      Enable GSSAPI Authentication
+    
+      Ensure rsyslog is Installed
       
-        ocil:ssg-sshd_enable_gssapi_auth_action:testaction:1
+        ocil:ssg-package_rsyslog_installed_action:testaction:1
       
     
-    
-      Enable rsyslog Service
+    
+      Configure Kernel Parameter for Accepting Secure Redirects By Default
       
/usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml	2023-02-06 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
 
 
-  draft
+  draft
   Guide to the Secure Configuration of SUSE Linux Enterprise 15
   This guide presents a catalog of security-relevant
 configuration settings for SUSE Linux Enterprise 15. It is a rendering of
@@ -43,35 +43,15 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.
   
-    
-      
-        
-      
-    
-    
-      
-        
-      
-    
-    
-      
-        
-      
-    
-    
+    
       
-        
+        
+        
       
     
-    
+    
       
-        
-      
-    
-    
-      
-        
-        
+        
       
     
     
@@ -79,20 +59,19 @@
         
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
-        
+        
       
     
     
@@ -106,39 +85,44 @@
         
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
+      
+    
+    
+      
+        
       
     
     
@@ -146,14 +130,19 @@
         
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
+      
+    
+    
+      
+        
       
     
     
@@ -161,9 +150,20 @@
         
       
     
-    
+    
       
-        
+        
+      
+    
+    
+      
+        
+        
+      
+    
+    
+      
+        
       
     
   
@@ -6776,6 +6776,22 @@
           Because the prelinking feature changes binaries, it can interfere with the
 operation of certain software and/or modes such as AIDE, FIPS, etc.
           CCE-91341-8
+          # prelink not installed
+if test -e /etc/sysconfig/prelink -o -e /usr/sbin/prelink; then
+    if grep -q ^PRELINKING /etc/sysconfig/prelink
+    then
+        sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink
+    else
+        printf '\n' >> /etc/sysconfig/prelink
+        printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink
+    fi
+
+    # Undo previous prelink changes to binaries if prelink is available.
+    if test -x /usr/sbin/prelink; then
RPMS.2017/scap-security-guide-debian-0.1.66-0.0.noarch.rpm RPMS/scap-security-guide-debian-0.1.66-0.0.noarch.rpm differ: byte 225, line 1
Comparing scap-security-guide-debian-0.1.66-0.0.noarch.rpm to scap-security-guide-debian-0.1.66-0.0.noarch.rpm
comparing the rpm tags of scap-security-guide-debian
--- old-rpm-tags
+++ new-rpm-tags
@@ -150,4 +150,4 @@
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html cc91c3d64c4db84891fff19e5ff9a5c1b97a95387e27c69ca256752371f455b7 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_high.html cf931a805a3d0c0bd777666afec5288c3f811943710044e607b50ffd9b108cea 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_minimal.html cb842c36e70f6d136114c37c44a0eab119ef50a80b3f0f5d545c71a412d2f611 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html 3a49396249a62fee34d7b0c10ffd33abb1033d7f240c9234b56b09fb6f51226e 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html 1ba8de9b54561be7133cb4dc518c85294e5a420452200ff1d220cc77bee4a4ee 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_high.html 690288fccb4649b3456daf0f5de36b8802be9c4d8e99c5c9ad165ebaf7dc2e8b 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_minimal.html e7dfdd125494b90b8dda00a8d64e963d5c897b41d84f41756ebabe979d2ea402 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html 173df54eca0f2e52fb8920a2072ef0e6e9af0b0c47ab6f51119489cdb9caa598 2
@@ -155,5 +155,5 @@
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-standard.html 7da579d60ecd8409b84c4b5f067b9fdd5a4b0c139d107acdf9f7041a0cd358e2 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_average.html 4655310692260532c3a5ed8e8b5cf2a0b27250ed12d8e7c3713f6254fc219bd8 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_high.html a59d48bd62e6c28ec5ab7ca19aa971e8a43c628a2d1cf5387436b7d1da70fc8a 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_minimal.html e79c35f9d53d375513bcf1656a2f5ec7f8e8768f39e1e3de310c4615fe3f5fe0 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html 816eba69188da2699239da87061374eeb3cb1d9553a01fdb84bdceae1c04cda9 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-standard.html e91adda33676eab0fd523292789ac3b90e82bbc9aaf8b5ce6f8f757d91a9672a 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_average.html 7c60ae441ff6a339f4d62e1ab97e9d97d63d952cfc2b6ec420e0443a329bde25 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_high.html 2643c17c2382c26e5507c09709e0f78ae18728a6ed923396d16c7d0b35f95d41 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_minimal.html 980530b44a004c2d7fabfdeb7537c98eff98a6f077d33de4f41fcd1d77b438c9 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html 14b0be38584631a6cce18b22d1fd9fd88228af229c0b9240715d2898bdb4321c 2
@@ -161 +161 @@
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-standard.html fc90268a47ecabc23bd237ec9b9d0597318c31f95268b8b5808d3305b266a632 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-standard.html f007687978896e3932f7b3e1404a475810718de2ea041723383637085aa21524 2
@@ -194,3 +194,3 @@
-/usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml 4065c611761245ed45f9095dee845a47e932726480c3f9c8cc5ce0dca789c8a5 0
-/usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml 8653045961868958b643fed96053f1566f4c06ed5e24b76e379ad498da51fc9d 0
-/usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml 20299c63e659a4bd14220104a28c74e63c891d25f85bda0f3eeb121ea0a4139e 0
+/usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml fcbb23e1f68626a792d5af1032c3c3b8118048d90f09de7779f9be3ac0fb83e2 0
+/usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml ca44b62bbbc3e0255b2aac0d3072d56348903031a1b1e18040d476881313751a 0
+/usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml c9302ea88d1a6079136e081bf8bf87a006f9f3a592830fd9423b227a72a98437 0
@@ -198 +198 @@
-/usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml 69e2facf31c0de4d558f4348ce8186d94bf4244bf9105b1dd8f8f5ac65eff0a7 0
+/usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml 354b48a6e717c99a166aa7592411ce5b652fe13aaa1c8a18836da0f7a6b157c1 0
@@ -201,3 +201,3 @@
-/usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml 600d540dc47fda7937e79c7bb5d75638fb1f039fef9b7ef3523fd6cc91689f0a 0
-/usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml 230e0dd75b725e7a5d644cf1792adc53b9fd5feaf12cf9a3c3002294fadc2570 0
-/usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml ef68fd6c5506992a98e499b6f8e34a18a5bf6cdccf476291de761ec4ab5d30bc 0
+/usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml 458d0591e2ef7b74acffef95140a9576913e58ef0673cdc0c60e5e682f8667a1 0
+/usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml 91a39a624ee738ab9568303252085f02163dd876c73dcc703b27e0712c47af71 0
+/usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml d50bc26c5f8506f897c0fac8b0ab4ac6fa5b520722a9469a0aebfc24c279d218 0
@@ -205 +205 @@
-/usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml 51b0cd61b1ff3403d3d88009f1acac52e79c894a050d9854d59e9e952a6187dc 0
+/usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml 702393fee3ba70b10bd3e19ecedba878e2e5a3f8da542144ab84102fe6deecf4 0
comparing rpmtags
comparing RELEASE
comparing PROVIDES
comparing scripts
comparing filelist
comparing file checksum
creating rename script
RPM file checksum differs.
Extracting packages
/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html	2023-02-06 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitleProfile for ANSSI DAT-NT28 Average (Intermediate) Level
Profile IDxccdf_org.ssgproject.content_profile_anssi_np_nt28_average
CPE Platforms
  • cpe:/o:debian:debian_linux:10
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Configure Syslog
    3. File Permissions and Masks
  2. Services
    1. APT service configuration
    2. Deprecated services
    3. Network Time Protocol
    4. SSH Server
Checklist
Group  
                 Guide to the Secure Configuration of Debian 10
                           Group contains 20 groups and 45 rules
Group  
@@ -165,7 +165,22 @@
 


 When operating systems provide the capability to escalate a functional capability, it
 is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate
Identifiers and References
References: 
-            BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490


Complexity:low
Disruption:low
Strategy:restrict

+for f in /etc/sudoers /etc/sudoers.d/* ; do
+  if [ ! -e "$f" ] ; then
+    continue
+  fi
+  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
+  if ! test -z "$matching_list"; then
+    while IFS= read -r entry; do
+      # comment out "!authenticate" matches to preserve user data
+      sed -i "s/^${entry}$/# &/g" $f
+    done <<< "$matching_list"
+
+    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
+  fi
+done
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
@@ -198,33 +213,33 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_no_authenticate
-

Complexity:low
Disruption:low
Strategy:restrict

+
Rule  
+                                Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+                                  [ref]
The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/.
Rationale:
Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+


+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Identifiers and References
References: 
+            BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490

Complexity:low
Disruption:low
Strategy:restrict

 for f in /etc/sudoers /etc/sudoers.d/* ; do
   if [ ! -e "$f" ] ; then
     continue
   fi
-  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
-      # comment out "!authenticate" matches to preserve user data
+      # comment out "NOPASSWD" matches to preserve user data
       sed -i "s/^${entry}$/# &/g" $f
     done <<< "$matching_list"
 
     /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
   fi
 done
-
Rule  
-                                Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
-                                  [ref]
The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/.
Rationale:
Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-


-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Identifiers and References
References: 
-            BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490

Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
@@ -257,21 +272,6 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_nopasswd
-

Complexity:low
Disruption:low
Strategy:restrict

-for f in /etc/sudoers /etc/sudoers.d/* ; do
-  if [ ! -e "$f" ] ; then
-    continue
-  fi
-  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
-  if ! test -z "$matching_list"; then
-    while IFS= read -r entry; do
-      # comment out "NOPASSWD" matches to preserve user data
-      sed -i "s/^${entry}$/# &/g" $f
-    done <<< "$matching_list"
-
-    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
-  fi
-done
 
Group  
                 Configure Syslog
                           Group contains 3 groups and 8 rules
[ref]  
@@ -387,7 +387,28 @@
 daily
Rationale:
Log files that are not properly rotated run the risk of growing so large
 that they fill up the /var/log partition. Valuable logging information could be lost
 if the /var/log partition becomes full.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_ensure_logrotate_activated
Identifiers and References
References: 
-            BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7

Complexity:low
Disruption:low
Strategy:configure
- name: Configure daily log rotation in /etc/logrotate.conf
+            BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
+
+# daily rotation is configured
+grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE
+
+# remove any line configuring weekly, monthly or yearly rotation
+sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE
+
+# configure cron.daily if not already
+if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
+	echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
+	echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:configure
- name: Configure daily log rotation in /etc/logrotate.conf
   lineinfile:
     create: true
     dest: /etc/logrotate.conf
@@ -446,27 +467,6 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-LOGROTATE_CONF_FILE="/etc/logrotate.conf"
-CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
-
-# daily rotation is configured
-grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE
-
-# remove any line configuring weekly, monthly or yearly rotation
-sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE
-
-# configure cron.daily if not already
-if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
-	echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
-	echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Group  
                 Configure rsyslogd to Accept Remote Messages If Acting as a Log Server
                           Group contains 2 rules
[ref]  
@@ -487,7 +487,14 @@
 [[packages]]
 name = "syslog-ng"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure syslog-ng is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_syslog-ng
+
+class install_syslog-ng {
+  package { 'syslog-ng':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure syslog-ng is installed
   package:
     name: syslog-ng
     state: present
@@ -500,13 +507,6 @@
   - medium_severity
   - no_reboot_needed
   - package_syslogng_installed
-

Complexity:low
Disruption:low
Strategy:enable
include install_syslog-ng
-
-class install_syslog-ng {
-  package { 'syslog-ng':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Enable syslog-ng Service
                                   [ref]
The syslog-ng service (in replacement of rsyslog) provides syslog-style logging by default on Debian.
@@ -517,7 +517,15 @@
             BP28(R46), BP28(R5), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1


 [customizations.services]
 enabled = ["syslog-ng"]
-

Complexity:low
Disruption:low
Strategy:enable
- name: Enable service syslog-ng
+

Complexity:low
Disruption:low
Strategy:enable
include enable_syslog-ng
/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_high.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_high.html	2023-02-06 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitleProfile for ANSSI DAT-NT28 High (Enforced) Level
Profile IDxccdf_org.ssgproject.content_profile_anssi_np_nt28_high
CPE Platforms
  • cpe:/o:debian:debian_linux:10
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. System Accounting with auditd
    3. GRUB2 bootloader configuration
    4. Configure Syslog
    5. File Permissions and Masks
  2. Services
    1. APT service configuration
    2. Cron and At Daemons
    3. Deprecated services
    4. Network Time Protocol
    5. SSH Server
Checklist
Group  
                 Guide to the Secure Configuration of Debian 10
                           Group contains 23 groups and 50 rules
Group  
@@ -165,7 +165,22 @@
 


 When operating systems provide the capability to escalate a functional capability, it
 is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate
Identifiers and References
References: 
-            BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490


Complexity:low
Disruption:low
Strategy:restrict

+for f in /etc/sudoers /etc/sudoers.d/* ; do
+  if [ ! -e "$f" ] ; then
+    continue
+  fi
+  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
+  if ! test -z "$matching_list"; then
+    while IFS= read -r entry; do
+      # comment out "!authenticate" matches to preserve user data
+      sed -i "s/^${entry}$/# &/g" $f
+    done <<< "$matching_list"
+
+    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
+  fi
+done
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
@@ -198,33 +213,33 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_no_authenticate
-

Complexity:low
Disruption:low
Strategy:restrict

+
Rule  
+                                Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+                                  [ref]
The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/.
Rationale:
Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+


+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Identifiers and References
References: 
+            BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490

Complexity:low
Disruption:low
Strategy:restrict

 for f in /etc/sudoers /etc/sudoers.d/* ; do
   if [ ! -e "$f" ] ; then
     continue
   fi
-  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
-      # comment out "!authenticate" matches to preserve user data
+      # comment out "NOPASSWD" matches to preserve user data
       sed -i "s/^${entry}$/# &/g" $f
     done <<< "$matching_list"
 
     /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
   fi
 done
-
Rule  
-                                Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
-                                  [ref]
The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/.
Rationale:
Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-


-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Identifiers and References
References: 
-            BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490

Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
@@ -257,21 +272,6 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_nopasswd
-

Complexity:low
Disruption:low
Strategy:restrict

-for f in /etc/sudoers /etc/sudoers.d/* ; do
-  if [ ! -e "$f" ] ; then
-    continue
-  fi
-  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
-  if ! test -z "$matching_list"; then
-    while IFS= read -r entry; do
-      # comment out "NOPASSWD" matches to preserve user data
-      sed -i "s/^${entry}$/# &/g" $f
-    done <<< "$matching_list"
-
-    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
-  fi
-done
 
Group  
                 System Accounting with auditd
                           Group contains 2 rules
[ref]  
@@ -358,7 +358,14 @@
 [[packages]]
 name = "auditd"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure auditd is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_auditd
+
+class install_auditd {
+  package { 'auditd':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure auditd is installed
   package:
     name: auditd
     state: present
@@ -378,13 +385,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-

Complexity:low
Disruption:low
Strategy:enable
include install_auditd
-
-class install_auditd {
-  package { 'auditd':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Enable auditd Service
                                   [ref]
The auditd service is an essential userspace component of
@@ -403,7 +403,15 @@
             1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190


 [customizations.services]
 enabled = ["auditd"]
-

Complexity:low
Disruption:low
Strategy:enable
- name: Gather the package facts
+

Complexity:low
Disruption:low
Strategy:enable
include enable_auditd
+
+class enable_auditd {
+  service {'auditd':
+    enable => true,
+    ensure => 'running',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -467,14 +475,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-

Complexity:low
Disruption:low
Strategy:enable
include enable_auditd
-
-class enable_auditd {
-  service {'auditd':
-    enable => true,
-    ensure => 'running',
-  }
-}
 
Group  
                 GRUB2 bootloader configuration
                           Group contains  1 rule
[ref]  
@@ -611,7 +611,28 @@
 daily
Rationale:
Log files that are not properly rotated run the risk of growing so large
 that they fill up the /var/log partition. Valuable logging information could be lost
 if the /var/log partition becomes full.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_ensure_logrotate_activated
Identifiers and References
References: 
-            BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7

Complexity:low
Disruption:low
Strategy:configure
- name: Configure daily log rotation in /etc/logrotate.conf
+            BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
+
+# daily rotation is configured
+grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE
+
+# remove any line configuring weekly, monthly or yearly rotation
+sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE
+
+# configure cron.daily if not already
+if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
+	echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
+	echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:configure
- name: Configure daily log rotation in /etc/logrotate.conf
   lineinfile:
     create: true
     dest: /etc/logrotate.conf
@@ -670,27 +691,6 @@
   - low_disruption
/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_minimal.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_minimal.html	2023-02-06 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitleProfile for ANSSI DAT-NT28 Minimal Level
Profile IDxccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal
CPE Platforms
  • cpe:/o:debian:debian_linux:10
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Configure Syslog
    3. File Permissions and Masks
  2. Services
    1. APT service configuration
    2. Deprecated services
Checklist
Group  
                 Guide to the Secure Configuration of Debian 10
                           Group contains 11 groups and 24 rules
Group  
@@ -96,7 +96,22 @@
 


 When operating systems provide the capability to escalate a functional capability, it
 is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate
Identifiers and References
References: 
-            BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490


Complexity:low
Disruption:low
Strategy:restrict

+for f in /etc/sudoers /etc/sudoers.d/* ; do
+  if [ ! -e "$f" ] ; then
+    continue
+  fi
+  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
+  if ! test -z "$matching_list"; then
+    while IFS= read -r entry; do
+      # comment out "!authenticate" matches to preserve user data
+      sed -i "s/^${entry}$/# &/g" $f
+    done <<< "$matching_list"
+
+    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
+  fi
+done
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
@@ -129,33 +144,33 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_no_authenticate
-

Complexity:low
Disruption:low
Strategy:restrict

+
Rule  
+                                Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+                                  [ref]
The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/.
Rationale:
Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+


+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Identifiers and References
References: 
+            BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490

Complexity:low
Disruption:low
Strategy:restrict

 for f in /etc/sudoers /etc/sudoers.d/* ; do
   if [ ! -e "$f" ] ; then
     continue
   fi
-  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
-      # comment out "!authenticate" matches to preserve user data
+      # comment out "NOPASSWD" matches to preserve user data
       sed -i "s/^${entry}$/# &/g" $f
     done <<< "$matching_list"
 
     /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
   fi
 done
-
Rule  
-                                Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
-                                  [ref]
The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/.
Rationale:
Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-


-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Identifiers and References
References: 
-            BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490

Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
@@ -188,21 +203,6 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_nopasswd
-

Complexity:low
Disruption:low
Strategy:restrict

-for f in /etc/sudoers /etc/sudoers.d/* ; do
-  if [ ! -e "$f" ] ; then
-    continue
-  fi
-  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
-  if ! test -z "$matching_list"; then
-    while IFS= read -r entry; do
-      # comment out "NOPASSWD" matches to preserve user data
-      sed -i "s/^${entry}$/# &/g" $f
-    done <<< "$matching_list"
-
-    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
-  fi
-done
 
Group  
                 Configure Syslog
                           Group contains 1 group and 4 rules
[ref]  
@@ -241,7 +241,14 @@
 [[packages]]
 name = "syslog-ng"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure syslog-ng is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_syslog-ng
+
+class install_syslog-ng {
+  package { 'syslog-ng':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure syslog-ng is installed
   package:
     name: syslog-ng
     state: present
@@ -254,13 +261,6 @@
   - medium_severity
   - no_reboot_needed
   - package_syslogng_installed
-

Complexity:low
Disruption:low
Strategy:enable
include install_syslog-ng
-
-class install_syslog-ng {
-  package { 'syslog-ng':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Enable syslog-ng Service
                                   [ref]
The syslog-ng service (in replacement of rsyslog) provides syslog-style logging by default on Debian.
@@ -271,7 +271,15 @@
             BP28(R46), BP28(R5), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1


 [customizations.services]
 enabled = ["syslog-ng"]
-

Complexity:low
Disruption:low
Strategy:enable
- name: Enable service syslog-ng
+

Complexity:low
Disruption:low
Strategy:enable
include enable_syslog-ng
+
+class enable_syslog-ng {
+  service {'syslog-ng':
+    enable => true,
+    ensure => 'running',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Enable service syslog-ng
   block:
 
   - name: Gather the package facts
@@ -296,14 +304,6 @@
   - medium_severity
   - no_reboot_needed
   - service_syslogng_enabled
-

Complexity:low
Disruption:low
Strategy:enable
include enable_syslog-ng
-
-class enable_syslog-ng {
-  service {'syslog-ng':
-    enable => true,
-    ensure => 'running',
-  }
-}
 
Rule  
                                 Ensure rsyslog is Installed
                                   [ref]
Rsyslog is installed by default. The rsyslog package can be installed with the following command: 
 $ apt-get install rsyslog
Rationale:
The rsyslog package provides the rsyslog daemon, which provides
@@ -312,7 +312,14 @@
 [[packages]]
 name = "rsyslog"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure rsyslog is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_rsyslog
+
+class install_rsyslog {
+  package { 'rsyslog':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -325,13 +332,6 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-

Complexity:low
Disruption:low
Strategy:enable
include install_rsyslog
-
-class install_rsyslog {
-  package { 'rsyslog':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Enable rsyslog Service
                                   [ref]
The rsyslog service provides syslog-style logging by default on Debian 10.
@@ -342,7 +342,15 @@
             BP28(R5), NT28(R46), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, CCI-000366, 164.312(a)(2)(ii), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1, SRG-OS-000480-GPOS-00227


/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html	2023-02-06 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitleProfile for ANSSI DAT-NT28 Restrictive Level
Profile IDxccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive
CPE Platforms
  • cpe:/o:debian:debian_linux:10
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. System Accounting with auditd
    3. Configure Syslog
    4. File Permissions and Masks
  2. Services
    1. APT service configuration
    2. Cron and At Daemons
    3. Deprecated services
    4. Network Time Protocol
    5. SSH Server
Checklist
Group  
                 Guide to the Secure Configuration of Debian 10
                           Group contains 22 groups and 49 rules
Group  
@@ -165,7 +165,22 @@
 


 When operating systems provide the capability to escalate a functional capability, it
 is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate
Identifiers and References
References: 
-            BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490


Complexity:low
Disruption:low
Strategy:restrict

+for f in /etc/sudoers /etc/sudoers.d/* ; do
+  if [ ! -e "$f" ] ; then
+    continue
+  fi
+  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
+  if ! test -z "$matching_list"; then
+    while IFS= read -r entry; do
+      # comment out "!authenticate" matches to preserve user data
+      sed -i "s/^${entry}$/# &/g" $f
+    done <<< "$matching_list"
+
+    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
+  fi
+done
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
@@ -198,33 +213,33 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_no_authenticate
-

Complexity:low
Disruption:low
Strategy:restrict

+
Rule  
+                                Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+                                  [ref]
The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/.
Rationale:
Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+


+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Identifiers and References
References: 
+            BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490

Complexity:low
Disruption:low
Strategy:restrict

 for f in /etc/sudoers /etc/sudoers.d/* ; do
   if [ ! -e "$f" ] ; then
     continue
   fi
-  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
-      # comment out "!authenticate" matches to preserve user data
+      # comment out "NOPASSWD" matches to preserve user data
       sed -i "s/^${entry}$/# &/g" $f
     done <<< "$matching_list"
 
     /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
   fi
 done
-
Rule  
-                                Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
-                                  [ref]
The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/.
Rationale:
Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-


-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Identifiers and References
References: 
-            BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490

Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
@@ -257,21 +272,6 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_nopasswd
-

Complexity:low
Disruption:low
Strategy:restrict

-for f in /etc/sudoers /etc/sudoers.d/* ; do
-  if [ ! -e "$f" ] ; then
-    continue
-  fi
-  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
-  if ! test -z "$matching_list"; then
-    while IFS= read -r entry; do
-      # comment out "NOPASSWD" matches to preserve user data
-      sed -i "s/^${entry}$/# &/g" $f
-    done <<< "$matching_list"
-
-    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
-  fi
-done
 
Group  
                 System Accounting with auditd
                           Group contains 2 rules
[ref]  
@@ -358,7 +358,14 @@
 [[packages]]
 name = "auditd"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure auditd is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_auditd
+
+class install_auditd {
+  package { 'auditd':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure auditd is installed
   package:
     name: auditd
     state: present
@@ -378,13 +385,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-

Complexity:low
Disruption:low
Strategy:enable
include install_auditd
-
-class install_auditd {
-  package { 'auditd':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Enable auditd Service
                                   [ref]
The auditd service is an essential userspace component of
@@ -403,7 +403,15 @@
             1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190


 [customizations.services]
 enabled = ["auditd"]
-

Complexity:low
Disruption:low
Strategy:enable
- name: Gather the package facts
+

Complexity:low
Disruption:low
Strategy:enable
include enable_auditd
+
+class enable_auditd {
+  service {'auditd':
+    enable => true,
+    ensure => 'running',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -467,14 +475,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-

Complexity:low
Disruption:low
Strategy:enable
include enable_auditd
-
-class enable_auditd {
-  service {'auditd':
-    enable => true,
-    ensure => 'running',
-  }
-}
 
Group  
                 Configure Syslog
                           Group contains 3 groups and 8 rules
[ref]  
@@ -590,7 +590,28 @@
 daily
Rationale:
Log files that are not properly rotated run the risk of growing so large
 that they fill up the /var/log partition. Valuable logging information could be lost
 if the /var/log partition becomes full.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_ensure_logrotate_activated
Identifiers and References
References: 
-            BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7

Complexity:low
Disruption:low
Strategy:configure
- name: Configure daily log rotation in /etc/logrotate.conf
+            BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
+
+# daily rotation is configured
+grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE
+
+# remove any line configuring weekly, monthly or yearly rotation
+sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE
+
+# configure cron.daily if not already
+if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
+	echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
+	echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:configure
- name: Configure daily log rotation in /etc/logrotate.conf
   lineinfile:
     create: true
     dest: /etc/logrotate.conf
@@ -649,27 +670,6 @@
   - low_disruption
/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-standard.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-standard.html	2023-02-06 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitleStandard System Security Profile for Debian 10
Profile IDxccdf_org.ssgproject.content_profile_standard
CPE Platforms
  • cpe:/o:debian:debian_linux:10
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. System Accounting with auditd
    3. Configure Syslog
    4. File Permissions and Masks
  2. Services
    1. Cron and At Daemons
    2. Deprecated services
    3. Network Time Protocol
    4. SSH Server
Checklist
Group  
                 Guide to the Secure Configuration of Debian 10
                           Group contains 19 groups and 44 rules
Group  
@@ -234,7 +234,14 @@
 [[packages]]
 name = "auditd"
 version = "*"
-
Complexity:low
Disruption:low
Strategy:enable
- name: Ensure auditd is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_auditd
+
+class install_auditd {
+  package { 'auditd':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure auditd is installed
   package:
     name: auditd
     state: present
@@ -254,13 +261,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-

Complexity:low
Disruption:low
Strategy:enable
include install_auditd
-
-class install_auditd {
-  package { 'auditd':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Enable auditd Service
                                   [ref]
The auditd service is an essential userspace component of
@@ -279,7 +279,15 @@
             1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190


 [customizations.services]
 enabled = ["auditd"]
-

Complexity:low
Disruption:low
Strategy:enable
- name: Gather the package facts
+

Complexity:low
Disruption:low
Strategy:enable
include enable_auditd
+
+class enable_auditd {
+  service {'auditd':
+    enable => true,
+    ensure => 'running',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -343,14 +351,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-

Complexity:low
Disruption:low
Strategy:enable
include enable_auditd
-
-class enable_auditd {
-  service {'auditd':
-    enable => true,
-    ensure => 'running',
-  }
-}
 
Group  
                 Configure Syslog
                           Group contains 2 groups and 6 rules
[ref]  
@@ -466,7 +466,28 @@
 daily
Rationale:
Log files that are not properly rotated run the risk of growing so large
 that they fill up the /var/log partition. Valuable logging information could be lost
 if the /var/log partition becomes full.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_ensure_logrotate_activated
Identifiers and References
References: 
-            BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7

Complexity:low
Disruption:low
Strategy:configure
- name: Configure daily log rotation in /etc/logrotate.conf
+            BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
+
+# daily rotation is configured
+grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE
+
+# remove any line configuring weekly, monthly or yearly rotation
+sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE
+
+# configure cron.daily if not already
+if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
+	echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
+	echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:configure
- name: Configure daily log rotation in /etc/logrotate.conf
   lineinfile:
     create: true
     dest: /etc/logrotate.conf
@@ -525,27 +546,6 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-LOGROTATE_CONF_FILE="/etc/logrotate.conf"
-CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
-
-# daily rotation is configured
-grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE
-
-# remove any line configuring weekly, monthly or yearly rotation
-sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE
-
-# configure cron.daily if not already
-if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
-	echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
-	echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Rule  
                                 Ensure rsyslog is Installed
                                   [ref]
Rsyslog is installed by default. The rsyslog package can be installed with the following command: 
 $ apt-get install rsyslog
Rationale:
The rsyslog package provides the rsyslog daemon, which provides
@@ -554,7 +554,14 @@
 [[packages]]
 name = "rsyslog"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure rsyslog is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_rsyslog
+
+class install_rsyslog {
+  package { 'rsyslog':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -567,13 +574,6 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-

Complexity:low
Disruption:low
Strategy:enable
include install_rsyslog
-
-class install_rsyslog {
-  package { 'rsyslog':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Enable rsyslog Service
                                   [ref]
The rsyslog service provides syslog-style logging by default on Debian 10.
@@ -584,7 +584,15 @@
             BP28(R5), NT28(R46), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, CCI-000366, 164.312(a)(2)(ii), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1, SRG-OS-000480-GPOS-00227


 [customizations.services]
 enabled = ["rsyslog"]
-

Complexity:low
Disruption:low
Strategy:enable
- name: Enable service rsyslog
+

Complexity:low
Disruption:low
Strategy:enable
include enable_rsyslog
+
+class enable_rsyslog {
+  service {'rsyslog':
+    enable => true,
+    ensure => 'running',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -609,14 +617,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-

Complexity:low
Disruption:low
Strategy:enable
include enable_rsyslog
-
-class enable_rsyslog {
-  service {'rsyslog':
-    enable => true,
-    ensure => 'running',
-  }
-}
 
Group  
                 File Permissions and Masks
                           Group contains 5 groups and 17 rules
[ref]  
@@ -657,7 +657,11 @@
                                 Verify Group Who Owns group File
                                   [ref]
 To properly set the group owner of /etc/group, run the command: 
$ sudo chgrp root /etc/group
Rationale:
The /etc/group file contains information regarding groups that are configured
 on the system. Protection of this file is important for system security.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_file_groupowner_etc_group
Identifiers and References
References: 
-            12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227


Complexity:low
Disruption:low
Strategy:configure

+
/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_average.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_average.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_average.html	2023-02-06 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitleProfile for ANSSI DAT-NT28 Average (Intermediate) Level
Profile IDxccdf_org.ssgproject.content_profile_anssi_np_nt28_average
CPE Platforms
  • cpe:/o:debian:debian_linux:11
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Configure Syslog
    3. File Permissions and Masks
  2. Services
    1. APT service configuration
    2. Deprecated services
    3. Network Time Protocol
    4. SSH Server
Checklist
Group  
                 Guide to the Secure Configuration of Debian 11
                           Group contains 20 groups and 45 rules
Group  
@@ -165,7 +165,22 @@
 


 When operating systems provide the capability to escalate a functional capability, it
 is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate
Identifiers and References
References: 
-            BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490


Complexity:low
Disruption:low
Strategy:restrict

+for f in /etc/sudoers /etc/sudoers.d/* ; do
+  if [ ! -e "$f" ] ; then
+    continue
+  fi
+  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
+  if ! test -z "$matching_list"; then
+    while IFS= read -r entry; do
+      # comment out "!authenticate" matches to preserve user data
+      sed -i "s/^${entry}$/# &/g" $f
+    done <<< "$matching_list"
+
+    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
+  fi
+done
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
@@ -198,33 +213,33 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_no_authenticate
-

Complexity:low
Disruption:low
Strategy:restrict

+
Rule  
+                                Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+                                  [ref]
The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/.
Rationale:
Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+


+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Identifiers and References
References: 
+            BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490

Complexity:low
Disruption:low
Strategy:restrict

 for f in /etc/sudoers /etc/sudoers.d/* ; do
   if [ ! -e "$f" ] ; then
     continue
   fi
-  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
-      # comment out "!authenticate" matches to preserve user data
+      # comment out "NOPASSWD" matches to preserve user data
       sed -i "s/^${entry}$/# &/g" $f
     done <<< "$matching_list"
 
     /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
   fi
 done
-
Rule  
-                                Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
-                                  [ref]
The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/.
Rationale:
Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-


-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Identifiers and References
References: 
-            BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490

Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
@@ -257,21 +272,6 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_nopasswd
-

Complexity:low
Disruption:low
Strategy:restrict

-for f in /etc/sudoers /etc/sudoers.d/* ; do
-  if [ ! -e "$f" ] ; then
-    continue
-  fi
-  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
-  if ! test -z "$matching_list"; then
-    while IFS= read -r entry; do
-      # comment out "NOPASSWD" matches to preserve user data
-      sed -i "s/^${entry}$/# &/g" $f
-    done <<< "$matching_list"
-
-    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
-  fi
-done
 
Group  
                 Configure Syslog
                           Group contains 3 groups and 8 rules
[ref]  
@@ -387,7 +387,28 @@
 daily
Rationale:
Log files that are not properly rotated run the risk of growing so large
 that they fill up the /var/log partition. Valuable logging information could be lost
 if the /var/log partition becomes full.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_ensure_logrotate_activated
Identifiers and References
References: 
-            BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7

Complexity:low
Disruption:low
Strategy:configure
- name: Configure daily log rotation in /etc/logrotate.conf
+            BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
+
+# daily rotation is configured
+grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE
+
+# remove any line configuring weekly, monthly or yearly rotation
+sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE
+
+# configure cron.daily if not already
+if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
+	echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
+	echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:configure
- name: Configure daily log rotation in /etc/logrotate.conf
   lineinfile:
     create: true
     dest: /etc/logrotate.conf
@@ -446,27 +467,6 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-LOGROTATE_CONF_FILE="/etc/logrotate.conf"
-CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
-
-# daily rotation is configured
-grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE
-
-# remove any line configuring weekly, monthly or yearly rotation
-sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE
-
-# configure cron.daily if not already
-if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
-	echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
-	echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Group  
                 Configure rsyslogd to Accept Remote Messages If Acting as a Log Server
                           Group contains 2 rules
[ref]  
@@ -487,7 +487,14 @@
 [[packages]]
 name = "syslog-ng"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure syslog-ng is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_syslog-ng
+
+class install_syslog-ng {
+  package { 'syslog-ng':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure syslog-ng is installed
   package:
     name: syslog-ng
     state: present
@@ -500,13 +507,6 @@
   - medium_severity
   - no_reboot_needed
   - package_syslogng_installed
-

Complexity:low
Disruption:low
Strategy:enable
include install_syslog-ng
-
-class install_syslog-ng {
-  package { 'syslog-ng':
-    ensure => 'installed',
-  }
-}

Rule   Enable syslog-ng Service   [ref]

The syslog-ng service (in replacement of rsyslog) provides syslog-style logging by default on Debian. @@ -517,7 +517,15 @@ BP28(R46), BP28(R5), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1



 [customizations.services]
 enabled = ["syslog-ng"]
-

Complexity:low
Disruption:low
Strategy:enable
- name: Enable service syslog-ng
+

Complexity:low
Disruption:low
Strategy:enable
include enable_syslog-ng
/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_high.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_high.html	2023-02-06 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.

Profile Information

Profile TitleProfile for ANSSI DAT-NT28 High (Enforced) Level
Profile IDxccdf_org.ssgproject.content_profile_anssi_np_nt28_high

CPE Platforms

  • cpe:/o:debian:debian_linux:11

Revision History

Current version: 0.1.66

  • draft - (as of 2023-02-07) + (as of 2039-03-12)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. System Accounting with auditd
    3. GRUB2 bootloader configuration
    4. Configure Syslog
    5. File Permissions and Masks
  2. Services
    1. APT service configuration
    2. Cron and At Daemons
    3. Deprecated services
    4. Network Time Protocol
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Debian 11   Group contains 23 groups and 50 rules
Group   @@ -165,7 +165,22 @@

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate
Identifiers and References

References:  - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490



Complexity:low
Disruption:low
Strategy:restrict

+for f in /etc/sudoers /etc/sudoers.d/* ; do
+  if [ ! -e "$f" ] ; then
+    continue
+  fi
+  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
+  if ! test -z "$matching_list"; then
+    while IFS= read -r entry; do
+      # comment out "!authenticate" matches to preserve user data
+      sed -i "s/^${entry}$/# &/g" $f
+    done <<< "$matching_list"
+
+    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
+  fi
+done
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
@@ -198,33 +213,33 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_no_authenticate
-

Complexity:low
Disruption:low
Strategy:restrict

+

Rule   + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD +   [ref]

The sudo NOPASSWD tag, when specified, allows a user to execute +commands using sudo without having to authenticate. This should be disabled +by making sure that the NOPASSWD tag does not exist in +/etc/sudoers configuration file or any sudo configuration snippets +in /etc/sudoers.d/.
Rationale:
Without re-authentication, users may access resources or perform tasks for which they +do not have authorization. +

+When operating systems provide the capability to escalate a functional capability, it +is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Identifiers and References

References:  + BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490


Complexity:low
Disruption:low
Strategy:restrict

 for f in /etc/sudoers /etc/sudoers.d/* ; do
   if [ ! -e "$f" ] ; then
     continue
   fi
-  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
-      # comment out "!authenticate" matches to preserve user data
+      # comment out "NOPASSWD" matches to preserve user data
       sed -i "s/^${entry}$/# &/g" $f
     done <<< "$matching_list"
 
     /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
   fi
 done
-

Rule   - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD -   [ref]

The sudo NOPASSWD tag, when specified, allows a user to execute -commands using sudo without having to authenticate. This should be disabled -by making sure that the NOPASSWD tag does not exist in -/etc/sudoers configuration file or any sudo configuration snippets -in /etc/sudoers.d/.
Rationale:
Without re-authentication, users may access resources or perform tasks for which they -do not have authorization. -

-When operating systems provide the capability to escalate a functional capability, it -is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Identifiers and References

References:  - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490


Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
@@ -257,21 +272,6 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_nopasswd
-

Complexity:low
Disruption:low
Strategy:restrict

-for f in /etc/sudoers /etc/sudoers.d/* ; do
-  if [ ! -e "$f" ] ; then
-    continue
-  fi
-  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
-  if ! test -z "$matching_list"; then
-    while IFS= read -r entry; do
-      # comment out "NOPASSWD" matches to preserve user data
-      sed -i "s/^${entry}$/# &/g" $f
-    done <<< "$matching_list"
-
-    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
-  fi
-done
Group   System Accounting with auditd   Group contains 2 rules
[ref]   @@ -358,7 +358,14 @@ [[packages]] name = "auditd" version = "*" -

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure auditd is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_auditd
+
+class install_auditd {
+  package { 'auditd':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure auditd is installed
   package:
     name: auditd
     state: present
@@ -378,13 +385,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-

Complexity:low
Disruption:low
Strategy:enable
include install_auditd
-
-class install_auditd {
-  package { 'auditd':
-    ensure => 'installed',
-  }
-}

Rule   Enable auditd Service   [ref]

The auditd service is an essential userspace component of @@ -403,7 +403,15 @@ 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190



 [customizations.services]
 enabled = ["auditd"]
-

Complexity:low
Disruption:low
Strategy:enable
- name: Gather the package facts
+

Complexity:low
Disruption:low
Strategy:enable
include enable_auditd
+
+class enable_auditd {
+  service {'auditd':
+    enable => true,
+    ensure => 'running',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -467,14 +475,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-

Complexity:low
Disruption:low
Strategy:enable
include enable_auditd
-
-class enable_auditd {
-  service {'auditd':
-    enable => true,
-    ensure => 'running',
-  }
-}
Group   GRUB2 bootloader configuration   Group contains 1 rule
[ref]   @@ -611,7 +611,28 @@ daily
Rationale:
Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_ensure_logrotate_activatedIdentifiers and References

References:  - BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7


Complexity:low
Disruption:low
Strategy:configure
- name: Configure daily log rotation in /etc/logrotate.conf
+            BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
+
+# daily rotation is configured
+grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE
+
+# remove any line configuring weekly, monthly or yearly rotation
+sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE
+
+# configure cron.daily if not already
+if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
+	echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
+	echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:configure
- name: Configure daily log rotation in /etc/logrotate.conf
   lineinfile:
     create: true
     dest: /etc/logrotate.conf
@@ -670,27 +691,6 @@
   - low_disruption
/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_minimal.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_minimal.html	2023-02-06 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.

Profile Information

Profile TitleProfile for ANSSI DAT-NT28 Minimal Level
Profile IDxccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

CPE Platforms

  • cpe:/o:debian:debian_linux:11

Revision History

Current version: 0.1.66

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Configure Syslog
    3. File Permissions and Masks
  2. Services
    1. APT service configuration
    2. Deprecated services

Checklist

Group   Guide to the Secure Configuration of Debian 11   Group contains 11 groups and 24 rules
Group   @@ -96,7 +96,22 @@

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate
Identifiers and References

References:  - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490



Complexity:low
Disruption:low
Strategy:restrict

+for f in /etc/sudoers /etc/sudoers.d/* ; do
+  if [ ! -e "$f" ] ; then
+    continue
+  fi
+  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
+  if ! test -z "$matching_list"; then
+    while IFS= read -r entry; do
+      # comment out "!authenticate" matches to preserve user data
+      sed -i "s/^${entry}$/# &/g" $f
+    done <<< "$matching_list"
+
+    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
+  fi
+done
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
@@ -129,33 +144,33 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_no_authenticate
-

Complexity:low
Disruption:low
Strategy:restrict

+

Rule   + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD +   [ref]

The sudo NOPASSWD tag, when specified, allows a user to execute +commands using sudo without having to authenticate. This should be disabled +by making sure that the NOPASSWD tag does not exist in +/etc/sudoers configuration file or any sudo configuration snippets +in /etc/sudoers.d/.
Rationale:
Without re-authentication, users may access resources or perform tasks for which they +do not have authorization. +

+When operating systems provide the capability to escalate a functional capability, it +is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Identifiers and References

References:  + BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490


Complexity:low
Disruption:low
Strategy:restrict

 for f in /etc/sudoers /etc/sudoers.d/* ; do
   if [ ! -e "$f" ] ; then
     continue
   fi
-  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
-      # comment out "!authenticate" matches to preserve user data
+      # comment out "NOPASSWD" matches to preserve user data
       sed -i "s/^${entry}$/# &/g" $f
     done <<< "$matching_list"
 
     /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
   fi
 done
-

Rule   - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD -   [ref]

The sudo NOPASSWD tag, when specified, allows a user to execute -commands using sudo without having to authenticate. This should be disabled -by making sure that the NOPASSWD tag does not exist in -/etc/sudoers configuration file or any sudo configuration snippets -in /etc/sudoers.d/.
Rationale:
Without re-authentication, users may access resources or perform tasks for which they -do not have authorization. -

-When operating systems provide the capability to escalate a functional capability, it -is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Identifiers and References

References:  - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490


Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
@@ -188,21 +203,6 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_nopasswd
-

Complexity:low
Disruption:low
Strategy:restrict

-for f in /etc/sudoers /etc/sudoers.d/* ; do
-  if [ ! -e "$f" ] ; then
-    continue
-  fi
-  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
-  if ! test -z "$matching_list"; then
-    while IFS= read -r entry; do
-      # comment out "NOPASSWD" matches to preserve user data
-      sed -i "s/^${entry}$/# &/g" $f
-    done <<< "$matching_list"
-
-    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
-  fi
-done
Group   Configure Syslog   Group contains 1 group and 4 rules
[ref]   @@ -241,7 +241,14 @@ [[packages]] name = "syslog-ng" version = "*" -

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure syslog-ng is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_syslog-ng
+
+class install_syslog-ng {
+  package { 'syslog-ng':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure syslog-ng is installed
   package:
     name: syslog-ng
     state: present
@@ -254,13 +261,6 @@
   - medium_severity
   - no_reboot_needed
   - package_syslogng_installed
-

Complexity:low
Disruption:low
Strategy:enable
include install_syslog-ng
-
-class install_syslog-ng {
-  package { 'syslog-ng':
-    ensure => 'installed',
-  }
-}

Rule   Enable syslog-ng Service   [ref]

The syslog-ng service (in replacement of rsyslog) provides syslog-style logging by default on Debian. @@ -271,7 +271,15 @@ BP28(R46), BP28(R5), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1



 [customizations.services]
 enabled = ["syslog-ng"]
-

Complexity:low
Disruption:low
Strategy:enable
- name: Enable service syslog-ng
+

Complexity:low
Disruption:low
Strategy:enable
include enable_syslog-ng
+
+class enable_syslog-ng {
+  service {'syslog-ng':
+    enable => true,
+    ensure => 'running',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Enable service syslog-ng
   block:
 
   - name: Gather the package facts
@@ -296,14 +304,6 @@
   - medium_severity
   - no_reboot_needed
   - service_syslogng_enabled
-

Complexity:low
Disruption:low
Strategy:enable
include enable_syslog-ng
-
-class enable_syslog-ng {
-  service {'syslog-ng':
-    enable => true,
-    ensure => 'running',
-  }
-}

Rule   Ensure rsyslog is Installed   [ref]

Rsyslog is installed by default. The rsyslog package can be installed with the following command: 
 $ apt-get install rsyslog
Rationale:
The rsyslog package provides the rsyslog daemon, which provides @@ -312,7 +312,14 @@ [[packages]] name = "rsyslog" version = "*" -

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure rsyslog is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_rsyslog
+
+class install_rsyslog {
+  package { 'rsyslog':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -325,13 +332,6 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-

Complexity:low
Disruption:low
Strategy:enable
include install_rsyslog
-
-class install_rsyslog {
-  package { 'rsyslog':
-    ensure => 'installed',
-  }
-}

Rule   Enable rsyslog Service   [ref]

The rsyslog service provides syslog-style logging by default on Debian 11. @@ -342,7 +342,15 @@ BP28(R5), NT28(R46), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, CCI-000366, 164.312(a)(2)(ii), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1, SRG-OS-000480-GPOS-00227



/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html	2023-02-06 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.

Profile Information

Profile TitleProfile for ANSSI DAT-NT28 Restrictive Level
Profile IDxccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

CPE Platforms

  • cpe:/o:debian:debian_linux:11

Revision History

Current version: 0.1.66

  • draft - (as of 2023-02-07) + (as of 2039-03-12)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. System Accounting with auditd
    3. Configure Syslog
    4. File Permissions and Masks
  2. Services
    1. APT service configuration
    2. Cron and At Daemons
    3. Deprecated services
    4. Network Time Protocol
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Debian 11   Group contains 22 groups and 49 rules
Group   @@ -165,7 +165,22 @@

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate
Identifiers and References

References:  - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490



Complexity:low
Disruption:low
Strategy:restrict

+for f in /etc/sudoers /etc/sudoers.d/* ; do
+  if [ ! -e "$f" ] ; then
+    continue
+  fi
+  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
+  if ! test -z "$matching_list"; then
+    while IFS= read -r entry; do
+      # comment out "!authenticate" matches to preserve user data
+      sed -i "s/^${entry}$/# &/g" $f
+    done <<< "$matching_list"
+
+    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
+  fi
+done
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
@@ -198,33 +213,33 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_no_authenticate
-

Complexity:low
Disruption:low
Strategy:restrict

+

Rule   + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD +   [ref]

The sudo NOPASSWD tag, when specified, allows a user to execute +commands using sudo without having to authenticate. This should be disabled +by making sure that the NOPASSWD tag does not exist in +/etc/sudoers configuration file or any sudo configuration snippets +in /etc/sudoers.d/.
Rationale:
Without re-authentication, users may access resources or perform tasks for which they +do not have authorization. +

+When operating systems provide the capability to escalate a functional capability, it +is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Identifiers and References

References:  + BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490


Complexity:low
Disruption:low
Strategy:restrict

 for f in /etc/sudoers /etc/sudoers.d/* ; do
   if [ ! -e "$f" ] ; then
     continue
   fi
-  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
-      # comment out "!authenticate" matches to preserve user data
+      # comment out "NOPASSWD" matches to preserve user data
       sed -i "s/^${entry}$/# &/g" $f
     done <<< "$matching_list"
 
     /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
   fi
 done
-

Rule   - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD -   [ref]

The sudo NOPASSWD tag, when specified, allows a user to execute -commands using sudo without having to authenticate. This should be disabled -by making sure that the NOPASSWD tag does not exist in -/etc/sudoers configuration file or any sudo configuration snippets -in /etc/sudoers.d/.
Rationale:
Without re-authentication, users may access resources or perform tasks for which they -do not have authorization. -

-When operating systems provide the capability to escalate a functional capability, it -is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Identifiers and References

References:  - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490


Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
@@ -257,21 +272,6 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_nopasswd
-

Complexity:low
Disruption:low
Strategy:restrict

-for f in /etc/sudoers /etc/sudoers.d/* ; do
-  if [ ! -e "$f" ] ; then
-    continue
-  fi
-  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
-  if ! test -z "$matching_list"; then
-    while IFS= read -r entry; do
-      # comment out "NOPASSWD" matches to preserve user data
-      sed -i "s/^${entry}$/# &/g" $f
-    done <<< "$matching_list"
-
-    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
-  fi
-done
Group   System Accounting with auditd   Group contains 2 rules
[ref]   @@ -358,7 +358,14 @@ [[packages]] name = "auditd" version = "*" -

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure auditd is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_auditd
+
+class install_auditd {
+  package { 'auditd':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure auditd is installed
   package:
     name: auditd
     state: present
@@ -378,13 +385,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-

Complexity:low
Disruption:low
Strategy:enable
include install_auditd
-
-class install_auditd {
-  package { 'auditd':
-    ensure => 'installed',
-  }
-}

Rule   Enable auditd Service   [ref]

The auditd service is an essential userspace component of @@ -403,7 +403,15 @@ 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190



 [customizations.services]
 enabled = ["auditd"]
-

Complexity:low
Disruption:low
Strategy:enable
- name: Gather the package facts
+

Complexity:low
Disruption:low
Strategy:enable
include enable_auditd
+
+class enable_auditd {
+  service {'auditd':
+    enable => true,
+    ensure => 'running',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -467,14 +475,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-

Complexity:low
Disruption:low
Strategy:enable
include enable_auditd
-
-class enable_auditd {
-  service {'auditd':
-    enable => true,
-    ensure => 'running',
-  }
-}
Group   Configure Syslog   Group contains 3 groups and 8 rules
[ref]   @@ -590,7 +590,28 @@ daily
Rationale:
Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_ensure_logrotate_activatedIdentifiers and References

References:  - BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7


Complexity:low
Disruption:low
Strategy:configure
- name: Configure daily log rotation in /etc/logrotate.conf
+            BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
+
+# daily rotation is configured
+grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE
+
+# remove any line configuring weekly, monthly or yearly rotation
+sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE
+
+# configure cron.daily if not already
+if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
+	echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
+	echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:configure
- name: Configure daily log rotation in /etc/logrotate.conf
   lineinfile:
     create: true
     dest: /etc/logrotate.conf
@@ -649,27 +670,6 @@
   - low_disruption
/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-standard.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-standard.html	2023-02-06 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.

Profile Information

Profile TitleStandard System Security Profile for Debian 11
Profile IDxccdf_org.ssgproject.content_profile_standard

CPE Platforms

  • cpe:/o:debian:debian_linux:11

Revision History

Current version: 0.1.66

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. System Accounting with auditd
    3. Configure Syslog
    4. File Permissions and Masks
  2. Services
    1. Cron and At Daemons
    2. Deprecated services
    3. Network Time Protocol
    4. SSH Server

Checklist

Group   Guide to the Secure Configuration of Debian 11   Group contains 19 groups and 44 rules
Group   @@ -234,7 +234,14 @@ [[packages]] name = "auditd" version = "*" -
Complexity:low
Disruption:low
Strategy:enable
- name: Ensure auditd is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_auditd
+
+class install_auditd {
+  package { 'auditd':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure auditd is installed
   package:
     name: auditd
     state: present
@@ -254,13 +261,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-

Complexity:low
Disruption:low
Strategy:enable
include install_auditd
-
-class install_auditd {
-  package { 'auditd':
-    ensure => 'installed',
-  }
-}

Rule   Enable auditd Service   [ref]

The auditd service is an essential userspace component of @@ -279,7 +279,15 @@ 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190



 [customizations.services]
 enabled = ["auditd"]
-

Complexity:low
Disruption:low
Strategy:enable
- name: Gather the package facts
+

Complexity:low
Disruption:low
Strategy:enable
include enable_auditd
+
+class enable_auditd {
+  service {'auditd':
+    enable => true,
+    ensure => 'running',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -343,14 +351,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-

Complexity:low
Disruption:low
Strategy:enable
include enable_auditd
-
-class enable_auditd {
-  service {'auditd':
-    enable => true,
-    ensure => 'running',
-  }
-}
Group   Configure Syslog   Group contains 2 groups and 6 rules
[ref]   @@ -466,7 +466,28 @@ daily
Rationale:
Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_ensure_logrotate_activatedIdentifiers and References

References:  - BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7


Complexity:low
Disruption:low
Strategy:configure
- name: Configure daily log rotation in /etc/logrotate.conf
+            BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
+
+# daily rotation is configured
+grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE
+
+# remove any line configuring weekly, monthly or yearly rotation
+sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE
+
+# configure cron.daily if not already
+if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
+	echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
+	echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:configure
- name: Configure daily log rotation in /etc/logrotate.conf
   lineinfile:
     create: true
     dest: /etc/logrotate.conf
@@ -525,27 +546,6 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-LOGROTATE_CONF_FILE="/etc/logrotate.conf"
-CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
-
-# daily rotation is configured
-grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE
-
-# remove any line configuring weekly, monthly or yearly rotation
-sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE
-
-# configure cron.daily if not already
-if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
-	echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
-	echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Rule  
                                 Ensure rsyslog is Installed
                                   [ref]
Rsyslog is installed by default. The rsyslog package can be installed with the following command: 
 $ apt-get install rsyslog
Rationale:
The rsyslog package provides the rsyslog daemon, which provides
@@ -554,7 +554,14 @@
 [[packages]]
 name = "rsyslog"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure rsyslog is installed
+

Complexity:low
Disruption:low
Strategy:enable
include install_rsyslog
+
+class install_rsyslog {
+  package { 'rsyslog':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -567,13 +574,6 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-

Complexity:low
Disruption:low
Strategy:enable
include install_rsyslog
-
-class install_rsyslog {
-  package { 'rsyslog':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Enable rsyslog Service
                                   [ref]
The rsyslog service provides syslog-style logging by default on Debian 11.
@@ -584,7 +584,15 @@
             BP28(R5), NT28(R46), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, CCI-000366, 164.312(a)(2)(ii), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1, SRG-OS-000480-GPOS-00227


 [customizations.services]
 enabled = ["rsyslog"]
-

Complexity:low
Disruption:low
Strategy:enable
- name: Enable service rsyslog
+

Complexity:low
Disruption:low
Strategy:enable
include enable_rsyslog
+
+class enable_rsyslog {
+  service {'rsyslog':
+    enable => true,
+    ensure => 'running',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -609,14 +617,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-

Complexity:low
Disruption:low
Strategy:enable
include enable_rsyslog
-
-class enable_rsyslog {
-  service {'rsyslog':
-    enable => true,
-    ensure => 'running',
-  }
-}
 
Group  
                 File Permissions and Masks
                           Group contains 5 groups and 17 rules
[ref]  
@@ -657,7 +657,11 @@
                                 Verify Group Who Owns group File
                                   [ref]
 To properly set the group owner of /etc/group, run the command: 
$ sudo chgrp root /etc/group
Rationale:
The /etc/group file contains information regarding groups that are configured
 on the system. Protection of this file is important for system security.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_file_groupowner_etc_groupIdentifiers and References
References: 
-            12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227

Complexity:low
Disruption:low
Strategy:configure
- name: Test for existence /etc/group
+            12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227

Complexity:low
Disruption:low
Strategy:configure

+
/usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml	2023-02-06 00:00:00.000000000 +0000
@@ -100,7 +100,7 @@
   
   
     
-      draft
+      draft
       Guide to the Secure Configuration of Debian 10
       This guide presents a catalog of security-relevant
 configuration settings for Debian 10. It is a rendering of
@@ -143,9 +143,9 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.
       
-        
+        
           
-            
+            
           
         
         
@@ -153,19 +153,19 @@
             
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
         
@@ -173,14 +173,9 @@
             
           
         
-        
-          
-            
-          
-        
-        
+        
           
-            
+            
           
         
         
@@ -188,34 +183,34 @@
             
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
         
@@ -223,9 +218,14 @@
             
           
         
-        
+        
           
-            
+            
+          
+        
+        
+          
+            
           
         
       
@@ -2056,6 +2056,14 @@
 name = "aide"
 version = "*"
 
+                  include install_aide
+
+class install_aide {
+  package { 'aide':
+    ensure => 'installed',
+  }
+}
+
                   - name: Ensure aide is installed
   package:
     name: aide
@@ -2072,14 +2080,6 @@
   - no_reboot_needed
   - package_aide_installed
 
-                  include install_aide
-
-class install_aide {
-  package { 'aide':
-    ensure => 'installed',
-  }
-}
-
                   
                     
                   
@@ -3125,20 +3125,6 @@
               BP28(R58)
               Restricting the capability of sudo allowed commands to execute sub-commands
 prevents users from running programs with privileges they wouldn't have otherwise.
-              - name: Ensure noexec is enabled in /etc/sudoers
-  lineinfile:
-    path: /etc/sudoers
-    regexp: ^[\s]*Defaults.*\bnoexec\b.*$
-    line: Defaults noexec
-    validate: /usr/sbin/visudo -cf %s
-  tags:
-  - high_severity
-  - low_complexity
-  - low_disruption
-  - no_reboot_needed
-  - restrict_strategy
-  - sudo_add_noexec
-
               
 if /usr/sbin/visudo -qcf /etc/sudoers; then
     cp /etc/sudoers /etc/sudoers.bak
@@ -3160,6 +3146,20 @@
     false
 fi
 
+              - name: Ensure noexec is enabled in /etc/sudoers
+  lineinfile:
+    path: /etc/sudoers
+    regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+    line: Defaults noexec
+    validate: /usr/sbin/visudo -cf %s
+  tags:
+  - high_severity
+  - low_complexity
+  - low_disruption
+  - no_reboot_needed
+  - restrict_strategy
+  - sudo_add_noexec
+
               
/usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml	2023-02-06 00:00:00.000000000 +0000
@@ -100,7 +100,7 @@
   
   
     
-      draft
+      draft
       Guide to the Secure Configuration of Debian 10
       This guide presents a catalog of security-relevant
 configuration settings for Debian 10. It is a rendering of
@@ -143,9 +143,9 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.
       
-        
+        
           
-            
+            
           
         
         
@@ -153,19 +153,19 @@
             
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
         
@@ -173,14 +173,9 @@
             
           
         
-        
-          
-            
-          
-        
-        
+        
           
-            
+            
           
         
         
@@ -188,34 +183,34 @@
             
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
         
@@ -223,9 +218,14 @@
             
           
         
-        
+        
           
-            
+            
+          
+        
+        
+          
+            
           
         
       
@@ -2056,6 +2056,14 @@
 name = "aide"
 version = "*"
 
+                  include install_aide
+
+class install_aide {
+  package { 'aide':
+    ensure => 'installed',
+  }
+}
+
                   - name: Ensure aide is installed
   package:
     name: aide
@@ -2072,14 +2080,6 @@
   - no_reboot_needed
   - package_aide_installed
 
-                  include install_aide
-
-class install_aide {
-  package { 'aide':
-    ensure => 'installed',
-  }
-}
-
                   
                     
                   
@@ -3125,20 +3125,6 @@
               BP28(R58)
               Restricting the capability of sudo allowed commands to execute sub-commands
 prevents users from running programs with privileges they wouldn't have otherwise.
-              - name: Ensure noexec is enabled in /etc/sudoers
-  lineinfile:
-    path: /etc/sudoers
-    regexp: ^[\s]*Defaults.*\bnoexec\b.*$
-    line: Defaults noexec
-    validate: /usr/sbin/visudo -cf %s
-  tags:
-  - high_severity
-  - low_complexity
-  - low_disruption
-  - no_reboot_needed
-  - restrict_strategy
-  - sudo_add_noexec
-
               
 if /usr/sbin/visudo -qcf /etc/sudoers; then
     cp /etc/sudoers /etc/sudoers.bak
@@ -3160,6 +3146,20 @@
     false
 fi
 
+              - name: Ensure noexec is enabled in /etc/sudoers
+  lineinfile:
+    path: /etc/sudoers
+    regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+    line: Defaults noexec
+    validate: /usr/sbin/visudo -cf %s
+  tags:
+  - high_severity
+  - low_complexity
+  - low_disruption
+  - no_reboot_needed
+  - restrict_strategy
+  - sudo_add_noexec
+
               
/usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml	2023-02-06 00:00:00.000000000 +0000
@@ -7,178 +7,178 @@
     2023-02-06T00:00:00
   
   
-    
-      Verify User Who Owns /var/log/messages File
+    
+      Ensure the default plugins for the audit dispatcher are Installed
       
-        ocil:ssg-file_owner_var_log_messages_action:testaction:1
+        ocil:ssg-package_audit-audispd-plugins_installed_action:testaction:1
       
     
-    
-      Verify that System Executables Have Root Ownership
+    
+      Enable module signature verification
       
-        ocil:ssg-file_ownership_binary_dirs_action:testaction:1
+        ocil:ssg-kernel_config_module_sig_action:testaction:1
       
     
-    
-      Randomize the address of the kernel image (KASLR)
+    
+      Ensure SMEP is not disabled during boot
       
-        ocil:ssg-kernel_config_randomize_base_action:testaction:1
+        ocil:ssg-grub2_nosmep_argument_absent_action:testaction:1
       
     
-    
-      Record Events that Modify the System's Network Environment
+    
+      Set hostname as computer node name in audit logs
       
-        ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1
+        ocil:ssg-auditd_name_format_action:testaction:1
       
     
-    
-      Enforce Spectre v2 mitigation
+    
+      Install the Host Intrusion Prevention System (HIPS) Module
       
-        ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+        ocil:ssg-package_MFEhiplsm_installed_action:testaction:1
       
     
-    
-      Enable syslog-ng Service
+    
+      Verify User Who Owns Backup gshadow File
       
-        ocil:ssg-service_syslogng_enabled_action:testaction:1
+        ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1
       
     
-    
-      System Audit Logs Must Be Owned By Root
+    
+      Ensure rsyslog is Installed
       
-        ocil:ssg-file_ownership_var_log_audit_action:testaction:1
+        ocil:ssg-package_rsyslog_installed_action:testaction:1
       
     
-    
-      Record attempts to alter time through settimeofday
+    
+      Enable poison without sanity check
       
-        ocil:ssg-audit_rules_time_settimeofday_action:testaction:1
+        ocil:ssg-kernel_config_page_poisoning_no_sanity_action:testaction:1
       
     
-    
-      Enable TCP/IP syncookie support
+    
+      Ensure SELinux State is Enforcing
       
-        ocil:ssg-kernel_config_syn_cookies_action:testaction:1
+        ocil:ssg-selinux_state_action:testaction:1
       
     
-    
-      Enable GSSAPI Authentication
+    
+      Verify Permissions on passwd File
       
-        ocil:ssg-sshd_enable_gssapi_auth_action:testaction:1
+        ocil:ssg-file_permissions_etc_passwd_action:testaction:1
       
     
-    
-      Enable rsyslog Service
+    
+      Record Events that Modify the System's Mandatory Access Controls
       
-        ocil:ssg-service_rsyslog_enabled_action:testaction:1
+        ocil:ssg-audit_rules_mac_modification_action:testaction:1
       
     
-    
-      Record Events that Modify the System's Discretionary Access Controls - lsetxattr
+    
+      Disable x86 vsyscall emulation
       
-        ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1
+        ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1
       
     
-    
-      Set Password Warning Age
+    
+      Disable Host-Based Authentication
       
-        ocil:ssg-accounts_password_warn_age_login_defs_action:testaction:1
+        ocil:ssg-disable_host_auth_action:testaction:1
       
     
-    
-      Record Unsuccessful Access Attempts to Files - truncate
+    
+      Enable Use of Strict Mode Checking
       
-        ocil:ssg-audit_rules_unsuccessful_file_modification_truncate_action:testaction:1
+        ocil:ssg-sshd_enable_strictmodes_action:testaction:1
       
     
-    
-      Make the auditd Configuration Immutable
+    
+      Enforce Spectre v2 mitigation
       
-        ocil:ssg-audit_rules_immutable_action:testaction:1
+        ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
       
     
-    
-      Verify User Who Owns passwd File
+    
+      Verify Permissions on shadow File
       
-        ocil:ssg-file_owner_etc_passwd_action:testaction:1
+        ocil:ssg-file_permissions_etc_shadow_action:testaction:1
       
     
-    
-      Disable the 32-bit vDSO
+    
+      IOMMU configuration directive
       
-        ocil:ssg-kernel_config_compat_vdso_action:testaction:1
+        ocil:ssg-grub2_enable_iommu_force_action:testaction:1
       
     
-    
-      Remove the OpenSSH Server Package
+    
+      Enable checks on credential management
       
-        ocil:ssg-package_openssh-server_removed_action:testaction:1
+        ocil:ssg-kernel_config_debug_credentials_action:testaction:1
       
     
-    
-      Ensure /tmp Located On Separate Partition
+    
+      Install the ntp service
       
-        ocil:ssg-partition_for_tmp_action:testaction:1
+        ocil:ssg-package_ntp_installed_action:testaction:1
       
     
-    
-      Ensure the audit Subsystem is Installed
+    
+      Explicit arguments in sudo specifications
       
-        ocil:ssg-package_audit_installed_action:testaction:1
+        ocil:ssg-sudoers_explicit_command_args_action:testaction:1
       
     
-    
-      Ensure auditd Collects File Deletion Events by User - unlinkat
+    
+      Disable support for /proc/kkcore
       
-        ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1
+        ocil:ssg-kernel_config_proc_kcore_action:testaction:1
       
     
-    
-      Ensure syslog-ng is Installed
+    
+      Add nodev Option to /dev/shm
       
/usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml	2023-02-06 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
 
 
-  draft
+  draft
   Guide to the Secure Configuration of Debian 10
   This guide presents a catalog of security-relevant
 configuration settings for Debian 10. It is a rendering of
@@ -43,9 +43,9 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.
   
-    
+    
       
-        
+        
       
     
     
@@ -53,19 +53,19 @@
         
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
     
@@ -73,14 +73,9 @@
         
       
     
-    
-      
-        
-      
-    
-    
+    
       
-        
+        
       
     
     
@@ -88,34 +83,34 @@
         
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
     
@@ -123,9 +118,14 @@
         
       
     
-    
+    
       
-        
+        
+      
+    
+    
+      
+        
       
     
   
@@ -1956,6 +1956,14 @@
 name = "aide"
 version = "*"
 
+              include install_aide
+
+class install_aide {
+  package { 'aide':
+    ensure => 'installed',
+  }
+}
+
               - name: Ensure aide is installed
   package:
     name: aide
@@ -1972,14 +1980,6 @@
   - no_reboot_needed
   - package_aide_installed
 
-              include install_aide
-
-class install_aide {
-  package { 'aide':
-    ensure => 'installed',
-  }
-}
-
               
                 
               
@@ -3025,20 +3025,6 @@
           BP28(R58)
           Restricting the capability of sudo allowed commands to execute sub-commands
 prevents users from running programs with privileges they wouldn't have otherwise.
-          - name: Ensure noexec is enabled in /etc/sudoers
-  lineinfile:
-    path: /etc/sudoers
-    regexp: ^[\s]*Defaults.*\bnoexec\b.*$
-    line: Defaults noexec
-    validate: /usr/sbin/visudo -cf %s
-  tags:
-  - high_severity
-  - low_complexity
-  - low_disruption
-  - no_reboot_needed
-  - restrict_strategy
-  - sudo_add_noexec
-
           
 if /usr/sbin/visudo -qcf /etc/sudoers; then
     cp /etc/sudoers /etc/sudoers.bak
@@ -3060,6 +3046,20 @@
     false
 fi
 
+          - name: Ensure noexec is enabled in /etc/sudoers
+  lineinfile:
+    path: /etc/sudoers
+    regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+    line: Defaults noexec
+    validate: /usr/sbin/visudo -cf %s
+  tags:
+  - high_severity
+  - low_complexity
+  - low_disruption
+  - no_reboot_needed
+  - restrict_strategy
+  - sudo_add_noexec
+
           
             
/usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml	2023-02-06 00:00:00.000000000 +0000
@@ -100,7 +100,7 @@
   
   
     
-      draft
+      draft
       Guide to the Secure Configuration of Debian 11
       This guide presents a catalog of security-relevant
 configuration settings for Debian 11. It is a rendering of
@@ -143,9 +143,9 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.
       
-        
+        
           
-            
+            
           
         
         
@@ -153,19 +153,19 @@
             
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
         
@@ -173,14 +173,9 @@
             
           
         
-        
-          
-            
-          
-        
-        
+        
           
-            
+            
           
         
         
@@ -188,34 +183,34 @@
             
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
         
@@ -223,9 +218,14 @@
             
           
         
-        
+        
           
-            
+            
+          
+        
+        
+          
+            
           
         
       
@@ -2056,6 +2056,14 @@
 name = "aide"
 version = "*"
 
+                  include install_aide
+
+class install_aide {
+  package { 'aide':
+    ensure => 'installed',
+  }
+}
+
                   - name: Ensure aide is installed
   package:
     name: aide
@@ -2072,14 +2080,6 @@
   - no_reboot_needed
   - package_aide_installed
 
-                  include install_aide
-
-class install_aide {
-  package { 'aide':
-    ensure => 'installed',
-  }
-}
-
                   
                     
                   
@@ -3125,20 +3125,6 @@
               BP28(R58)
               Restricting the capability of sudo allowed commands to execute sub-commands
 prevents users from running programs with privileges they wouldn't have otherwise.
-              - name: Ensure noexec is enabled in /etc/sudoers
-  lineinfile:
-    path: /etc/sudoers
-    regexp: ^[\s]*Defaults.*\bnoexec\b.*$
-    line: Defaults noexec
-    validate: /usr/sbin/visudo -cf %s
-  tags:
-  - high_severity
-  - low_complexity
-  - low_disruption
-  - no_reboot_needed
-  - restrict_strategy
-  - sudo_add_noexec
-
               
 if /usr/sbin/visudo -qcf /etc/sudoers; then
     cp /etc/sudoers /etc/sudoers.bak
@@ -3160,6 +3146,20 @@
     false
 fi
 
+              - name: Ensure noexec is enabled in /etc/sudoers
+  lineinfile:
+    path: /etc/sudoers
+    regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+    line: Defaults noexec
+    validate: /usr/sbin/visudo -cf %s
+  tags:
+  - high_severity
+  - low_complexity
+  - low_disruption
+  - no_reboot_needed
+  - restrict_strategy
+  - sudo_add_noexec
+
               
/usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml	2023-02-06 00:00:00.000000000 +0000
@@ -100,7 +100,7 @@
   
   
     
-      draft
+      draft
       Guide to the Secure Configuration of Debian 11
       This guide presents a catalog of security-relevant
 configuration settings for Debian 11. It is a rendering of
@@ -143,9 +143,9 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.
       
-        
+        
           
-            
+            
           
         
         
@@ -153,19 +153,19 @@
             
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
         
@@ -173,14 +173,9 @@
             
           
         
-        
-          
-            
-          
-        
-        
+        
           
-            
+            
           
         
         
@@ -188,34 +183,34 @@
             
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
-        
+        
           
-            
+            
           
         
         
@@ -223,9 +218,14 @@
             
           
         
-        
+        
           
-            
+            
+          
+        
+        
+          
+            
           
         
       
@@ -2056,6 +2056,14 @@
 name = "aide"
 version = "*"
 
+                  include install_aide
+
+class install_aide {
+  package { 'aide':
+    ensure => 'installed',
+  }
+}
+
                   - name: Ensure aide is installed
   package:
     name: aide
@@ -2072,14 +2080,6 @@
   - no_reboot_needed
   - package_aide_installed
 
-                  include install_aide
-
-class install_aide {
-  package { 'aide':
-    ensure => 'installed',
-  }
-}
-
                   
                     
                   
@@ -3125,20 +3125,6 @@
               BP28(R58)
               Restricting the capability of sudo allowed commands to execute sub-commands
 prevents users from running programs with privileges they wouldn't have otherwise.
-              - name: Ensure noexec is enabled in /etc/sudoers
-  lineinfile:
-    path: /etc/sudoers
-    regexp: ^[\s]*Defaults.*\bnoexec\b.*$
-    line: Defaults noexec
-    validate: /usr/sbin/visudo -cf %s
-  tags:
-  - high_severity
-  - low_complexity
-  - low_disruption
-  - no_reboot_needed
-  - restrict_strategy
-  - sudo_add_noexec
-
               
 if /usr/sbin/visudo -qcf /etc/sudoers; then
     cp /etc/sudoers /etc/sudoers.bak
@@ -3160,6 +3146,20 @@
     false
 fi
 
+              - name: Ensure noexec is enabled in /etc/sudoers
+  lineinfile:
+    path: /etc/sudoers
+    regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+    line: Defaults noexec
+    validate: /usr/sbin/visudo -cf %s
+  tags:
+  - high_severity
+  - low_complexity
+  - low_disruption
+  - no_reboot_needed
+  - restrict_strategy
+  - sudo_add_noexec
+
               
/usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml	2023-02-06 00:00:00.000000000 +0000
@@ -7,178 +7,178 @@
     2023-02-06T00:00:00
   
   
-    
-      Verify User Who Owns /var/log/messages File
+    
+      Ensure the default plugins for the audit dispatcher are Installed
       
-        ocil:ssg-file_owner_var_log_messages_action:testaction:1
+        ocil:ssg-package_audit-audispd-plugins_installed_action:testaction:1
       
     
-    
-      Verify that System Executables Have Root Ownership
+    
+      Enable module signature verification
       
-        ocil:ssg-file_ownership_binary_dirs_action:testaction:1
+        ocil:ssg-kernel_config_module_sig_action:testaction:1
       
     
-    
-      Randomize the address of the kernel image (KASLR)
+    
+      Ensure SMEP is not disabled during boot
       
-        ocil:ssg-kernel_config_randomize_base_action:testaction:1
+        ocil:ssg-grub2_nosmep_argument_absent_action:testaction:1
       
     
-    
-      Record Events that Modify the System's Network Environment
+    
+      Set hostname as computer node name in audit logs
       
-        ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1
+        ocil:ssg-auditd_name_format_action:testaction:1
       
     
-    
-      Enforce Spectre v2 mitigation
+    
+      Install the Host Intrusion Prevention System (HIPS) Module
       
-        ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+        ocil:ssg-package_MFEhiplsm_installed_action:testaction:1
       
     
-    
-      Enable syslog-ng Service
+    
+      Verify User Who Owns Backup gshadow File
       
-        ocil:ssg-service_syslogng_enabled_action:testaction:1
+        ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1
       
     
-    
-      System Audit Logs Must Be Owned By Root
+    
+      Ensure rsyslog is Installed
       
-        ocil:ssg-file_ownership_var_log_audit_action:testaction:1
+        ocil:ssg-package_rsyslog_installed_action:testaction:1
       
     
-    
-      Record attempts to alter time through settimeofday
+    
+      Enable poison without sanity check
       
-        ocil:ssg-audit_rules_time_settimeofday_action:testaction:1
+        ocil:ssg-kernel_config_page_poisoning_no_sanity_action:testaction:1
       
     
-    
-      Enable TCP/IP syncookie support
+    
+      Ensure SELinux State is Enforcing
       
-        ocil:ssg-kernel_config_syn_cookies_action:testaction:1
+        ocil:ssg-selinux_state_action:testaction:1
       
     
-    
-      Enable GSSAPI Authentication
+    
+      Verify Permissions on passwd File
       
-        ocil:ssg-sshd_enable_gssapi_auth_action:testaction:1
+        ocil:ssg-file_permissions_etc_passwd_action:testaction:1
       
     
-    
-      Enable rsyslog Service
+    
+      Record Events that Modify the System's Mandatory Access Controls
       
-        ocil:ssg-service_rsyslog_enabled_action:testaction:1
+        ocil:ssg-audit_rules_mac_modification_action:testaction:1
       
     
-    
-      Record Events that Modify the System's Discretionary Access Controls - lsetxattr
+    
+      Disable x86 vsyscall emulation
       
-        ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1
+        ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1
       
     
-    
-      Set Password Warning Age
+    
+      Disable Host-Based Authentication
       
-        ocil:ssg-accounts_password_warn_age_login_defs_action:testaction:1
+        ocil:ssg-disable_host_auth_action:testaction:1
       
     
-    
-      Record Unsuccessful Access Attempts to Files - truncate
+    
+      Enable Use of Strict Mode Checking
       
-        ocil:ssg-audit_rules_unsuccessful_file_modification_truncate_action:testaction:1
+        ocil:ssg-sshd_enable_strictmodes_action:testaction:1
       
     
-    
-      Make the auditd Configuration Immutable
+    
+      Enforce Spectre v2 mitigation
       
-        ocil:ssg-audit_rules_immutable_action:testaction:1
+        ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
       
     
-    
-      Verify User Who Owns passwd File
+    
+      Verify Permissions on shadow File
       
-        ocil:ssg-file_owner_etc_passwd_action:testaction:1
+        ocil:ssg-file_permissions_etc_shadow_action:testaction:1
       
     
-    
-      Disable the 32-bit vDSO
+    
+      IOMMU configuration directive
       
-        ocil:ssg-kernel_config_compat_vdso_action:testaction:1
+        ocil:ssg-grub2_enable_iommu_force_action:testaction:1
       
     
-    
-      Remove the OpenSSH Server Package
+    
+      Enable checks on credential management
       
-        ocil:ssg-package_openssh-server_removed_action:testaction:1
+        ocil:ssg-kernel_config_debug_credentials_action:testaction:1
       
     
-    
-      Ensure /tmp Located On Separate Partition
+    
+      Install the ntp service
       
-        ocil:ssg-partition_for_tmp_action:testaction:1
+        ocil:ssg-package_ntp_installed_action:testaction:1
       
     
-    
-      Ensure the audit Subsystem is Installed
+    
+      Explicit arguments in sudo specifications
       
-        ocil:ssg-package_audit_installed_action:testaction:1
+        ocil:ssg-sudoers_explicit_command_args_action:testaction:1
       
     
-    
-      Ensure auditd Collects File Deletion Events by User - unlinkat
+    
+      Disable support for /proc/kkcore
       
-        ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1
+        ocil:ssg-kernel_config_proc_kcore_action:testaction:1
       
     
-    
-      Ensure syslog-ng is Installed
+    
+      Add nodev Option to /dev/shm
       
/usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml	2023-02-06 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
 
 
-  draft
+  draft
   Guide to the Secure Configuration of Debian 11
   This guide presents a catalog of security-relevant
 configuration settings for Debian 11. It is a rendering of
@@ -43,9 +43,9 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.
   
-    
+    
       
-        
+        
       
     
     
@@ -53,19 +53,19 @@
         
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
     
@@ -73,14 +73,9 @@
         
       
     
-    
-      
-        
-      
-    
-    
+    
       
-        
+        
       
     
     
@@ -88,34 +83,34 @@
         
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
-    
+    
       
-        
+        
       
     
     
@@ -123,9 +118,14 @@
         
       
     
-    
+    
       
-        
+        
+      
+    
+    
+      
+        
       
     
   
@@ -1956,6 +1956,14 @@
 name = "aide"
 version = "*"
 
+              include install_aide
+
+class install_aide {
+  package { 'aide':
+    ensure => 'installed',
+  }
+}
+
               - name: Ensure aide is installed
   package:
     name: aide
@@ -1972,14 +1980,6 @@
   - no_reboot_needed
   - package_aide_installed
 
-              include install_aide
-
-class install_aide {
-  package { 'aide':
-    ensure => 'installed',
-  }
-}
-
               
                 
               
@@ -3025,20 +3025,6 @@
           BP28(R58)
           Restricting the capability of sudo allowed commands to execute sub-commands
 prevents users from running programs with privileges they wouldn't have otherwise.
-          - name: Ensure noexec is enabled in /etc/sudoers
-  lineinfile:
-    path: /etc/sudoers
-    regexp: ^[\s]*Defaults.*\bnoexec\b.*$
-    line: Defaults noexec
-    validate: /usr/sbin/visudo -cf %s
-  tags:
-  - high_severity
-  - low_complexity
-  - low_disruption
-  - no_reboot_needed
-  - restrict_strategy
-  - sudo_add_noexec
-
           
 if /usr/sbin/visudo -qcf /etc/sudoers; then
     cp /etc/sudoers /etc/sudoers.bak
@@ -3060,6 +3046,20 @@
     false
 fi
 
+          - name: Ensure noexec is enabled in /etc/sudoers
+  lineinfile:
+    path: /etc/sudoers
+    regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+    line: Defaults noexec
+    validate: /usr/sbin/visudo -cf %s
+  tags:
+  - high_severity
+  - low_complexity
+  - low_disruption
+  - no_reboot_needed
+  - restrict_strategy
+  - sudo_add_noexec
+
           
             
RPMS.2017/scap-security-guide-redhat-0.1.66-0.0.noarch.rpm RPMS/scap-security-guide-redhat-0.1.66-0.0.noarch.rpm differ: byte 225, line 1
Comparing scap-security-guide-redhat-0.1.66-0.0.noarch.rpm to scap-security-guide-redhat-0.1.66-0.0.noarch.rpm
comparing the rpm tags of scap-security-guide-redhat
--- old-rpm-tags
+++ new-rpm-tags
@@ -799,13 +799,13 @@
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-C2S.html 833334b17b171431e94523c65fa03a3b3ebacfabda0c2f5dd7852c0d5a228b73 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_enhanced.html 742a99068c9547ca2c2085b911fda85a99ed742479fb0fe103e530fc8f9b6ad2 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_high.html 15a026a71a91d02f8e74b67abb7e787de7eb2075558614439ffd7edd366209a7 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_intermediary.html ffa9e85ad9e5713c80043c4b0f588612323c4cd064516e39d49e2270fc39ab53 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_minimal.html fea2849dd25bc5d08f9319691e34949b12925e9dc62ec30e11d8dabf43cffcb3 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis.html 17b693f3ed7428b7736e2081e6f94bdd8b6f65820ea07656678236ae9a37ee19 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis_server_l1.html 2494cd89e9ad7fa319cb06885d10fdc787827122299dab3447ae13784d173246 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis_workstation_l1.html 5aa15346b6b641080c791b08e2a020f89780361885dc29306e618e5c014e6c27 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis_workstation_l2.html ca641956d4d0d6cf9fdd3021ca8001ff3f49f7a6a04606cb4445b08a2b274996 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cjis.html 2d4badb5379a88959135be3de47f11523646181f7d9cea6458f2c4987b150941 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cui.html 4d4357d7775ff54d8e7b94931001c8574278d6c6e901421e84ce1278913d0145 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-e8.html e5ef8c3fc21ea5836db1f839c170f295b0e799d1a78285306c0f293a9e577678 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-hipaa.html f67492f73268bf39a5d4258966a4de1bd078e7c68656be3ccc105454e457cbe7 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-C2S.html 942d04e0ece2cfbcf3ed00c88e20812160819fdba6c6c978b5490f7acc39255b 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_enhanced.html f0df131201ad9a8ad2da4b8182fa327ff7ff5d5c4c8412e68fe0f27808e5cda9 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_high.html e41dcbe2bad26c441ec2de11ffb8e6386aa632f4730b607f6471d18c25cddc74 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_intermediary.html 75b72237329e4e013a98032dd4aa93f8e908453cae1f2d792c407c808efe0cc5 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_minimal.html f21101394a3744a24b0cfaed470a92946aeeb031b7059745cdf03cf661276d91 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis.html 6d0bb1460f63535690c667dbd028b2d9c13f77c177c2761a9592a95b85eafbfb 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis_server_l1.html 7fce7b78875d932f6ca1700e556cd4ecc2bedd5c6c8e9a0227b96d9323d9c81e 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis_workstation_l1.html f3da3f52e51d9b6f7d69db9efc65104f3e76a90c60cf7a24376c0389b077387d 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis_workstation_l2.html f6cdf28bccc618d646305f2cc057ef71eec60350e3d1a3e24edd44cf824e11a1 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cjis.html 0a432d4c6315306a93f0870cc128d185ea468045d32ef4966778d737ab0a02a4 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cui.html 043d6a54c894378a291cc9870b1a1d7828c811e7f0d3d3e07c6b6337c2d65ffd 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-e8.html 3141ad57f32f5ccb16fe7530b8b0c9fbf9201a3dd0dac0ec8b66b43a27e180f0 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-hipaa.html c0158adc86e2f468ce10e3d6bd14cc0e8ce4eb6adf372241b2e3909bc2cb0186 2
@@ -813,21 +813,21 @@
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-ncp.html 04b477713c72ab1d3bc63e349c28d214efaa5eb142f5d10b4de7a10a46c9634a 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-ospp.html 9b450451561675d36340a5cd4c98c5bf0e5caadc895c48b92015d92853be764c 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html 0df5ab2dd6a3f48385da60cebed966e8371c5e35f3e960e3da57163824e148a0 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-rhelh-stig.html e1a78b721e3820560c28069c1a384c594434e9f187adbf744074f23f4ef9a0ac 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-rhelh-vpp.html 85ba5fd2e324320f26ccd54652b1da2dc21cf92f26b632e41bba95f261129e00 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-rht-ccp.html 1669f8f3b66d529ddc85054ea59430d2b5c2806a1f26b80c9851906d0f11f967 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-standard.html a1ed5e8ae4b80c08b681825adbe177f3621cd0c291d4f1f9c91f723151866467 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-stig.html 5154ef6616dd6b4119fac5344eef78dee0154c9c7ea70608bf2ec0150d87badb 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-stig_gui.html 8e200f802332ef845ee93a94d6387bf6f25973e3119e23a76a0ada1bd17d2f32 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_enhanced.html 3d330d1d08ec55ec522926fb4108555d7f1178422395d0693a1c1826d6a093ba 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_high.html f65fcb19cbc22dad7a454b1a01ad4d1bb3e56aa93fc8484a84a773cd5ab14a13 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_intermediary.html 87742474e723be07cf26cf2fc32d17e7fcbced4cfc23cc42737619441ce96242 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_minimal.html 9423400c750ebd0d86a41f23bd455953d38a6076b69c7020001ffbbd826506e5 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis.html 2e50650c9c245eb83480d37eb087fd33fb9c79530be261890800522c4e37438a 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_server_l1.html 3c0581dd4f6a16f6e04810833e333295e160ec6192cee8573ff3ac31877cced5 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_workstation_l1.html eeecd5498b7ec8617691bd68a6dd8f1edeb0a853cc45aa7541030f03e97dc595 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_workstation_l2.html 965c579bfa61fe86f9057127b79f40ef7f75dbc8330be7cb2cf3622db7674807 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cjis.html 7cc1dc235ab6b617b8b0efbec5f053960bbede44aedfe744b370c86ff1b20c6f 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cui.html 5dabd6f274ba1be79597cee2e7703170b29a2a472a0e54ba56aa7ae242628feb 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-e8.html e375bfe66b29e96db9b647ab60baf7f374aad59f47113e4ea7ec8db40475ff1e 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-hipaa.html 2dee6cebf379b429ab04ee766da05172b0a1241a657d72a70d877ee5b83b8c07 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-ncp.html 39d829f5a7e2100ca0897059ab63ae0948fa4a4710de7d6045272e034a1e86c2 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-ospp.html 9be78e71dcd28de16029f489a91af9aaca9b0c876f4a1edda9a2ef864ff3306d 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html a88afd72cf03bfdcabe46d9fbe76a88e10837168c7937cec4537ec60f1b932a5 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-rhelh-stig.html 4480faa9aede0b37b8e8ea298e96eadbdf4cd860a253f10b32baa09bbe88c715 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-rhelh-vpp.html b08f1c9133718c4498fc5a394b0b6808eeb8e4f36936d374f25dfa52ff620f4d 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-rht-ccp.html 09a5250f61d65d6d453de06a5f7812c256f2dcb8fef709f42beed8bab5d75576 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-standard.html becb51f35b6244aa8b4ed841999a2a8cec1bf451fa8197b2a756dbaceb077f34 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-stig.html e2155eabdacc7151103084758675de8449fc4afb118bd77cb426cb6a6f36a19f 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-stig_gui.html 2ac800e08249396fc5ced779dbb6b85e57f75dc0f5d7307e51386959e9b5da8c 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_enhanced.html e0fb16a6bd978e2596b68313a5ee75df5d644cf1507b8e7324f77b9762702169 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_high.html b54c44a8772559d07ad849e4714086544dfa30c5ffe4d7d42b2fba406933f6e5 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_intermediary.html 783bd6ca1ce5cb0a6b5e771147dd458cbc4c4f2f08309d55527a0ca7268504c0 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_minimal.html 463ed17024717c08398d83939db53f8089d45798e169c8e8f05df78612845c9d 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis.html 28cbb63914c750d77b84f2465fc4bd37a52401a4a04ee4cb78e288a98d682b03 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_server_l1.html 4c3e3a60d0763e18d8ae68e7ea955e4394b989d988db6f1b87ac62041af1de9b 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_workstation_l1.html ab3886736e5fea4338f9678d548a9139dbcdc89c1f83f7ac74d705ed146fd889 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_workstation_l2.html 291731000b1c1f28a9e1260dc600eaa309e03159e53c91560d5301c65e0cc667 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cjis.html 09e3582816091b3388783c9f2ddce0b3abb9e9debe4be5fafb39334c10b70044 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cui.html f4ca93333bc6ea610d1e49480a6d3cfb77c3d6f549bf2ca19eea9ebafe30fdc1 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-e8.html 7ecaa8d0f8b25ad7582b02dfbc968966132cae13978f893d2e283d6efdf4d9cf 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-hipaa.html 6d82459e4ecb315450404604b824cbe4d24778d3f850f0d07608e300b71bc376 2
@@ -835,18 +835,18 @@
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ism_o.html b22819a969c1c1c084e656c1a1feb43835274355e7bcaff6e759ebc140be58ff 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ospp.html 1f51545d53e613b3d8056ed066f2328be9d98e8bd203139b058b63e67d5580c1 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-pci-dss.html d7eb83ef0451e5cdfc583ee618ca38e6e6b3d8a1ad30f89275158bab9b473484 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-rht-ccp.html b2740af32a14bbe5b1f6103d9229576d0c0af8c222e29519ed500e5c2e44d5d4 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-standard.html c51e95a3f780370fcc8322b0ce53343131243c4f49dcddf3f22410609e82f5d3 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-stig.html e84414deb4c3fb6558761903e858b11b41c15718538de3627a537b9c0a103b68 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-stig_gui.html 5e07b86037aaf7e9e0b1b2044bd145414f5b6afa2a89b333e5a579aca9dfdf82 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_enhanced.html f105520c3b24b98b6d17be585624b6253d8bade316fc1d805419631340c0484e 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_high.html 93b58ba77e9a415bd9d72f244e9b5f18eac91f2a46079566e0674ad3a2a45f89 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_intermediary.html c46757f396ac9cbfd7c11c87d41c9f2d3fe95eeb6d0ab4702659e7675800f4f7 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_minimal.html 240348a88e99501b538c5abe47f23c0488d76ca9767c897f1ee4e9c9569f4b9f 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis.html 47af7878b1e14a070f3fd2a6664d7b3107f9c198817ec8cf0ebbcb4795558a20 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_server_l1.html 598297fbbde5495c68bd6f40282eed553a87736229b5492672d712c4fd78a43a 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l1.html 75990ff97a4ee92a777d5857612ac39ffb3dc749579989984d63f53f9d22e96d 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l2.html 460f657f7ae63f25b0dfd508a4eeb69d219a6e51368c039644ecf0c411fa0140 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cui.html ef73eec0e1b768d7e269995bfb402e904883ed57e64c15b310649d345e421a27 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-e8.html 814ec859932116e3806e30aa0fcf53a0dd0a85d52fd5dc477d552fa4b801495d 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-hipaa.html 89c0512c19674ca7b19b491be788768ddd6c3ac69383d74618c88d6f7b39cc3b 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ism_o.html 745ffd13697befad6dce5ea3bc2b2f6e862eb7d83856c9a1ef718abcb452e6b7 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ospp.html 4f79ee45dbd2bc9174cca2ab2a84d791f3d607a1ee567cfaa676c8174e186a0d 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-pci-dss.html e2b45caaa213babaf777632ea7c694de57a73b3bb28f1670b2716d5237bcfbac 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-rht-ccp.html 230eb1c14a112cb80eb05c38dad07a6b1c73526eef43ee7c2993185a26bce45e 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-standard.html c4a86c3b3aa81150f09357b4b3cb57a9e6c6fe0c9e18389bd0c9824a439eb995 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-stig.html 781bcdab4e745af6218dabd9c58053f2c7d61cc95da89f14d2b4cc1809b7186f 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-stig_gui.html 4c31cb078113dedef65c8452ef246d97c7bf8f83540b9078563305b728c9a72a 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_enhanced.html 397a290e919e795ac5e5e3141deb316d2bf18bc2009ace704c1f2d36a933ce02 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_high.html 7435d97c43a7d935cff9ff7283b9142bb21cd3e64bcdb70c2584336d2ee36a8a 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_intermediary.html c0275d6f5581409cb6d5b9c9305052be68ef3e7ec1a253ae1d961b76b44787c9 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_minimal.html 2cc06b2a6f59d8e9647448c87e396f905ec3d8d25a184efadaa1fdd9ed377137 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis.html f396555b146449c6e3d000ae49b5d0490e383f6f4ede168b14e26415537cd13e 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_server_l1.html 606d77f576e1e4e84b92ae32bcf57f1712d37af54cd645feba544e248c97ea99 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l1.html b935e45a98439577bbf6263ce963247018b3338c4f25dd7c66fd30cf44325857 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l2.html 98493475bef16b231c01f411c7891117b785fed4613b0111a70ac18d44151ee1 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cui.html 786b17fad6cc58a9c60c5f04210a81a44e88f781fded116a4773651454c5bc5f 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-e8.html 166c01546d7f219939fd4481a9e6d0e2297bb53953ad2e62868a4e1c21a3bc02 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-hipaa.html c5161424ffc4c6069ade87f08ac6479031e1f673933b5095bebc391e1e1117be 2
@@ -854,5 +854,5 @@
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ism_o.html 4fb6ce895f7c44165d0935fc8be3cbaadc892ecc49d8f3076d0c4e063c07d7df 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ospp.html 95bd91529316fd80f4c6d82cc2ac9014d839da1e5fcae51becaa6d2a0a9b5775 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-pci-dss.html 9d0feffd961d7acee28f0cddce62ce34e3a57f966f7ccfbd2da357bbe9b7c380 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig.html 6562d8ec65244383b10b0ed34a2cf59c688c27bc63c3209dadaf1b2528ea7252 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig_gui.html cca0a44442dc68f2b54dafb7604ed70c86dd2a9b3ce77328a6fc53a04343d569 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ism_o.html cf246518cf856db2759a08ed672401cc897ddbf7c42c453387a4a32fd5816f9b 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ospp.html 4ebca4baebdadef0679b89d7de00025efb12d261394f6c4b227f865062bab2ff 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-pci-dss.html 6335c8abaa38755356d1f89b01bedff593048cec24dab14a90268546a215a719 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig.html 9847ab387776c2f9562b969cf85bed16003a12b33da1f12d76ef09e041ce9da1 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig_gui.html 0970bf5460f8a1086e22b22f7a22df5e974aa33454bc58f37d9fbbb7b059fa4d 2
@@ -860,11 +860,11 @@
-/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-ospp.html df1f50b0ec07ffe66ad87f1a713da4106fcb53f3eaf1fa3e84ead911dae9e59b 2
-/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-pci-dss.html 0a5d0bc500a5ab210157c373407265bf30061130a17bec39aa2e86e93d0b6016 2
-/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-standard.html 2d2c3cf5d2a5ede8f5bb110c739c819717308a5d132ea22e275996f8a90c80ea 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_enhanced.html 819bf32dc979a95b1e22f7aa0d35917f6121b365ae9ee163d52d08d36fe234ff 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_high.html dde59d3027cb39a7cee91c8866a2b2e32b39e39431372d2e81668a9f89194ff8 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_intermediary.html d6351cacd8487ab88222b70d8acf8ea8e21eaaa910a82666c7a5666b014d50bd 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_minimal.html c28acfb9cff17e77129768763303ab5b0a29a60583e5c181e482c8725e2ab650 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html 2864496810ea370f2737321c05a1536183d806607c5560cb8c89e471e8775afa 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cui.html 083363f8462e4afdb787ac1ed37c679b4091cc5b85d6a310c89cdab2f275c891 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html a1f6a4db591577ba8b471266ec8ea56f170039a0b1eab99679ff08085a09a65f 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html 7de4dc05f5f15ef96ca3be96a299924ae106c98b00001b0bfb4deb154e9e3ae8 2
+/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-ospp.html ea619b79e16e25acbbc6a23c078cffc69956794fb87d1ead3fe7bad6306d1928 2
+/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-pci-dss.html f37b83f6ec4bd8c6c4926703881fa5361d062a2c3577fc2df32827bb7da0c9d5 2
+/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-standard.html 6fd895e3520cdf4da059fccbf1cd4089e8c60feda1e272c271dff8d9e80de1a1 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_enhanced.html f2e30af30a82d3ad596c42458617553f09da7a217313df87ea9fabc667c41dc4 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_high.html 867e19f1f80a5f32376fd0417e4da03ed020f342d3d7a052a8b25872f73a2f35 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_intermediary.html 2834c7d30b790ba12b9c5e578b252de59a58edba6813ed3321a08ce39ac809b0 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_minimal.html 0e2a8d9b9f2f0d23b825be77fdbe4eda1a75abb55056d6d4904732aa5aab1998 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html 8f0d874e3dee484cafde828b98d17787d95facbd5ba9518bf825706001009709 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cui.html ce00a2dffa3a3bc5f327ef752034775188b5d40969a9b6f92b051e4c2667af5e 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html 4ef4f627a8a93cb5fc4f11bebae26641b2efc84eb74791813f74f1767f3bff97 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html cba0ee0bdd65a788f2d2ca7be02e4b05ebb0464e453e75cc732a3dd429749cf9 2
@@ -872,15 +872,15 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ncp.html 08aad2fb5cefe2d9af29ec9d86faa32e4d3cead0c4441c34f13bfb5ff0440e58 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ospp.html 7751666c35f38d6a646c43a9dcb59df78f56f43298a80db4ba188c578114e6a7 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html c42dfd47b91e06dd4fc0f85344fb39257401c8b06cb9be9c799b4070b58cc258 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-sap.html 5739340f99ff1434d80df9aa35477641ebf2b5e4a7b6c93858b8d0511bd26c58 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html 844a14a87e5d08795cab973d969869b622109c71bc6bdcfe758b5019b75790d1 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig.html b3b10d30900d0ab31a7897360bb6a0390443f69541d458d078abe6959b401e92 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig_gui.html 3aa9d38478e61ab862714194c299868d5b4a582306a7683cbadc9ee51c864e22 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_enhanced.html 499f6997a1a4fcddfa393f9a1a2e43bd7b9d2402b89eaebb5289d86713210ab7 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_high.html 91db4ac5b1637f8d4fe06fdf2544ac64fdab104657723bbf03b0f3198c8d8357 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_intermediary.html b74f913e892b1c968a5a0ea442343bf2651bc6734b011e91d557666ffdccf6bc 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_minimal.html eb18cd11330685ae46ad008d724918a0e61a18aaa43b2f1c0ae470c5f0453390 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cjis.html c62fc9883f50b44ae7792129dc2ce5397120fdd068045241db970dd24dc9e2c1 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cui.html d2d211afcc84ad677f3d9079eb8e20e7126bdaa08e805073a9c0c1991fd2b95f 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-e8.html 7da21c3a2ab946ad1ae28427fcaca0221ad5fcd8710556cf9ee03cdc22cb343f 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-hipaa.html fd49eaeeeedffd60a9c5974f62c4d9959be2b7bcc7839a7937e71e1a32d79291 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ncp.html 8bf52093fedb04f9bcabd15562e6cfe9a997fcabbdfdc17f3e3c572c565736a5 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ospp.html 3f2ddbe31525377d1ba83ca040a25c45510b8d5e745bf4e6a92add898fc43868 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html f41a833a507f78283f015d27072555bd135ce476624ea17b34e723f2d4204c61 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-sap.html 388f620efc691c4a9f131901705dea21316b360fc1e31acb11db6ce15231da6d 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html 91dd7c61e14f7476045f7a088bcb5205858015882146908235f75715fdb06307 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig.html e44fa87bb1451cacff917d6aa069e36340854261c7f74a6d894c6d480e11ed83 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig_gui.html 48650fbf6a6bd85ac0511871db0c8198b42ac593375fcaf5e3456689fa4be29f 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_enhanced.html 28ec363cac7e2d5814081fae9c1870a81f394c96c4e463f2d805e0043b8bbe43 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_high.html 82534ca3fa6b0a89154a0ff5dc3ef14ede70bc5a2742ba7ce8e6eddfc3d2932e 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_intermediary.html 4cb9c2b77b1cb1f08268b90203467377b7cce578da548694aa790fd49c3b3e27 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_minimal.html d37ebe6d217c3bc69a1ac32afc912f20426a7610ebf8bf4aac94d18f79eb9756 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cjis.html d9284ac7f4a4d41bbb140ead7364c9812445b9cba6f7378550432c4c759fc164 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cui.html d25b10b01c27762886fb6d636303d12e135ec4a5118b1edbdb2944552bc03495 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-e8.html 0255364dc12767da07b49eebaec334460516aa13a8f87d5f691176d0580b60fc 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-hipaa.html 1cb71f19b7710c714862fb7a5c2f2a9388d5562420ccce2026b40d53e978d3d5 2
@@ -888,12 +888,12 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-ospp.html 09e5efd285088a165d4cf212774e2f5d3fe48f39f93ec33079e35d2955e5f1f0 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-pci-dss.html 10c9541d1f6e3062758e53b52bae10d29947abf898ba75553b669ea8112f6f14 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-standard.html b7bf2b45397e31f9911167986d9ad600bec96fa0373653ef4e5c7e019e7fd336 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig.html 1206c9aa102d8709a84f688832b7647362c31f083f80c393727add593462a22f 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig_gui.html cb6af02a109c3ec077dd054e4b2405030a94313355d40f034c91b89e9765ed7c 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_enhanced.html e19ca46f90162a502cc73cf11719bcc3dce326368c4420c6459b07c5de06b217 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_high.html 46c2aa7ffbb48f9ccc28f0aecf19e010039bc46a99ed07c62621f36ba9d67ff2 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_intermediary.html 199b3f4a36bb6aeac635c8d55cd438216e340565ee6a4ef5b08a0a713130ce15 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_minimal.html 12b0b77ebff7a75e5385d149c5914cf01075bf3dff7bd518a52b49f718bc8255 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-cui.html 5a05183328ddd6b56fc81b7649398b9b5af6a30faab976b0081b762e65fbcf90 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-e8.html 01e5639fbad2d9a6afc26c3a690fc65c3167765b6d92a25e100d9a2643094107 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-hipaa.html c39102ec4831fced48b672d9d481a46cf26a534792d24cad12594f1261b6be67 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-ospp.html 6a4845cf32456e9d7efe4d743bbcb799af34fa59dd45ca6cb7e5238a2308e58b 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-pci-dss.html 36a896872b40c0d146366f5a469912cee9a9ce992963ea943bcb8a7455d2787c 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-standard.html a9c81f304338b7946b745c2e3573dbfdb2d4de9a07b1f1b99a094bfa580d6c1b 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig.html 87ef93690cc2c230f034c1b3e5ece0076a106148f24a28a2ddf453716108b41c 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig_gui.html a91b7d9347fcae32e9cf268d49e8fd18de078e132c66b7cbe12f967ea2b2d6c8 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_enhanced.html b38c01939679015546640ef95699fb2736ad3026af0d2ffec72b89558e9e2828 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_high.html 5743d921ffe58108741494c33c4d583be9578c404276ac58535e7b8636fe151d 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_intermediary.html f7cf21420a77e2f33a1cc1b2a8feb0e4ff9b3083aaf71ba920b4470f81ff44eb 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_minimal.html 50360c7628cbd313d22b6f46b465301dc59433d15e2cdc0b60b71c7eb358aa4b 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-cui.html 225dfbcb17699e707ae0f731f2d7d08f031adf0dfb7a3e75da2014aa5411517b 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-e8.html ad718d98c4a1450869533a9d32f7e8b81ed1939aee3e5f04a56f8780407a6f84 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-hipaa.html 74e2e108750f40fb568f330f9e9e02873cff433d87742e8ca0facce96682921e 2
@@ -901,11 +901,11 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-ospp.html 2bc619d1248d6df61babeffd09485ad17d8a8d2f1ebab73391c147f071e41932 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-pci-dss.html 7f15384742e0b4a8b3cc619c0c4078d33387eee153eea96a36a75efaa6ad571d 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-standard.html f4807c76999bd13fa428468c8cb3616c84275244b7364d17bcb2b76a6adac895 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-stig.html 3e7eb8e1e9db8bd6dacdcaee314dbbdb336a5854fa7cd69d70f8765355db34a3 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-stig_gui.html b431148789ac4b5b7e0737611fabae809a49f8a616b93f27c542f648163bc763 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_enhanced.html 9493d6d447757f30c71ce74adc9151b23efe32df24190e564d196d663bc72576 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html fd089b09bde6622d8091a86a5ba47d3668006cba583a941f9867c23e0b6e7e07 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html d96e26a8ce1e9ea9861d8f433a925ba419e476766c7cc0ab9dc52bd3e356d2f3 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html 5cc02d259a55dfd2ed2f7709f0126ed8269b29fe68d4a8ad983aa694d517e0d1 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html c5f50cc8481e4b8311c26132a1b1a640fee765b95b666a9a057e6901a97d7528 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html 44aa0343d7a06448a0127ee468e86c0327ee177385ef60a44782380d09b861a2 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-ospp.html b60169a1665840c202bb58444e9bfe36b02780e56b9c09de0f0b57a8964da1d6 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-pci-dss.html 3cef98ea67c855cee8e35d6ac35df0239e84390e60d37764ea16313f28d169f8 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-standard.html 5e2ce9b0f19730a3c2366100337ebbd5874ac216931b8907b612476d459107b5 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-stig.html 9371015715d736ff43e0f028b1f6eab870ee2f45e3a6aadac61f78ab7853343f 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-stig_gui.html 1c15758d78fd8ea5e0e622366bd17d895e9648054d970700504afbb80e9877e2 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_enhanced.html fb367123332f14110ccdc512e75fe09308792152b206d4702fa6e462d9530119 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html fea8c2fbef0ed009668f38bb8daa278b7e7100ed9604183dd002fa18c7f53561 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html f3b83b56d15e70266ddb250d2511683a3bf4cafc76875c10b8d3f09dbf093a8e 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html 23d54a05947a070ff4b2109f73e48af1759146c19a140bfaf64d5ca445986a8d 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html 6d53c3bc0dfc5e3f689f3c8066b415ae303d6ecd0b2f786de3c9df34e12708a0 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html 7fa1c4e2b8ba36d8e01322ec46caea4695bcbd2b983c3ff19b98d2c52c768f74 2
@@ -913,15 +913,15 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html 5e907f4d85c2f1805df6b2471842908e382b8b0c23b1a4e499e15d7e7010a45e 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html 8b5d281ba0dbaa8809d766adc6630e0bcb26c8c93a0d63031555121c42651a34 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html ae7388b28c290d3c674da90b10f8e76b8f90813fdf4572566d00d484169b38a1 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_enhanced.html 33c76ddb33245004e89bf2b5714615ef2d50f630bea0f48b6dc095be321955c2 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_high.html 166bb078f55021453b4bb79cafe4613ce00f668deff007216e7e32fe95e0fe12 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_intermediary.html ddda6d32233f910a147396f9bd825c2d08ef65f23d8204874cdd0f91a7ceccb7 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_minimal.html abc2e13a77fd5effa214707d1f7781f18ea26f37105c98409119ee4a7411f650 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html 2378f70ac51abfc099d8f2e595d9bf3275db0deb7adb51d61516a13d3a418257 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_server_l1.html c7c66fbf377b6ad426c8676dd8de45f2ae7a4ed0a76ac83ec1d5031c43a79e3f 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l1.html 561c9341f96fbf62fb83bace9e9249f63ba107dc5d8e3abdbaf1b2af742607c8 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l2.html 9d72178b8e0e6654200fc055c928acc27dde23385fec898e33ce4907bbe1d324 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cjis.html 5fa95d0065f240fb69f01b4d581c08ef2c72f1f7ec96928d4f044472457d7ef6 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cui.html 893c350a0dbdbf2e1cb3f2b5130a9dd57ebbd169798347afce605a5e024feeb6 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html fe67cd16cb4116b6fe420149334485788c6e4ee8249aab225a431472c486d5aa 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-hipaa.html 2a89e91632e3c2431116a5c50a59157cd96f4b4ab8e0f311e9de26d89dd895d8 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html 47dfcbe40f0c5025f9b3788f5478327824aa6f162cd3b209186bcb7322eee931 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html 488b88644cd219f1b0b542bff6e439a424136ab00c905aa94aceb06b8efd1986 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html f2ba38fbc00bd372362ab55a2a224199bee9da2d84c0624ea6b64a02793d6a2f 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_enhanced.html 32a20a6d0b64dbd8ace46eb3f4435c7b6f63f103736bcb29adc0bd291c87845e 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_high.html f310f6d74164d5c0a1f321f65dab5280d76a196f709239604fc1e265382c79e5 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_intermediary.html 06b2aabac4f58721a2498802892cf7901b9f3b759197324775b91e858f482333 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_minimal.html 215d47b8ffa6a9a217b5d9992ab2da2a6e7e0008f1b1c5393d0a3f13a195e344 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html a80046ea5b9933a536567b693d9768cf2b519486146137cfc9efeb05164f3d3c 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_server_l1.html 9ce45b178bdca82e3a7c352d23e9030b2e98520d4dd9acd9b11927bcfd537396 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l1.html 72f445ad7a3de5c858c639754bca974e14ca069719f599a9b3a6e4159e9441af 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l2.html 1dd150a45840dd66b55e2db9b5d76c4bb7219f705015037d9d5e739def0f4128 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cjis.html 33340ea0fc71c6360057b949bc2166df8248fea73b79a836eb625363c6d72f75 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cui.html 63f8718a584d94b6ab7ecdb781ae85f8ff6103bd4315b4e432ae008b295175d5 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html bd520f3137a1dcb6a9dbfdfb011be8a2a17906ce20f2787e32dbb0447fc1c342 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-hipaa.html 213eebd46608d5c0770edc7af2913e4cff1cd02ef67ae7d8a5860f4adc81189f 2
@@ -929,21 +929,21 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html b99468bc6ac8719a7721175f940e54a94167c229530752e564bf1c83e7356f37 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ospp.html f7fdb10446c38688c8f81055046ab40839bd80a94342fa23243500829ab0e6a5 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html e7c1d4167be06c9fed2c6df03d892ce64aec274574190158cc224ac847ec4cf8 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-stig.html 95f1648e3a58d093efbde8ee0de334d8d89ef35c59f0b6862b40d4346931e1c5 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-vpp.html 04eebb21833407e74202a78afa1bd0b81b6261f52b124c3328726a67c84ce70d 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rht-ccp.html 7c40d0b8bafe7da136b584fbea39daa7ef77a13dbfb6993bf4cad0a2513296c8 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-standard.html 9f85251c4150e77bf9616717935c8d804959b86c6746a1277e0758a0f1238ec6 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig.html ab8e2b902ff4556c52b850f6cdd23b84b9a9bbae21b4311d8c1eea8aaf6b7dd4 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig_gui.html a33d07a7fc88f4277381a89caa257a5f354e3b307b09c5756b3ec89cbcd10929 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_enhanced.html 26e69a7d3b3fc70b4f71b9715744d4b884d6e89ac61cfb628e229084e01440da 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_high.html 7039e42f587e1a7199690042268dfbc3ea022b241a933a3660480d9dde455190 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_intermediary.html 910d441752b6197dc776854bd33488f9cfd42c3b2847f6ddbb05cbe56a179c43 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_minimal.html 78283a561833e4f2030d89ce3e5d5c8e814404fd03752e0760c2125753281942 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis.html 27cfe4cd261092b7c7b5a8ab5400a10c85ffbaca0a0fa3cdc28c2bbec456053e 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_server_l1.html 8c51f85cfac8a0d8349f8e4314b36166a55b5f6aedada14f4147963d56187a56 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l1.html 429072cd40c930e10329f63829c4420896584a20d8e0d0da7fcc821ef863cb09 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l2.html 613a83f9181fe92866b8f5b8c5be43578329ecfc0f4172e33f15f22833dad36a 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cjis.html 1655e88648a52aa63599b109476b4e9f8c2682162fc6b82a20c9e3e5a98c63ad 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cui.html 51e934ff6afcbda5ac208dbd8c3cf2ef5e2bf550d01c2afef8f839776195183c 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html 987a3100924b0c9e36680374c25c3f40568b15506731f5d058decd642a6ae3ad 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-hipaa.html ba602ba1f4b15119443008f6eeb83840944b63ee500502d2c5c3a0acbf85d353 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html c54eefcb2f7bcba49ffc9e03b21973fdef6e8836545fe5e2b12e32219603f495 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ospp.html 3d8d1b2831706876dea68b56fea12dd428ca0489260b8d14ae16d7ca974d112b 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html c7640ba004619f6933b3da7ba9170ee76ba901e814a53d33cb917564e7077634 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-stig.html 13a24cbf4974d14fe04d0f87f48517849bcd32c92471a25708a15050ed59df84 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-vpp.html 80e064d66a3f2c5b223fd5fb63a98b074227e1b6e5a29903157b85113223e697 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rht-ccp.html d2fcb04cd55d797617b9658b80264d8d4a4e8b37a89be04228205970db0958b4 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-standard.html 8bb3f0e107f9a745f66c9105b32ff40d1ec34bcb9262f66867809eb09128bb05 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig.html b4e32e16aeb45e910d0ff7327eeaa16244425185abe9a786d8a3087dea2d446c 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig_gui.html b6d2edc0d35b239187d0652e51b6bb1b6421bb36aaad0601bdd2db3f24bd94db 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_enhanced.html 720f90803cff2a63904d3399033b5019b2c83e888408b2d9062a90659fa55b29 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_high.html 0c3835686a17d27b5cf69181224c3fc025881f164681c7e9042ce173e2388f4a 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_intermediary.html 01b091c39724a5d296d56f7593c9ec4337261b4da36d7bf5d7c4893b49fa900f 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_minimal.html 677063d676412a1f1a45eaf97be9d7397e77724c9c0ceced5a44299a94182a82 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis.html a9ffb0e4927bae149d51941df35ddc9ede3c720f60f505dfb0cd671fa65f0c0f 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_server_l1.html 1ea35dc6ab831aa63975883d7a43cd6f6e67dea5f5e5edb154c4d98e20d3fbcf 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l1.html b8be8276f54269757af1926440150b8bbd264ee87303a0135b2024601031af71 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l2.html 4ee764f61df13ea1e4647f50cebe6de74c84d448cf2cff25d36cbc20926b8d8c 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cjis.html 48e519f57396443aa3df37a4b31b7421af230bc72b10e4878186dbcb765463ff 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cui.html 8464a7775bed491e9333a3f0aa08adc825a2e0c6ffeef4458e199a449cbae8ed 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html 2bc53922c542d87177079a228e60be64f154f1903aee7631ee7ec6bcfd63f6dc 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-hipaa.html 5bcf2d0eafddfb4813238191e6dbecf72281a01d2ea843d8ebbef657c7ba4267 2
@@ -951,18 +951,18 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ism_o.html e00727f3e426cdc16f959816ca51c5c15c55b267d672ab35c723da8a470320e6 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ospp.html 325c65bbad54af2fe1587d9c56b86908ebc1a8100a282d777fb0d048b7f5dcd6 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-pci-dss.html 5cf6caff02806ccf81bff34839662d5a67889d9ef96074e512faf87d19635a90 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-rht-ccp.html 47c4f14ed4d0b21c557913cdeae92fef7836b8b88a145ec7a9395374e3cf462f 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-standard.html 5bec0b5c506f668023e8efbf8a41a7cfa17c7a7243b9268bd2e0f6d9d5802380 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig.html 4003ced676a491542d900153a7f6e1c9af6b5332d934c274d9ae29a2be85d6d5 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig_gui.html 61032a6dd84c52c89deb21003ae882b549f603ce727bf645d819392771cec439 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_enhanced.html 053be717f26835a6704cddbffbd544d654bb00501220fdd01ea0c62c65860b86 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_high.html 88cba4230d197f15cb53ff3764420e2fcb1a85bdfb42e0b153161753c138ccf1 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_intermediary.html 06894730fea25349a0a3e7f1a7673724aacbb4396bc1b3bd29dd5c290820a28e 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_minimal.html 25a7cd9c4d62c67a7eae3a27535120d98fbc9073d1de80c179caaf14e7213a07 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html d1ca34d674db3bb8d441a7e4dda198018c0fdd977e29ec872a8026230870e0dd 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_server_l1.html 96dcbe6a3f99afa17777fe3ce057a5100c5de9f2f844444443fbc4fced3b424a 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l1.html f490df475dab79b3e49821286061b7ec1e5c031318bde7cc75bad6672ab6ebf5 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l2.html 2ad75690a23f5348ef92e3ef12e31edc3a36d0ee36656f6ddcaa5994da60fdb5 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cui.html 4edf97f540183826053595497229be55e3a94a5f8905a84f7b17d64c5a6c87c6 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-e8.html 7e635aa566f8d01033bdaf6e1122f6f39672b05e0d0738ab5ee0451ee06f4cc6 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-hipaa.html 74528dcd393b94ae51f783fcfd4d853fe050570d07a1dd240f322f1565b95178 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ism_o.html 095e404d636709d078f7ec395c86d0207e7f33ff3aa3f6e0cb2e651526b860c2 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ospp.html 825bc01fd21fb5679f22dffae544e7d7e5e2cdc90ff69955231af452def90e91 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-pci-dss.html b3918f2d6c0023787a6aa8af327a4db5ccbcf14143c558f60dac5ccad1157690 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-rht-ccp.html e4677f8fc49325c2b12a8adc55c05c2dc32de23202b77cec08a287bfc771dd1b 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-standard.html c9dc4711708b516e96efd0d6869a75f165e88fd241e2a4e58b495dba542feafa 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig.html 59178ec066dbd09bc768db61a1304384f0f374abb6b79a10c374a921f01ff6f5 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig_gui.html d48ac4d50844d47e927229120312a869c68ddf9c27b6e302a67065a7152d3fbb 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_enhanced.html 0e9a762f050b8b79a89ffb318420db958dfc3a582635c3841098e3a6485a26ae 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_high.html a750fde99db94369a5dbe64cdabb9daec3d851e474ec82787f961a7b0611e7a9 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_intermediary.html 1de4421724bc96b3c6ee1a4a96f86e1fa66751947f2235553fded23bb659ca52 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_minimal.html cee48cb7c8fc264a5475881bb23acf3471cae987fa45885fa3c3ebe19e06bfb6 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html 0b055bb34f137114b02021f26589d34b9abeeef0bebcafe6ff0ab3c73d0c5657 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_server_l1.html 461458cafd66c97129d1c313ff714c41b39e1cbab1d1fe68bfe5b81ed0a3a9ef 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l1.html ec410066864f12865135da758e3aed6d86aa139163f7c38772a527d8c09767e6 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l2.html e273de1020f37ac377714e8e23059608adc2c8523343625cee1356d31d7c264c 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cui.html ab92e6387b6e5897e5c65852da7747ae0f8580a0296a2cf605b6692f125bf322 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-e8.html 7778505e3c7991bcfa46b7ef554da73f2ba1b9cd41f882739290b12f436b4c49 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-hipaa.html b90fc75099eb776fe98022d1ef0e919af70d30582109290c8c694fa0d073459d 2
@@ -970,5 +970,5 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ism_o.html f4caa85a9eb23dfa10ce7369a9a028254eb1055850437d343e4709ecc0506302 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ospp.html d49db5ff9725fc8694ec74f991239da58f7c188d20f6a1ee52b06deaa00f5743 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-pci-dss.html 1c3fd884d9a8900d2f2cef06b0bc3fa87ef28170d5542e1a935bc5a6e6ecea5b 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig.html 1a9e738fda58ced60a6620207a1aefcc2b42834215f9252a620f16f0a1b511df 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig_gui.html 6e01612ebb9bb9747d3b542b03a0a1fdfa82debd40bdabe8e9434a86a0d53a2c 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ism_o.html c8ea1999a6b0a97a0a3b58cdaae8e86a5ee164ec399b45585ce67982aa76306e 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ospp.html 86f110a579f106e688b9cb767c9092b04c124d1693bcbe75b59d74c725c64455 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-pci-dss.html 8aca860bccda030eea1bffc44038e0abcee8d1a34e6c4b67ba6a11d61ea1092c 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig.html 0c65bfee4b9564f701fadbdd973d8707221d3b5c52893a5097d39c0b1616d7c3 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig_gui.html 0d492d6cd83b0a5a88f3cb3e830bb00fbbc1039ddaf3c3650877971f0d2b850a 2
@@ -976,3 +976,3 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-pci-dss.html 6039af44cc883aec90568bd976bb9fc0cab767c4419b2366b478dec9edf0d1fe 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-stig.html c0ec762361193c06df3f595eef7cf170633ec464a2e370686696b0efe01a675a 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-vpp.html 6deddccb8bd41806b28bbbc11391c5c0cd5fdbacd6bcc0040a2da256c952097c 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-pci-dss.html ce87a67cf7cf48bc5a56c61fb51ed799864cdb6169201969447f5c5f54203443 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-stig.html 7db0dea867c831dcd9c67344760fcbdcf33e6b8ca7308d53641085628517370e 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-vpp.html 8cfa92110ef446bf3a0a39b72cf1e41caeed46b4cf367ba853a044519ed50695 2
@@ -980,2 +980,2 @@
-/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-pci-dss.html e48e71fcbcd44a53e7898901c9754f7493d4fabab9d0f0935099739b2f5f7b84 2
-/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-standard.html e7d7fd04ea4750f2f49f051e78673f49984abe49d2cc95e410e8fccc96380b25 2
+/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-pci-dss.html 7d888a9efb8a33bac9a02309f44e468368e41be970f55f830dc2a63c4a278787 2
+/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-standard.html 2d507c7d3a9bf272c91ff8a731cc4e6ab79b1131d2412055bf85edfec57e667b 2
@@ -983,2 +983,2 @@
-/usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 731936a531f5cb19a3f3215341ae18a85771dc58e29f72bbcd69b0f7d99bf297 2
-/usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html 94814ec5e5806dc0d5e90c587a3da701acb2b96a0a72d4ef040a4c64989c0d4b 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 8134c3d0f597e04fb5660499b276e8879310321a78313dab257f5226825ee2e3 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html 06937d67caf31600ba08d0b21210c4d64531f138d1dd3ec1b33ca5aa78429a0b 2
@@ -988,3 +988,3 @@
-/usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 1856c76f03ad75945f98a0878737538b745907e170a3840050d36f32986a0cf3 2
-/usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html c3f5073b95e59a262bf840dba63ec98142f61c8552bc7ad0a5b15afeccb8f355 2
-/usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html cd6773fa49f3968b95cd6d8801158b0b5be9799825111227f96a996ccb67d71d 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 4fe8d225bb56906664e930e601ca9c49a6a908a6afb2ad0c2ea6048efe2a8815 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html a147d6f23d2822e6537e7a3d57e1b9b3f096d2ad25a8a25857782abd74092942 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html 93ddee08abc9fd4528ce26a8e6491ff992d27f92614161970bc104d74317080c 2
@@ -994,2 +994,2 @@
-/usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 462d130cf2e3a0e090ef623a37c3ae8e42ff41bf3c8bc42e1f44bc8077ce40a0 2
-/usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html 679f812feea9ad1194ffde0a5a555f2b52964dec69edaeaa7c549f10817c93f5 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html ea3c453484c3013bf4004a011c1df40fa8b7a03b9f337fd90fac73638bbc0ffd 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html 172d35464f5d04ca6d3080ee2d9d94840b695d4352b3d14803e9db2c836fd327 2
@@ -999,2 +999,2 @@
-/usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html 42383fc84c8ca316652e51714f392a46a53e8097c556d8b3c805c08cf0f7e325 2
-/usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html 5b580e3ed0c00afa45ddb9351f071a16911aa22a2eeac58c6bab8c824b836a53 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html 68014bdb4f192956306e7fc7b1844ac1efa676ee5fc420686334dba95950e878 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html 7e675490480273784e83f349c269ad2667423997af221a35739dff16b4280337 2
@@ -1005 +1005 @@
-/usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html e20ce98ddf15e14a9613406c9be08e935eb02c2d2075111d3d9af37e5ccba066 2
+/usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 3b782428fc1a3620de71ef04044dd221fde7293ffae2ed12d94e0eee015e1d15 2
@@ -1010 +1010 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 5e9350a2266a6e2da84e20e4dd6a152f8e05d91b98b04e815c95d59a367764aa 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 7025e96796f01a4701e179b3e037b5c52051a7d743ae13501dde881cd9eb866c 2
@@ -1012,2 +1012,2 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html f9ed8e357ad2cc8422f9eb9c6817a4c1ced095817bf3e6556ce0207a13407d1f 2
-/usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html 30783f6e56002ebe79ec38c182fab212ad7428d82a94f5e779a6e385f18b01cd 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html 133661a92ea8911356d5da830bbf4b2293668f6cce56056f066288521443623a 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html a275a99332cda9112a05479953d9e62e387110efc2965129881f9a926ebc9869 2
@@ -1018,3 +1018,3 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html 4b65c92ad13d29abe567f6060b0979b82b57485c55a17622cee642f9f15144f1 2
-/usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html 3090191e4a0a1d1fdbaed3165ef3afcb82247480479320d4e8abcd3e0d77ab24 2
-/usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html fa064501dabf3a4834a1b43d8d91c919873650b97bff66a83d8f31b9ba9216bd 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html f0101cc168224b6472568f2d29d912fcab87a16ca6c4c6e8b7e17603b7f221a4 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html 49e5c07038b71acdf0767af9a6c1879283bafb008038d3723084577462df6ec2 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html e8c223c98ead4ac2323ba4e119485dd90c50cd990382401a3ac5aa87c3b483c5 2
@@ -1030 +1030 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html e1662cc0272ca2ec6e08d78404430405a6144120a4d8c3938c28631848d94fb5 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html ade97d24bba713cec43b4c9410c408317f19af1b95cc297f17828c429f6bd7e6 2
@@ -1032,2 +1032,2 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html acb0b3d1c1377181ee48eae094f817a49d0361e6358b2d53d65a24007b358c75 2
-/usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html e5678fb8146ca562333c1b094b8bd5955ecf80ae5a1430b8ed127728dfde1d45 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html b59c3cac48a398779606b6fac53283400a35dc91df964e1cbd41ff6d3fd970a1 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html 4d56c2d77ff6d74e06b24fbdb07a5f31b66440c7b576ac2675bcf41171926728 2
@@ -1037,2 +1037,2 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html 4d27893dd499e50d64bade8c038ca704093b27213167a452be8e67a0269cb9c2 2
-/usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html 52657ef4dba0eee255787bb75990d2a52725a8854123ea66881a699e259fff81 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html 5a7f82a25243e9a24aecdea4b5684866eab2492ec7dd5037c98817a7ce8b5698 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html 5040689304bf34d4c13ecefec153dc0b541d459aac0e7caf4028fdb0d092e770 2
@@ -1424,2 +1424,2 @@
-/usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml 3251bdbd26a96abac5f8cc9e3f5419009a3223b7f1a4c69a906a730fe8c081d0 0
-/usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml d5d78ac01f88eb2550ea952ed2421904fc078689a4b4518a0361746a107452f9 0
+/usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml b5c178a221a5f7dc4957f5b4b91d6afa2ac4e7200c08bd56109a9968f394bff7 0
+/usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml 9a7a45528ce979bf3dfde41b6ad967feb3c3dc9865af578c2057b2b8cb9bd37a 0
@@ -1429,9 +1429,9 @@
-/usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml 08286842da6ece6bea9ec6e5179a1bf2f7c3c166dd29118dd74076bb6b231a61 0
-/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml 9da84cfb46f7898ef446f87ab6e9657d342516fb1d53ca013893ffddcaa15eeb 0
-/usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml 803eb00fcd4a24748596257b313c571ab14284ec868773d99ec24d7f906854eb 0
-/usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml 5fa4acbaf40af0444dcd0ce537be9679c4a77c6df0c2f71e7b8d0bf13a1283f0 0
-/usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 140dbd644cc30be35f9b1347bf3f86a96a421fc8a956fc885fa9e3e44e2e1438 0
-/usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml 7071dd7091cc4d55926d8b7d0e6e832be5a6c47bc9a2e62bdc9d4fcc6dd8348d 0
-/usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml 5f69d2a6759977e5b7bb704a48da8bf80f4cf20ad55b222dec64a1a1648a8f0c 0
-/usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 29fd6da1f2c5cc91657e2b71ad480f04f6b7359a076177b81bd1145dc687968c 0
-/usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml da624d783ec8eb67d4f7090e6b12c85385458b465a08ac791585e6b0c5616609 0
+/usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml 7da257c191277a689fa97dffa5d9905e381e506506bb4410c955b780e579c8be 0
+/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml 06aafb758c0e5265e8044e412420fdf34a0dedd5937ef2152d00bec74c6c7acd 0
+/usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml 97da389f78edb1bc1750a75ad789db20a457850d57836fbb176ae49fd5c47f88 0
+/usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml 670064684fabc78c992ee6a854349c4a45a626286bc8876e591b39184a3c77bc 0
+/usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 62d7de51db812bb2a8873135093a3cacab76cf62651d4377e3ebe7ecc9d7c17c 0
+/usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml 1433da454a754a947b699707a6feea4055e46c9c34708e22f9e12dda7047ebbe 0
+/usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml ad4a63ff048750362303363b3f9cecc0daf6bf93eb0e97f762d79950525bfa60 0
+/usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 49f6dd5d1a38a204a47cdf61ea2f217ea681b86c0d68a3a217e75ce358d33cb9 0
+/usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml a5e7f3091ee46cc762d12d9e5258102f91724ccc8f498fe94db5ee97a883ec3a 0
@@ -1440,3 +1440,3 @@
-/usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml 722c8452ecb6d852f75a3f3ec94c0d527b9ebe487ce8b66bff23fcce5868e452 0
-/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 73e6205d422aa2212c9f343532433c86491029ff9fff26d32ffd935140838041 0
-/usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml 7c93dcafeda1e2b6544bb050b072832964db5dbe4f0c64c04c1b283d2510ce3f 0
+/usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml 1734eb4457aac2c79802456ebb069e5f36b9784e8e44dca0e3f5c719c925f45c 0
+/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 7d10b7716d206207fe3fc9640248fe20ae672a29dfd64fd6bc06ecef31e92857 0
+/usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml 511eb09d625a7b9cdf3ef9b88c34985a2bb4038cd18f4dbbc6a49977e0ff7646 0
@@ -1444 +1444 @@
-/usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml a469dbb77b5f33f1a01b751a42d5daeb679950819cb2bd1ecf0bc4ed01592c08 0
+/usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml c8fc1904efcaf17ffe8af51d570899fe8bb904208ddbf457daf9326e3c1f2b3b 0
@@ -1447,3 +1447,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml 3f51451db7ea4c91ed21a78833ca6ea5de3dd69e68556d41f0b1f0adbabe032a 0
-/usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml 40e260c475591a2b383e5513acb1ee52d2f879e9480dd65923ea7db28332206e 0
-/usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml b373034920fe61e031846c495f2bf97721e48adf705fef406a4784047713d4bd 0
+/usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml 53cb03d1fea5c6bc2795b9714a1ce646503cd0d2bc38e5065e4925ad1bbf676f 0
+/usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml 2731c2e56f995e57c103a5a1c2ec1f7cf09f46ef201031de8c3a84079fdcb490 0
+/usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml 19458191b184b631cd75cafef028728a06707430da5625f6183be4cff3dbee0d 0
@@ -1451 +1451 @@
-/usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml 93333bdd23e0c3c8c616ba369320810a82dd2af8a44ec581a1d6ae64330526c6 0
+/usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml 1bfe7994beaa308742807b528aaef8215ee62320bf0fefc686edf783fe39110f 0
@@ -1454,3 +1454,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml 0cf069fc9c218e67614b1b55fdf5ede4eb33bd8de1bd227a63b01ec53342fb1a 0
-/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml 38f4133482994967e1f3476ec321aba17e5cb100bc2e29bedb6a2f52578937b0 0
-/usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml 40d47a4203fb9e9814120b10f42c65784222a463eb5ef0ed03821bb8f785d61e 0
+/usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml 394f244c4c1c05782ce2299d078f678e4d4c2e69b7694e11ba3951b8382cdddc 0
+/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml 6fb335976219ba0cf25f0dfd460207787a1be03b052501346b27f1ebc268b4a8 0
+/usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml 806baacd689d3c2e45762fc60439dacb2da746bf5adcfe3aecca0263e55bec64 0
@@ -1458 +1458 @@
-/usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml ccd181791512f8ea1f4c0a36c2441fa5011156bdbf20486ac3b84c2bec294187 0
+/usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml 365e968fba95a6ec5013b38fc00e435d6b53700678e467d277b0d665c50a7bd4 0
@@ -1461,3 +1461,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml 5f72d8cc408b5a0eba04f1da0f443aaee1074e3983ba4739127296b341287594 0
-/usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml e58015f30352c202023419b3d2b2db47e60e55af69e8938a15c557ac205ee93e 0
-/usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml 4fea644d48353545214f7481e6ad70104e39ce1cfc3c192fe5f47e6e9277b157 0
+/usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml 1367a767f70b45a5a0f99ee487db9928ee6eb92573261963a5938b2b4bf83680 0
+/usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml 6905722e7ff3ea540a67a4e259361ced4e6000e40f836f4be7d6ea34a18f53ac 0
+/usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml 07fbd3dad1a03faf0294473e2d18ccffcdbd7d1c3f58132c054fba1082479507 0
@@ -1465 +1465 @@
-/usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml 05d8377336ce7bef1db3ba454fa82e0b78e6680932c3f739728871778f4fe70d 0
+/usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml 4b5c40fe6fc22bcb56ca9b40e9afb8c719fdde579a9f45b1bc782d6c50ae844d 0
@@ -1468,3 +1468,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml d6bc5a0b62de27db34699753f6a90c576f3c7cf732f3895c110ab0c920d3b5e9 0
-/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml 873da493092ea267dbad7048d495178069c7505895b41ce50191280b14b38efd 0
-/usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml 66f642953f71b191b200a34e86a6b61fd95c397e1d35fd266fc0b7d11aee8cf6 0
+/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml a0a2152161b08a6855a795f18ca3b06bb13a0d9520718b30c1ac1ab7aea2cf27 0
+/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml 8421841444245b3053ccc78b531e049486061942f1a492976678be076c13cd1d 0
+/usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml cc8880cd0592212148b3d00d3e6b2b928ea597f85d9da5c2b13b1ac56ee80cee 0
@@ -1472 +1472 @@
-/usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml 18963ba05a1d3d2de294c28f55821d55b6d97c11bb9faff47e1a34eb448df931 0
+/usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml a5d9fb0f443eb9e077ab0cea246a77caebd1bca4033ef81ce2dade05e6ea85a7 0
@@ -1475,3 +1475,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml 78d8300b8a5746f4262c533a2565f72563059a966b6528a3973f254220994ec1 0
-/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml ebf86c51f4424779fff6e8b7baafc48e23e3ae64659245250b8c1f349554b9c2 0
-/usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml f7818a0ec985b1cf5306541385703b7058bb46551d2a947c6b3d9ee8bd86b54c 0
+/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml e1b86c85e96405ba7bef088b27e9bb89cb9b80bca82d8278506c16520f9726fc 0
+/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml b805485cc7fa64041d1d41f9863048cd2fb3af547a35e5c97841256569f1419b 0
+/usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml 018699f5531d699a89e183d5a47c486f5cd16c0e80c04693b479d707f7908008 0
@@ -1479 +1479 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 763a00f12a5b7929863b5666f6e8009a5ce2daec42b1e601d927d5698ebb6c6f 0
+/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml dbc734063a290c6b0568e7ea92cf4125d917c348a3dc30b2e0ba084f37ebaa60 0
@@ -1482,3 +1482,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml 08924aaeead8a9d48b35957634450c20b5146325b9ed721fcaf7b7687f1bf5eb 0
-/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 4a2c9db0ae86b342b72b8e19a3aa87200cb1a12405aad882fe58e5e466ee4127 0
-/usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml 7fd4c6d11f43a882af2be0f15df8b498be9fd9795742ffb3b38112ee74866fe5 0
+/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml b8707f1d393f781f7e1e864fdf2f9e407b9f90bd23077aad06cd968ca6573452 0
+/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 759923b65f598b09365fe7ceae7acbf5a882d228ef11b24401a6c1a902f31b56 0
+/usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml ca5ef1c3d775e0b1da55f9385f31182b6d8e90b1319bbe7320ef36bce5f9e97e 0
@@ -1486 +1486 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml 08c1fee773972ceca2fdcb51cd305d2911729fe487f4135889cb8ac8fd8b82f0 0
+/usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml 4178e26cc998d29e4fad48eef6e0dadad84a2b50508ffd3d4bcec9d81e6bdbb5 0
@@ -1489,3 +1489,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml aeb59fa7139f5284d5b322948507920e9d6bddf3fdd2efa718ab37d028bdec09 0
-/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 51b56af0de967c3b50905d8d12d079d326b9f7fad4083acb414aaf1283387716 0
-/usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml 0b90d032aa4849739ebf814e42626cfd9fa46d395ee85da75a04dd8cee88035c 0
+/usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml bb436fd257911abd4132a8d190c5eb77017ca1c69a17ff2b0cf9a5504fbc5cb9 0
+/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml fc670b7242d8563fc40cd04c1c842662ef48dd783b64729115c3dae813960cc5 0
+/usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml 69e5189a5c5941abe39642636c047a08220aec3b1ae11184bffd03079e09633a 0
@@ -1493 +1493 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml 0601899ef5e4409d273f8194bcbc3145e1aff8d608daa89257bc0bceb0aac8df 0
+/usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml 49a9c3be19a14acbe331ca4b29010eb48f0a97fc62903497db571b2e813db385 0
@@ -1496,3 +1496,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml e0ea1a143a42e16d7e9aad350778daf200abaafd37a80a03b4daddda67702d62 0
-/usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml d925ef51c2686484f70b28bb278cbfb0be8f145fb70e06e7d4d39b0546ba0cd8 0
-/usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml 556b43e9832a5b7492f83bf1143db75ab0770bc75dccedd7daf139d92c1e95bb 0
+/usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml b3bfca69619516329a328e098e6a72965aa94743d9d13c4e83a6a5a16a7a1dbb 0
+/usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml 917a8be220705731bb368267435783dcc20f3335d61ebf398e3af16dd0aa3ea9 0
+/usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml 7d55d72db709b9b2a6f98490c4ae7bbb8b723a650179b9c71fd5a2e626754188 0
@@ -1500,4 +1500,4 @@
-/usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml fa00a9a83c3020a82c93e66c3fde4f8deca17450d54c30ea2fab522f33063fc6 0
-/usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml 7414add756c7d21aded90740d9e92b31b900cf7a8d665316bd342d8423709f60 0
-/usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml ac1b19caec869dbeea5db6e6ea44a2a1d737dd72dbd42fe93ebce6f74d102f28 0
-/usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml 649c3acf1efec994d7147e43208004344a5bda842aa43ee33fb0a478c9c5dde8 0
+/usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml 8c263280a96cb44293f946b2272e106ede25acaabebc4dfcbd84e0707b4dd955 0
+/usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml 1e1197a21d1f7c41598496dfe373ce027a4d796ff878ab72beac8ab356c71241 0
+/usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml 479145f26331ea78bab89fb605da9681665b28afc0e99345114fd5d3a8ae2a73 0
+/usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml e5d7c5880a20561ad7e1b1c96c6601b9a456fc8a381ecd6d0963464492f6f51b 0
comparing rpmtags
comparing RELEASE
comparing PROVIDES
comparing scripts
comparing filelist
comparing file checksum
creating rename script
RPM file checksum differs.
Extracting packages
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-C2S.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-C2S.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-C2S.html	2023-02-06 00:00:00.000000000 +0000
@@ -84,7 +84,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitleC2S for Red Hat Enterprise Linux 7
Profile IDxccdf_org.ssgproject.content_profile_C2S
CPE Platforms
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode
  • cpe:/o:redhat:enterprise_linux:7::server
  • cpe:/o:redhat:enterprise_linux:7::workstation
  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:centos:centos:7
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Avahi Server
    2. Base Services
    3. Cron and At Daemons
    4. DHCP
    5. DNS Server
    6. FTP Server
    7. Web Server
    8. IMAP and POP3 Server
    9. LDAP
    10. Mail Server Software
    11. NFS and RPC
    12. Network Time Protocol
    13. Obsolete Services
    14. Print Support
    15. Proxy Server
    16. Samba(SMB) Microsoft Windows File Sharing Server
    17. SNMP Server
    18. SSH Server
    19. X Window System
Checklist
Group  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           Group contains 101 groups and 234 rules
Group  
@@ -128,11 +128,30 @@
                                   [ref]
The aide package can be installed with the following command:
 
 $ sudo yum install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+    yum install -y "aide"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable

+package --add=aide
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+
+class install_aide {
+  package { 'aide':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -148,25 +167,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
-    yum install -y "aide"
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable

-package --add=aide
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
-
-class install_aide {
-  package { 'aide':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Configure Periodic Execution of AIDE
                                   [ref]
At a minimum, AIDE should be configured to run a weekly scan.
@@ -189,7 +189,24 @@
 system. The operating system's Information Management Officer (IMO)/Information System
 Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
 monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2, SV-204445r880848_rule


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+    yum install -y "aide"
+fi
+
+if ! grep -q "/usr/sbin/aide --check" /etc/crontab ; then
+    echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
+else
+    sed -i '\!^.* --check.*$!d' /etc/crontab
+    echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -291,23 +308,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
-    yum install -y "aide"
-fi
-
-if ! grep -q "/usr/sbin/aide --check" /etc/crontab ; then
-    echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
-else
-    sed -i '\!^.* --check.*$!d' /etc/crontab
-    echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
The prelinking feature changes binaries in an attempt to decrease their startup
@@ -317,7 +317,22 @@
 Next, run the following command to return binaries to a normal, non-prelinked state:
 
$ sudo /usr/sbin/prelink -ua
Rationale:
Because the prelinking feature changes binaries, it can interfere with the
 operation of certain software and/or modes such as AIDE, FIPS, etc.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_disable_prelink
Identifiers and References
References: 
-            11, 13, 14, 2, 3, 9, 5.10.1.3, APO01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS04.07, DSS05.03, DSS06.02, DSS06.06, 3.13.11, CCI-000803, CCI-002450, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.3, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, CM-6(a), PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, 1.5.4


# prelink not installed
+if test -e /etc/sysconfig/prelink -o -e /usr/sbin/prelink; then
+    if grep -q ^PRELINKING /etc/sysconfig/prelink
+    then
+        sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink
+    else
+        printf '\n' >> /etc/sysconfig/prelink
+        printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink
+    fi
+
+    # Undo previous prelink changes to binaries if prelink is available.
+    if test -x /usr/sbin/prelink; then
+        /usr/sbin/prelink -ua
+    fi
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Does prelink file exist
   stat:
     path: /etc/sysconfig/prelink
   register: prelink_exists
@@ -352,21 +367,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# prelink not installed
-if test -e /etc/sysconfig/prelink -o -e /usr/sbin/prelink; then
-    if grep -q ^PRELINKING /etc/sysconfig/prelink
-    then
-        sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink
-    else
-        printf '\n' >> /etc/sysconfig/prelink
-        printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink
-    fi
-
-    # Undo previous prelink changes to binaries if prelink is available.
-    if test -x /usr/sbin/prelink; then
-        /usr/sbin/prelink -ua
-    fi
-fi
 
Group  
                 Disk Partitioning
                           Group contains 6 rules
[ref]  
@@ -544,7 +544,40 @@
 provided by a trusted vendor. Self-signed certificates are disallowed by
 this requirement. Certificates used to verify the software must be from an
 approved Certificate Authority (CA).
Severity: 
high
Rule ID:xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activatedIdentifiers and References
References: 
-            BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3, SV-204447r877463_rule

Complexity:low
Disruption:medium
Strategy:configure
- name: Gather the package facts
+            BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3, SV-204447r877463_rule

# Remediation is applicable only in certain platforms
+if rpm --quiet -q yum; then
+
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "/etc/yum.conf"; then
+    sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^gpgcheck")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "1"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^gpgcheck\\>" "/etc/yum.conf"; then
+    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+    "${sed_command[@]}" "s/^gpgcheck\\>.*/$escaped_formatted_output/gi" "/etc/yum.conf"
+else
+    # \n is precaution for case where file ends without trailing newline
+    cce=""
+    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/yum.conf" >> "/etc/yum.conf"
+    printf '%s\n' "$formatted_output" >> "/etc/yum.conf"
+fi
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_enhanced.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_enhanced.html	2023-02-06 00:00:00.000000000 +0000
@@ -80,7 +80,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitleANSSI-BP-028 (enhanced)
Profile IDxccdf_org.ssgproject.content_profile_anssi_nt28_enhanced
CPE Platforms
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode
  • cpe:/o:redhat:enterprise_linux:7::server
  • cpe:/o:redhat:enterprise_linux:7::workstation
  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:centos:centos:7
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server
Checklist
Group  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           Group contains 61 groups and 166 rules
Group  
@@ -124,11 +124,30 @@
                                   [ref]
The aide package can be installed with the following command:
 
 $ sudo yum install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+    yum install -y "aide"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable

+package --add=aide
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+
+class install_aide {
+  package { 'aide':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -144,25 +163,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
-    yum install -y "aide"
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable

-package --add=aide
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
-
-class install_aide {
-  package { 'aide':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Build and Test AIDE Database
                                   [ref]
Run the following command to generate a new database:
@@ -184,7 +184,20 @@
 
$ sudo /usr/sbin/aide --check

 If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files
 must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+    yum install -y "aide"
+fi
+
+/usr/sbin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -256,19 +269,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
-    yum install -y "aide"
-fi
-
-/usr/sbin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Group  
                 Disk Partitioning
                           Group contains 10 rules
[ref]  
@@ -453,25 +453,7 @@
 limited root privileges to users and log root activity. The basic philosophy
 is to give as few privileges as possible but still allow system users to
 get their work done.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_sudo_installedIdentifiers and References
References: 
-            BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 5.2.1


-[[packages]]
-name = "sudo"
-version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
-  package:
-    name: sudo
-    state: present
-  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  tags:
-  - NIST-800-53-CM-6(a)
-  - PCI-DSS-Req-10.2.1.5
-  - enable_strategy
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - no_reboot_needed
-  - package_sudo_installed
-

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+            BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 5.2.1

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 if ! rpm -q --quiet "sudo" ; then
@@ -481,15 +463,33 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-

Complexity:low
Disruption:low
Strategy:enable

+


+[[packages]]
+name = "sudo"
+version = "*"
+

Complexity:low
Disruption:low
Strategy:enable

 package --add=sudo
-

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
+

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure => 'installed',
   }
 }
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
+  package:
+    name: sudo
+    state: present
+  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+  - NIST-800-53-CM-6(a)
+  - PCI-DSS-Req-10.2.1.5
+  - enable_strategy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - package_sudo_installed
 
Rule  
                                 Ensure sudo Runs In A Minimal Environment - sudo env_reset
                                   [ref]
The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -499,20 +499,7 @@
 /etc/sudoers configuration file or any sudo configuration snippets
 in /etc/sudoers.d/.
Rationale:
Forcing sudo to reset the environment ensures that environment variables are not passed on to the
 command accidentaly, preventing leak of potentially sensitive information.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_env_reset
Identifiers and References
References: 
-            BP28(R58)

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure env_reset is enabled in /etc/sudoers
-  lineinfile:
-    path: /etc/sudoers
-    regexp: ^[\s]*Defaults.*\benv_reset\b.*$
-    line: Defaults env_reset
-    validate: /usr/sbin/visudo -cf %s
-  tags:
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - no_reboot_needed
-  - restrict_strategy
-  - sudo_add_env_reset
-

Complexity:low
Disruption:low
Strategy:restrict

+            BP28(R58)

Complexity:low
Disruption:low
Strategy:restrict

 if /usr/sbin/visudo -qcf /etc/sudoers; then
     cp /etc/sudoers /etc/sudoers.bak
     if ! grep -P '^[\s]*Defaults[\s]*\benv_reset\b.*$' /etc/sudoers; then
@@ -532,6 +519,19 @@
     echo "Skipping remediation, /etc/sudoers failed to validate"
     false
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_high.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_high.html	2023-02-06 00:00:00.000000000 +0000
@@ -80,7 +80,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitleANSSI-BP-028 (high)
Profile IDxccdf_org.ssgproject.content_profile_anssi_nt28_high
CPE Platforms
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode
  • cpe:/o:redhat:enterprise_linux:7::server
  • cpe:/o:redhat:enterprise_linux:7::workstation
  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:centos:centos:7
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server
Checklist
Group  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           Group contains 61 groups and 180 rules
Group  
@@ -124,11 +124,30 @@
                                   [ref]
The aide package can be installed with the following command:
 
 $ sudo yum install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+    yum install -y "aide"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable

+package --add=aide
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+
+class install_aide {
+  package { 'aide':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -144,25 +163,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
-    yum install -y "aide"
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable

-package --add=aide
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
-
-class install_aide {
-  package { 'aide':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Build and Test AIDE Database
                                   [ref]
Run the following command to generate a new database:
@@ -184,7 +184,20 @@
 
$ sudo /usr/sbin/aide --check

 If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files
 must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+    yum install -y "aide"
+fi
+
+/usr/sbin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -256,19 +269,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
-    yum install -y "aide"
-fi
-
-/usr/sbin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Rule  
                                 Configure Periodic Execution of AIDE
                                   [ref]
At a minimum, AIDE should be configured to run a weekly scan.
@@ -291,7 +291,24 @@
 system. The operating system's Information Management Officer (IMO)/Information System
 Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
 monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2, SV-204445r880848_rule


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+    yum install -y "aide"
+fi
+
+if ! grep -q "/usr/sbin/aide --check" /etc/crontab ; then
+    echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
+else
+    sed -i '\!^.* --check.*$!d' /etc/crontab
+    echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -393,23 +410,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
-    yum install -y "aide"
-fi
-
-if ! grep -q "/usr/sbin/aide --check" /etc/crontab ; then
-    echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
-else
-    sed -i '\!^.* --check.*$!d' /etc/crontab
-    echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Rule  
                                 Configure Notification of Post-AIDE Scan Details
                                   [ref]
AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -428,7 +428,35 @@
 system. The operating system's Information Management Officer (IMO)/Information System
 Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
 monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_scan_notification
Identifiers and References
References: 
-            BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SV-204446r880851_rule


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+    yum install -y "aide"
+fi
+var_aide_scan_notification_email='root@localhost'
+
+
+CRONTAB=/etc/crontab
+CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly'
+
+# NOTE: on some platforms, /etc/crontab may not exist
+if [ -f /etc/crontab ]; then
+	CRONTAB_EXIST=/etc/crontab
+fi
+
+if [ -f /var/spool/cron/root ]; then
+	VARSPOOL=/var/spool/cron/root
+fi
+
+if ! grep -qR '^.*/usr/sbin/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*.*@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then
+	echo "0 5 * * * root /usr/sbin/aide  --check | /bin/mail -s \"\$(hostname) - AIDE Integrity Check\" $var_aide_scan_notification_email" >> $CRONTAB
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: XCCDF Value var_aide_scan_notification_email # promote to variable
   set_fact:
     var_aide_scan_notification_email: !!str root@localhost
   tags:
@@ -472,34 +500,6 @@
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_intermediary.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_intermediary.html	2023-02-06 00:00:00.000000000 +0000
@@ -80,7 +80,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitleANSSI-BP-028 (intermediary)
Profile IDxccdf_org.ssgproject.content_profile_anssi_nt28_intermediary
CPE Platforms
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode
  • cpe:/o:redhat:enterprise_linux:7::server
  • cpe:/o:redhat:enterprise_linux:7::workstation
  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:centos:centos:7
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
    7. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server
Checklist
Group  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           Group contains 57 groups and 156 rules
Group  
@@ -124,11 +124,30 @@
                                   [ref]
The aide package can be installed with the following command:
 
 $ sudo yum install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+    yum install -y "aide"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable

+package --add=aide
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+
+class install_aide {
+  package { 'aide':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -144,25 +163,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
-    yum install -y "aide"
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable

-package --add=aide
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
-
-class install_aide {
-  package { 'aide':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Build and Test AIDE Database
                                   [ref]
Run the following command to generate a new database:
@@ -184,7 +184,20 @@
 
$ sudo /usr/sbin/aide --check

 If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files
 must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+    yum install -y "aide"
+fi
+
+/usr/sbin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -256,19 +269,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
-    yum install -y "aide"
-fi
-
-/usr/sbin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Group  
                 Disk Partitioning
                           Group contains 10 rules
[ref]  
@@ -453,25 +453,7 @@
 limited root privileges to users and log root activity. The basic philosophy
 is to give as few privileges as possible but still allow system users to
 get their work done.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_sudo_installed
Identifiers and References
References: 
-            BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 5.2.1


-[[packages]]
-name = "sudo"
-version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
-  package:
-    name: sudo
-    state: present
-  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  tags:
-  - NIST-800-53-CM-6(a)
-  - PCI-DSS-Req-10.2.1.5
-  - enable_strategy
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - no_reboot_needed
-  - package_sudo_installed
-

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+            BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 5.2.1

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 if ! rpm -q --quiet "sudo" ; then
@@ -481,15 +463,33 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-

Complexity:low
Disruption:low
Strategy:enable

+


+[[packages]]
+name = "sudo"
+version = "*"
+

Complexity:low
Disruption:low
Strategy:enable

 package --add=sudo
-

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
+

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure => 'installed',
   }
 }
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
+  package:
+    name: sudo
+    state: present
+  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+  - NIST-800-53-CM-6(a)
+  - PCI-DSS-Req-10.2.1.5
+  - enable_strategy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - package_sudo_installed
 
Rule  
                                 Ensure sudo Runs In A Minimal Environment - sudo env_reset
                                   [ref]
The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -499,20 +499,7 @@
 /etc/sudoers configuration file or any sudo configuration snippets
 in /etc/sudoers.d/.
Rationale:
Forcing sudo to reset the environment ensures that environment variables are not passed on to the
 command accidentaly, preventing leak of potentially sensitive information.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_env_reset
Identifiers and References
References: 
-            BP28(R58)

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure env_reset is enabled in /etc/sudoers
-  lineinfile:
-    path: /etc/sudoers
-    regexp: ^[\s]*Defaults.*\benv_reset\b.*$
-    line: Defaults env_reset
-    validate: /usr/sbin/visudo -cf %s
-  tags:
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - no_reboot_needed
-  - restrict_strategy
-  - sudo_add_env_reset
-

Complexity:low
Disruption:low
Strategy:restrict

+            BP28(R58)

Complexity:low
Disruption:low
Strategy:restrict

 if /usr/sbin/visudo -qcf /etc/sudoers; then
     cp /etc/sudoers /etc/sudoers.bak
     if ! grep -P '^[\s]*Defaults[\s]*\benv_reset\b.*$' /etc/sudoers; then
@@ -532,6 +519,19 @@
     echo "Skipping remediation, /etc/sudoers failed to validate"
     false
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_minimal.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_minimal.html	2023-02-06 00:00:00.000000000 +0000
@@ -80,7 +80,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitleANSSI-BP-028 (minimal)
Profile IDxccdf_org.ssgproject.content_profile_anssi_nt28_minimal
CPE Platforms
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode
  • cpe:/o:redhat:enterprise_linux:7::server
  • cpe:/o:redhat:enterprise_linux:7::workstation
  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:centos:centos:7
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. Configure Syslog
    4. File Permissions and Masks
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Obsolete Services
Checklist
Group  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           Group contains 27 groups and 39 rules
Group  
@@ -111,7 +111,22 @@
 


 When operating systems provide the capability to escalate a functional capability, it
 is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate
Identifiers and References
References: 
-            BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SV-204430r853885_rule


Complexity:low
Disruption:low
Strategy:restrict

+for f in /etc/sudoers /etc/sudoers.d/* ; do
+  if [ ! -e "$f" ] ; then
+    continue
+  fi
+  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
+  if ! test -z "$matching_list"; then
+    while IFS= read -r entry; do
+      # comment out "!authenticate" matches to preserve user data
+      sed -i "s/^${entry}$/# &/g" $f
+    done <<< "$matching_list"
+
+    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
+  fi
+done
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
@@ -146,33 +161,33 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_no_authenticate
-

Complexity:low
Disruption:low
Strategy:restrict

+
Rule  
+                                Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+                                  [ref]
The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/.
Rationale:
Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+


+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Identifiers and References
References: 
+            BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SV-204429r861003_rule

Complexity:low
Disruption:low
Strategy:restrict

 for f in /etc/sudoers /etc/sudoers.d/* ; do
   if [ ! -e "$f" ] ; then
     continue
   fi
-  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
-      # comment out "!authenticate" matches to preserve user data
+      # comment out "NOPASSWD" matches to preserve user data
       sed -i "s/^${entry}$/# &/g" $f
     done <<< "$matching_list"
 
     /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
   fi
 done
-
Rule  
-                                Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
-                                  [ref]
The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/.
Rationale:
Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-


-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Identifiers and References
References: 
-            BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SV-204429r861003_rule

Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
@@ -207,21 +222,6 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_nopasswd
-

Complexity:low
Disruption:low
Strategy:restrict

-for f in /etc/sudoers /etc/sudoers.d/* ; do
-  if [ ! -e "$f" ] ; then
-    continue
-  fi
-  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
-  if ! test -z "$matching_list"; then
-    while IFS= read -r entry; do
-      # comment out "NOPASSWD" matches to preserve user data
-      sed -i "s/^${entry}$/# &/g" $f
-    done <<< "$matching_list"
-
-    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
-  fi
-done
 
Group  
                 Updating Software
                           Group contains 5 rules
[ref]  
@@ -255,7 +255,40 @@
 provided by a trusted vendor. Self-signed certificates are disallowed by
 this requirement. Certificates used to verify the software must be from an
 approved Certificate Authority (CA).
Severity: 
high
Rule ID:xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
Identifiers and References
References: 
-            BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3, SV-204447r877463_rule


# Remediation is applicable only in certain platforms
+if rpm --quiet -q yum; then
+
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "/etc/yum.conf"; then
+    sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^gpgcheck")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "1"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^gpgcheck\\>" "/etc/yum.conf"; then
+    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+    "${sed_command[@]}" "s/^gpgcheck\\>.*/$escaped_formatted_output/gi" "/etc/yum.conf"
+else
+    # \n is precaution for case where file ends without trailing newline
+    cce=""
+    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/yum.conf" >> "/etc/yum.conf"
+    printf '%s\n' "$formatted_output" >> "/etc/yum.conf"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:medium
Strategy:configure
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -308,7 +341,17 @@
   - low_complexity
   - medium_disruption
   - no_reboot_needed
-

# Remediation is applicable only in certain platforms
+
Rule  
+                                Ensure gpgcheck Enabled for Local Packages
+                                  [ref]
yum should be configured to verify the signature(s) of local packages
+prior to installation. To configure yum to verify signatures of local
+packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf.
Rationale:
Changes to any software components can have significant effects to the overall security
+of the operating system. This requirement ensures the software has not been tampered and
+has been provided by a trusted vendor.
+


+Accordingly, patches, service packs, device drivers, or operating system components must
+be signed with a certificate recognized and approved by the organization.
Severity: 
high
Rule ID:xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages
Identifiers and References
References: 
+            BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, SV-204448r877463_rule

# Remediation is applicable only in certain platforms
 if rpm --quiet -q yum; then
 
 # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
@@ -320,7 +363,7 @@
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^gpgcheck")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^localpkg_gpgcheck")
 
 # shellcheck disable=SC2059
 printf -v formatted_output "%s = %s" "$stripped_key" "1"
@@ -328,9 +371,9 @@
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^gpgcheck\\>" "/etc/yum.conf"; then
+if LC_ALL=C grep -q -m 1 -i -e "^localpkg_gpgcheck\\>" "/etc/yum.conf"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    "${sed_command[@]}" "s/^gpgcheck\\>.*/$escaped_formatted_output/gi" "/etc/yum.conf"
+    "${sed_command[@]}" "s/^localpkg_gpgcheck\\>.*/$escaped_formatted_output/gi" "/etc/yum.conf"
 else
     # \n is precaution for case where file ends without trailing newline
     cce=""
@@ -341,17 +384,7 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Rule  
-                                Ensure gpgcheck Enabled for Local Packages
-                                  [ref]
yum should be configured to verify the signature(s) of local packages
-prior to installation. To configure yum to verify signatures of local
-packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf.
Rationale:
Changes to any software components can have significant effects to the overall security
-of the operating system. This requirement ensures the software has not been tampered and
-has been provided by a trusted vendor.
-


/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis.html	2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis.html	2023-02-06 00:00:00.000000000 +0000
@@ -79,7 +79,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 
Profile Information
Profile TitleCIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Server
Profile IDxccdf_org.ssgproject.content_profile_cis
CPE Platforms
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode
  • cpe:/o:redhat:enterprise_linux:7::server
  • cpe:/o:redhat:enterprise_linux:7::workstation
  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:centos:centos:7
Revision History
Current version: 0.1.66
  • draft
-                    (as of 2023-02-07)
+                    (as of 2039-03-12)
                 
Table of Contents
  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Print Support
    14. Proxy Server
    15. Samba(SMB) Microsoft Windows File Sharing Server
    16. SNMP Server
    17. SSH Server
    18. X Window System
Checklist
Group  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           Group contains 107 groups and 303 rules
Group  
@@ -123,11 +123,30 @@
                                   [ref]
The aide package can be installed with the following command:
 
 $ sudo yum install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+    yum install -y "aide"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable

+package --add=aide
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+
+class install_aide {
+  package { 'aide':
+    ensure => 'installed',
+  }
+}
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -143,25 +162,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
-    yum install -y "aide"
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable

-package --add=aide
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
-
-class install_aide {
-  package { 'aide':
-    ensure => 'installed',
-  }
-}
 
Rule  
                                 Build and Test AIDE Database
                                   [ref]
Run the following command to generate a new database:
@@ -183,7 +183,20 @@
 
$ sudo /usr/sbin/aide --check

 If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files
 must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+    yum install -y "aide"
+fi
+
+/usr/sbin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -255,19 +268,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
-    yum install -y "aide"
-fi
-
-/usr/sbin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Rule  
                                 Configure Periodic Execution of AIDE
                                   [ref]
At a minimum, AIDE should be configured to run a weekly scan.
@@ -290,7 +290,24 @@
 system. The operating system's Information Management Officer (IMO)/Information System
 Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
 monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References
References: 
-            BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2, SV-204445r880848_rule


# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+    yum install -y "aide"
+fi
+
+if ! grep -q "/usr/sbin/aide --check" /etc/crontab ; then
+    echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
+else
+    sed -i '\!^.* --check.*$!d' /etc/crontab
+    echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -392,30 +409,33 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
-    yum install -y "aide"
-fi
-
-if ! grep -q "/usr/sbin/aide --check" /etc/crontab ; then
-    echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
-else
-    sed -i '\!^.* --check.*$!d' /etc/crontab
-    echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi