Result Details
Install AIDExccdf_org.ssgproject.content_rule_package_aide_installed mediumCCE-90843-4
Install AIDE
Rule ID | xccdf_org.ssgproject.content_rule_package_aide_installed |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_aide_installed:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-90843-4 References:
BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1 |
Description | The aide package can be installed with the following command:
$ sudo dnf install aide |
Rationale | The AIDE package must be installed if it is to be available for integrity checking. |
|
|
|
|
|
OVAL test results details
package aide is installed
oval:ssg-test_package_aide_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_aide_installed:obj:1 of type
rpminfo_object
Build and Test AIDE Databasexccdf_org.ssgproject.content_rule_aide_build_database mediumCCE-83438-2
Build and Test AIDE Database
Rule ID | xccdf_org.ssgproject.content_rule_aide_build_database |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-aide_build_database:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83438-2 References:
BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1 |
Description | Run the following command to generate a new database:
$ sudo /usr/sbin/aide --init
By default, the database will be written to the file
/var/lib/aide/aide.db.new.gz .
Storing the database, the configuration file /etc/aide.conf , and the binary
/usr/sbin/aide
(or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity.
The newly-generated database can be installed as follows:
$ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
To initiate a manual check, run the following command:
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. |
Rationale | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. |
|
|
OVAL test results details
package aide is installed
oval:ssg-test_package_aide_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_aide_installed:obj:1 of type
rpminfo_object
Testing existence of operational aide database file
oval:ssg-test_aide_operational_database_absolute_path:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_aide_operational_database_absolute_path:obj:1 of type
file_object
Filepath |
---|
Referenced variable has no values (oval:ssg-variable_aide_operational_database_absolute_path:var:1) |
Configure AIDE to Verify the Audit Toolsxccdf_org.ssgproject.content_rule_aide_check_audit_tools mediumCCE-87757-1
Configure AIDE to Verify the Audit Tools
Rule ID | xccdf_org.ssgproject.content_rule_aide_check_audit_tools |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-aide_check_audit_tools:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-87757-1 References:
CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, 1.3.3 |
Description | The operating system file integrity tool must be configured to protect the integrity of the audit tools. |
Rationale | Protecting the integrity of the tools used for auditing purposes is a
critical step toward ensuring the integrity of audit information. Audit
information includes all information (e.g., audit records, audit settings,
and audit reports) needed to successfully audit information system
activity.
Audit tools include but are not limited to vendor-provided and open-source
audit tools needed to successfully view and manipulate audit information
system activity and records. Audit tools include custom queries and report
generators.
It is not uncommon for attackers to replace the audit tools or inject code
into the existing tools to provide the capability to hide or erase system
activity from the audit logs.
To address this risk, audit tools must be cryptographically signed to
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. |
|
|
OVAL test results details
package aide is installed
oval:ssg-test_package_aide_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_aide_installed:obj:1 of type
rpminfo_object
auditctl is checked in /etc/aide.conf
oval:ssg-test_aide_verify_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_aide_verify_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/aide.conf | ^\/usr\/sbin\/auditctl\s+([^\n]+)$ | 1 |
auditd is checked in /etc/aide.conf
oval:ssg-test_aide_verify_auditd:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_aide_verify_auditd:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/aide.conf | ^/usr/sbin/auditd\s+([^\n]+)$ | 1 |
ausearch is checked in /etc/aide.conf
oval:ssg-test_aide_verify_ausearch:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_aide_verify_ausearch:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/aide.conf | ^/usr/sbin/ausearch\s+([^\n]+)$ | 1 |
aureport is checked in /etc/aide.conf
oval:ssg-test_aide_verify_aureport:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_aide_verify_aureport:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/aide.conf | ^/usr/sbin/aureport\s+([^\n]+)$ | 1 |
autrace is checked in /etc/aide.conf
oval:ssg-test_aide_verify_autrace:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_aide_verify_autrace:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/aide.conf | ^/usr/sbin/autrace\s+([^\n]+)$ | 1 |
rsyslogd is checked in /etc/aide.conf
oval:ssg-test_aide_verify_rsyslogd:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_aide_verify_rsyslogd:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/aide.conf | ^/usr/sbin/rsyslogd\s+([^\n]+)$ | 1 |
augenrules is checked in /etc/aide.conf
oval:ssg-test_aide_verify_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_aide_verify_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/aide.conf | ^/usr/sbin/augenrules\s+([^\n]+)$ | 1 |
Configure Periodic Execution of AIDExccdf_org.ssgproject.content_rule_aide_periodic_cron_checking mediumCCE-83437-4
Configure Periodic Execution of AIDE
Rule ID | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-aide_periodic_cron_checking:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83437-4 References:
BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 |
Description | At a minimum, AIDE should be configured to run a weekly scan.
To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab :
05 4 * * * root /usr/sbin/aide --check
To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab :
05 4 * * 0 root /usr/sbin/aide --check
AIDE can be executed periodically through other means; this is merely one example.
The usage of cron's special time codes, such as @daily and
@weekly is acceptable. |
Rationale | By default, AIDE does not install itself for periodic execution. Periodically
running AIDE is necessary to reveal unexpected changes in installed files.
Unauthorized changes to the baseline configuration could make the system vulnerable
to various attacks or allow unauthorized access to the operating system. Changes to
operating system configurations can have unintended side effects, some of which may
be relevant to security.
Detecting such changes and providing an automated response can help avoid unintended,
negative consequences that could ultimately affect the security state of the operating
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. |
|
|
OVAL test results details
package aide is installed
oval:ssg-test_package_aide_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_aide_installed:obj:1 of type
rpminfo_object
run aide with cron
oval:ssg-test_aide_periodic_cron_checking:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_test_aide_periodic_cron_checking:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/crontab | ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*root[\s]*\/usr\/sbin\/aide[\s]*\-\-check.*$ | 1 |
run aide with cron
oval:ssg-test_aide_crond_checking:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_test_aide_crond_checking:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/cron.d | ^.*$ | ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*root[\s]*\/usr\/sbin\/aide[\s]*\-\-check.*$ | 1 |
run aide with cron
oval:ssg-test_aide_var_cron_checking:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_aide_var_cron_checking:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/var/spool/cron/root | ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*(root)?[\s]*\/usr\/sbin\/aide[\s]*\-\-check.*$ | 1 |
run aide with cron.(daily|weekly)
oval:ssg-test_aide_crontabs_checking:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_aide_crontabs_checking:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
^/etc/cron.(daily|weekly)$ | ^.*$ | ^[^#]*\/usr\/sbin\/aide\s+\-\-check\s*$ | 1 |
Configure System Cryptography Policyxccdf_org.ssgproject.content_rule_configure_crypto_policy highCCE-83450-7
Configure System Cryptography Policy
Rule ID | xccdf_org.ssgproject.content_rule_configure_crypto_policy |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-configure_crypto_policy:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | high |
Identifiers and References | Identifiers:
CCE-83450-7 References:
A.5.SEC-RHEL4, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10 |
Description | To configure the system cryptography policy to use ciphers only from the DEFAULT
policy, run the following command:
$ sudo update-crypto-policies --set DEFAULT
The rule checks if settings for selected crypto policy are configured as expected. Configuration files in the /etc/crypto-policies/back-ends are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied.
Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon. |
Rationale | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. |
Warnings | warning
The system needs to be rebooted for these changes to take effect. warning
System Crypto Modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by
a vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process. |
OVAL test results details
check for crypto policy correctly configured in /etc/crypto-policies/config
oval:ssg-test_configure_crypto_policy:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/crypto-policies/config | DEFAULT |
check for crypto policy correctly configured in /etc/crypto-policies/state/current
oval:ssg-test_configure_crypto_policy_current:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/crypto-policies/state/current | DEFAULT |
Check if update-crypto-policies has been run
oval:ssg-test_crypto_policies_updated:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-variable_crypto_policies_config_file_timestamp:var:1 | 1671581305 |
Check if /etc/crypto-policies/back-ends/nss.config exists
oval:ssg-test_crypto_policy_nss_config:tst:1
true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|
/etc/crypto-policies/back-ends/nss.config | regular | 0 | 0 | 447 | rw-r--r-- |
Configure SSH to use System Crypto Policyxccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy mediumCCE-83445-7
Configure SSH to use System Crypto Policy
Rule ID | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-configure_ssh_crypto_policy:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83445-7 References:
A.5.SEC-RHEL6, A.11.SEC-RHEL6, CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, 2.2, SRG-OS-000250-GPOS-00093, 5.2.14 |
Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
SSH is supported by crypto policy, but the SSH configuration may be
set up to ignore it.
To check that Crypto Policies settings are configured correctly, ensure that
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd . |
Rationale | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. |
OVAL test results details
Check that the SSH configuration mandates usage of system-wide crypto policies.
oval:ssg-test_configure_ssh_crypto_policy:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_configure_ssh_crypto_policy:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/sysconfig/sshd | ^\s*(?i)CRYPTO_POLICY\s*=.*$ | 1 |
Ensure /dev/shm is configuredxccdf_org.ssgproject.content_rule_partition_for_dev_shm lowCCE-86283-9
Ensure /dev/shm is configured
Rule ID | xccdf_org.ssgproject.content_rule_partition_for_dev_shm |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-partition_for_dev_shm:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | low |
Identifiers and References | Identifiers:
CCE-86283-9 References:
1.1.8.1 |
Description | The /dev/shm is a traditional shared memory concept.
One program will create a memory portion, which other processes
(if permitted) can access. If /dev/shm is not configured,
tmpfs will be mounted to /dev/shm by systemd. |
Rationale | Any user can upload and execute files inside the /dev/shm similar to
the /tmp partition. Configuring /dev/shm allows an administrator
to set the noexec option on the mount, making /dev/shm useless for an attacker to
install executable code. It would also prevent an attacker from establishing a
hardlink to a system setuid program and wait for it to be updated. Once the program
was updated, the hardlink would be broken and the attacker would have his own copy
of the program. If the program happened to have a security vulnerability, the attacker
could continue to exploit the known flaw. |
OVAL test results details
/dev/shm on own partition
oval:ssg-testdev_shm_partition:tst:1
true
Following items have been found on the system:
Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
---|
/dev/shm | tmpfs | | tmpfs | rw | seclabel | nosuid | nodev | size=1874848k | nr_inodes=468712 | inode64 | 468712 | 0 | 468712 |
Ensure /home Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_home lowCCE-83468-9
Ensure /home Located On Separate Partition
Rule ID | xccdf_org.ssgproject.content_rule_partition_for_home |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-partition_for_home:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | low |
Identifiers and References | Identifiers:
CCE-83468-9 References:
BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, 1.1.7.1 |
Description | If user home directories will be stored locally, create a separate partition
for /home at installation time (or migrate it later using LVM). If
/home will be mounted from another system such as an NFS server, then
creating a separate partition is not necessary at installation time, and the
mountpoint can instead be configured later. |
Rationale | Ensuring that /home is mounted on its own partition enables the
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. |
|
|
OVAL test results details
/home on own partition
oval:ssg-testhome_partition:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_mounthome_own_partition:obj:1 of type
partition_object
Ensure /tmp Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_tmp lowCCE-90845-9
Ensure /tmp Located On Separate Partition
Rule ID | xccdf_org.ssgproject.content_rule_partition_for_tmp |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-partition_for_tmp:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | low |
Identifiers and References | Identifiers:
CCE-90845-9 References:
BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, 1.1.2.1 |
Description | The /tmp directory is a world-writable directory used
for temporary file storage. Ensure it has its own partition or
logical volume at installation time, or migrate it using LVM. |
Rationale | The /tmp partition is used as temporary storage by many programs.
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. |
|
|
OVAL test results details
/tmp on own partition
oval:ssg-testtmp_partition:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_mounttmp_own_partition:obj:1 of type
partition_object
Ensure /var Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var lowCCE-83466-3
Ensure /var Located On Separate Partition
Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-partition_for_var:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | low |
Identifiers and References | Identifiers:
CCE-83466-3 References:
BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, 1.1.3.1 |
Description | The /var directory is used by daemons and other system
services to store frequently-changing data. Ensure that /var has its own partition
or logical volume at installation time, or migrate it using LVM. |
Rationale | Ensuring that /var is mounted on its own partition enables the
setting of more restrictive mount options. This helps protect
system services such as daemons or other programs which use it.
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages. |
|
|
OVAL test results details
/var on own partition
oval:ssg-testvar_partition:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_mountvar_own_partition:obj:1 of type
partition_object
Ensure /var/log Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var_log lowCCE-90848-3
Ensure /var/log Located On Separate Partition
Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var_log |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-partition_for_var_log:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | low |
Identifiers and References | Identifiers:
CCE-90848-3 References:
BP28(R12), BP28(R47), 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227, 1.1.5.1 |
Description | System logs are stored in the /var/log directory.
Ensure that /var/log has its own partition or logical
volume at installation time, or migrate it using LVM. |
Rationale | Placing /var/log in its own partition
enables better separation between log files
and other files in /var/ . |
|
|
OVAL test results details
/var/log on own partition
oval:ssg-testvar_log_partition:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_mountvar_log_own_partition:obj:1 of type
partition_object
Ensure /var/log/audit Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var_log_audit lowCCE-90847-5
Ensure /var/log/audit Located On Separate Partition
Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var_log_audit |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-partition_for_var_log_audit:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | low |
Identifiers and References | Identifiers:
CCE-90847-5 References:
BP28(R43), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001849, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, FMT_SMF_EXT.1, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, 1.1.6.1 |
Description | Audit logs are stored in the /var/log/audit directory.
Ensure that /var/log/audit has its own partition or logical
volume at installation time, or migrate it using LVM.
Make absolutely certain that it is large enough to store all
audit logs that will be created by the auditing daemon. |
Rationale | Placing /var/log/audit in its own partition
enables better separation between audit files
and other files, and helps ensure that
auditing cannot be halted due to the partition running out
of space. |
|
|
OVAL test results details
/var/log/audit on own partition
oval:ssg-testvar_log_audit_partition:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_mountvar_log_audit_own_partition:obj:1 of type
partition_object
Mount point |
---|
/var/log/audit |
Ensure /var/tmp Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var_tmp mediumCCE-83487-9
Ensure /var/tmp Located On Separate Partition
Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var_tmp |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-partition_for_var_tmp:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83487-9 References:
BP28(R12), SRG-OS-000480-GPOS-00227, 1.1.4.1 |
Description | The /var/tmp directory is a world-writable directory used
for temporary file storage. Ensure it has its own partition or
logical volume at installation time, or migrate it using LVM. |
Rationale | The /var/tmp partition is used as temporary storage by many programs.
Placing /var/tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. |
|
|
OVAL test results details
/var/tmp on own partition
oval:ssg-testvar_tmp_partition:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_mountvar_tmp_own_partition:obj:1 of type
partition_object
Disable the GNOME3 Login User Listxccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list mediumCCE-88285-2
Disable the GNOME3 Login User List
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-dconf_gnome_disable_user_list:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-88285-2 References:
A.11.SEC-RHEL9, CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, 1.8.3 |
Description | In the default graphical environment, users logging directly into the
system are greeted with a login screen that displays all known users.
This functionality should be disabled by setting disable-user-list
to true .
To disable, add or edit disable-user-list to
/etc/dconf/db/distro.d/00-security-settings . For example:
[org/gnome/login-screen]
disable-user-list=true
Once the setting has been added, add a lock to
/etc/dconf/db/distro.d/locks/00-security-settings-lock to prevent
user modification. For example:
/org/gnome/login-screen/disable-user-list
After the settings have been set, run dconf update . |
Rationale | Leaving the user list enabled is a security risk since it allows anyone
with physical access to the system to quickly enumerate known user accounts
without logging in. |
|
|
OVAL test results details
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
dconf user profile exists
oval:ssg-test_dconf_user_profile:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/dconf/profile/user | user-db:user
system-db:local |
GUI user list is disabled
oval:ssg-test_disable_user_list:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_disable_user_list:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/dconf/db/distro.d/ | ^.*$ | ^\[org/gnome/login-screen\]([^\n]*\n+)+?disable-user-list=true$ | 1 |
GUI user list cannot be enabled
oval:ssg-test_prevent_user_disable_user_list:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_prevent_user_disable_user_list:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/dconf/db/distro.d/locks/ | ^.*$ | ^/org/gnome/login-screen/disable-user-list$ | 1 |
Disable XDMCP in GDMxccdf_org.ssgproject.content_rule_gnome_gdm_disable_xdmcp highCCE-86033-8
Disable XDMCP in GDM
Rule ID | xccdf_org.ssgproject.content_rule_gnome_gdm_disable_xdmcp |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-gnome_gdm_disable_xdmcp:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | high |
Identifiers and References | Identifiers:
CCE-86033-8 References:
1.8.10 |
Description | XDMCP is an unencrypted protocol, and therefore, presents a security risk, see e.g.
XDMCP Gnome docs.
To disable XDMCP support in Gnome, set Enable to false under the [xdmcp] configuration section in /etc/gdm/custom.conf . For example:
[xdmcp]
Enable=false
|
Rationale | XDMCP provides unencrypted remote access through the Gnome Display Manager (GDM) which does
not provide for the confidentiality and integrity of user passwords or the
remote session. If a privileged user were to login using XDMCP, the
privileged user password could be compromised due to typed XEvents
and keystrokes will traversing over the network in clear text. |
|
|
OVAL test results details
tests the value of Enable setting in the /etc/gdm/custom.conf file
oval:ssg-test_gnome_gdm_disable_xdmcp:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_gnome_gdm_disable_xdmcp:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/gdm/custom.conf | ^\s*\[xdmcp\].*(?:\n\s*[^[\s].*)*\n^\s*Enable[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) | 1 |
The configuration file /etc/gdm/custom.conf exists for gnome_gdm_disable_xdmcp
oval:ssg-test_gnome_gdm_disable_xdmcp_config_file_exists:tst:1
true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|
/etc/gdm/custom.conf | regular | 0 | 0 | 227 | rw-r--r-- |
Disable GNOME3 Automountingxccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount mediumCCE-87734-0
Disable GNOME3 Automounting
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-dconf_gnome_disable_automount:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-87734-0 References:
A.11.SEC-RHEL12, 12, 16, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, 3.1.7, CCI-000366, CCI-000778, CCI-001958, 4.3.3.2.2, 4.3.3.5.2, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.13, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.AC-6, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, 1.8.6, 1.8.7 |
Description | The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable automount within GNOME3, add or set
automount to false in /etc/dconf/db/local.d/00-security-settings .
For example:
[org/gnome/desktop/media-handling]
automount=false
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/media-handling/automount
After the settings have been set, run dconf update . |
Rationale | Disabling automatic mounting in GNOME3 can prevent
the introduction of malware via removable media.
It will, however, also prevent desktop users from legitimate use
of removable media. |
|
|
OVAL test results details
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
dconf user profile exists
oval:ssg-test_dconf_user_profile:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/dconf/profile/user | user-db:user
system-db:local |
Disable automount in GNOME3
oval:ssg-test_dconf_gnome_disable_automount:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_dconf_gnome_disable_automount:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/dconf/db/local.d/ | ^.*$ | ^\[org/gnome/desktop/media-handling\]([^\n]*\n+)+?automount=false$ | 1 |
Prevent user from changing automount setting
oval:ssg-test_prevent_user_gnome_automount:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_prevent_user_gnome_automount:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/dconf/db/local.d/locks/ | ^.*$ | ^/org/gnome/desktop/media-handling/automount$ | 1 |
Disable GNOME3 Automount Openingxccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open mediumCCE-90128-0
Disable GNOME3 Automount Opening
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-dconf_gnome_disable_automount_open:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-90128-0 References:
A.11.SEC-RHEL12, 12, 16, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, 3.1.7, CCI-000366, CCI-000778, CCI-001958, 4.3.3.2.2, 4.3.3.5.2, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.13, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.AC-6, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, 1.8.6, 1.8.7 |
Description | The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable automount-open within GNOME3, add or set
automount-open to false in /etc/dconf/db/local.d/00-security-settings .
For example:
[org/gnome/desktop/media-handling]
automount-open=false
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/media-handling/automount-open
After the settings have been set, run dconf update . |
Rationale | Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.
Disabling automatic mounting in GNOME3 can prevent
the introduction of malware via removable media.
It will, however, also prevent desktop users from legitimate use
of removable media. |
|
|
OVAL test results details
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
dconf user profile exists
oval:ssg-test_dconf_user_profile:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/dconf/profile/user | user-db:user
system-db:local |
Disable automount-open in GNOME
oval:ssg-test_dconf_gnome_disable_automount_open:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_dconf_gnome_disable_automount_open:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/dconf/db/local.d/ | ^.*$ | ^\[org/gnome/desktop/media-handling\]([^\n]*\n+)+?automount-open=false$ | 1 |
Prevent user from changing automount-open setting
oval:ssg-test_prevent_user_gnome_automount_open:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_prevent_user_gnome_automount_open:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/dconf/db/local.d/locks/ | ^.*$ | ^/org/gnome/desktop/media-handling/automount-open$ | 1 |
Disable GNOME3 Automount runningxccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun lowCCE-90257-7
Disable GNOME3 Automount running
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-dconf_gnome_disable_autorun:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | low |
Identifiers and References | Identifiers:
CCE-90257-7 References:
A.11.SEC-RHEL12, 12, 16, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, 3.1.7, CCI-000366, CCI-000778, CCI-001958, 4.3.3.2.2, 4.3.3.5.2, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.13, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.AC-6, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, 1.8.8, 1.8.9 |
Description | The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable autorun-never within GNOME3, add or set
autorun-never to true in /etc/dconf/db/local.d/00-security-settings .
For example:
[org/gnome/desktop/media-handling]
autorun-never=true
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/media-handling/autorun-never
After the settings have been set, run dconf update . |
Rationale | Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.
Disabling automatic mount running in GNOME3 can prevent
the introduction of malware via removable media.
It will, however, also prevent desktop users from legitimate use
of removable media. |
|
|
OVAL test results details
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
dconf user profile exists
oval:ssg-test_dconf_user_profile:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/dconf/profile/user | user-db:user
system-db:local |
Disable autorun in GNOME
oval:ssg-test_dconf_gnome_disable_autorun:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_dconf_gnome_disable_autorun:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/dconf/db/local.d/ | ^.*$ | ^\[org/gnome/desktop/media-handling\]([^\n]*\n+)+?autorun-never=true$ | 1 |
Prevent user from changing autorun setting
oval:ssg-test_prevent_user_gnome_autorun:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_prevent_user_gnome_autorun:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/dconf/db/local.d/locks/ | ^.*$ | ^/org/gnome/desktop/media-handling/autorun-never$ | 1 |
Set GNOME3 Screensaver Inactivity Timeoutxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay mediumCCE-86510-5
Set GNOME3 Screensaver Inactivity Timeout
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-dconf_gnome_screensaver_idle_delay:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86510-5 References:
A.11.SEC-RHEL7, 1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(a), CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, 8.2.8, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, 1.8.4 |
Description | The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay
setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/local.d directory
and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.
For example, to configure the system for a 15 minute delay, add the following to
/etc/dconf/db/local.d/00-security-settings :
[org/gnome/desktop/session]
idle-delay=uint32 900 |
Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from
the immediate physical vicinity of the information system but does not logout because of the
temporary nature of the absence. Rather than relying on the user to manually lock their operating
system session prior to vacating the vicinity, GNOME3 can be configured to identify when
a user's session has idled and take action to initiate a session lock. |
|
|
OVAL test results details
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
dconf user profile exists
oval:ssg-test_dconf_user_profile:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/dconf/profile/user | user-db:user
system-db:local |
screensaver idle delay is configured
oval:ssg-test_screensaver_idle_delay:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_screensaver_idle_delay:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/dconf/db/local.d/ | ^.*$ | ^\[org/gnome/desktop/session\]([^\n]*\n+)+?idle-delay=uint32[\s][0-9]*$ | 1 |
screensaver idle delay setting is correct
oval:ssg-test_screensaver_idle_delay_setting:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_screensaver_idle_delay_setting:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/dconf/db/local.d/ | ^.*$ | ^idle-delay[\s=]*uint32[\s]([^=\s]*) | 1 |
Set GNOME3 Screensaver Lock Delay After Activation Periodxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay mediumCCE-86954-5
Set GNOME3 Screensaver Lock Delay After Activation Period
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-dconf_gnome_screensaver_lock_delay:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86954-5 References:
A.11.SEC-RHEL7, 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000056, CCI-000057, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(a), CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, 1.8.4 |
Description | To activate the locking delay of the screensaver in the GNOME3 desktop when
the screensaver is activated, add or set lock-delay to uint32 5 in
/etc/dconf/db/local.d/00-security-settings . For example:
[org/gnome/desktop/screensaver]
lock-delay=uint32 5
After the settings have been set, run dconf update . |
Rationale | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
of the information system but does not want to logout because of the temporary nature of the absense. |
|
|
OVAL test results details
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
dconf user profile exists
oval:ssg-test_dconf_user_profile:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/dconf/profile/user | user-db:user
system-db:local |
screensaver lock is set correctly
oval:ssg-test_screensaver_lock_delay:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_screensaver_lock_delay:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/dconf/db/local.d/ | ^.*$ | ^\[org/gnome/desktop/screensaver\]([^\n]*\n+)+?lock-delay=uint32[\s][0-9]*$ | 1 |
screensaver lock delay setting is correct
oval:ssg-test_screensaver_lock_delay_setting:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_screensaver_lock_delay_setting:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/dconf/db/local.d/ | ^.*$ | ^lock-delay[\s=]*uint32[\s]([^=\s]*) | 1 |
Ensure Users Cannot Change GNOME3 Screensaver Settingsxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks mediumCCE-87491-7
Ensure Users Cannot Change GNOME3 Screensaver Settings
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-dconf_gnome_screensaver_user_locks:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-87491-7 References:
1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, 1.8.5 |
Description | If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
by adding /org/gnome/desktop/screensaver/lock-delay
to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/lock-delay
After the settings have been set, run dconf update . |
Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
physical vicinity of the information system but does not logout because of the temporary nature of the absence.
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,
GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the
session lock. As such, users should not be allowed to change session settings. |
|
|
OVAL test results details
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
dconf user profile exists
oval:ssg-test_dconf_user_profile:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/dconf/profile/user | user-db:user
system-db:local |
screensaver lock delay cannot be changed by user
oval:ssg-test_user_change_lock_delay_lock:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_user_change_lock_delay_lock:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/dconf/db/local.d/locks/ | ^.*$ | ^/org/gnome/desktop/screensaver/lock-delay$ | 1 |
Ensure Users Cannot Change GNOME3 Session Idle Settingsxccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks mediumCCE-85971-0
Ensure Users Cannot Change GNOME3 Session Idle Settings
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-dconf_gnome_session_idle_user_locks:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-85971-0 References:
1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, 8.2.8, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, 1.8.5 |
Description | If not already configured, ensure that users cannot change GNOME3 session idle settings
by adding /org/gnome/desktop/session/idle-delay
to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/session/idle-delay
After the settings have been set, run dconf update . |
Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
physical vicinity of the information system but does not logout because of the temporary nature of the absence.
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,
GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the
session lock. As such, users should not be allowed to change session settings. |
|
|
OVAL test results details
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
dconf user profile exists
oval:ssg-test_dconf_user_profile:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/dconf/profile/user | user-db:user
system-db:local |
user cannot change screensaver idle delay
oval:ssg-test_user_change_idle_delay_lock:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_user_change_idle_delay_lock:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/dconf/db/local.d/locks/ | ^.*$ | ^/org/gnome/desktop/session/idle-delay$ | 1 |
Remove the GDM Package Groupxccdf_org.ssgproject.content_rule_package_gdm_removed mediumCCE-83549-6
Remove the GDM Package Group
Rule ID | xccdf_org.ssgproject.content_rule_package_gdm_removed |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_gdm_removed:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83549-6 References:
CM-7(a), CM-7(b), CM-6(a), SRG-OS-000480-GPOS-00227, 1.8.1 |
Description |
By removing the gdm package, the system no longer has GNOME installed
installed. If X Windows is not installed then the system cannot boot into graphical user mode.
This prevents the system from being accidentally or maliciously booted into a graphical.target
mode. To do so, run the following command:
$ sudo yum remove gdm |
Rationale | Unnecessary service packages must not be installed to decrease the attack surface of the system.
A graphical environment is unnecessary for certain types of systems including a virtualization
hypervisor. |
|
|
|
|
OVAL test results details
package gdm is removed
oval:ssg-test_package_gdm_removed:tst:1
false
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
gdm | x86_64 | 1 | 21.el9 | 40.1 | 1:40.1-21.el9 | 199e2f91fd431d51 | gdm-1:40.1-21.el9.x86_64 |
Make sure that the dconf databases are up-to-date with regards to respective keyfilesxccdf_org.ssgproject.content_rule_dconf_db_up_to_date highCCE-87295-2
Make sure that the dconf databases are up-to-date with regards to respective keyfiles
Rule ID | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-dconf_db_up_to_date:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | high |
Identifiers and References | Identifiers:
CCE-87295-2 References:
A.11.SEC-RHEL4, 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), Req-6.2, 6.3.3, SRG-OS-000480-GPOS-00227, 1.8.2 |
Description | By default, DConf uses a binary database as a data backend.
The system-level database is compiled from keyfiles in the /etc/dconf/db/
directory by the dconf update command. More specifically, content present
in the following directories:
/etc/dconf/db/distro.d
/etc/dconf/db/local.d |
Rationale | Unlike text-based keyfiles, the binary database is impossible to check by OVAL.
Therefore, in order to evaluate dconf configuration, both have to be true at the same time -
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. |
OVAL test results details
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
Check if the distro dconf DB is up-to-date with keyfiles in the distro tree.
oval:ssg-test_dconf_distro_up_to_date:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-var_dconf_distro_db_modified_time:var:1 | 11170931 |
no keyfiles applicable to the distro database
oval:ssg-test_dconf_distro_no_keyfiles:tst:1
false
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|
/etc/dconf/db/distro.d/locks/20-authselect | symbolic link | 0 | 0 | 27 | rwxrwxrwx |
/etc/dconf/db/distro.d/20-authselect | symbolic link | 0 | 0 | 24 | rwxrwxrwx |
Check if the local dconf DB is up-to-date with keyfiles in the local tree.
oval:ssg-test_dconf_local_up_to_date:tst:1
error
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-var_dconf_local_db_modified_time:var:1 | 11170931 |
no keyfiles applicable to the local database
oval:ssg-test_dconf_local_no_keyfiles:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_dconf_local_config:obj:1 of type
file_object
Filepath |
---|
^/etc/dconf/db/local.d/.* |
Install sudo Packagexccdf_org.ssgproject.content_rule_package_sudo_installed mediumCCE-83523-1
Install sudo Package
Rule ID | xccdf_org.ssgproject.content_rule_package_sudo_installed |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_sudo_installed:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83523-1 References:
BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, 10.2.1.5, SRG-OS-000324-GPOS-00125, 5.3.1 |
Description | The sudo package can be installed with the following command:
$ sudo dnf install sudo |
Rationale | sudo is a program designed to allow a system administrator to give
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done.
|
OVAL test results details
package sudo is installed
oval:ssg-test_package_sudo_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
sudo | x86_64 | (none) | 9.el9 | 1.9.5p2 | 0:1.9.5p2-9.el9 | 199e2f91fd431d51 | sudo-0:1.9.5p2-9.el9.x86_64 |
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_ptyxccdf_org.ssgproject.content_rule_sudo_add_use_pty mediumCCE-83538-9
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
Rule ID | xccdf_org.ssgproject.content_rule_sudo_add_use_pty |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sudo_add_use_pty:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83538-9 References:
BP28(R58), A.5.SEC-RHEL1, Req-10.2.5, 10.2.1.5, 5.3.2 |
Description | The sudo use_pty tag, when specified, will only execute sudo
commands from users logged in to a real tty.
This should be enabled by making sure that the use_pty tag exists in
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/ . |
Rationale | Requiring that sudo commands be run in a pseudo-terminal can prevent an attacker from retaining
access to the user's terminal after the main program has finished executing. |
|
|
OVAL test results details
use_pty exists in /etc/sudoers or /etc/sudoers.d/
oval:ssg-test_use_pty_sudoers:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_use_pty_sudoers:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/sudoers(|\.d/.*)$ | ^[\s]*Defaults[\s]*\buse_pty.*$ | 1 |
Ensure Sudo Logfile Exists - sudo logfilexccdf_org.ssgproject.content_rule_sudo_custom_logfile lowCCE-83527-2
Ensure Sudo Logfile Exists - sudo logfile
Rule ID | xccdf_org.ssgproject.content_rule_sudo_custom_logfile |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sudo_custom_logfile:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | low |
Identifiers and References | Identifiers:
CCE-83527-2 References:
Req-10.2.5, 10.2.1.5, 5.3.3 |
Description | A custom log sudo file can be configured with the 'logfile' tag. This rule configures
a sudo custom logfile at the default location suggested by CIS, which uses
/var/log/sudo.log. |
Rationale | A sudo log file simplifies auditing of sudo commands. |
|
|
OVAL test results details
logfile exists in /etc/sudoers or /etc/sudoers.d/
oval:ssg-test_logfile_sudoers:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_logfile_sudoers:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/sudoers(|\.d/.*)$ | ^[\s]*Defaults[\s]*\blogfile=("(?:\\"|\\\\|[^"\\\n])*"\B|[^"](?:(?:\\,|\\"|\\ |\\\\|[^", \\\n])*)\b).*$ | 1 |
Ensure Users Re-Authenticate for Privilege Escalation - sudoxccdf_org.ssgproject.content_rule_sudo_require_authentication mediumCCE-83543-9
Ensure Users Re-Authenticate for Privilege Escalation - sudo
Rule ID | xccdf_org.ssgproject.content_rule_sudo_require_authentication |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sudo_require_authentication:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83543-9 References:
A.5.SEC-RHEL2, 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, 5.3.4 |
Description | The sudo NOPASSWD and !authenticate option, when
specified, allows a user to execute commands using sudo without having to
authenticate. This should be disabled by making sure that
NOPASSWD and/or !authenticate do not exist in
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/ ." |
Rationale | Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. |
OVAL test results details
!authenticate does not exist in /etc/sudoers
oval:ssg-test_no_authenticate_etc_sudoers:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_authenticate_etc_sudoers:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/sudoers | ^(?!#).*[\s]+\!authenticate.*$ | 1 |
!authenticate does not exist in /etc/sudoers.d
oval:ssg-test_no_authenticate_etc_sudoers_d:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_authenticate_etc_sudoers_d:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/sudoers.d | ^.*$ | ^(?!#).*[\s]+\!authenticate.*$ | 1 |
NOPASSWD does not exist /etc/sudoers
oval:ssg-test_nopasswd_etc_sudoers:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_nopasswd_etc_sudoers:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/sudoers | ^(?!#).*[\s]+NOPASSWD[\s]*\:.*$ | 1 |
NOPASSWD does not exist in /etc/sudoers.d
oval:ssg-test_nopasswd_etc_sudoers_d:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_nopasswd_etc_sudoers_d:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/sudoers.d | ^.*$ | ^(?!#).*[\s]+NOPASSWD[\s]*\:.*$ | 1 |
Require Re-Authentication When Using the sudo Commandxccdf_org.ssgproject.content_rule_sudo_require_reauthentication mediumCCE-90029-0
Require Re-Authentication When Using the sudo Command
Rule ID | xccdf_org.ssgproject.content_rule_sudo_require_reauthentication |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sudo_require_reauthentication:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-90029-0 References:
A.5.SEC-RHEL2, CCI-002038, IA-11, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, 5.3.5, 5.3.6 |
Description | The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits.
The default timestamp_timeout value is 5 minutes.
The timestamp_timeout should be configured by making sure that the
timestamp_timeout tag exists in
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/ .
If the value is set to an integer less than 0, the user's time stamp will not expire
and the user will not have to re-authenticate for privileged actions until the user's session is terminated. |
Rationale | Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. |
|
|
OVAL test results details
check correct configuration in /etc/sudoers
oval:ssg-test_sudo_timestamp_timeout:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sudo_timestamp_timeout:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^\/etc\/(sudoers|sudoers\.d\/.*)$ | ^[\s]*Defaults[\s]+timestamp_timeout[\s]*=\s*[+]?(\d*\.\d+|\d+\.\d*|\d+)$ | 1 |
check correct configuration in /etc/sudoers
oval:ssg-test_sudo_timestamp_timeout_no_signs:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sudo_timestamp_timeout_no_signs:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^\/etc\/(sudoers|sudoers\.d\/.*)$ | ^[\s]*Defaults[\s]+timestamp_timeout[\s]*=\s*[\-](\d*\.\d+|\d+\.\d*|\d+)$ | 1 |
Ensure gpgcheck Enabled In Main dnf Configurationxccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated highCCE-83457-2
Ensure gpgcheck Enabled In Main dnf Configuration
Rule ID | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-ensure_gpgcheck_globally_activated:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | high |
Identifiers and References | Identifiers:
CCE-83457-2 References:
BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, 6.3.3, SRG-OS-000366-GPOS-00153, 1.2.2 |
Description | The gpgcheck option controls whether
RPM packages' signatures are always checked prior to installation.
To configure dnf to check package signatures before installing
them, ensure the following line appears in /etc/dnf/dnf.conf in
the [main] section:
gpgcheck=1 |
Rationale | Changes to any software components can have significant effects on the
overall security of the operating system. This requirement ensures the
software has not been tampered with and that it has been provided by a
trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system
components must be signed with a certificate recognized and approved by the
organization.
Verifying the authenticity of the software prior to installation
validates the integrity of the patch or upgrade received from a vendor.
This ensures the software has not been tampered with and that it has been
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). |
OVAL test results details
check value of gpgcheck in /etc/dnf/dnf.conf
oval:ssg-test_ensure_gpgcheck_globally_activated:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/dnf/dnf.conf | gpgcheck=1 |
Enable GNOME3 Login Warning Bannerxccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled mediumCCE-87599-7
Enable GNOME3 Login Warning Banner
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-dconf_gnome_banner_enabled:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-87599-7 References:
A.11.SEC-RHEL4, 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(b), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, 1.8.2 |
Description | In the default graphical environment, displaying a login warning banner
in the GNOME Display Manager's login screen can be enabled on the login
screen by setting banner-message-enable to true .
To enable, add or edit banner-message-enable to
/etc/dconf/db/distro.d/00-security-settings . For example:
[org/gnome/login-screen]
banner-message-enable=true
Once the setting has been added, add a lock to
/etc/dconf/db/distro.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/login-screen/banner-message-enable
After the settings have been set, run dconf update .
The banner text must also be set. |
Rationale | Display of a standardized and approved use notification before granting access to the operating system
ensures privacy and security notification verbiage used is consistent with applicable federal laws,
Executive Orders, directives, policies, regulations, standards, and guidance.
For U.S. Government systems, system use notifications are required only for access via login interfaces
with human users and are not required when such human interfaces do not exist. |
|
|
OVAL test results details
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
dconf user profile exists
oval:ssg-test_dconf_user_profile:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/dconf/profile/user | user-db:user
system-db:local |
GUI banner is enabled
oval:ssg-test_banner_gui_enabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_banner_gui_enabled:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/dconf/db/distro.d/ | ^.*$ | ^\[org/gnome/login-screen\]([^\n]*\n+)+?banner-message-enable=true$ | 1 |
GUI banner cannot be changed by user
oval:ssg-test_prevent_user_banner_gui_enabled_change:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_prevent_user_banner_gui_enabled_change:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/dconf/db/distro.d/locks/ | ^.*$ | ^/org/gnome/login-screen/banner-message-enable$ | 1 |
Set the GNOME3 Login Warning Banner Textxccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text mediumCCE-86529-5
Set the GNOME3 Login Warning Banner Text
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-dconf_gnome_login_banner_text:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86529-5 References:
A.11.SEC-RHEL4, 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, 1.8.2 |
Description | In the default graphical environment, configuring the login warning banner text
in the GNOME Display Manager's login screen can be configured on the login
screen by setting banner-message-text to 'APPROVED_BANNER'
where APPROVED_BANNER is the approved banner for your environment.
To enable, add or edit banner-message-text to
/etc/dconf/db/distro.d/00-security-settings . For example:
[org/gnome/login-screen]
banner-message-text='APPROVED_BANNER'
Once the setting has been added, add a lock to
/etc/dconf/db/distro.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/login-screen/banner-message-text
After the settings have been set, run dconf update .
When entering a warning banner that spans several lines, remember
to begin and end the string with ' and use \n for new lines. |
Rationale | An appropriate warning message reinforces policy awareness during the logon
process and facilitates possible legal action against attackers. |
|
|
OVAL test results details
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
dconf user profile exists
oval:ssg-test_dconf_user_profile:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/dconf/profile/user | user-db:user
system-db:local |
GUI banner cannot be changed by user
oval:ssg-test_prevent_user_banner_change:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_prevent_user_banner_change:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/dconf/db/distro.d/locks/ | ^.*$ | ^/org/gnome/login-screen/banner-message-text$ | 1 |
login banner text is correctly set
oval:ssg-test_gdm_login_banner_text_setting:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_gdm_login_banner_text_setting:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/dconf/db/distro.d/ | ^.*$ | ^banner-message-text=[\s]*'*(.*?)'$ | 1 |
Modify the System Login Bannerxccdf_org.ssgproject.content_rule_banner_etc_issue mediumCCE-83557-9
Modify the System Login Banner
Rule ID | xccdf_org.ssgproject.content_rule_banner_etc_issue |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-banner_etc_issue:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83557-9 References:
A.11.SEC-RHEL4, 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, 1.7.2 |
Description |
To configure the system login banner edit /etc/issue . Replace the
default text with a message compliant with the local site policy or a legal
disclaimer.
The DoD required text is either:
You are accessing a U.S. Government (USG) Information System (IS) that
is provided for USG-authorized use only. By using this IS (which includes
any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS
for purposes including, but not limited to, penetration testing, COMSEC
monitoring, network operations and defense, personnel misconduct (PM), law
enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private,
are subject to routine monitoring, interception, and search, and may be
disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access
controls) to protect USG interests -- not for your personal benefit or
privacy.
-Notwithstanding the above, using this IS does not constitute consent
to PM, LE or CI investigative searching or monitoring of the content of
privileged communications, or work product, related to personal
representation or services by attorneys, psychotherapists, or clergy, and
their assistants. Such communications and work product are private and
confidential. See User Agreement for details.
OR:
I've read & consent to terms in IS user agreem't. |
Rationale | Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
verbiage used is consistent with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance.
System use notifications are required only for access via login interfaces
with human users and are not required when such human interfaces do not
exist. |
|
|
OVAL test results details
correct banner in /etc/issue
oval:ssg-test_banner_etc_issue:tst:1
false
Following items have been found on the system:
Path | Content |
---|
/etc/issue | \S
Kernel \r on an \m
|
/etc/issue.d/cockpit.issue | Activate the web console with: systemctl enable --now cockpit.socket
|
Modify the System Login Banner for Remote Connectionsxccdf_org.ssgproject.content_rule_banner_etc_issue_net mediumCCE-86148-4
Modify the System Login Banner for Remote Connections
Rule ID | xccdf_org.ssgproject.content_rule_banner_etc_issue_net |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-banner_etc_issue_net:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86148-4 References:
A.11.SEC-RHEL4, CCI-000048, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, 1.7.3 |
Description | To configure the system login banner edit /etc/issue.net . Replace the
default text with a message compliant with the local site policy or a legal
disclaimer.
The DoD required text is either:
You are accessing a U.S. Government (USG) Information System (IS) that
is provided for USG-authorized use only. By using this IS (which includes
any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS
for purposes including, but not limited to, penetration testing, COMSEC
monitoring, network operations and defense, personnel misconduct (PM), law
enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private,
are subject to routine monitoring, interception, and search, and may be
disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access
controls) to protect USG interests -- not for your personal benefit or
privacy.
-Notwithstanding the above, using this IS does not constitute consent
to PM, LE or CI investigative searching or monitoring of the content of
privileged communications, or work product, related to personal
representation or services by attorneys, psychotherapists, or clergy, and
their assistants. Such communications and work product are private and
confidential. See User Agreement for details.
OR:
I've read & consent to terms in IS user agreem't. |
Rationale | Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
verbiage used is consistent with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance.
System use notifications are required only for access via login interfaces
with human users and are not required when such human interfaces do not
exist. |
|
|
OVAL test results details
correct banner in /etc/issue.net
oval:ssg-test_banner_etc_issue_net:tst:1
false
Following items have been found on the system:
Path | Content |
---|
/etc/issue.net | \S
Kernel \r on an \m
|
Modify the System Message of the Day Bannerxccdf_org.ssgproject.content_rule_banner_etc_motd mediumCCE-83559-5
Modify the System Message of the Day Banner
Rule ID | xccdf_org.ssgproject.content_rule_banner_etc_motd |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-banner_etc_motd:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83559-5 References:
A.11.SEC-RHEL4, 1.7.1 |
Description | To configure the system message banner edit /etc/motd . Replace the
default text with a message compliant with the local site policy or a legal
disclaimer.
The DoD required text is either:
You are accessing a U.S. Government (USG) Information System (IS) that
is provided for USG-authorized use only. By using this IS (which includes
any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS
for purposes including, but not limited to, penetration testing, COMSEC
monitoring, network operations and defense, personnel misconduct (PM), law
enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private,
are subject to routine monitoring, interception, and search, and may be
disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access
controls) to protect USG interests -- not for your personal benefit or
privacy.
-Notwithstanding the above, using this IS does not constitute consent
to PM, LE or CI investigative searching or monitoring of the content of
privileged communications, or work product, related to personal
representation or services by attorneys, psychotherapists, or clergy, and
their assistants. Such communications and work product are private and
confidential. See User Agreement for details.
OR:
I've read & consent to terms in IS user agreem't. |
Rationale | Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
verbiage used is consistent with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance.
System use notifications are required only for access via login interfaces
with human users and are not required when such human interfaces do not
exist. |
OVAL test results details
correct banner in /etc/motd
oval:ssg-test_banner_etc_motd:tst:1
true
Following items have been found on the system:
Verify Group Ownership of System Login Bannerxccdf_org.ssgproject.content_rule_file_groupowner_etc_issue mediumCCE-86699-6
Verify Group Ownership of System Login Banner
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_etc_issue:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86699-6 References:
1.7.5 |
Description |
To properly set the group owner of /etc/issue , run the command:
$ sudo chgrp root /etc/issue |
Rationale | Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
verbiage used is consistent with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance.
Proper group ownership will ensure that only root user can modify the banner. |
OVAL test results details
Testing group ownership of /etc/issue
oval:ssg-test_file_groupowner_etc_issue_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_etc_issue_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/issue | oval:ssg-symlink_file_groupowner_etc_issue_uid_0:ste:1 | oval:ssg-state_file_groupowner_etc_issue_gid_0_0:ste:1 |
Verify Group Ownership of System Login Banner for Remote Connectionsxccdf_org.ssgproject.content_rule_file_groupowner_etc_issue_net mediumCCE-86052-8
Verify Group Ownership of System Login Banner for Remote Connections
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue_net |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_etc_issue_net:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86052-8 References:
1.7.6 |
Description |
To properly set the group owner of /etc/issue.net , run the command:
$ sudo chgrp root /etc/issue.net |
Rationale | Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
verbiage used is consistent with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance.
Proper group ownership will ensure that only root user can modify the banner. |
OVAL test results details
Testing group ownership of /etc/issue.net
oval:ssg-test_file_groupowner_etc_issue_net_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_etc_issue_net_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/issue.net | oval:ssg-symlink_file_groupowner_etc_issue_net_uid_0:ste:1 | oval:ssg-state_file_groupowner_etc_issue_net_gid_0_0:ste:1 |
Verify Group Ownership of Message of the Day Bannerxccdf_org.ssgproject.content_rule_file_groupowner_etc_motd mediumCCE-86697-0
Verify Group Ownership of Message of the Day Banner
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etc_motd |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_etc_motd:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86697-0 References:
1.7.4 |
Description |
To properly set the group owner of /etc/motd , run the command:
$ sudo chgrp root /etc/motd |
Rationale | Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
verbiage used is consistent with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance.
Proper group ownership will ensure that only root user can modify the banner. |
OVAL test results details
Testing group ownership of /etc/motd
oval:ssg-test_file_groupowner_etc_motd_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_etc_motd_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/motd | oval:ssg-symlink_file_groupowner_etc_motd_uid_0:ste:1 | oval:ssg-state_file_groupowner_etc_motd_gid_0_0:ste:1 |
Verify ownership of System Login Bannerxccdf_org.ssgproject.content_rule_file_owner_etc_issue mediumCCE-86700-2
Verify ownership of System Login Banner
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_issue |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_etc_issue:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86700-2 References:
1.7.5 |
Description |
To properly set the owner of /etc/issue , run the command:
$ sudo chown root /etc/issue |
Rationale | Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
verbiage used is consistent with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance.
Proper ownership will ensure that only root user can modify the banner. |
OVAL test results details
Testing user ownership of /etc/issue
oval:ssg-test_file_owner_etc_issue_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_etc_issue_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/issue | oval:ssg-symlink_file_owner_etc_issue_uid_0:ste:1 | oval:ssg-state_file_owner_etc_issue_uid_0_0:ste:1 |
Verify ownership of System Login Banner for Remote Connectionsxccdf_org.ssgproject.content_rule_file_owner_etc_issue_net mediumCCE-86057-7
Verify ownership of System Login Banner for Remote Connections
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_issue_net |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_etc_issue_net:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86057-7 References:
1.7.6 |
Description |
To properly set the owner of /etc/issue.net , run the command:
$ sudo chown root /etc/issue.net |
Rationale | Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
verbiage used is consistent with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance.
Proper ownership will ensure that only root user can modify the banner. |
OVAL test results details
Testing user ownership of /etc/issue.net
oval:ssg-test_file_owner_etc_issue_net_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_etc_issue_net_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/issue.net | oval:ssg-symlink_file_owner_etc_issue_net_uid_0:ste:1 | oval:ssg-state_file_owner_etc_issue_net_uid_0_0:ste:1 |
Verify ownership of Message of the Day Bannerxccdf_org.ssgproject.content_rule_file_owner_etc_motd mediumCCE-86698-8
Verify ownership of Message of the Day Banner
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_motd |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_etc_motd:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86698-8 References:
1.7.4 |
Description |
To properly set the owner of /etc/motd , run the command:
$ sudo chown root /etc/motd |
Rationale | Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
verbiage used is consistent with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance.
Proper ownership will ensure that only root user can modify the banner. |
OVAL test results details
Testing user ownership of /etc/motd
oval:ssg-test_file_owner_etc_motd_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_etc_motd_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/motd | oval:ssg-symlink_file_owner_etc_motd_uid_0:ste:1 | oval:ssg-state_file_owner_etc_motd_uid_0_0:ste:1 |
Verify permissions on System Login Bannerxccdf_org.ssgproject.content_rule_file_permissions_etc_issue mediumCCE-83551-2
Verify permissions on System Login Banner
Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_etc_issue |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_permissions_etc_issue:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83551-2 References:
1.7.5 |
Description |
To properly set the permissions of /etc/issue , run the command:
$ sudo chmod 0644 /etc/issue |
Rationale | Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
verbiage used is consistent with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance.
Proper permissions will ensure that only root user can modify the banner. |
OVAL test results details
Testing mode of /etc/issue
oval:ssg-test_file_permissions_etc_issue_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_etc_issue_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/issue | oval:ssg-exclude_symlinks__etc_issue:ste:1 | oval:ssg-state_file_permissions_etc_issue_0_mode_0644or_stricter_:ste:1 |
Verify permissions on System Login Banner for Remote Connectionsxccdf_org.ssgproject.content_rule_file_permissions_etc_issue_net mediumCCE-86048-6
Verify permissions on System Login Banner for Remote Connections
Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_etc_issue_net |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_permissions_etc_issue_net:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86048-6 References:
1.7.6 |
Description |
To properly set the permissions of /etc/issue.net , run the command:
$ sudo chmod 0644 /etc/issue.net |
Rationale | Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
verbiage used is consistent with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance.
Proper permissions will ensure that only root user can modify the banner. |
OVAL test results details
Testing mode of /etc/issue.net
oval:ssg-test_file_permissions_etc_issue_net_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_etc_issue_net_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/issue.net | oval:ssg-exclude_symlinks__etc_issue_net:ste:1 | oval:ssg-state_file_permissions_etc_issue_net_0_mode_0644or_stricter_:ste:1 |
Verify permissions on Message of the Day Bannerxccdf_org.ssgproject.content_rule_file_permissions_etc_motd mediumCCE-83554-6
Verify permissions on Message of the Day Banner
Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_etc_motd |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_permissions_etc_motd:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83554-6 References:
1.7.4 |
Description |
To properly set the permissions of /etc/motd , run the command:
$ sudo chmod 0644 /etc/motd |
Rationale | Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
verbiage used is consistent with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance.
Proper permissions will ensure that only root user can modify the banner. |
OVAL test results details
Testing mode of /etc/motd
oval:ssg-test_file_permissions_etc_motd_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_etc_motd_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/motd | oval:ssg-exclude_symlinks__etc_motd:ste:1 | oval:ssg-state_file_permissions_etc_motd_0_mode_0644or_stricter_:ste:1 |
Limit Password Reuse: password-authxccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth mediumCCE-86354-8
Limit Password Reuse: password-auth
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-accounts_password_pam_pwhistory_remember_password_auth:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86354-8 References:
1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, CCI-000200, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(e), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.5, SRG-OS-000077-GPOS-00045, 5.5.3 |
Description | Do not allow users to reuse recent passwords. This can be accomplished by using the
remember option for the pam_pwhistory PAM module.
On systems with newer versions of authselect , the pam_pwhistory PAM module
can be enabled via authselect feature:
authselect enable-feature with-pwhistory
Otherwise, it should be enabled using an authselect custom profile.
Newer systems also have the /etc/security/pwhistory.conf file for setting
pam_pwhistory module options. This file should be used whenever available.
Otherwise, the pam_pwhistory module options can be set in PAM files.
The value for remember option must be equal or greater than
5 |
Rationale | Preventing re-use of previous passwords helps ensure that a compromised password is not
re-used by a user. |
Warnings | warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report. warning
Newer versions of authselect contain an authselect feature to easily and properly
enable pam_pwhistory.so module. If this feature is not yet available in your
system, an authselect custom profile must be used to avoid integrity issues in PAM files.
If a custom profile was created and used in the system before this authselect feature was
available, the new feature can't be used with this custom profile and the
remediation will fail. In this case, the custom profile should be recreated or manually
updated. |
|
|
OVAL test results details
Check pam_pwhistory.so presence in /etc/pam.d/password-auth
oval:ssg-test_accounts_password_pam_pwhistory_remember_password_auth:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_password_auth:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
requisite | required | requisite,required | ^\s*password\s+(?:requisite)\s+pam_pwhistory\.so.*$ | ^\s*password\s+(?:required)\s+pam_pwhistory\.so.*$ |
| /etc/pam.d/password-auth | 1 |
Check remember parameter is present and correct in /etc/pam.d/password-auth
oval:ssg-test_accounts_password_pam_pwhistory_remember_password_auth_pamd:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_password_auth_pamd:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
5 | ^\s*password\b.*\bpam_pwhistory\.so\b.*\bremember=([0-9]*).*$ |
| /etc/pam.d/password-auth | 1 |
Check the absence of remember parameter in /etc/security/pwhistory.conf
oval:ssg-test_accounts_password_pam_pwhistory_remember_password_auth_no_pwhistory_conf:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_password_auth_param_conf:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^\s*remember\s*=\s*([0-9]+) | ^/etc/security/pwhistory.conf$ | 1 |
Check remember parameter is absent in /etc/pam.d/password-auth
oval:ssg-test_accounts_password_pam_pwhistory_remember_password_auth_no_pamd:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_password_auth_pamd:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^\s*password\b.*\bpam_pwhistory\.so\b.*\bremember=([0-9]*).*$ | /etc/pam.d/password-auth | 1 |
Check remember parameter is present and correct in /etc/security/pwhistory.conf
oval:ssg-test_accounts_password_pam_pwhistory_remember_password_auth_pwhistory_conf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_password_auth_param_conf:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
5 | ^\s*remember\s*=\s*([0-9]+) |
| ^/etc/security/pwhistory.conf$ | 1 |
Limit Password Reuse: system-authxccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth mediumCCE-89176-2
Limit Password Reuse: system-auth
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-accounts_password_pam_pwhistory_remember_system_auth:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-89176-2 References:
1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, CCI-000200, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(e), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.5, SRG-OS-000077-GPOS-00045, 5.5.3 |
Description | Do not allow users to reuse recent passwords. This can be accomplished by using the
remember option for the pam_pwhistory PAM module.
On systems with newer versions of authselect , the pam_pwhistory PAM module
can be enabled via authselect feature:
authselect enable-feature with-pwhistory
Otherwise, it should be enabled using an authselect custom profile.
Newer systems also have the /etc/security/pwhistory.conf file for setting
pam_pwhistory module options. This file should be used whenever available.
Otherwise, the pam_pwhistory module options can be set in PAM files.
The value for remember option must be equal or greater than
5 |
Rationale | Preventing re-use of previous passwords helps ensure that a compromised password is not
re-used by a user. |
Warnings | warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report. warning
Newer versions of authselect contain an authselect feature to easily and properly
enable pam_pwhistory.so module. If this feature is not yet available in your
system, an authselect custom profile must be used to avoid integrity issues in PAM files. |
|
|
OVAL test results details
Check pam_pwhistory.so presence in /etc/pam.d/system-auth
oval:ssg-test_accounts_password_pam_pwhistory_remember_system_auth:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_system_auth:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
requisite | required | requisite,required | ^\s*password\s+(?:requisite)\s+pam_pwhistory\.so.*$ | ^\s*password\s+(?:required)\s+pam_pwhistory\.so.*$ |
| /etc/pam.d/system-auth | 1 |
Check remember parameter is present and correct in /etc/pam.d/system-auth
oval:ssg-test_accounts_password_pam_pwhistory_remember_system_auth_pamd:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_system_auth_pamd:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
5 | ^\s*password\b.*\bpam_pwhistory\.so\b.*\bremember=([0-9]*).*$ |
| /etc/pam.d/system-auth | 1 |
Check the absence of remember parameter in /etc/security/pwhistory.conf
oval:ssg-test_accounts_password_pam_pwhistory_remember_system_auth_no_pwhistory_conf:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_system_auth_param_conf:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^\s*remember\s*=\s*([0-9]+) | ^/etc/security/pwhistory.conf$ | 1 |
Check remember parameter is absent in /etc/pam.d/system-auth
oval:ssg-test_accounts_password_pam_pwhistory_remember_system_auth_no_pamd:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_system_auth_pamd:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^\s*password\b.*\bpam_pwhistory\.so\b.*\bremember=([0-9]*).*$ | /etc/pam.d/system-auth | 1 |
Check remember parameter is present and correct in /etc/security/pwhistory.conf
oval:ssg-test_accounts_password_pam_pwhistory_remember_system_auth_pwhistory_conf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_system_auth_param_conf:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
5 | ^\s*remember\s*=\s*([0-9]+) |
| ^/etc/security/pwhistory.conf$ | 1 |
Lock Accounts After Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny mediumCCE-83587-6
Lock Accounts After Failed Password Attempts
Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-accounts_passwords_pam_faillock_deny:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83587-6 References:
BP28(R18), A.30.SEC-RHEL1, 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, Req-8.1.6, 8.3.4, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, 5.4.2, 5.5.2 |
Description | This rule configures the system to lock out accounts after a number of incorrect login attempts
using pam_faillock.so .
pam_faillock.so module requires multiple entries in pam files. These entries must be carefully
defined to work as expected.
Ensure that the file /etc/security/faillock.conf contains the following entry:
deny = <count>
Where count should be less than or equal to
3 and greater than 0.
In order to avoid errors when manually editing these files, it is
recommended to use the appropriate tools, such as authselect or authconfig ,
depending on the OS version. |
Rationale | By limiting the number of failed logon attempts, the risk of unauthorized system access via
user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking
the account. |
Warnings | warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report.
If the system supports the /etc/security/faillock.conf file, the pam_faillock
parameters should be defined in faillock.conf file. |
|
|
OVAL test results details
No more than one pam_unix.so is expected in auth section of system-auth
oval:ssg-test_accounts_passwords_pam_faillock_deny_system_pam_unix_auth:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_system_pam_unix_auth:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^[\s]*auth\N+pam_unix\.so | ^/etc/pam.d/system-auth$ | 1 |
No more than one pam_unix.so is expected in auth section of password-auth
oval:ssg-test_accounts_passwords_pam_faillock_deny_password_pam_unix_auth:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_password_pam_unix_auth:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^[\s]*auth\N+pam_unix\.so | ^/etc/pam.d/password-auth$ | 1 |
One and only one occurrence is expected in auth section of system-auth
oval:ssg-test_accounts_passwords_pam_faillock_deny_system_pam_faillock_auth:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_system_pam_faillock_auth:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail | ^/etc/pam.d/system-auth$ | 1 |
One and only one occurrence is expected in auth section of system-auth
oval:ssg-test_accounts_passwords_pam_faillock_deny_system_pam_faillock_account:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_system_pam_faillock_account:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so | ^/etc/pam.d/system-auth$ | 1 |
One and only one occurrence is expected in auth section of password-auth
oval:ssg-test_accounts_passwords_pam_faillock_deny_password_pam_faillock_auth:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_password_pam_faillock_auth:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail | ^/etc/pam.d/password-auth$ | 1 |
One and only one occurrence is expected in auth section of password-auth
oval:ssg-test_accounts_passwords_pam_faillock_deny_password_pam_faillock_account:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_password_pam_faillock_account:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so | ^/etc/pam.d/password-auth$ | 1 |
Check the expected deny value in system-auth
oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_pamd_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_system:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
3 | ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+) |
| ^/etc/pam.d/system-auth$ | 1 |
Check the expected deny value in password-auth
oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_pamd_password:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_password:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
3 | ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+) |
| ^/etc/pam.d/password-auth$ | 1 |
Check the absence of deny parameter in /etc/security/faillock.conf
oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_no_faillock_conf:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_faillock_conf:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^[\s]*deny[\s]*=[\s]*([0-9]+) | ^/etc/security/faillock.conf$ | 1 |
Check the absence of deny parameter in system-auth
oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_system:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_system:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+) | ^/etc/pam.d/system-auth$ | 1 |
Check the absence of deny parameter in password-auth
oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_password:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_password:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+) | ^/etc/pam.d/password-auth$ | 1 |
Check the expected deny value in in /etc/security/faillock.conf
oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_faillock_conf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_faillock_conf:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
3 | ^[\s]*deny[\s]*=[\s]*([0-9]+) |
| ^/etc/security/faillock.conf$ | 1 |
Set Lockout Time for Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time mediumCCE-83588-4
Set Lockout Time for Failed Password Attempts
Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83588-4 References:
BP28(R18), A.30.SEC-RHEL1, 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(b), PR.AC-7, FIA_AFL.1, Req-8.1.7, 8.3.4, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, 5.5.2 |
Description | This rule configures the system to lock out accounts during a specified time period after a
number of incorrect login attempts using pam_faillock.so .
Ensure that the file /etc/security/faillock.conf contains the following entry:
unlock_time=<interval-in-seconds> where
interval-in-seconds is 900 or greater.
pam_faillock.so module requires multiple entries in pam files. These entries must be carefully
defined to work as expected. In order to avoid any errors when manually editing these files,
it is recommended to use the appropriate tools, such as authselect or authconfig ,
depending on the OS version.
If unlock_time is set to 0 , manual intervention by an administrator is required
to unlock a user. This should be done using the faillock tool. |
Rationale | By limiting the number of failed logon attempts the risk of unauthorized system
access via user password guessing, otherwise known as brute-forcing, is reduced.
Limits are imposed by locking the account. |
Warnings | warning
If the system supports the new /etc/security/faillock.conf file but the
pam_faillock.so parameters are defined directly in /etc/pam.d/system-auth and
/etc/pam.d/password-auth , the remediation will migrate the unlock_time parameter
to /etc/security/faillock.conf to ensure compatibility with authselect tool.
The parameters deny and fail_interval , if used, also have to be migrated
by their respective remediation. warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report.
If the system supports the /etc/security/faillock.conf file, the pam_faillock
parameters should be defined in faillock.conf file. |
|
|
OVAL test results details
No more than one pam_unix.so is expected in auth section of system-auth
oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system_pam_unix_auth:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_system_pam_unix_auth:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^[\s]*auth\N+pam_unix\.so | ^/etc/pam.d/system-auth$ | 1 |
No more than one pam_unix.so is expected in auth section of password-auth
oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password_pam_unix_auth:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_password_pam_unix_auth:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^[\s]*auth\N+pam_unix\.so | ^/etc/pam.d/password-auth$ | 1 |
One and only one occurrence is expected in auth section of system-auth
oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_auth:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_auth:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail | ^/etc/pam.d/system-auth$ | 1 |
One and only one occurrence is expected in auth section of system-auth
oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_account:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_account:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so | ^/etc/pam.d/system-auth$ | 1 |
One and only one occurrence is expected in auth section of password-auth
oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_auth:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_auth:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail | ^/etc/pam.d/password-auth$ | 1 |
One and only one occurrence is expected in auth section of password-auth
oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_account:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_account:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so | ^/etc/pam.d/password-auth$ | 1 |
Check the expected unlock_time value in system-auth
oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
900 | ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+) |
| ^/etc/pam.d/system-auth$ | 1 |
Check the expected unlock_time value in password-auth
oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
900 | ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+) |
| ^/etc/pam.d/password-auth$ | 1 |
Check the absence of unlock_time parameter in /etc/security/faillock.conf
oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_no_faillock_conf:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^[\s]*unlock_time[\s]*=[\s]*([0-9]+) | ^/etc/security/faillock.conf$ | 1 |
Check the absence of unlock_time parameter in system-auth
oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_system:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+) | ^/etc/pam.d/system-auth$ | 1 |
Check the absence of unlock_time parameter in password-auth
oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_password:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+) | ^/etc/pam.d/password-auth$ | 1 |
Check the expected unlock_time value in in /etc/security/faillock.conf
oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
900 | ^[\s]*unlock_time[\s]*=[\s]*([0-9]+) |
| ^/etc/security/faillock.conf$ | 1 |
Ensure PAM Enforces Password Requirements - Minimum Different Categoriesxccdf_org.ssgproject.content_rule_accounts_password_pam_minclass mediumCCE-83563-7
Ensure PAM Enforces Password Requirements - Minimum Different Categories
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-accounts_password_pam_minclass:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83563-7 References:
A.11.SEC-RHEL3, 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, 5.5.1 |
Description | The pam_pwquality module's minclass parameter controls
requirements for usage of different character classes, or types, of character
that must exist in a password before it is considered valid. For example,
setting this value to three (3) requires that any password must have characters
from at least three different categories in order to be approved. The default
value is zero (0), meaning there are no required classes. There are four
categories available:
* Upper-case characters
* Lower-case characters
* Digits
* Special characters (for example, punctuation)
Modify the minclass setting in /etc/security/pwquality.conf entry
to require 4
differing categories of characters when changing passwords. |
Rationale | Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts
at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The
more complex the password, the greater the number of possible combinations that need to be tested before
the password is compromised.
Requiring a minimum number of character categories makes password guessing attacks more difficult
by ensuring a larger search space. |
|
|
OVAL test results details
check the configuration of /etc/pam.d/system-auth
oval:ssg-test_password_pam_pwquality:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/pam.d/system-auth |
password requisite pam_pwquality.so local_users_only |
check the configuration of /etc/security/pwquality.conf
oval:ssg-test_password_pam_pwquality_minclass:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_minclass:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/security/pwquality\.conf$ | ^\s*minclass[\s]*=[\s]*(-?\d+)(?:[\s]|$) | 1 |
Ensure PAM Enforces Password Requirements - Minimum Lengthxccdf_org.ssgproject.content_rule_accounts_password_pam_minlen mediumCCE-83579-3
Ensure PAM Enforces Password Requirements - Minimum Length
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-accounts_password_pam_minlen:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83579-3 References:
BP28(R18), A.11.SEC-RHEL3, 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000205, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, Req-8.2.3, 8.3.6, 8.3.9, SRG-OS-000078-GPOS-00046, 5.5.1 |
Description | The pam_pwquality module's minlen parameter controls requirements for
minimum characters required in a password. Add minlen=14
after pam_pwquality to set minimum password length requirements. |
Rationale | The shorter the password, the lower the number of possible combinations
that need to be tested before the password is compromised.
Password complexity, or strength, is a measure of the effectiveness of a
password in resisting attempts at guessing and brute-force attacks.
Password length is one factor of several that helps to determine strength
and how long it takes to crack a password. Use of more characters in a password
helps to exponentially increase the time and/or resources required to
compromise the password. |
|
|
OVAL test results details
check the configuration of /etc/pam.d/system-auth
oval:ssg-test_password_pam_pwquality:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/pam.d/system-auth |
password requisite pam_pwquality.so local_users_only |
check the configuration of /etc/security/pwquality.conf
oval:ssg-test_password_pam_pwquality_minlen:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_minlen:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/security/pwquality\.conf$ | ^\s*minlen[\s]*=[\s]*(-?\d+)(?:[\s]|$) | 1 |
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Sessionxccdf_org.ssgproject.content_rule_accounts_password_pam_retry mediumCCE-83569-4
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_retry |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-accounts_password_pam_retry:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83569-4 References:
A.11.SEC-RHEL3, 1, 11, 12, 15, 16, 3, 5, 9, 5.5.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000192, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, PR.IP-1, FMT_MOF_EXT.1, SRG-OS-000069-GPOS-00037, SRG-OS-000480-GPOS-00227, 5.5.1 |
Description | To configure the number of retry prompts that are permitted per-session:
Edit the /etc/security/pwquality.conf to include
retry=3 , or a lower value if site
policy is more restrictive. The DoD requirement is a maximum of 3 prompts
per session. |
Rationale | Setting the password retry prompts that are permitted on a per-session basis to a low value
requires some software, such as SSH, to re-connect. This can slow down and
draw additional attention to some types of password-guessing attacks. Note that this
is different from account lockout, which is provided by the pam_faillock module. |
|
|
OVAL test results details
check the configuration of /etc/pam.d/password-auth
oval:ssg-test_password_pam_pwquality_retry_password_auth:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_retry_password_auth:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/pam.d/password-auth | ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*retry=([0-9]*).*$ | 1 |
check the configuration of /etc/pam.d/system-auth
oval:ssg-test_password_pam_pwquality_retry_system_auth:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_retry_system_auth:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/pam.d/system-auth | ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*retry=([0-9]*).*$ | 1 |
check the configuration of /etc/pam.d/password-auth
oval:ssg-test_password_pam_pwquality_retry_password_auth_not_set:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_retry_password_auth:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/pam.d/password-auth | ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*retry=([0-9]*).*$ | 1 |
check the configuration of /etc/pam.d/system-auth
oval:ssg-test_password_pam_pwquality_retry_system_auth_not_set:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_retry_system_auth:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/pam.d/system-auth | ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*retry=([0-9]*).*$ | 1 |
check the configuration of /etc/security/pwquality.conf
oval:ssg-test_password_pam_pwquality_retry_pwquality_conf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_retry_pwquality_conf:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/security/pwquality.conf | ^[\s]*retry[\s]*=[\s]*(\d+)(?:[\s]|$) | 1 |
Set Password Hashing Algorithm in /etc/login.defsxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs mediumCCE-90590-1
Set Password Hashing Algorithm in /etc/login.defs
Rule ID | xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-set_password_hashing_algorithm_logindefs:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-90590-1 References:
BP28(R32), A.19.SEC-RHEL3, 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, 8.3.2, SRG-OS-000073-GPOS-00041, 5.5.4 |
Description | In /etc/login.defs , add or correct the following line to ensure
the system will use SHA512 as the hashing algorithm:
ENCRYPT_METHOD SHA512 |
Rationale | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords.
If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords
that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.
Using a stronger hashing algorithm makes password cracking attacks more difficult. |
OVAL test results details
The value of ENCRYPT_METHOD should be set appropriately in /etc/login.defs
oval:ssg-test_etc_login_defs_encrypt_method:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-variable_last_encrypt_method_instance_value:var:1 | SHA512 |
Set PAM''s Password Hashing Algorithm - password-authxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth mediumCCE-85946-2
Set PAM''s Password Hashing Algorithm - password-auth
Rule ID | xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-set_password_hashing_algorithm_passwordauth:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-85946-2 References:
BP28(R32), A.19.SEC-RHEL3, 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, CCI-000803, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061, 5.5.4 |
Description | The PAM system service can be configured to only store encrypted
representations of passwords. In
/etc/pam.d/password-auth ,
the
password section of the file controls which PAM modules execute
during a password change. Set the pam_unix.so module in the
password section to include the argument sha512 , as shown
below:
password sufficient pam_unix.so sha512 other arguments...
This will help ensure when local users change their passwords, hashes for
the new passwords will be generated using the SHA-512 algorithm. This is
the default. |
Rationale | Passwords need to be protected at all times, and encryption is the standard
method for protecting passwords. If passwords are not encrypted, they can
be plainly read (i.e., clear text) and easily compromised. Passwords that
are encrypted with a weak algorithm are no more protected than if they are
kepy in plain text.
This setting ensures user and group account administration utilities are
configured to store only encrypted representations of passwords.
Additionally, the crypt_style configuration option ensures the use
of a strong hashing algorithm that makes password cracking attacks more
difficult. |
OVAL test results details
check /etc/pam.d/password-auth for correct settings
oval:ssg-test_pam_unix_passwordauth_sha512:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/pam.d/password-auth | password sufficient pam_unix.so sha512 shadow nullok use_authtok |
Set PAM''s Password Hashing Algorithmxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth mediumCCE-83581-9
Set PAM''s Password Hashing Algorithm
Rule ID | xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-set_password_hashing_algorithm_systemauth:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83581-9 References:
BP28(R32), A.19.SEC-RHEL3, 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, CCI-000803, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, 8.3.2, SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061, 5.5.4 |
Description | The PAM system service can be configured to only store encrypted
representations of passwords. In "/etc/pam.d/system-auth", the
password section of the file controls which PAM modules execute
during a password change. Set the pam_unix.so module in the
password section to include the argument sha512 , as shown
below:
password sufficient pam_unix.so sha512 other arguments...
This will help ensure when local users change their passwords, hashes for
the new passwords will be generated using the SHA-512 algorithm. This is
the default. |
Rationale | Passwords need to be protected at all times, and encryption is the standard
method for protecting passwords. If passwords are not encrypted, they can
be plainly read (i.e., clear text) and easily compromised. Passwords that
are encrypted with a weak algorithm are no more protected than if they are
kepy in plain text.
This setting ensures user and group account administration utilities are
configured to store only encrypted representations of passwords.
Additionally, the crypt_style configuration option ensures the use
of a strong hashing algorithm that makes password cracking attacks more
difficult. |
OVAL test results details
check /etc/pam.d/system-auth for correct settings
oval:ssg-test_pam_unix_sha512:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/pam.d/system-auth | password sufficient pam_unix.so sha512 shadow nullok use_authtok |
Set Account Expiration Following Inactivityxccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration mediumCCE-83627-0
Set Account Expiration Following Inactivity
Rule ID | xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-account_disable_post_pw_expiration:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83627-0 References:
1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.6.2.1.1, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.6, CCI-000017, CCI-000795, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, IA-4(e), AC-2(3), CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, Req-8.1.4, 8.2.6, SRG-OS-000118-GPOS-00060, 5.6.1.4 |
Description | To specify the number of days after a password expires (which
signifies inactivity) until an account is permanently disabled, add or correct
the following line in /etc/default/useradd :
INACTIVE=30
If a password is currently on the verge of expiration, then
30
day(s) remain(s) until the account is automatically
disabled. However, if the password will not expire for another 60 days, then 60
days plus 30 day(s) could
elapse until the account would be automatically disabled. See the
useradd man page for more information. |
Rationale | Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system.
Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.
Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. |
|
|
OVAL test results details
the value INACTIVE parameter should be set appropriately in /etc/default/useradd
oval:ssg-test_etc_default_useradd_inactive:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_etc_default_useradd_inactive:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/default/useradd | ^\s*INACTIVE\s*=\s*(\d+)\s*$ | 1 |
Ensure All Accounts on the System Have Unique Namesxccdf_org.ssgproject.content_rule_account_unique_name mediumCCE-83628-8
Ensure All Accounts on the System Have Unique Names
Rule ID | xccdf_org.ssgproject.content_rule_account_unique_name |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-account_unique_name:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83628-8 References:
5.5.2, CCI-000770, CCI-000804, Req-8.1.1, 8.2.1, 6.2.6 |
Description | Ensure accounts on the system have unique names.
To ensure all accounts have unique names, run the following command:
$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d
If a username is returned, change or delete the username. |
Rationale | Unique usernames allow for accountability on the system. |
OVAL test results details
There should not exist duplicate user name entries in /etc/passwd
oval:ssg-test_etc_passwd_no_duplicate_user_names:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-variable_count_of_all_usernames_from_etc_passwd:var:1 | 38 |
Set Password Maximum Agexccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs mediumCCE-83606-4
Set Password Maximum Age
Rule ID | xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-accounts_maximum_age_login_defs:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83606-4 References:
BP28(R18), A.5.SEC-RHEL5, 1, 12, 15, 16, 5, 5.6.2.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.6, CCI-000199, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(d), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.4, 8.3.10.1, SRG-OS-000076-GPOS-00044, 5.6.1.1 |
Description | To specify password maximum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line:
PASS_MAX_DAYS 365
A value of 180 days is sufficient for many environments.
The DoD requirement is 60.
The profile requirement is 365 . |
Rationale | Any password, no matter how complex, can eventually be cracked. Therefore, passwords
need to be changed periodically. If the operating system does not limit the lifetime
of passwords and force users to change their passwords, there is the risk that the
operating system passwords could be compromised.
Setting the password maximum age ensures users are required to
periodically change their passwords. Requiring shorter password lifetimes
increases the risk of users writing down the password in a convenient
location subject to physical compromise. |
|
|
OVAL test results details
The value of PASS_MAX_DAYS should be set appropriately in /etc/login.defs
oval:ssg-test_pass_max_days:tst:1
false
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-variable_last_pass_max_days_instance_value:var:1 | 99999 |
Set Password Minimum Agexccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs mediumCCE-83610-6
Set Password Minimum Age
Rule ID | xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-accounts_minimum_age_login_defs:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83610-6 References:
A.5.SEC-RHEL5, 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, CCI-000198, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(d), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, 8.3.9, SRG-OS-000075-GPOS-00043, 5.6.1.2 |
Description | To specify password minimum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line:
PASS_MIN_DAYS 1
A value of 1 day is considered sufficient for many
environments. The DoD requirement is 1.
The profile requirement is 1 . |
Rationale | Enforcing a minimum password lifetime helps to prevent repeated password
changes to defeat the password reuse or history enforcement requirement. If
users are allowed to immediately and continually change their password,
then the password could be repeatedly changed in a short period of time to
defeat the organization's policy regarding password reuse.
Setting the minimum password age protects against users cycling back to a
favorite password after satisfying the password reuse requirement. |
|
|
OVAL test results details
The value of PASS_MIN_DAYS should be set appropriately in /etc/login.defs
oval:ssg-test_pass_min_days:tst:1
false
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-variable_last_pass_min_days_instance_value:var:1 | 0 |
Set Existing Passwords Maximum Agexccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing mediumCCE-86031-2
Set Existing Passwords Maximum Age
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-accounts_password_set_max_life_existing:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86031-2 References:
A.5.SEC-RHEL5, CCI-000199, IA-5(f), IA-5(1)(d), CM-6(a), SRG-OS-000076-GPOS-00044, 5.6.1.1 |
Description | Configure non-compliant accounts to enforce a 365-day maximum password lifetime
restriction by running the following command:
$ sudo chage -M 365 USER |
Rationale | Any password, no matter how complex, can eventually be cracked. Therefore,
passwords need to be changed periodically. If the operating system does
not limit the lifetime of passwords and force users to change their
passwords, there is the risk that the operating system passwords could be
compromised. |
|
|
OVAL test results details
Compares a specific field in /etc/shadow with a specific variable value
oval:ssg-test_accounts_password_set_max_life_existing_password_max_life_existing:tst:1
false
Following items have been found on the system:
Path | Content |
---|
/etc/shadow | root:$6$GBCi8s2HtC5NTU0n$Z94mW0WKU6S4V9.tc9DWA3y3L.D99D3E9fbAJhBEqZIQRb.tYwC3fLQKX1T8OhJbvIajf.gQ9w/vOVwW2lVsn/::0:99999:7::: |
/etc/shadow | user1:$6$0ivCyZ.dAZT.BBxH$.onuO8VtH7Wv2hq8QfblnV7Sfe1EdJ4s/TLj7Hu00Scn9VH7AMNY1UuMxQjVlAAQJ/WpoNRKMy.dAuxsXjWFy0::0:99999:7::: |
Compares a specific field in /etc/shadow with a specific variable value
oval:ssg-test_accounts_password_set_max_life_existing_password_max_life_existing_minimum:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/shadow | root:$6$GBCi8s2HtC5NTU0n$Z94mW0WKU6S4V9.tc9DWA3y3L.D99D3E9fbAJhBEqZIQRb.tYwC3fLQKX1T8OhJbvIajf.gQ9w/vOVwW2lVsn/::0:99999:7::: |
/etc/shadow | user1:$6$0ivCyZ.dAZT.BBxH$.onuO8VtH7Wv2hq8QfblnV7Sfe1EdJ4s/TLj7Hu00Scn9VH7AMNY1UuMxQjVlAAQJ/WpoNRKMy.dAuxsXjWFy0::0:99999:7::: |
Passwords must have the maximum password age set non-empty in /etc/shadow.
oval:ssg-test_accounts_password_set_max_life_existing_password_max_life_not_empty:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_set_max_life_existing_shadow_password_users_max_life_not_existing:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/shadow | ^(?:[^:]*:)(?:[^\!\*:]+:)(?:[^:]*:){2}():(?:[^:]*:){3}(?:[^:]*)$ | 1 |
Set Existing Passwords Minimum Agexccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing mediumCCE-89069-9
Set Existing Passwords Minimum Age
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-accounts_password_set_min_life_existing:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-89069-9 References:
A.5.SEC-RHEL5, CCI-000198, IA-5(f), IA-5(1)(d), CM-6(a), SRG-OS-000075-GPOS-00043, 5.6.1.2 |
Description | Configure non-compliant accounts to enforce a 24 hours/1 day minimum password
lifetime by running the following command:
$ sudo chage -m 1 USER |
Rationale | Enforcing a minimum password lifetime helps to prevent repeated password
changes to defeat the password reuse or history enforcement requirement. If
users are allowed to immediately and continually change their password, the
password could be repeatedly changed in a short period of time to defeat the
organization's policy regarding password reuse. |
|
|
OVAL test results details
Compares a specific field in /etc/shadow with a specific variable value
oval:ssg-test_accounts_password_set_min_life_existing_password_max_life_existing:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/shadow | root:$6$GBCi8s2HtC5NTU0n$Z94mW0WKU6S4V9.tc9DWA3y3L.D99D3E9fbAJhBEqZIQRb.tYwC3fLQKX1T8OhJbvIajf.gQ9w/vOVwW2lVsn/::0:99999:7::: |
/etc/shadow | user1:$6$0ivCyZ.dAZT.BBxH$.onuO8VtH7Wv2hq8QfblnV7Sfe1EdJ4s/TLj7Hu00Scn9VH7AMNY1UuMxQjVlAAQJ/WpoNRKMy.dAuxsXjWFy0::0:99999:7::: |
Compares a specific field in /etc/shadow with a specific variable value
oval:ssg-test_accounts_password_set_min_life_existing_password_max_life_existing_minimum:tst:1
false
Following items have been found on the system:
Path | Content |
---|
/etc/shadow | root:$6$GBCi8s2HtC5NTU0n$Z94mW0WKU6S4V9.tc9DWA3y3L.D99D3E9fbAJhBEqZIQRb.tYwC3fLQKX1T8OhJbvIajf.gQ9w/vOVwW2lVsn/::0:99999:7::: |
/etc/shadow | user1:$6$0ivCyZ.dAZT.BBxH$.onuO8VtH7Wv2hq8QfblnV7Sfe1EdJ4s/TLj7Hu00Scn9VH7AMNY1UuMxQjVlAAQJ/WpoNRKMy.dAuxsXjWFy0::0:99999:7::: |
Passwords must have the maximum password age set non-empty in /etc/shadow.
oval:ssg-test_accounts_password_set_min_life_existing_password_max_life_not_empty:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_set_min_life_existing_shadow_password_users_max_life_not_existing:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/shadow | ^(?:[^:]*:)(?:[^\!\*:]+:)(?:[^:]*:)():(?:[^:]*:){4}(?:[^:]*)$ | 1 |
Set Existing Passwords Warning Agexccdf_org.ssgproject.content_rule_accounts_password_set_warn_age_existing mediumCCE-86915-6
Set Existing Passwords Warning Age
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_set_warn_age_existing |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-accounts_password_set_warn_age_existing:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86915-6 References:
A.5.SEC-RHEL5, CCI-000198, IA-5(f), IA-5(1)(d), CM-6(a), 5.6.1.3 |
Description | To configure how many days prior to password expiration that a warning will be issued to
users, run the command:
$ sudo chage --warndays 7 USER
The DoD requirement is 7, and CIS recommendation is no less than 7 days.
This profile requirement is 7 . |
Rationale | Providing an advance warning that a password will be expiring gives users
time to think of a secure password. Users caught unaware may choose a simple
password or write it down where it may be discovered. |
OVAL test results details
Compares a specific field in /etc/shadow with a specific variable value
oval:ssg-test_accounts_password_set_warn_age_existing:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/shadow | user1:$6$0ivCyZ.dAZT.BBxH$.onuO8VtH7Wv2hq8QfblnV7Sfe1EdJ4s/TLj7Hu00Scn9VH7AMNY1UuMxQjVlAAQJ/WpoNRKMy.dAuxsXjWFy0::0:99999:7::: |
/etc/shadow | root:$6$GBCi8s2HtC5NTU0n$Z94mW0WKU6S4V9.tc9DWA3y3L.D99D3E9fbAJhBEqZIQRb.tYwC3fLQKX1T8OhJbvIajf.gQ9w/vOVwW2lVsn/::0:99999:7::: |
Check the inexistence of users with a password defined
oval:ssg-test_accounts_password_set_warn_age_existing_no_pass:tst:1
false
Following items have been found on the system:
Path | Content |
---|
/etc/shadow | user1:$6$0ivCyZ.dAZT.BBxH$.onuO8VtH7Wv2hq8QfblnV7Sfe1EdJ4s/TLj7Hu00Scn9VH7AMNY1UuMxQjVlAAQJ/WpoNRKMy.dAuxsXjWFy0::0:99999:7::: |
/etc/shadow | root:$6$GBCi8s2HtC5NTU0n$Z94mW0WKU6S4V9.tc9DWA3y3L.D99D3E9fbAJhBEqZIQRb.tYwC3fLQKX1T8OhJbvIajf.gQ9w/vOVwW2lVsn/::0:99999:7::: |
Set Password Warning Agexccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs mediumCCE-83609-8
Set Password Warning Age
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-accounts_password_warn_age_login_defs:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83609-8 References:
A.5.SEC-RHEL5, 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, 0418, 1055, 1402, A.12.4.1, A.12.4.3, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-5(f), IA-5(1)(d), CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, Req-8.2.4, 8.3.9, 5.6.1.3 |
Description | To specify how many days prior to password
expiration that a warning will be issued to users,
edit the file /etc/login.defs and add or correct
the following line:
PASS_WARN_AGE 7
The DoD requirement is 7.
The profile requirement is 7 . |
Rationale | Setting the password warning age enables users to
make the change at a practical time. |
OVAL test results details
The value of PASS_WARN_AGE should be set appropriately in /etc/login.defs
oval:ssg-test_pass_warn_age:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-variable_last_pass_warn_age_instance_value:var:1 | 7 |
Set existing passwords a period of inactivity before they been lockedxccdf_org.ssgproject.content_rule_accounts_set_post_pw_existing mediumCCE-86759-8
Set existing passwords a period of inactivity before they been locked
Rule ID | xccdf_org.ssgproject.content_rule_accounts_set_post_pw_existing |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-accounts_set_post_pw_existing:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86759-8 References:
DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.6, CCI-000017, CCI-000795, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, IA-4(e), AC-2(3), CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, Req-8.1.4, SRG-OS-000118-GPOS-00060, 5.6.1.4 |
Description | Configure user accounts that have been inactive for over a given period of time
to be automatically disabled by running the following command:
$ sudo chage --inactive 30USER |
Rationale | Inactive accounts pose a threat to system security since the users are not logging in to
notice failed login attempts or other anomalies. |
OVAL test results details
Compares a specific field in /etc/shadow with a specific variable value
oval:ssg-test_accounts_set_post_pw_existing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_test_accounts_set_post_pw_existing:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/shadow | ^(?:[^:]*:)(?:[^\!\*:]*:)(?:[^:]*:){4}(\d+):(?:[^:]*:)(?:[^:]*)$ | 1 |
Check the inexistence of users with a password defined
oval:ssg-test_accounts_set_post_pw_existing_no_pass:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_set_post_pw_existing_no_pass:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/shadow | ^(?:[^:]*:)(?:[^\!\*:]*:)(?:[^:]*:){4}(\d+):(?:[^:]*:)(?:[^:]*)$ | 1 |
Verify All Account Password Hashes are Shadowedxccdf_org.ssgproject.content_rule_accounts_password_all_shadowed mediumCCE-83618-9
Verify All Account Password Hashes are Shadowed
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-accounts_password_all_shadowed:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83618-9 References:
1, 12, 15, 16, 5, 5.5.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.10, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 1410, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(h), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, 8.3.2, 6.2.1 |
Description | If any password hashes are stored in /etc/passwd (in the second field,
instead of an x or * ), the cause of this misconfiguration should be
investigated. The account should have its password reset and the hash should be
properly stored, or the account should be deleted entirely. |
Rationale | The hashes for all user account passwords should be stored in
the file /etc/shadow and never in /etc/passwd ,
which is readable by all users. |
OVAL test results details
password hashes are shadowed
oval:ssg-test_accounts_password_all_shadowed:tst:1
true
Following items have been found on the system:
Username | Password | User id | Group id | Gcos | Home dir | Login shell | Last login |
---|
clevis | | 996 | 992 | Clevis Decryption Framework unprivileged user | /var/cache/clevis | /usr/sbin/nologin | 0 |
rtkit | | 172 | 172 | RealtimeKit | /proc | /sbin/nologin | 0 |
sssd | | 995 | 991 | User for sssd | / | /sbin/nologin | 0 |
geoclue | | 994 | 990 | User for geoclue | /var/lib/geoclue | /sbin/nologin | 0 |
libstoragemgmt | | 993 | 989 | daemon account for libstoragemgmt | /var/run/lsm | /sbin/nologin | 0 |
setroubleshoot | | 992 | 988 | SELinux troubleshoot server | /var/lib/setroubleshoot | /sbin/nologin | 0 |
pipewire | | 991 | 986 | PipeWire System Daemon | /var/run/pipewire | /sbin/nologin | 0 |
flatpak | | 990 | 985 | User for flatpak system helper | / | /sbin/nologin | 0 |
gdm | | 42 | 42 | | /var/lib/gdm | /sbin/nologin | 1689911610 |
cockpit-ws | | 989 | 984 | User for cockpit web service | /nonexisting | /sbin/nologin | 0 |
cockpit-wsinstance | | 988 | 983 | User for cockpit-ws instances | /nonexisting | /sbin/nologin | 0 |
gnome-initial-setup | | 987 | 982 | | /run/gnome-initial-setup/ | /sbin/nologin | 0 |
sshd | | 74 | 74 | Privilege-separated SSH | /usr/share/empty.sshd | /sbin/nologin | 0 |
chrony | | 986 | 981 | | /var/lib/chrony | /sbin/nologin | 0 |
dnsmasq | | 985 | 980 | Dnsmasq DHCP and DNS server | /var/lib/dnsmasq | /sbin/nologin | 0 |
tcpdump | | 72 | 72 | | / | /sbin/nologin | 0 |
systemd-oom | | 978 | 978 | systemd Userspace OOM Killer | / | /usr/sbin/nologin | 0 |
user1 | | 1000 | 1000 | user1 | /home/user1 | /bin/bash | 1701081883 |
pcp | | 977 | 977 | Performance Co-Pilot | /var/lib/pcp | /sbin/nologin | 0 |
tss | | 59 | 59 | Account used for TPM access | /dev/null | /sbin/nologin | 0 |
root | | 0 | 0 | root | /root | /bin/bash | 1701081869 |
operator | | 11 | 0 | operator | /root | /sbin/nologin | 0 |
lp | | 4 | 7 | lp | /var/spool/lpd | /sbin/nologin | 0 |
daemon | | 2 | 2 | daemon | /sbin | /sbin/nologin | 0 |
colord | | 997 | 993 | User for colord | /var/lib/colord | /sbin/nologin | 0 |
dbus | | 81 | 81 | System message bus | / | /sbin/nologin | 0 |
avahi | | 70 | 70 | Avahi mDNS/DNS-SD Stack | /var/run/avahi-daemon | /sbin/nologin | 0 |
mail | | 8 | 12 | mail | /var/spool/mail | /sbin/nologin | 0 |
shutdown | | 6 | 0 | shutdown | /sbin | /sbin/shutdown | 0 |
games | | 12 | 100 | games | /usr/games | /sbin/nologin | 0 |
adm | | 3 | 4 | adm | /var/adm | /sbin/nologin | 0 |
nobody | | 65534 | 65534 | Kernel Overflow User | / | /sbin/nologin | -1 |
ftp | | 14 | 50 | FTP User | /var/ftp | /sbin/nologin | 0 |
halt | | 7 | 0 | halt | /sbin | /sbin/halt | 0 |
systemd-coredump | | 999 | 997 | systemd Core Dumper | / | /sbin/nologin | 0 |
bin | | 1 | 1 | bin | /bin | /sbin/nologin | 0 |
polkitd | | 998 | 996 | User for polkitd | / | /sbin/nologin | 0 |
sync | | 5 | 0 | sync | /sbin | /bin/sync | 0 |
Ensure all users last password change date is in the pastxccdf_org.ssgproject.content_rule_accounts_password_last_change_is_in_past mediumCCE-86526-1
Ensure all users last password change date is in the past
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_last_change_is_in_past |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-accounts_password_last_change_is_in_past:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86526-1 References:
5.6.1.5 |
Description | All users should have a password change date in the past. |
Rationale | If a user recorded password change date is in the future then they could
bypass any set password expiration. |
Warnings | warning
Automatic remediation is not available, in order to avoid any system disruption. |
OVAL test results details
Check if the password last chage time is less than or equal today.
oval:ssg-test_accounts_password_last_change_is_in_past:tst:1
false
Following items have been found on the system:
Var ref | Value | Value |
---|
oval:ssg-var_accounts_password_last_change_time_diff:var:1 | 1701168717 | 1701168717 |
Check the inexistence of users with a password defined
oval:ssg-test_accounts_password_last_change_is_in_past_no_pass:tst:1
false
Following items have been found on the system:
Username | Password | Chg lst | Chg allow | Chg req | Exp warn | Exp inact | Exp date | Flag | Encrypt method |
---|
root | $6$GBCi8s2HtC5NTU0n$Z94mW0WKU6S4V9.tc9DWA3y3L.D99D3E9fbAJhBEqZIQRb.tYwC3fLQKX1T8OhJbvIajf.gQ9w/vOVwW2lVsn/ | -1 | 0 | 99999 | 7 | -1 | -1 | 18446744073709551615 | SHA-512 |
user1 | $6$0ivCyZ.dAZT.BBxH$.onuO8VtH7Wv2hq8QfblnV7Sfe1EdJ4s/TLj7Hu00Scn9VH7AMNY1UuMxQjVlAAQJ/WpoNRKMy.dAuxsXjWFy0 | -1 | 0 | 99999 | 7 | -1 | -1 | 18446744073709551615 | SHA-512 |
All GIDs referenced in /etc/passwd must be defined in /etc/groupxccdf_org.ssgproject.content_rule_gid_passwd_group_same lowCCE-83613-0
All GIDs referenced in /etc/passwd must be defined in /etc/group
Rule ID | xccdf_org.ssgproject.content_rule_gid_passwd_group_same |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-gid_passwd_group_same:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | low |
Identifiers and References | Identifiers:
CCE-83613-0 References:
1, 12, 15, 16, 5, 5.5.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000764, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-2, CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.5.a, 8.2.2, SRG-OS-000104-GPOS-00051, 6.2.3 |
Description | Add a group to the system for each GID referenced without a corresponding group. |
Rationale | If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group
with the Group Identifier (GID) is subsequently created, the user may have unintended rights to
any files associated with the group. |
OVAL test results details
Verify all GIDs referenced in /etc/passwd are defined in /etc/group
oval:ssg-test_gid_passwd_group_same:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/passwd | root:x:0:0: |
/etc/passwd | bin:x:1:1: |
/etc/passwd | daemon:x:2:2: |
/etc/passwd | adm:x:3:4: |
/etc/passwd | lp:x:4:7: |
/etc/passwd | sync:x:5:0: |
/etc/passwd | shutdown:x:6:0: |
/etc/passwd | halt:x:7:0: |
/etc/passwd | mail:x:8:12: |
/etc/passwd | operator:x:11:0: |
/etc/passwd | games:x:12:100: |
/etc/passwd | ftp:x:14:50: |
/etc/passwd | nobody:x:65534:65534: |
/etc/passwd | systemd-coredump:x:999:997: |
/etc/passwd | dbus:x:81:81: |
/etc/passwd | polkitd:x:998:996: |
/etc/passwd | avahi:x:70:70: |
/etc/passwd | tss:x:59:59: |
/etc/passwd | colord:x:997:993: |
/etc/passwd | clevis:x:996:992: |
/etc/passwd | rtkit:x:172:172: |
/etc/passwd | sssd:x:995:991: |
/etc/passwd | geoclue:x:994:990: |
/etc/passwd | libstoragemgmt:x:993:989: |
/etc/passwd | setroubleshoot:x:992:988: |
/etc/passwd | pipewire:x:991:986: |
/etc/passwd | flatpak:x:990:985: |
/etc/passwd | gdm:x:42:42: |
/etc/passwd | cockpit-ws:x:989:984: |
/etc/passwd | cockpit-wsinstance:x:988:983: |
/etc/passwd | gnome-initial-setup:x:987:982: |
/etc/passwd | sshd:x:74:74: |
/etc/passwd | chrony:x:986:981: |
/etc/passwd | dnsmasq:x:985:980: |
/etc/passwd | tcpdump:x:72:72: |
/etc/passwd | systemd-oom:x:978:978: |
/etc/passwd | user1:x:1000:1000: |
/etc/passwd | pcp:x:977:977: |
Prevent Login to Accounts With Empty Passwordxccdf_org.ssgproject.content_rule_no_empty_passwords highCCE-83611-4
Prevent Login to Accounts With Empty Password
Rule ID | xccdf_org.ssgproject.content_rule_no_empty_passwords |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-no_empty_passwords:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | high |
Identifiers and References | Identifiers:
CCE-83611-4 References:
1, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, 3.1.1, 3.1.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-5(1)(a), IA-5(c), CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, FIA_UAU.1, Req-8.2.3, 8.3.6, 8.3.9, SRG-OS-000480-GPOS-00227, 5.4.1 |
Description | If an account is configured for password authentication
but does not have an assigned password, it may be possible to log
into the account without authentication. Remove any instances of the
nullok in
/etc/pam.d/system-auth and
/etc/pam.d/password-auth
to prevent logins with empty passwords. |
Rationale | If an account has an empty password, anyone could log in and
run commands with the privileges of that account. Accounts with
empty passwords should never be used in operational environments. |
Warnings | warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report.
Note that this rule is not applicable for systems running within a
container. Having user with empty password within a container is not
considered a risk, because it should not be possible to directly login into
a container anyway. |
|
|
|
OVAL test results details
make sure nullok is not used in /etc/pam.d/system-auth
oval:ssg-test_no_empty_passwords:tst:1
false
Following items have been found on the system:
Path | Content |
---|
/etc/pam.d/system-auth |
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_fprintd.so
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so local_users_only
password sufficient pam_unix.so sha512 shadow nullok use_authtok |
/etc/pam.d/password-auth |
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so local_users_only
password sufficient pam_unix.so sha512 shadow nullok use_authtok |
Ensure There Are No Accounts With Blank or Null Passwordsxccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow highCCE-85972-8
Ensure There Are No Accounts With Blank or Null Passwords
Rule ID | xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-no_empty_passwords_etc_shadow:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | high |
Identifiers and References | Identifiers:
CCE-85972-8 References:
A.6.SEC-RHEL4, CCI-000366, CM-6(b), CM-6.1(iv), SRG-OS-000480-GPOS-00227, 5.6.6, 6.2.2 |
Description | Check the "/etc/shadow" file for blank passwords with the
following command:
$ sudo awk -F: '!$2 {print $1}' /etc/shadow
If the command returns any results, this is a finding.
Configure all accounts on the system to have a password or lock
the account with the following commands:
Perform a password reset:
$ sudo passwd [username]
Lock an account:
$ sudo passwd -l [username] |
Rationale | If an account has an empty password, anyone could log in and
run commands with the privileges of that account. Accounts with
empty passwords should never be used in operational environments. |
Warnings | warning
Note that this rule is not applicable for systems running within a container. Having user with empty password within a container is not considered a risk, because it should not be possible to directly login into a container anyway. |
OVAL test results details
make sure there aren't blank or null passwords in /etc/shadow
oval:ssg-test_no_empty_passwords_etc_shadow:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_no_empty_passwords_etc_shadow:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/shadow | ^[^:]+::.*$ | 1 |
Verify No .forward Files Existxccdf_org.ssgproject.content_rule_no_forward_files mediumCCE-86756-4
Verify No .forward Files Exist
Rule ID | xccdf_org.ssgproject.content_rule_no_forward_files |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-no_forward_files:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86756-4 References:
6.2.14 |
Description | The .forward file specifies an email address to forward the user's mail to. |
Rationale | Use of the .forward file poses a security risk in that sensitive data may
be inadvertently transferred outside the organization. The .forward file
also poses a risk as it can be used to execute commands that may perform
unintended actions. |
OVAL test results details
.forward files are not group or world accessible
oval:ssg-test_accounts_users_home_forward_file_existance:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_users_home_forward_file_existance:obj:1 of type
file_object
Path | Filename |
---|
/home/user1 | \.forward$ |
Verify No netrc Files Existxccdf_org.ssgproject.content_rule_no_netrc_files mediumCCE-83617-1
Verify No netrc Files Exist
Rule ID | xccdf_org.ssgproject.content_rule_no_netrc_files |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-no_netrc_files:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83617-1 References:
1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, CCI-000196, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-8 R1.3, CIP-003-8 R3, CIP-003-8 R3.1, CIP-003-8 R3.2, CIP-003-8 R3.3, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-5(h), IA-5(1)(c), CM-6(a), IA-5(7), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, 6.2.13 |
Description | The .netrc files contain login information
used to auto-login into FTP servers and reside in the user's home
directory. These files may contain unencrypted passwords to
remote FTP servers making them susceptible to access by unauthorized
users and should not be used. Any .netrc files should be removed. |
Rationale | Unencrypted passwords for remote FTP servers may be stored in .netrc
files. |
OVAL test results details
look for .netrc in /home
oval:ssg-test_no_netrc_files_home:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_no_netrc_files_home:obj:1 of type
file_object
Behaviors | Path | Filename |
---|
no value | /home | ^\.netrc$ |
Verify Only Root Has UID 0xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero highCCE-83624-7
Verify Only Root Has UID 0
Rule ID | xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-accounts_no_uid_except_zero:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | high |
Identifiers and References | Identifiers:
CCE-83624-7 References:
1, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, 3.1.1, 3.1.5, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-2, AC-6(5), IA-4(b), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, Req-8.5, 8.2.2, 8.2.3, SRG-OS-000480-GPOS-00227, 6.2.9 |
Description | If any account other than root has a UID of 0, this misconfiguration should
be investigated and the accounts other than root should be removed or have
their UID changed.
If the account is associated with system commands or applications the UID
should be changed to one greater than "0" but less than "1000."
Otherwise assign a UID greater than "1000" that has not already been
assigned. |
Rationale | An account has root authority if it has a UID of 0. Multiple accounts
with a UID of 0 afford more opportunity for potential intruders to
guess a password for a privileged account. Proper configuration of
sudo is recommended to afford multiple system administrators
access to root privileges in an accountable manner. |
OVAL test results details
test that there are no accounts with UID 0 except root in the /etc/passwd file
oval:ssg-test_accounts_no_uid_except_root:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_no_uid_except_root:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/passwd | ^(?!root:)[^:]*:[^:]*:0 | 1 |
Verify Root Has A Primary GID 0xccdf_org.ssgproject.content_rule_accounts_root_gid_zero highCCE-86298-7
Verify Root Has A Primary GID 0
Rule ID | xccdf_org.ssgproject.content_rule_accounts_root_gid_zero |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-accounts_root_gid_zero:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | high |
Identifiers and References | Identifiers:
CCE-86298-7 References:
Req-8.1.1, 8.2.1, 5.6.4 |
Description | The root user should have a primary group of 0. |
Rationale | To help ensure that root-owned files are not inadvertently exposed to other users. |
OVAL test results details
test that there are no accounts with UID 0 except root in the /etc/passwd file
oval:ssg-test_accounts_root_gid_zero:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/passwd | root:x:0:0:root:/root:/bin/bash |
Ensure the Group Used by pam_wheel Module Exists on System and is Emptyxccdf_org.ssgproject.content_rule_ensure_pam_wheel_group_empty mediumCCE-86072-6
Ensure the Group Used by pam_wheel Module Exists on System and is Empty
Rule ID | xccdf_org.ssgproject.content_rule_ensure_pam_wheel_group_empty |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-ensure_pam_wheel_group_empty:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86072-6 References:
5.3.7 |
Description | Ensure that the group sugroup
referenced by the pam_wheel group parameter exists and has no
members. This ensures that no user can run commands with altered
privileges through the su command. |
Rationale | The su program allows to run commands with a substitute user and
group ID. It is commonly used to run commands as the root user. Limiting
access to such command is considered a good security practice. |
OVAL test results details
check /etc/group for correct setting
oval:ssg-test_ensure_pam_wheel_group_exist_and_has_no_member:tst:1
false
Following items have been found on the system:
Path | Content |
---|
/etc/group | root:x:0: |
/etc/group | bin:x:1: |
/etc/group | daemon:x:2: |
/etc/group | sys:x:3: |
/etc/group | adm:x:4: |
/etc/group | tty:x:5: |
/etc/group | disk:x:6: |
/etc/group | lp:x:7: |
/etc/group | mem:x:8: |
/etc/group | kmem:x:9: |
/etc/group | cdrom:x:11: |
/etc/group | mail:x:12: |
/etc/group | man:x:15: |
/etc/group | dialout:x:18: |
/etc/group | floppy:x:19: |
/etc/group | games:x:20: |
/etc/group | tape:x:33: |
/etc/group | video:x:39: |
/etc/group | ftp:x:50: |
/etc/group | lock:x:54: |
/etc/group | audio:x:63: |
/etc/group | users:x:100: |
/etc/group | nobody:x:65534: |
/etc/group | utmp:x:22: |
/etc/group | utempter:x:35: |
/etc/group | input:x:999: |
/etc/group | kvm:x:36: |
/etc/group | render:x:998: |
/etc/group | systemd-journal:x:190: |
/etc/group | systemd-coredump:x:997: |
/etc/group | dbus:x:81: |
/etc/group | polkitd:x:996: |
/etc/group | printadmin:x:995: |
/etc/group | ssh_keys:x:994: |
/etc/group | avahi:x:70: |
/etc/group | colord:x:993: |
/etc/group | clevis:x:992: |
/etc/group | rtkit:x:172: |
/etc/group | sssd:x:991: |
/etc/group | geoclue:x:990: |
/etc/group | libstoragemgmt:x:989: |
/etc/group | setroubleshoot:x:988: |
/etc/group | brlapi:x:987: |
/etc/group | pipewire:x:986: |
/etc/group | flatpak:x:985: |
/etc/group | gdm:x:42: |
/etc/group | cockpit-ws:x:984: |
/etc/group | cockpit-wsinstance:x:983: |
/etc/group | gnome-initial-setup:x:982: |
/etc/group | sshd:x:74: |
/etc/group | chrony:x:981: |
/etc/group | slocate:x:21: |
/etc/group | dnsmasq:x:980: |
/etc/group | tcpdump:x:72: |
/etc/group | sgx:x:979: |
/etc/group | systemd-oom:x:978: |
/etc/group | user1:x:1000: |
/etc/group | pcp:x:977:
|
Ensure Authentication Required for Single User Modexccdf_org.ssgproject.content_rule_ensure_root_password_configured mediumCCE-87101-2
Ensure Authentication Required for Single User Mode
Rule ID | xccdf_org.ssgproject.content_rule_ensure_root_password_configured |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-ensure_root_password_configured:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-87101-2 References:
A.6.SEC-RHEL4, 5.6.6 |
Description | Single user mode is used for recovery when the system detects an
issue during boot or by manual selection from the bootloader. |
Rationale | Requiring authentication in single user mode prevents an unauthorized
user from rebooting the system into single user to gain root privileges
without credentials. |
OVAL test results details
make sure root password is set in /etc/shadow
oval:ssg-test_root_password_etc_shadow:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/shadow | root:$6$GBCi8s2HtC5NTU0n$Z94mW0WKU6S4V9.tc9DWA3y3L.D99D3E9fbAJhBEqZIQRb.tYwC3fLQKX1T8OhJbvIajf.gQ9w/vOVwW2lVsn/::0:99999:7::: |
Ensure that System Accounts Are Lockedxccdf_org.ssgproject.content_rule_no_password_auth_for_systemaccounts mediumCCE-86113-8
Ensure that System Accounts Are Locked
Rule ID | xccdf_org.ssgproject.content_rule_no_password_auth_for_systemaccounts |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-no_password_auth_for_systemaccounts:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86113-8 References:
A.6.SEC-RHEL3, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6, CM-6(a), 5.6.2 |
Description | Some accounts are not associated with a human user of the system, and exist to perform some
administrative functions. An attacker should not be able to log into these accounts.
System accounts are those user accounts with a user ID less than 1000 .
If any system account other than root , halt , sync , shutdown
and nfsnobody has an unlocked password, disable it with the command:
$ sudo usermod -L account |
Rationale | Disabling authentication for default system accounts makes it more difficult for attackers
to make use of them to compromise a system. |
OVAL test results details
system accounts with a password defined
oval:ssg-test_no_password_auth_for_systemaccounts:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_password_auth_for_systemaccounts:obj:1 of type
shadow_object
Username | Filter |
---|
clevis | rtkit | sssd | geoclue | libstoragemgmt | setroubleshoot | pipewire | flatpak | gdm | cockpit-ws | cockpit-wsinstance | gnome-initial-setup | sshd | chrony | dnsmasq | tcpdump | systemd-oom | pcp | tss | operator | lp | daemon | colord | dbus | avahi | mail | games | adm | ftp | systemd-coredump | bin | polkitd |
| oval:ssg-filter_no_password_auth_for_systemaccounts_no_passwords_or_locked_accounts:ste:1 |
Ensure that System Accounts Do Not Run a Shell Upon Loginxccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts mediumCCE-83623-9
Ensure that System Accounts Do Not Run a Shell Upon Login
Rule ID | xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-no_shelllogin_for_systemaccounts:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83623-9 References:
A.6.SEC-RHEL3, 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS06.03, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, 1491, A.12.4.1, A.12.4.3, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-6, CM-6(a), CM-6(b), CM-6.1(iv), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, 8.6.1, SRG-OS-000480-GPOS-00227, 5.6.2 |
Description | Some accounts are not associated with a human user of the system, and exist to perform some
administrative functions. Should an attacker be able to log into these accounts, they should
not be granted access to a shell.
The login shell for each local account is stored in the last field of each line in
/etc/passwd . System accounts are those user accounts with a user ID less than
1000 . The user ID is stored in the third field. If any system account
other than root has a login shell, disable it with the command:
$ sudo usermod -s /sbin/nologin account |
Rationale | Ensuring shells are not given to system accounts upon login makes it more difficult for
attackers to make use of system accounts. |
Warnings | warning
Do not perform the steps in this section on the root account. Doing so might cause the
system to become inaccessible. |
OVAL test results details
SYS_UID_MIN not defined in /etc/login.defs
oval:ssg-test_sys_uid_min_not_defined:tst:1
false
Following items have been found on the system:
Path | Content |
---|
/etc/login.defs | #
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
#
# Delay in seconds before being allowed another attempt after a login failure
# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
# pam_unix(8) enforces a 2s delay)
#
#FAIL_DELAY 3
# Currently FAILLOG_ENAB is not supported
#
# Enable display of unknown usernames when login(1) failures are recorded.
#
#LOG_UNKFAIL_ENAB no
# Currently LOG_OK_LOGINS is not supported
# Currently LASTLOG_ENAB is not supported
#
# Limit the highest user ID number for which the lastlog entries should
# be updated.
#
# No LASTLOG_UID_MAX means that there is no user ID limit for writing
# lastlog entries.
#
#LASTLOG_UID_MAX
# Currently MAIL_CHECK_ENAB is not supported
# Currently OBSCURE_CHECKS_ENAB is not supported
# Currently PORTTIME_CHECKS_ENAB is not supported
# Currently QUOTAS_ENAB is not supported
# Currently SYSLOG_SU_ENAB is not supported
#
# Enable "syslog" logging of newgrp(1) and sg(1) activity.
#
#SYSLOG_SG_ENAB yes
# Currently CONSOLE is not supported
# Currently SULOG_FILE is not supported
# Currently MOTD_FILE is not supported
# Currently ISSUE_FILE is not supported
# Currently TTYTYPE_FILE is not supported
# Currently FTMP_FILE is not supported
# Currently NOLOGINS_FILE is not supported
# Currently SU_NAME is not supported
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
#
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
#
# If defined, file which inhibits all the usual chatter during the login
# sequence. If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file. If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
#HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
# Currently ENV_TZ is not supported
# Currently ENV_HZ is not supported
#
# The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
#ENV_PATH PATH=/bin:/usr/bin
#
# Terminal permissions
#
# TTYGROUP Login tty will be assigned this group ownership.
# TTYPERM Login tty will be set to this permission.
#
# If you have a write(1) program which is "setgid" to a special group
# which owns the terminals, define TTYGROUP as the number of such group
# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and
# set TTYPERM to either 622 or 600.
#
#TTYGROUP tty
#TTYPERM 0600
# Currently ERASECHAR, KILLCHAR and ULIMIT are not supported
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
# home directories if HOME_MODE is not set.
# 022 is the default value, but 027, or even 077, could be considered
# for increased privacy. There is no One True Answer here: each sysadmin
# must make up their mind.
UMASK 022
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
# home directories.
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
HOME_MODE 0700
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
# Currently PASS_MIN_LEN is not supported
# Currently SU_WHEEL_ONLY is not supported
# Currently CRACKLIB_DICTPATH is not supported
#
# Min/max values for automatic uid selection in useradd(8)
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 201 |
SYS_UID_MAX not defined in /etc/login.defs
oval:ssg-test_sys_uid_max_not_defined:tst:1
false
Following items have been found on the system:
Path | Content |
---|
/etc/login.defs | #
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
#
# Delay in seconds before being allowed another attempt after a login failure
# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
# pam_unix(8) enforces a 2s delay)
#
#FAIL_DELAY 3
# Currently FAILLOG_ENAB is not supported
#
# Enable display of unknown usernames when login(1) failures are recorded.
#
#LOG_UNKFAIL_ENAB no
# Currently LOG_OK_LOGINS is not supported
# Currently LASTLOG_ENAB is not supported
#
# Limit the highest user ID number for which the lastlog entries should
# be updated.
#
# No LASTLOG_UID_MAX means that there is no user ID limit for writing
# lastlog entries.
#
#LASTLOG_UID_MAX
# Currently MAIL_CHECK_ENAB is not supported
# Currently OBSCURE_CHECKS_ENAB is not supported
# Currently PORTTIME_CHECKS_ENAB is not supported
# Currently QUOTAS_ENAB is not supported
# Currently SYSLOG_SU_ENAB is not supported
#
# Enable "syslog" logging of newgrp(1) and sg(1) activity.
#
#SYSLOG_SG_ENAB yes
# Currently CONSOLE is not supported
# Currently SULOG_FILE is not supported
# Currently MOTD_FILE is not supported
# Currently ISSUE_FILE is not supported
# Currently TTYTYPE_FILE is not supported
# Currently FTMP_FILE is not supported
# Currently NOLOGINS_FILE is not supported
# Currently SU_NAME is not supported
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
#
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
#
# If defined, file which inhibits all the usual chatter during the login
# sequence. If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file. If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
#HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
# Currently ENV_TZ is not supported
# Currently ENV_HZ is not supported
#
# The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
#ENV_PATH PATH=/bin:/usr/bin
#
# Terminal permissions
#
# TTYGROUP Login tty will be assigned this group ownership.
# TTYPERM Login tty will be set to this permission.
#
# If you have a write(1) program which is "setgid" to a special group
# which owns the terminals, define TTYGROUP as the number of such group
# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and
# set TTYPERM to either 622 or 600.
#
#TTYGROUP tty
#TTYPERM 0600
# Currently ERASECHAR, KILLCHAR and ULIMIT are not supported
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
# home directories if HOME_MODE is not set.
# 022 is the default value, but 027, or even 077, could be considered
# for increased privacy. There is no One True Answer here: each sysadmin
# must make up their mind.
UMASK 022
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
# home directories.
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
HOME_MODE 0700
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
# Currently PASS_MIN_LEN is not supported
# Currently SU_WHEEL_ONLY is not supported
# Currently CRACKLIB_DICTPATH is not supported
#
# Min/max values for automatic uid selection in useradd(8)
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 201
SYS_UID_MAX 999 |
<0, UID_MIN - 1> system UIDs having shell set
oval:ssg-test_shell_defined_default_uid_range:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/passwd | user1:x:1000:1000:user1:/home/user1:/bin/bash |
SYS_UID_MIN not defined in /etc/login.defs
oval:ssg-test_sys_uid_min_not_defined:tst:1
false
Following items have been found on the system:
Path | Content |
---|
/etc/login.defs | #
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
#
# Delay in seconds before being allowed another attempt after a login failure
# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
# pam_unix(8) enforces a 2s delay)
#
#FAIL_DELAY 3
# Currently FAILLOG_ENAB is not supported
#
# Enable display of unknown usernames when login(1) failures are recorded.
#
#LOG_UNKFAIL_ENAB no
# Currently LOG_OK_LOGINS is not supported
# Currently LASTLOG_ENAB is not supported
#
# Limit the highest user ID number for which the lastlog entries should
# be updated.
#
# No LASTLOG_UID_MAX means that there is no user ID limit for writing
# lastlog entries.
#
#LASTLOG_UID_MAX
# Currently MAIL_CHECK_ENAB is not supported
# Currently OBSCURE_CHECKS_ENAB is not supported
# Currently PORTTIME_CHECKS_ENAB is not supported
# Currently QUOTAS_ENAB is not supported
# Currently SYSLOG_SU_ENAB is not supported
#
# Enable "syslog" logging of newgrp(1) and sg(1) activity.
#
#SYSLOG_SG_ENAB yes
# Currently CONSOLE is not supported
# Currently SULOG_FILE is not supported
# Currently MOTD_FILE is not supported
# Currently ISSUE_FILE is not supported
# Currently TTYTYPE_FILE is not supported
# Currently FTMP_FILE is not supported
# Currently NOLOGINS_FILE is not supported
# Currently SU_NAME is not supported
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
#
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
#
# If defined, file which inhibits all the usual chatter during the login
# sequence. If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file. If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
#HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
# Currently ENV_TZ is not supported
# Currently ENV_HZ is not supported
#
# The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
#ENV_PATH PATH=/bin:/usr/bin
#
# Terminal permissions
#
# TTYGROUP Login tty will be assigned this group ownership.
# TTYPERM Login tty will be set to this permission.
#
# If you have a write(1) program which is "setgid" to a special group
# which owns the terminals, define TTYGROUP as the number of such group
# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and
# set TTYPERM to either 622 or 600.
#
#TTYGROUP tty
#TTYPERM 0600
# Currently ERASECHAR, KILLCHAR and ULIMIT are not supported
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
# home directories if HOME_MODE is not set.
# 022 is the default value, but 027, or even 077, could be considered
# for increased privacy. There is no One True Answer here: each sysadmin
# must make up their mind.
UMASK 022
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
# home directories.
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
HOME_MODE 0700
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
# Currently PASS_MIN_LEN is not supported
# Currently SU_WHEEL_ONLY is not supported
# Currently CRACKLIB_DICTPATH is not supported
#
# Min/max values for automatic uid selection in useradd(8)
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 201 |
SYS_UID_MAX not defined in /etc/login.defs
oval:ssg-test_sys_uid_max_not_defined:tst:1
false
Following items have been found on the system:
Path | Content |
---|
/etc/login.defs | #
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
#
# Delay in seconds before being allowed another attempt after a login failure
# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
# pam_unix(8) enforces a 2s delay)
#
#FAIL_DELAY 3
# Currently FAILLOG_ENAB is not supported
#
# Enable display of unknown usernames when login(1) failures are recorded.
#
#LOG_UNKFAIL_ENAB no
# Currently LOG_OK_LOGINS is not supported
# Currently LASTLOG_ENAB is not supported
#
# Limit the highest user ID number for which the lastlog entries should
# be updated.
#
# No LASTLOG_UID_MAX means that there is no user ID limit for writing
# lastlog entries.
#
#LASTLOG_UID_MAX
# Currently MAIL_CHECK_ENAB is not supported
# Currently OBSCURE_CHECKS_ENAB is not supported
# Currently PORTTIME_CHECKS_ENAB is not supported
# Currently QUOTAS_ENAB is not supported
# Currently SYSLOG_SU_ENAB is not supported
#
# Enable "syslog" logging of newgrp(1) and sg(1) activity.
#
#SYSLOG_SG_ENAB yes
# Currently CONSOLE is not supported
# Currently SULOG_FILE is not supported
# Currently MOTD_FILE is not supported
# Currently ISSUE_FILE is not supported
# Currently TTYTYPE_FILE is not supported
# Currently FTMP_FILE is not supported
# Currently NOLOGINS_FILE is not supported
# Currently SU_NAME is not supported
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
#
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
#
# If defined, file which inhibits all the usual chatter during the login
# sequence. If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file. If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
#HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
# Currently ENV_TZ is not supported
# Currently ENV_HZ is not supported
#
# The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
#ENV_PATH PATH=/bin:/usr/bin
#
# Terminal permissions
#
# TTYGROUP Login tty will be assigned this group ownership.
# TTYPERM Login tty will be set to this permission.
#
# If you have a write(1) program which is "setgid" to a special group
# which owns the terminals, define TTYGROUP as the number of such group
# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and
# set TTYPERM to either 622 or 600.
#
#TTYGROUP tty
#TTYPERM 0600
# Currently ERASECHAR, KILLCHAR and ULIMIT are not supported
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
# home directories if HOME_MODE is not set.
# 022 is the default value, but 027, or even 077, could be considered
# for increased privacy. There is no One True Answer here: each sysadmin
# must make up their mind.
UMASK 022
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
# home directories.
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
HOME_MODE 0700
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
# Currently PASS_MIN_LEN is not supported
# Currently SU_WHEEL_ONLY is not supported
# Currently CRACKLIB_DICTPATH is not supported
#
# Min/max values for automatic uid selection in useradd(8)
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 201
SYS_UID_MAX 999 |
<0, SYS_UID_MIN> system UIDs having shell set
oval:ssg-test_shell_defined_reserved_uid_range:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/passwd | user1:x:1000:1000:user1:/home/user1:/bin/bash |
<SYS_UID_MIN, SYS_UID_MAX> system UIDS having shell set
oval:ssg-test_shell_defined_dynalloc_uid_range:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/passwd | user1:x:1000:1000:user1:/home/user1:/bin/bash |
Enforce Usage of pam_wheel with Group Parameter for su Authenticationxccdf_org.ssgproject.content_rule_use_pam_wheel_group_for_su mediumCCE-86065-0
Enforce Usage of pam_wheel with Group Parameter for su Authentication
Rule ID | xccdf_org.ssgproject.content_rule_use_pam_wheel_group_for_su |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-use_pam_wheel_group_for_su:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86065-0 References:
5.3.7 |
Description | To ensure that only users who are members of the group set in the
group pam_wheel parameter can run commands with altered
privileges through the su command, make sure that the
following line exists in the file /etc/pam.d/su :
auth required pam_wheel.so use_uid group=sugroup |
Rationale | The su program allows to run commands with a substitute
user and group ID. It is commonly used to run commands as the root
user. Limiting access to such command is considered a good security
practice. |
OVAL test results details
check /etc/pam.d/su for correct setting
oval:ssg-test_use_pam_wheel_group_for_su:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_use_pam_wheel_group_for_su:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/pam.d/su | ^\s*auth\s+required\s+pam_wheel\.so\s+(?=[^#]*\buse_uid\b)[^#]*\bgroup=([_a-z][-0-9_a-z]*) | 1 |
Ensure All Accounts on the System Have Unique User IDsxccdf_org.ssgproject.content_rule_account_unique_id mediumCCE-88493-2
Ensure All Accounts on the System Have Unique User IDs
Rule ID | xccdf_org.ssgproject.content_rule_account_unique_id |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-account_unique_id:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-88493-2 References:
CCI-000135, CCI-000764, CCI-000804, Req-8.1.1, 8.2.1, SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062, SRG-OS-000042-GPOS-00020, 6.2.4 |
Description | Change user IDs (UIDs), or delete accounts, so each has a unique name. |
Rationale | To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. |
Warnings | warning
Automatic remediation of this control is not available due to unique requirements of each
system. |
OVAL test results details
There should not exist duplicate user ids in /etc/passwd
oval:ssg-test_etc_passwd_no_duplicate_user_ids:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-variable_count_of_all_uids:var:1 | 38 |
Ensure All Groups on the System Have Unique Group IDxccdf_org.ssgproject.content_rule_group_unique_id mediumCCE-86043-7
Ensure All Groups on the System Have Unique Group ID
Rule ID | xccdf_org.ssgproject.content_rule_group_unique_id |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-group_unique_id:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86043-7 References:
CCI-000764, 8.2.1, SRG-OS-000104-GPOS-00051, 6.2.5 |
Description | Change the group name or delete groups, so each has a unique id. |
Rationale | To assure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the system. |
Warnings | warning
Automatic remediation of this control is not available due to the unique requirements of each system. |
OVAL test results details
There should not exist duplicate group ids in /etc/passwd
oval:ssg-test_etc_group_no_duplicate_group_ids:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-variable_count_of_all_group_ids:var:1 | 60 |
Ensure that Root's Path Does Not Include World or Group-Writable Directoriesxccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write mediumCCE-83643-7
Ensure that Root's Path Does Not Include World or Group-Writable Directories
Rule ID | xccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-accounts_root_path_dirs_no_write:def:1 |
Time | 2023-11-27T20:52:22+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83643-7 References:
11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(a), CM-6(a), PR.IP-1, 6.2.8 |
Description | For each element in root's path, run:
# ls -ld DIR
and ensure that write permissions are disabled for group and
other. |
Rationale | Such entries increase the risk that root could
execute code provided by unprivileged users,
and potentially malicious code. |
OVAL test results details
Check if there aren't directories in root's path having write permission set for group or other
oval:ssg-test_accounts_root_path_dirs_no_group_other_write:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_root_path_dirs_no_group_other_write:obj:1 of type
file_object
Path | Filename | Filter | Filter |
---|
/root/.local/bin | /root/bin | /usr/local/sbin | /sbin | /bin | /usr/sbin | /usr/bin |
| no value | oval:ssg-state_accounts_root_path_dirs_wrong_perms:ste:1 | oval:ssg-state_accounts_root_path_dirs_symlink:ste:1 |
Ensure that Root's Path Does Not Include Relative Paths or Null Directoriesxccdf_org.ssgproject.content_rule_root_path_no_dot unknownCCE-88059-1
Ensure that Root's Path Does Not Include Relative Paths or Null Directories
Rule ID | xccdf_org.ssgproject.content_rule_root_path_no_dot |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-root_path_no_dot:def:1 |
Time | 2023-11-27T20:52:22+10:00 |
Severity | unknown |
Identifiers and References | Identifiers:
CCE-88059-1 References:
11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(a), CM-6(a), PR.IP-1, 6.2.8 |
Description | Ensure that none of the directories in root's path is equal to a single
. character, or
that it contains any instances that lead to relative path traversal, such as
.. or beginning a path without the slash ( / ) character.
Also ensure that there are no "empty" elements in the path, such as in these examples:
PATH=:/bin
PATH=/bin:
PATH=/bin::/sbin
These empty elements have the same effect as a single . character. |
Rationale | Including these entries increases the risk that root could
execute code from an untrusted location. |
OVAL test results details
environment variable PATH starts with : or .
oval:ssg-test_env_var_begins:tst:1
true
Following items have been found on the system:
Pid | Name | Value |
---|
4122 | PATH | /root/.local/bin:/root/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin |
environment variable PATH doesn't contain : twice in a row
oval:ssg-test_env_var_contains_doublecolon:tst:1
true
Following items have been found on the system:
Pid | Name | Value |
---|
4122 | PATH | /root/.local/bin:/root/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin |
environment variable PATH doesn't contain . twice in a row
oval:ssg-test_env_var_contains_doubleperiod:tst:1
true
Following items have been found on the system:
Pid | Name | Value |
---|
4122 | PATH | /root/.local/bin:/root/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin |
environment variable PATH ends with : or .
oval:ssg-test_env_var_ends:tst:1
true
Following items have been found on the system:
Pid | Name | Value |
---|
4122 | PATH | /root/.local/bin:/root/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin |
environment variable PATH starts with an absolute path /
oval:ssg-test_env_var_begins_slash:tst:1
true
Following items have been found on the system:
Pid | Name | Value |
---|
4122 | PATH | /root/.local/bin:/root/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin |
environment variable PATH contains relative paths
oval:ssg-test_env_var_contains_relative_path:tst:1
true
Following items have been found on the system:
Pid | Name | Value |
---|
4122 | PATH | /root/.local/bin:/root/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin |
Ensure the Default Bash Umask is Set Correctlyxccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc mediumCCE-83644-5
Ensure the Default Bash Umask is Set Correctly
Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-accounts_umask_etc_bashrc:def:1 |
Time | 2023-11-27T20:52:22+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83644-5 References:
BP28(R35), A.6.SEC-RHEL5, 18, APO13.01, BAI03.01, BAI03.02, BAI03.03, CCI-000366, 4.3.4.3.3, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6(1), CM-6(a), PR.IP-2, 8.6.1, SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227, 5.6.5 |
Description | To ensure the default umask for users of the Bash shell is set properly,
add or correct the umask setting in /etc/bashrc to read
as follows:
umask 027 |
Rationale | The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users. |
|
|
OVAL test results details
Verify the existence of var_accounts_user_umask_as_number variable
oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-var_accounts_user_umask_umask_as_number:var:1 | 23 |
Test the retrieved /etc/bashrc umask value(s) match the var_accounts_user_umask requirement
oval:ssg-tst_accounts_umask_etc_bashrc:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_accounts_umask_etc_bashrc:obj:1 of type
variable_object
Var ref |
---|
oval:ssg-var_etc_bashrc_umask_as_number:var:1 |
Ensure the Default Umask is Set Correctly in login.defsxccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs mediumCCE-83647-8
Ensure the Default Umask is Set Correctly in login.defs
Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-accounts_umask_etc_login_defs:def:1 |
Time | 2023-11-27T20:52:22+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83647-8 References:
BP28(R35), A.6.SEC-RHEL5, 11, 18, 3, 9, APO13.01, BAI03.01, BAI03.02, BAI03.03, BAI10.01, BAI10.02, BAI10.03, BAI10.05, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.1.1, A.14.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.5, A.6.1.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6(1), CM-6(a), PR.IP-1, PR.IP-2, 8.6.1, SRG-OS-000480-GPOS-00228, 5.6.5 |
Description | To ensure the default umask controlled by /etc/login.defs is set properly,
add or correct the UMASK setting in /etc/login.defs to read as follows:
UMASK 027 |
Rationale | The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read and
written to by unauthorized users. |
|
|
OVAL test results details
Verify the existence of var_accounts_user_umask_as_number variable
oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-var_accounts_user_umask_umask_as_number:var:1 | 23 |
Test the retrieved /etc/login.defs umask value(s) match the var_accounts_user_umask requirement
oval:ssg-tst_accounts_umask_etc_login_defs:tst:1
false
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-var_etc_login_defs_umask_as_number:var:1 | 18 |
Ensure the Default Umask is Set Correctly in /etc/profilexccdf_org.ssgproject.content_rule_accounts_umask_etc_profile mediumCCE-90828-5
Ensure the Default Umask is Set Correctly in /etc/profile
Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-accounts_umask_etc_profile:def:1 |
Time | 2023-11-27T20:52:22+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-90828-5 References:
BP28(R35), A.6.SEC-RHEL5, 18, APO13.01, BAI03.01, BAI03.02, BAI03.03, CCI-000366, 4.3.4.3.3, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6(1), CM-6(a), PR.IP-2, 8.6.1, SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227, 5.6.5 |
Description | To ensure the default umask controlled by /etc/profile is set properly,
add or correct the umask setting in /etc/profile to read as follows:
umask 027
Note that /etc/profile also reads scrips within /etc/profile.d directory.
These scripts are also valid files to set umask value. Therefore, they should also be
considered during the check and properly remediated, if necessary. |
Rationale | The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users. |
|
|
OVAL test results details
Verify the existence of var_accounts_user_umask_as_number variable
oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-var_accounts_user_umask_umask_as_number:var:1 | 23 |
umask value(s) from profile configuration files match the requirement
oval:ssg-tst_accounts_umask_etc_profile:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_accounts_umask_etc_profile:obj:1 of type
variable_object
Var ref |
---|
oval:ssg-var_etc_profile_umask_as_number:var:1 |
Set Interactive Session Timeoutxccdf_org.ssgproject.content_rule_accounts_tmout mediumCCE-83633-8
Set Interactive Session Timeout
Rule ID | xccdf_org.ssgproject.content_rule_accounts_tmout |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-accounts_tmout:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83633-8 References:
BP28(R29), A.5.SEC-RHEL8, 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.11, CCI-000057, CCI-001133, CCI-002361, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-12, SC-10, AC-2(5), CM-6(a), PR.AC-7, FMT_MOF_EXT.1, 8.6.1, SRG-OS-000163-GPOS-00072, SRG-OS-000029-GPOS-00010, 5.6.3 |
Description | Setting the TMOUT option in /etc/profile ensures that
all user sessions will terminate based on inactivity.
The value of TMOUT should be exported and read only.
The TMOUT
setting in a file loaded by /etc/profile , e.g.
/etc/profile.d/tmout.sh should read as follows:
declare -xr TMOUT=900 |
Rationale | Terminating an idle session within a short time period reduces
the window of opportunity for unauthorized personnel to take control of a
management session enabled on the console or console port that has been
left unattended. |
|
|
OVAL test results details
TMOUT in /etc/profile
oval:ssg-test_etc_profile_tmout:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_etc_profile_tmout:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/profile | ^[\s]*declare[\s]+-xr[\s]+TMOUT=([\w$]+).*$ | 1 |
TMOUT in /etc/profile.d/*.sh
oval:ssg-test_etc_profiled_tmout:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_etc_profiled_tmout:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/profile.d | ^.*\.sh$ | ^[\s]*declare[\s]+-xr[\s]+TMOUT=([\w$]+).*$ | 1 |
Check that at least one TMOUT is defined
oval:ssg-test_accounts_tmout_defined:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_tmout_defined:obj:1 of type
variable_object
Var ref |
---|
oval:ssg-variable_count_of_tmout_instances:var:1 |
User Initialization Files Must Not Run World-Writable Programsxccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs mediumCCE-87451-1
User Initialization Files Must Not Run World-Writable Programs
Rule ID | xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-accounts_user_dot_no_world_writable_programs:def:1 |
Time | 2023-11-27T20:52:22+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-87451-1 References:
CCI-000366, SRG-OS-000480-GPOS-00227, 6.2.16 |
Description | Set the mode on files being executed by the user initialization files with the
following command:
$ sudo chmod o-w FILE |
Rationale | If user start-up files execute world-writable programs, especially in
unprotected directories, they could be maliciously modified to destroy user
files or otherwise compromise the system at the user level. If the system is
compromised at the user level, it is easier to elevate privileges to eventually
compromise the system at the root and network level. |
OVAL test results details
Init files do not execute world-writable programs
oval:ssg-test_accounts_user_dot_no_world_writable_programs:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_user_dot_no_world_writable_programs_init_files:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
^(\.bashrc|\.zshrc|\.cshrc|\.profile|\.bash_login|\.bash_profile)$ | /home/user1 | Referenced variable has no values (oval:ssg-var_world_writable_programs_regex:var:1). | 1 |
All Interactive Users Home Directories Must Existxccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists mediumCCE-83639-5
All Interactive Users Home Directories Must Exist
Rule ID | xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-accounts_user_interactive_home_directory_exists:def:1 |
Time | 2023-11-27T20:52:22+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83639-5 References:
CCI-000366, SRG-OS-000480-GPOS-00227, 6.2.10 |
Description | Create home directories to all local interactive users that currently do not
have a home directory assigned. Use the following commands to create the user
home directory assigned in /etc/passwd :
$ sudo mkdir /home/USER |
Rationale | If a local interactive user has a home directory defined that does not exist,
the user may be given access to the / directory as the current working directory
upon logon. This could create a Denial of Service because the user would not be
able to access their logon configuration files, and it may give them visibility
to system files they normally would not be able to access. |
OVAL test results details
Check the existence of interactive users.
oval:ssg-test_accounts_user_interactive_home_directory_exists:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-var_accounts_user_interactive_home_directory_exists_dirs_count_fs:var:1 | 1 |
Check the existence of interactive users.
oval:ssg-test_accounts_user_interactive_home_directory_exists_users:tst:1
false
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-var_accounts_user_interactive_home_directory_exists_dirs_count:var:1 | 1 |
All Interactive User Home Directories Must Be Group-Owned By The Primary Groupxccdf_org.ssgproject.content_rule_file_groupownership_home_directories mediumCCE-83629-6
All Interactive User Home Directories Must Be Group-Owned By The Primary Group
Rule ID | xccdf_org.ssgproject.content_rule_file_groupownership_home_directories |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupownership_home_directories:def:1 |
Time | 2023-11-27T20:52:22+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83629-6 References:
CCI-000366, SRG-OS-000480-GPOS-00227, 6.2.11 |
Description | Change the group owner of interactive users home directory to the
group found in /etc/passwd . To change the group owner of
interactive users home directory, use the following command:
$ sudo chgrp USER_GROUP /home/USER
This rule ensures every home directory related to an interactive user is
group-owned by an interactive user. It also ensures that interactive users
are group-owners of one and only one home directory. |
Rationale | If the Group Identifier (GID) of a local interactive users home directory is
not the same as the primary GID of the user, this would allow unauthorized
access to the users files, and users that share the same group may not be
able to access files that they legitimately should. |
Warnings | warning
Due to OVAL limitation, this rule can report a false negative in a
specific situation where two interactive users swap the group-ownership
of their respective home directories. |
OVAL test results details
All home directories are group-owned by a local interactive group
oval:ssg-test_file_groupownership_home_directories:tst:1
true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|
/home/user1/ | directory | 1000 | 1000 | 4096 | rwx------ |
All Interactive User Home Directories Must Have mode 0750 Or Less Permissivexccdf_org.ssgproject.content_rule_file_permissions_home_directories mediumCCE-83634-6
All Interactive User Home Directories Must Have mode 0750 Or Less Permissive
Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_home_directories |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_permissions_home_directories:def:1 |
Time | 2023-11-27T20:52:22+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83634-6 References:
CCI-000366, SRG-OS-000480-GPOS-00227, 6.2.12 |
Description | Change the mode of interactive users home directories to 0750 . To
change the mode of interactive users home directory, use the
following command:
$ sudo chmod 0750 /home/USER |
Rationale | Excessive permissions on local interactive user home directories may allow
unauthorized access to user files by other users. |
OVAL test results details
All home directories have proper permissions
oval:ssg-test_file_permissions_home_directories:tst:1
true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|
/home/user1/ | directory | 1000 | 1000 | 4096 | rwx------ |
Enable authselectxccdf_org.ssgproject.content_rule_enable_authselect mediumCCE-89732-2
Enable authselect
Rule ID | xccdf_org.ssgproject.content_rule_enable_authselect |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-enable_authselect:def:1 |
Time | 2023-11-27T20:51:57+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-89732-2 References:
BP28(R31), A.30.SEC-RHEL1, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), AC-3, FIA_UAU.1, FIA_AFL.1, SRG-OS-000480-GPOS-00227, 5.4.1 |
Description | Configure user authentication setup to use the authselect tool.
If authselect profile is selected, the rule will enable the sssd profile. |
Rationale | Authselect is a successor to authconfig.
It is a tool to select system authentication and identity sources from a list of supported
profiles instead of letting the administrator manually build the PAM stack.
That way, it avoids potential breakage of configuration, as it ships several tested profiles
that are well tested and supported to solve different use-cases. |
Warnings | warning
If the sudo authselect select command returns an error informing that the chosen
profile cannot be selected, it is probably because PAM files have already been modified by
the administrator. If this is the case, in order to not overwrite the desired changes made
by the administrator, the current PAM settings should be investigated before forcing the
selection of the chosen authselect profile. |
OVAL test results details
The 'fingerprint-auth' PAM config is a symlink to its authselect counterpart
oval:ssg-test_pam_fingerprint_symlinked_to_authselect:tst:1
true
Following items have been found on the system:
Filepath | Canonical path |
---|
/etc/pam.d/fingerprint-auth | /etc/authselect/fingerprint-auth |
The 'password-auth' PAM config is a symlink to its authselect counterpart
oval:ssg-test_pam_password_symlinked_to_authselect:tst:1
true
Following items have been found on the system:
Filepath | Canonical path |
---|
/etc/pam.d/password-auth | /etc/authselect/password-auth |
The 'postlogin' PAM config is a symlink to its authselect counterpart
oval:ssg-test_pam_postlogin_symlinked_to_authselect:tst:1
true
Following items have been found on the system:
Filepath | Canonical path |
---|
/etc/pam.d/postlogin | /etc/authselect/postlogin |
The 'smartcard-auth' PAM config is a symlink to its authselect counterpart
oval:ssg-test_pam_smartcard_symlinked_to_authselect:tst:1
true
Following items have been found on the system:
Filepath | Canonical path |
---|
/etc/pam.d/smartcard-auth | /etc/authselect/smartcard-auth |
The 'system-auth' PAM config is a symlink to its authselect counterpart
oval:ssg-test_pam_system_symlinked_to_authselect:tst:1
true
Following items have been found on the system:
Filepath | Canonical path |
---|
/etc/pam.d/system-auth | /etc/authselect/system-auth |
Record Events that Modify the System's Discretionary Access Controls - chmodxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod mediumCCE-83830-0
Record Events that Modify the System's Discretionary Access Controls - chmod
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_dac_modification_chmod:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83830-0 References:
BP28(R73), A.3.SEC-RHEL7, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, 4.1.3.9 |
Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod |
Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit chmod
oval:ssg-test_32bit_ardm_chmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_chmod_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit chmod
oval:ssg-test_64bit_ardm_chmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_chmod_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit chmod
oval:ssg-test_32bit_ardm_chmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_chmod_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit chmod
oval:ssg-test_64bit_ardm_chmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_chmod_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - chownxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown mediumCCE-83812-8
Record Events that Modify the System's Discretionary Access Controls - chown
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_dac_modification_chown:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83812-8 References:
BP28(R73), A.3.SEC-RHEL7, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, 4.1.3.9 |
Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod |
Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit chown
oval:ssg-test_32bit_ardm_chown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_chown_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit chown
oval:ssg-test_64bit_ardm_chown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_chown_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit chown
oval:ssg-test_32bit_ardm_chown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_chown_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit chown
oval:ssg-test_64bit_ardm_chown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_chown_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - fchmodxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod mediumCCE-83832-6
Record Events that Modify the System's Discretionary Access Controls - fchmod
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fchmod:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83832-6 References:
BP28(R73), A.3.SEC-RHEL7, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, 4.1.3.9 |
Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod |
Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fchmod
oval:ssg-test_32bit_ardm_fchmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchmod_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit fchmod
oval:ssg-test_64bit_ardm_fchmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchmod_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fchmod
oval:ssg-test_32bit_ardm_fchmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchmod_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit fchmod
oval:ssg-test_64bit_ardm_fchmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchmod_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - fchmodatxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat mediumCCE-83822-7
Record Events that Modify the System's Discretionary Access Controls - fchmodat
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fchmodat:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83822-7 References:
BP28(R73), A.3.SEC-RHEL7, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, 4.1.3.9 |
Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod |
Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fchmodat
oval:ssg-test_32bit_ardm_fchmodat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchmodat_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit fchmodat
oval:ssg-test_64bit_ardm_fchmodat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchmodat_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fchmodat
oval:ssg-test_32bit_ardm_fchmodat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchmodat_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit fchmodat
oval:ssg-test_64bit_ardm_fchmodat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchmodat_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - fchownxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown mediumCCE-83829-2
Record Events that Modify the System's Discretionary Access Controls - fchown
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fchown:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83829-2 References:
BP28(R73), A.3.SEC-RHEL7, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, 4.1.3.9 |
Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fchown
oval:ssg-test_32bit_ardm_fchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchown_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit fchown
oval:ssg-test_64bit_ardm_fchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchown_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fchown
oval:ssg-test_32bit_ardm_fchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchown_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit fchown
oval:ssg-test_64bit_ardm_fchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchown_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - fchownatxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat mediumCCE-83831-8
Record Events that Modify the System's Discretionary Access Controls - fchownat
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fchownat:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83831-8 References:
BP28(R73), A.3.SEC-RHEL7, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, 4.1.3.9 |
Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod |
Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fchownat
oval:ssg-test_32bit_ardm_fchownat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchownat_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit fchownat
oval:ssg-test_64bit_ardm_fchownat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchownat_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fchownat
oval:ssg-test_32bit_ardm_fchownat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchownat_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit fchownat
oval:ssg-test_64bit_ardm_fchownat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchownat_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - fremovexattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr mediumCCE-83821-9
Record Events that Modify the System's Discretionary Access Controls - fremovexattr
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fremovexattr:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83821-9 References:
BP28(R73), A.3.SEC-RHEL7, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000064-GPOS-00033, 4.1.3.9 |
Description | At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod |
Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | true |
---|
Strategy: | restrict |
---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83821-9
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit fremovexattr tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83821-9
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for fremovexattr for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- fremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fremovexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fremovexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fremovexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fremovexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-83821-9
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for fremovexattr for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- fremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fremovexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fremovexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fremovexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fremovexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-83821-9
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fremovexattr
oval:ssg-test_32bit_ardm_fremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fremovexattr_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit fremovexattr auid=0
oval:ssg-test_32bit_ardm_fremovexattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fremovexattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit fremovexattr
oval:ssg-test_64bit_ardm_fremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fremovexattr_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit fremovexattr
oval:ssg-test_64bit_ardm_fremovexattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fremovexattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fremovexattr
oval:ssg-test_32bit_ardm_fremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fremovexattr_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit fremovexattr
oval:ssg-test_32bit_ardm_fremovexattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fremovexattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit fremovexattr
oval:ssg-test_64bit_ardm_fremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fremovexattr_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit fremovexattr
oval:ssg-test_64bit_ardm_fremovexattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fremovexattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - fsetxattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr mediumCCE-83817-7
Record Events that Modify the System's Discretionary Access Controls - fsetxattr
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fsetxattr:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83817-7 References:
BP28(R73), A.3.SEC-RHEL7, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000064-GPOS-00033, 4.1.3.9 |
Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod |
Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | true |
---|
Strategy: | restrict |
---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83817-7
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fsetxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit fsetxattr tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83817-7
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fsetxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for fsetxattr for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- fsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fsetxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fsetxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fsetxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fsetxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-83817-7
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fsetxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for fsetxattr for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- fsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fsetxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fsetxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fsetxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fsetxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-83817-7
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fsetxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fsetxattr
oval:ssg-test_32bit_ardm_fsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fsetxattr_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit fsetxattr auid=0
oval:ssg-test_32bit_ardm_fsetxattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fsetxattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit fsetxattr
oval:ssg-test_64bit_ardm_fsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fsetxattr_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit fsetxattr
oval:ssg-test_64bit_ardm_fsetxattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fsetxattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fsetxattr
oval:ssg-test_32bit_ardm_fsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fsetxattr_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit fsetxattr
oval:ssg-test_32bit_ardm_fsetxattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fsetxattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit fsetxattr
oval:ssg-test_64bit_ardm_fsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fsetxattr_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit fsetxattr
oval:ssg-test_64bit_ardm_fsetxattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fsetxattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - lchownxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown mediumCCE-83833-4
Record Events that Modify the System's Discretionary Access Controls - lchown
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_dac_modification_lchown:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83833-4 References:
BP28(R73), A.3.SEC-RHEL7, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, 4.1.3.9 |
Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit lchown
oval:ssg-test_32bit_ardm_lchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lchown_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit lchown
oval:ssg-test_64bit_ardm_lchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lchown_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit lchown
oval:ssg-test_32bit_ardm_lchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lchown_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit lchown
oval:ssg-test_64bit_ardm_lchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lchown_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - lremovexattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr mediumCCE-83814-4
Record Events that Modify the System's Discretionary Access Controls - lremovexattr
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_dac_modification_lremovexattr:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83814-4 References:
BP28(R73), A.3.SEC-RHEL7, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033, 4.1.3.9 |
Description | At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod |
Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | true |
---|
Strategy: | restrict |
---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83814-4
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_lremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit lremovexattr tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83814-4
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_lremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for lremovexattr for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- lremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lremovexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lremovexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lremovexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lremovexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-83814-4
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_lremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for lremovexattr for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- lremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lremovexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lremovexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lremovexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lremovexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-83814-4
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_lremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit lremovexattr
oval:ssg-test_32bit_ardm_lremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lremovexattr_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit lremovexattr auid=0
oval:ssg-test_32bit_ardm_lremovexattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lremovexattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit lremovexattr
oval:ssg-test_64bit_ardm_lremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lremovexattr_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit lremovexattr
oval:ssg-test_64bit_ardm_lremovexattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lremovexattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit lremovexattr
oval:ssg-test_32bit_ardm_lremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lremovexattr_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit lremovexattr
oval:ssg-test_32bit_ardm_lremovexattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lremovexattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit lremovexattr
oval:ssg-test_64bit_ardm_lremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lremovexattr_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit lremovexattr
oval:ssg-test_64bit_ardm_lremovexattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lremovexattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - lsetxattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr mediumCCE-83808-6
Record Events that Modify the System's Discretionary Access Controls - lsetxattr
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_dac_modification_lsetxattr:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83808-6 References:
BP28(R73), A.3.SEC-RHEL7, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000064-GPOS-00033, 4.1.3.9 |
Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod |
Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | true |
---|
Strategy: | restrict |
---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83808-6
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_lsetxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit lsetxattr tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83808-6
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_lsetxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for lsetxattr for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- lsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lsetxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lsetxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lsetxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lsetxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-83808-6
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_lsetxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for lsetxattr for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- lsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lsetxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lsetxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lsetxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lsetxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-83808-6
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_lsetxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit lsetxattr
oval:ssg-test_32bit_ardm_lsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lsetxattr_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit lsetxattr auid=0
oval:ssg-test_32bit_ardm_lsetxattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lsetxattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit lsetxattr
oval:ssg-test_64bit_ardm_lsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lsetxattr_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit lsetxattr
oval:ssg-test_64bit_ardm_lsetxattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lsetxattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit lsetxattr
oval:ssg-test_32bit_ardm_lsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lsetxattr_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit lsetxattr
oval:ssg-test_32bit_ardm_lsetxattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lsetxattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit lsetxattr
oval:ssg-test_64bit_ardm_lsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lsetxattr_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit lsetxattr
oval:ssg-test_64bit_ardm_lsetxattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lsetxattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - removexattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr mediumCCE-83807-8
Record Events that Modify the System's Discretionary Access Controls - removexattr
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_dac_modification_removexattr:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83807-8 References:
BP28(R73), A.3.SEC-RHEL7, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033, 4.1.3.9 |
Description | At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following line to a file with suffix .rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod |
Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | true |
---|
Strategy: | restrict |
---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83807-8
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_removexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit removexattr tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83807-8
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_removexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for removexattr for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- removexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of removexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- removexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of removexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- removexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of removexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- removexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of removexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-83807-8
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_removexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for removexattr for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- removexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of removexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- removexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of removexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- removexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of removexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- removexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of removexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-83807-8
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_removexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit removexattr
oval:ssg-test_32bit_ardm_removexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_removexattr_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit removexattr auid=0
oval:ssg-test_32bit_ardm_removexattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_removexattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit removexattr
oval:ssg-test_64bit_ardm_removexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_removexattr_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit removexattr
oval:ssg-test_64bit_ardm_removexattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_removexattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit removexattr
oval:ssg-test_32bit_ardm_removexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_removexattr_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit removexattr
oval:ssg-test_32bit_ardm_removexattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_removexattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit removexattr
oval:ssg-test_64bit_ardm_removexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_removexattr_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit removexattr
oval:ssg-test_64bit_ardm_removexattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_removexattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - setxattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr mediumCCE-83811-0
Record Events that Modify the System's Discretionary Access Controls - setxattr
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_dac_modification_setxattr:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83811-0 References:
BP28(R73), A.3.SEC-RHEL7, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, 4.1.3.9 |
Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod |
Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | true |
---|
Strategy: | restrict |
---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83811-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_setxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit setxattr tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83811-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_setxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for setxattr for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- setxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of setxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- setxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of setxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- setxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of setxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- setxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of setxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-83811-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_setxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for setxattr for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- setxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of setxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- setxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of setxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- setxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of setxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- setxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of setxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-83811-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_setxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit setxattr
oval:ssg-test_32bit_ardm_setxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setxattr_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit setxattr auid=0
oval:ssg-test_32bit_ardm_setxattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setxattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit setxattr
oval:ssg-test_64bit_ardm_setxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setxattr_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit setxattr
oval:ssg-test_64bit_ardm_setxattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setxattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit setxattr
oval:ssg-test_32bit_ardm_setxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setxattr_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit setxattr
oval:ssg-test_32bit_ardm_setxattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setxattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit setxattr
oval:ssg-test_64bit_ardm_setxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setxattr_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit setxattr
oval:ssg-test_64bit_ardm_setxattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setxattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Any Attempts to Run chaclxccdf_org.ssgproject.content_rule_audit_rules_execution_chacl mediumCCE-87685-4
Record Any Attempts to Run chacl
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_chacl |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_execution_chacl:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-87685-4 References:
CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, 4.1.3.17 |
Description | At a minimum, the audit system should collect any execution attempt
of the chacl command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Rationale | Without generating audit records that are specific to the security and
mission needs of the organization, it would be difficult to establish,
correlate, and investigate the events relating to an incident or identify
those responsible for one.
Audit records can be generated from various components within the
information system (e.g., module or policy filter). |
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules chacl
oval:ssg-test_audit_rules_execution_chacl_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_chacl_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chacl(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl chacl
oval:ssg-test_audit_rules_execution_chacl_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_chacl_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chacl(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Any Attempts to Run setfaclxccdf_org.ssgproject.content_rule_audit_rules_execution_setfacl mediumCCE-90482-1
Record Any Attempts to Run setfacl
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_setfacl |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_execution_setfacl:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-90482-1 References:
CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, 4.1.3.16 |
Description | At a minimum, the audit system should collect any execution attempt
of the setfacl command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Rationale | Without generating audit records that are specific to the security and
mission needs of the organization, it would be difficult to establish,
correlate, and investigate the events relating to an incident or identify
those responsible for one.
Audit records can be generated from various components within the
information system (e.g., module or policy filter). |
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules setfacl
oval:ssg-test_audit_rules_execution_setfacl_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_setfacl_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/setfacl(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl setfacl
oval:ssg-test_audit_rules_execution_setfacl_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_setfacl_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/setfacl(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Any Attempts to Run chconxccdf_org.ssgproject.content_rule_audit_rules_execution_chcon mediumCCE-83748-4
Record Any Attempts to Run chcon
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_execution_chcon:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83748-4 References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, 4.1.3.15 |
Description | At a minimum, the audit system should collect any execution attempt
of the chcon command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules chcon
oval:ssg-test_audit_rules_execution_chcon_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_chcon_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl chcon
oval:ssg-test_audit_rules_execution_chcon_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_chcon_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects File Deletion Events by User - renamexccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename mediumCCE-83754-2
Ensure auditd Collects File Deletion Events by User - rename
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_file_deletion_events_rename:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83754-2 References:
BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, 4.1.3.13 |
Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d , setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete |
Rationale | Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as, detecting
malicious processes that attempt to delete log files to conceal their presence. |
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit rename
oval:ssg-test_32bit_ardm_rename_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_rename_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit rename
oval:ssg-test_64bit_ardm_rename_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_rename_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit rename
oval:ssg-test_32bit_ardm_rename_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_rename_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit rename
oval:ssg-test_64bit_ardm_rename_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_rename_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects File Deletion Events by User - renameatxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat mediumCCE-83756-7
Ensure auditd Collects File Deletion Events by User - renameat
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_file_deletion_events_renameat:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83756-7 References:
BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, 4.1.3.13 |
Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d , setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete |
Rationale | Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as, detecting
malicious processes that attempt to delete log files to conceal their presence. |
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit renameat
oval:ssg-test_32bit_ardm_renameat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_renameat_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit renameat
oval:ssg-test_64bit_ardm_renameat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_renameat_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit renameat
oval:ssg-test_32bit_ardm_renameat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_renameat_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit renameat
oval:ssg-test_64bit_ardm_renameat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_renameat_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects File Deletion Events by User - unlinkxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink mediumCCE-83757-5
Ensure auditd Collects File Deletion Events by User - unlink
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_file_deletion_events_unlink:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83757-5 References:
BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, 4.1.3.13 |
Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d , setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete |
Rationale | Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as, detecting
malicious processes that attempt to delete log files to conceal their presence. |
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit unlink
oval:ssg-test_32bit_ardm_unlink_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_unlink_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit unlink
oval:ssg-test_64bit_ardm_unlink_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_unlink_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit unlink
oval:ssg-test_32bit_ardm_unlink_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_unlink_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit unlink
oval:ssg-test_64bit_ardm_unlink_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_unlink_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects File Deletion Events by User - unlinkatxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat mediumCCE-83755-9
Ensure auditd Collects File Deletion Events by User - unlinkat
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_file_deletion_events_unlinkat:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83755-9 References:
BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, 4.1.3.13 |
Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d , setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete |
Rationale | Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as, detecting
malicious processes that attempt to delete log files to conceal their presence. |
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit unlinkat
oval:ssg-test_32bit_ardm_unlinkat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_unlinkat_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit unlinkat
oval:ssg-test_64bit_ardm_unlinkat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_unlinkat_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit unlinkat
oval:ssg-test_32bit_ardm_unlinkat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_unlinkat_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit unlinkat
oval:ssg-test_64bit_ardm_unlinkat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_unlinkat_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Access Attempts to Files - creatxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat mediumCCE-83786-4
Record Unsuccessful Access Attempts to Files - creat
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_creat:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83786-4 References:
BP28(R73), A.3.SEC-RHEL9, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, 10.2.1.1, 10.2.1.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, 4.1.3.7 |
Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | true |
---|
Strategy: | restrict |
---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83786-4
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_creat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit creat tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83786-4
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_creat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for creat EACCES for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- creat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of creat in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- creat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of creat in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-83786-4
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_creat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for creat EACCES for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- creat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of creat in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- creat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of creat in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-83786-4
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_creat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for creat EPERM for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- creat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of creat in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- creat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of creat in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-83786-4
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_creat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for creat EPERM for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- creat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of creat in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- creat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of creat in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-83786-4
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_creat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_creat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_creat_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_creat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_creat_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_creat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_creat_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_creat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_creat_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_creat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_creat_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* |
| /etc/audit/audit.rules | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_creat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_creat_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* |
| /etc/audit/audit.rules | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_creat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_creat_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* |
| /etc/audit/audit.rules | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_creat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_creat_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* |
| /etc/audit/audit.rules | 1 |
Record Unsuccessful Access Attempts to Files - ftruncatexccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate mediumCCE-83800-3
Record Unsuccessful Access Attempts to Files - ftruncate
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_ftruncate:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83800-3 References:
BP28(R73), A.3.SEC-RHEL9, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, 10.2.1.1, 10.2.1.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, 4.1.3.7 |
Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | true |
---|
Strategy: | restrict |
---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83800-3
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_ftruncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit ftruncate tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83800-3
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_ftruncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for ftruncate EACCES for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- ftruncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of ftruncate in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- ftruncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of ftruncate in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-83800-3
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_ftruncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for ftruncate EACCES for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- ftruncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of ftruncate in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- ftruncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of ftruncate in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-83800-3
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_ftruncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for ftruncate EPERM for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- ftruncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of ftruncate in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- ftruncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of ftruncate in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-83800-3
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_ftruncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for ftruncate EPERM for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- ftruncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of ftruncate in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- ftruncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of ftruncate in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-83800-3
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_ftruncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_ftruncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_ftruncate_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_ftruncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_ftruncate_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_ftruncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_ftruncate_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_ftruncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_ftruncate_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_ftruncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_ftruncate_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_ftruncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_ftruncate_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_ftruncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_ftruncate_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_ftruncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_ftruncate_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
Record Unsuccessful Access Attempts to Files - openxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open mediumCCE-83801-1
Record Unsuccessful Access Attempts to Files - open
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_open:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83801-1 References:
BP28(R73), A.3.SEC-RHEL9, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, 10.2.1.1, 10.2.1.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, 4.1.3.7 |
Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | true |
---|
Strategy: | restrict |
---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83801-1
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_open
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit open tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83801-1
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_open
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for open EACCES for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- open
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- open
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-83801-1
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_open
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for open EACCES for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- open
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- open
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-83801-1
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_open
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for open EPERM for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- open
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- open
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-83801-1
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_open
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for open EPERM for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- open
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- open
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-83801-1
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_open
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_open_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_open_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_open_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_open_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_open_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_open_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_open_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_open_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_open_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_open_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_open_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_open_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_open_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_open_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_open_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_open_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
Record Unsuccessful Access Attempts to Files - openatxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat mediumCCE-83794-8
Record Unsuccessful Access Attempts to Files - openat
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_openat:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83794-8 References:
BP28(R73), A.3.SEC-RHEL9, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, 10.2.1.1, 10.2.1.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, 4.1.3.7 |
Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | true |
---|
Strategy: | restrict |
---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83794-8
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_openat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit openat tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83794-8
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_openat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for openat EACCES for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- openat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of openat in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- openat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of openat in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-83794-8
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_openat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for openat EACCES for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- openat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of openat in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- openat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of openat in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-83794-8
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_openat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for openat EPERM for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- openat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of openat in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- openat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of openat in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-83794-8
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_openat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for openat EPERM for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- openat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of openat in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- openat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of openat in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-83794-8
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_openat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_openat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_openat_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_openat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_openat_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_openat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_openat_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_openat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_openat_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_openat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_openat_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_openat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_openat_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_openat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_openat_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_openat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_openat_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
Record Unsuccessful Access Attempts to Files - truncatexccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate mediumCCE-83792-2
Record Unsuccessful Access Attempts to Files - truncate
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_truncate:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83792-2 References:
BP28(R73), A.3.SEC-RHEL9, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, 10.2.1.1, 10.2.1.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, 4.1.3.7 |
Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | true |
---|
Strategy: | restrict |
---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83792-2
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_truncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit truncate tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83792-2
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_truncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for truncate EACCES for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- truncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of truncate in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- truncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of truncate in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-83792-2
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_truncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for truncate EACCES for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- truncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of truncate in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- truncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of truncate in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-83792-2
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_truncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for truncate EPERM for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- truncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of truncate in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- truncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of truncate in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-83792-2
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_truncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for truncate EPERM for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- truncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of truncate in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- truncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of truncate in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-83792-2
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_truncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_truncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_truncate_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_truncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_truncate_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_truncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_truncate_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_truncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_truncate_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_truncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_truncate_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_truncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_truncate_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_truncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_truncate_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_truncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_truncate_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
Ensure auditd Collects Information on Kernel Module Unloading - create_modulexccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_create mediumCCE-88436-1
Ensure auditd Collects Information on Kernel Module Unloading - create_module
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_create |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_kernel_module_loading_create:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-88436-1 References:
CCI-000172, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, 4.1.3.19 |
Description | To capture kernel module unloading events, use following line, setting ARCH to
either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S create_module -F key=module-change
Place to add the line depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d .
If the auditd daemon is configured to use the auditctl utility,
add the line to file /etc/audit/audit.rules . |
Rationale | The removal of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of modules that have been introduced into the kernel. |
|
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit create_module
oval:ssg-test_32bit_ardm_create_module_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_create_module_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+create_module[\s]+|([\s]+|[,])create_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit create_module
oval:ssg-test_64bit_ardm_create_module_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_create_module_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+create_module[\s]+|([\s]+|[,])create_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit create_module
oval:ssg-test_32bit_ardm_create_module_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_create_module_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+create_module[\s]+|([\s]+|[,])create_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit create_module
oval:ssg-test_64bit_ardm_create_module_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_create_module_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+create_module[\s]+|([\s]+|[,])create_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on Kernel Module Unloading - delete_modulexccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete mediumCCE-83802-9
Ensure auditd Collects Information on Kernel Module Unloading - delete_module
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_kernel_module_loading_delete:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83802-9 References:
BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, 4.1.3.19 |
Description | To capture kernel module unloading events, use following line, setting ARCH to
either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
Place to add the line depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d .
If the auditd daemon is configured to use the auditctl utility,
add the line to file /etc/audit/audit.rules . |
Rationale | The removal of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of modules that have been introduced into the kernel. |
|
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit delete_module
oval:ssg-test_32bit_ardm_delete_module_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_delete_module_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit delete_module
oval:ssg-test_64bit_ardm_delete_module_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_delete_module_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit delete_module
oval:ssg-test_32bit_ardm_delete_module_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_delete_module_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit delete_module
oval:ssg-test_64bit_ardm_delete_module_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_delete_module_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_modulexccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit mediumCCE-83803-7
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_kernel_module_loading_finit:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83803-7 References:
BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, 4.1.3.19 |
Description | If the auditd daemon is configured to use the augenrules program
to read audit rules during daemon startup (the default), add the following lines to a file
with suffix .rules in the directory /etc/audit/rules.d to capture kernel module
loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following lines to /etc/audit/audit.rules file
in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules |
Rationale | The addition/removal of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of modules that have been introduced into the kernel. |
|
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit finit_module
oval:ssg-test_32bit_ardm_finit_module_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_finit_module_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit finit_module
oval:ssg-test_64bit_ardm_finit_module_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_finit_module_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit finit_module
oval:ssg-test_32bit_ardm_finit_module_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_finit_module_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit finit_module
oval:ssg-test_64bit_ardm_finit_module_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_finit_module_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on Kernel Module Loading - init_modulexccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init mediumCCE-90835-0
Ensure auditd Collects Information on Kernel Module Loading - init_module
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_kernel_module_loading_init:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-90835-0 References:
BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, 4.1.3.19 |
Description | To capture kernel module loading events, use following line, setting ARCH to
either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
Place to add the line depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d .
If the auditd daemon is configured to use the auditctl utility,
add the line to file /etc/audit/audit.rules . |
Rationale | The addition of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of modules that have been introduced into the kernel. |
|
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit init_module
oval:ssg-test_32bit_ardm_init_module_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_init_module_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit init_module
oval:ssg-test_64bit_ardm_init_module_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_init_module_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit init_module
oval:ssg-test_32bit_ardm_init_module_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_init_module_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit init_module
oval:ssg-test_64bit_ardm_init_module_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_init_module_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on Kernel Module Loading and Unloading - query_modulexccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_query mediumCCE-88749-7
Ensure auditd Collects Information on Kernel Module Loading and Unloading - query_module
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_query |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_kernel_module_loading_query:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-88749-7 References:
4.1.3.19 |
Description | If the auditd daemon is configured to use the augenrules program
to read audit rules during daemon startup (the default), add the following lines to a file
with suffix .rules in the directory /etc/audit/rules.d to capture kernel module
loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S query_module -F auid>=1000 -F auid!=unset -F key=modules
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following lines to /etc/audit/audit.rules file
in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S query_module -F auid>=1000 -F auid!=unset -F key=modules |
Rationale | The addition/removal of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of modules that have been introduced into the kernel. |
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit query_module
oval:ssg-test_32bit_ardm_query_module_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_query_module_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+query_module[\s]+|([\s]+|[,])query_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit query_module
oval:ssg-test_64bit_ardm_query_module_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_query_module_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+query_module[\s]+|([\s]+|[,])query_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit query_module
oval:ssg-test_32bit_ardm_query_module_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_query_module_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+query_module[\s]+|([\s]+|[,])query_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit query_module
oval:ssg-test_64bit_ardm_query_module_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_query_module_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+query_module[\s]+|([\s]+|[,])query_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Attempts to Alter Logon and Logout Events - faillockxccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock mediumCCE-83783-1
Record Attempts to Alter Logon and Logout Events - faillock
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_login_events_faillock:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83783-1 References:
BP28(R73), A.3.SEC-RHEL1, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.3, 10.2.1.3, SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218, 4.1.3.12 |
Description | The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/faillock -p wa -k logins
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for unattempted manual
edits of files involved in storing logon events:
-w /var/log/faillock -p wa -k logins |
Rationale | Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion. |
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules faillock
oval:ssg-test_arle_faillock_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arle_faillock_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+\/var\/log\/faillock[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl faillock
oval:ssg-test_arle_faillock_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arle_faillock_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^\-w[\s]+\/var\/log\/faillock[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
Record Attempts to Alter Logon and Logout Events - lastlogxccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog mediumCCE-83785-6
Record Attempts to Alter Logon and Logout Events - lastlog
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_login_events_lastlog:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83785-6 References:
BP28(R73), A.3.SEC-RHEL1, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.3, 10.2.1.3, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000470-GPOS-00214, 4.1.3.12 |
Description | The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for unattempted manual
edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins |
Rationale | Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion. |
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules lastlog
oval:ssg-test_arle_lastlog_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arle_lastlog_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+\/var\/log\/lastlog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl lastlog
oval:ssg-test_arle_lastlog_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arle_lastlog_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^\-w[\s]+\/var\/log\/lastlog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commandsxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands mediumCCE-83759-1
Ensure auditd Collects Information on the Use of Privileged Commands
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_privileged_commands:def:1 |
Time | 2023-11-27T20:52:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83759-1 References:
BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO08.04, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.05, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-002234, 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.5, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.3.4.5.9, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 3.9, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, 0582, 0584, 05885, 0586, 0846, 0957, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.1, A.16.1.2, A.16.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.3, A.6.2.1, A.6.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-2, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, DE.DP-4, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, RS.CO-2, Req-10.2.2, 10.2.1.2, SRG-OS-000327-GPOS-00127, 4.1.3.6 |
Description | The audit system should collect information about usage of privileged commands for all users.
These are commands with suid or sgid bits on and they are specially risky in local block
device partitions not mounted with noexec and nosuid options. Therefore, these partitions
should be first identified by the following command:
findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid"
For all partitions listed by the previous command, it is necessary to search for
setuid / setgid programs using the following command:
$ sudo find PARTITION -xdev -perm /6000 -type f 2>/dev/null
For each setuid / setgid program identified by the previous command, an audit rule must be
present in the appropriate place using the following line structure:
-a always,exit -F path=PROG_PATH -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the augenrules program to read
audit rules during daemon startup, add the line to a file with suffix .rules in the
/etc/audit/rules.d directory, replacing the PROG_PATH part with the full path
of that setuid / setgid identified program.
If the auditd daemon is configured to use the auditctl utility instead, add
the line to the /etc/audit/audit.rules file, also replacing the PROG_PATH part
with the full path of that setuid / setgid identified program. |
Rationale | Misuse of privileged functions, either intentionally or unintentionally by authorized users,
or by unauthorized external entities that have compromised system accounts, is a serious and
ongoing concern that can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify the
risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert
their normal role of providing some necessary but limited capability. As such, motivation
exists to monitor these programs for unusual activity. |
Warnings | warning
This rule checks for multiple syscalls related to privileged commands. If needed to check
specific privileged commands, other more specific rules should be considered. For example:
audit_rules_privileged_commands_su audit_rules_privileged_commands_umount audit_rules_privileged_commands_passwd
warning
Note that OVAL check and Bash / Ansible remediation of this rule
explicitly excludes file systems mounted at /proc directory
and its subdirectories. It is a virtual file system and it doesn't
contain executable applications. At the same time, interacting with this
file system during check or remediation caused undesirable errors. |
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
There is one augenrules rule for each privileged command on the system.
oval:ssg-test_augenrules_all_priv_cmds_covered:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_priv_cmds_from_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance | Filter |
---|
/usr/bin/sudo | /usr/bin/pkexec | /usr/sbin/userhelper | /usr/libexec/openssh/ssh-keysign | /usr/libexec/cockpit-session | /usr/bin/mount | /usr/sbin/pam_timestamp_check | /usr/sbin/lockdev | /usr/sbin/unix_chkpwd | /usr/libexec/sssd/proxy_child | /usr/libexec/sssd/selinux_child | /usr/libexec/Xorg.wrap | /usr/bin/gpasswd | /usr/bin/at | /usr/bin/locate | /usr/libexec/utempter/utempter | /usr/bin/crontab | /usr/bin/passwd | /usr/bin/vmware-user-suid-wrapper | /usr/bin/newgrp | /usr/bin/fusermount | /usr/bin/fusermount3 | /usr/bin/write | /usr/bin/chage | /usr/lib/polkit-1/polkit-agent-helper-1 | /usr/bin/umount | /usr/bin/su | /usr/libexec/dbus-1/dbus-daemon-launch-helper | /usr/libexec/sssd/ldap_child | /usr/libexec/sssd/krb5_child | /usr/sbin/grub2-set-bootflag | /usr/bin/chfn | /usr/bin/chsh | / | /boot | /boot/efi | ^[\s]*-a always,exit (?:-F path=([\S]+))+(?: -F perm=x)? -F auid>=1000 -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 | oval:ssg-state_unprivileged_commands:ste:1 |
Count of augenrules for priv cmds matches the count of priv cmds in the system
oval:ssg-test_augenrules_count_matches_system_priv_cmds:tst:1
error
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-var_audit_rules_privileged_commands_priv_cmds_count:var:1 | 33 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
There is one auditctl rule for each privileged command on the system.
oval:ssg-test_auditctl_all_priv_cmds_covered:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_priv_cmds_from_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance | Filter |
---|
/usr/bin/sudo | /usr/bin/pkexec | /usr/sbin/userhelper | /usr/libexec/openssh/ssh-keysign | /usr/libexec/cockpit-session | /usr/bin/mount | /usr/sbin/pam_timestamp_check | /usr/sbin/lockdev | /usr/sbin/unix_chkpwd | /usr/libexec/sssd/proxy_child | /usr/libexec/sssd/selinux_child | /usr/libexec/Xorg.wrap | /usr/bin/gpasswd | /usr/bin/at | /usr/bin/locate | /usr/libexec/utempter/utempter | /usr/bin/crontab | /usr/bin/passwd | /usr/bin/vmware-user-suid-wrapper | /usr/bin/newgrp | /usr/bin/fusermount | /usr/bin/fusermount3 | /usr/bin/write | /usr/bin/chage | /usr/lib/polkit-1/polkit-agent-helper-1 | /usr/bin/umount | /usr/bin/su | /usr/libexec/dbus-1/dbus-daemon-launch-helper | /usr/libexec/sssd/ldap_child | /usr/libexec/sssd/krb5_child | /usr/sbin/grub2-set-bootflag | /usr/bin/chfn | /usr/bin/chsh | / | /boot | /boot/efi | ^[\s]*-a always,exit (?:-F path=([\S]+))+(?: -F perm=x)? -F auid>=1000 -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 | oval:ssg-state_unprivileged_commands:ste:1 |
Count of auditctl rules for priv cmds matches the count of priv cmds in the system
oval:ssg-test_auditctl_count_matches_system_priv_cmds:tst:1
error
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-var_audit_rules_privileged_commands_priv_cmds_count:var:1 | 33 |
Ensure auditd Collects Information on the Use of Privileged Commands - kmodxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_kmod mediumCCE-90262-7
Ensure auditd Collects Information on the Use of Privileged Commands - kmod
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_kmod |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_kmod:def:1 |
Time | 2023-11-27T20:52:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-90262-7 References:
BP28(R73), CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, AU-3, AU-3.1, AU-12(a), AU-12.1(ii), AU-12.1(iv)AU-12(c), MA-4(1)(a), SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, 4.1.3.19 |
Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d :
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Rationale | Without generating audit records that are specific to the security and
mission needs of the organization, it would be difficult to establish,
correlate, and investigate the events relating to an incident or identify
those responsible for one.
Audit records can be generated from various components within the
information system (e.g., module or policy filter). |
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules kmod
oval:ssg-test_audit_rules_privileged_commands_kmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_kmod_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/kmod(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl kmod
oval:ssg-test_audit_rules_privileged_commands_kmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_kmod_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/kmod(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - usermodxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usermod mediumCCE-87212-7
Ensure auditd Collects Information on the Use of Privileged Commands - usermod
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usermod |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_usermod:def:1 |
Time | 2023-11-27T20:52:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-87212-7 References:
CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, 4.1.3.18 |
Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d :
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules usermod
oval:ssg-test_audit_rules_privileged_commands_usermod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_usermod_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/usermod(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl usermod
oval:ssg-test_audit_rules_privileged_commands_usermod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_usermod_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/usermod(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record attempts to alter time through adjtimexxccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex mediumCCE-83840-9
Record attempts to alter time through adjtimex
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_time_adjtimex:def:1 |
Time | 2023-11-27T20:52:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83840-9 References:
BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b, 10.6.3, 4.1.3.4 |
Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
The -k option allows for the specification of a key in string form that can be
used for better reporting capability through ausearch and aureport. Multiple
system calls can be defined on the same line to save space if desired, but is
not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules |
Rationale | Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited. |
|
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit adjtimex
oval:ssg-test_32bit_art_adjtimex_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_art_adjtimex_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit adjtimex
oval:ssg-test_64bit_art_adjtimex_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_art_adjtimex_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit adjtimex
oval:ssg-test_32bit_art_adjtimex_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_art_adjtimex_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit adjtimex
oval:ssg-test_64bit_art_adjtimex_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_art_adjtimex_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Attempts to Alter Time Through clock_settimexccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime mediumCCE-83837-5
Record Attempts to Alter Time Through clock_settime
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_time_clock_settime:def:1 |
Time | 2023-11-27T20:52:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83837-5 References:
BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b, 10.6.3, 4.1.3.4 |
Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
The -k option allows for the specification of a key in string form that can
be used for better reporting capability through ausearch and aureport.
Multiple system calls can be defined on the same line to save space if
desired, but is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules |
Rationale | Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited. |
|
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit clock_settime
oval:ssg-test_32bit_art_clock_settime_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_art_clock_settime_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit clock_settime
oval:ssg-test_64bit_art_clock_settime_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_art_clock_settime_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit clock_settime
oval:ssg-test_32bit_art_clock_settime_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_art_clock_settime_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit clock_settime
oval:ssg-test_64bit_art_clock_settime_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_art_clock_settime_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$ | 1 |
Record attempts to alter time through settimeofdayxccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday mediumCCE-83836-7
Record attempts to alter time through settimeofday
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_time_settimeofday:def:1 |
Time | 2023-11-27T20:52:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83836-7 References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b, 10.6.3, 4.1.3.4 |
Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
The -k option allows for the specification of a key in string form that can be
used for better reporting capability through ausearch and aureport. Multiple
system calls can be defined on the same line to save space if desired, but is
not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules |
Rationale | Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited. |
|
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit settimeofday
oval:ssg-test_32bit_art_settimeofday_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_art_settimeofday_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit settimeofday
oval:ssg-test_64bit_art_settimeofday_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_art_settimeofday_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit settimeofday
oval:ssg-test_32bit_art_settimeofday_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_art_settimeofday_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit settimeofday
oval:ssg-test_64bit_art_settimeofday_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_art_settimeofday_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Attempts to Alter Time Through stimexccdf_org.ssgproject.content_rule_audit_rules_time_stime mediumCCE-83835-9
Record Attempts to Alter Time Through stime
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_time_stime |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_time_stime:def:1 |
Time | 2023-11-27T20:52:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83835-9 References:
BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b, 10.6.3, 4.1.3.4 |
Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d for both 32 bit and 64 bit systems:
-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
Since the 64 bit version of the "stime" system call is not defined in the audit
lookup table, the corresponding "-F arch=b64" form of this rule is not expected
to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule
form itself is sufficient for both 32 bit and 64 bit systems). If the
auditd daemon is configured to use the auditctl utility to
read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file for both 32 bit and 64 bit systems:
-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
Since the 64 bit version of the "stime" system call is not defined in the audit
lookup table, the corresponding "-F arch=b64" form of this rule is not expected
to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule
form itself is sufficient for both 32 bit and 64 bit systems). The -k option
allows for the specification of a key in string form that can be used for
better reporting capability through ausearch and aureport. Multiple system
calls can be defined on the same line to save space if desired, but is not
required. See an example of multiple combined system calls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules |
Rationale | Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited. |
|
|
|
OVAL test results details
32 bit architecture
oval:ssg-test_system_info_architecture_x86:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit stime
oval:ssg-test_32bit_art_stime_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_art_stime_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+stime[\s]+|([\s]+|[,])stime([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit stime
oval:ssg-test_32bit_art_stime_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_art_stime_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+stime[\s]+|([\s]+|[,])stime([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Attempts to Alter the localtime Filexccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime mediumCCE-83839-1
Record Attempts to Alter the localtime File
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_time_watch_localtime:def:1 |
Time | 2023-11-27T20:52:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83839-1 References:
BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b, 10.6.3, 10.6.3, 4.1.3.4 |
Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default),
add the following line to a file with suffix .rules in the directory
/etc/audit/rules.d :
-w /etc/localtime -p wa -k audit_time_rules
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-w /etc/localtime -p wa -k audit_time_rules
The -k option allows for the specification of a key in string form that can
be used for better reporting capability through ausearch and aureport and
should always be used. |
Rationale | Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited. |
|
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit /etc/localtime watch augenrules
oval:ssg-test_artw_etc_localtime_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_artw_etc_localtime_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-w[\s]+\/etc\/localtime[\s]+-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit /etc/localtime watch auditctl
oval:ssg-test_artw_etc_localtime_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_artw_etc_localtime_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-w[\s]+\/etc\/localtime[\s]+-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
Make the auditd Configuration Immutablexccdf_org.ssgproject.content_rule_audit_rules_immutable mediumCCE-83716-1
Make the auditd Configuration Immutable
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_immutable |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_immutable:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83716-1 References:
BP28(R73), 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.4.3, CCI-000162, CCI-000163, CCI-000164, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.310(a)(2)(iv), 164.312(d), 164.310(d)(2)(iii), 164.312(b), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.2, 10.3.2, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, 4.1.3.20 |
Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d in order to make the auditd configuration
immutable:
-e 2
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file in order to make the auditd configuration
immutable:
-e 2
With this setting, a reboot will be required to change any audit rules. |
Rationale | Making the audit configuration immutable prevents accidental as
well as malicious modification of the audit rules, although it may be
problematic if legitimate changes are needed during system
operation. |
|
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules configuration locked
oval:ssg-test_ari_locked_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_ari_locked_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^\-e\s+2\s*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl configuration locked
oval:ssg-test_ari_locked_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_ari_locked_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^\-e\s+2\s*$ | 1 |
Record Events that Modify the System's Mandatory Access Controlsxccdf_org.ssgproject.content_rule_audit_rules_mac_modification mediumCCE-83721-1
Record Events that Modify the System's Mandatory Access Controls
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_mac_modification |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_mac_modification:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83721-1 References:
BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.8, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, 4.1.3.14 |
Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d :
-w /etc/selinux/ -p wa -k MAC-policy
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-w /etc/selinux/ -p wa -k MAC-policy |
Rationale | The system's mandatory access policy (SELinux) should not be
arbitrarily changed by anything other than administrator action. All changes to
MAC policy should be audited. |
|
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit selinux changes augenrules
oval:ssg-test_armm_selinux_watch_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_armm_selinux_watch_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+/etc/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit selinux changes auditctl
oval:ssg-test_armm_selinux_watch_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_armm_selinux_watch_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^\-w[\s]+/etc/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
Record Events that Modify the System's Mandatory Access Controls in usr/sharexccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share mediumCCE-86343-1
Record Events that Modify the System's Mandatory Access Controls in usr/share
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_mac_modification_usr_share:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86343-1 References:
APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.8, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 4.1.3.14 |
Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d :
-w /usr/share/selinux/ -p wa -k MAC-policy
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-w /usr/share/selinux/ -p wa -k MAC-policy |
Rationale | The system's mandatory access policy (SELinux) should not be
arbitrarily changed by anything other than administrator action. All changes to
MAC policy should be audited. |
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit selinux changes augenrules in usr/share
oval:ssg-test_armm_selinux_watch_augenrules_usr_share:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_armm_selinux_watch_augenrules_usr_share:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+/usr/share/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit selinux changes auditctl in usr/share
oval:ssg-test_armm_selinux_watch_auditctl_usr_share:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_armm_selinux_watch_auditctl_usr_share:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^\-w[\s]+/usr/share/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
Ensure auditd Collects Information on Exporting to Media (successful)xccdf_org.ssgproject.content_rule_audit_rules_media_export mediumCCE-83735-1
Ensure auditd Collects Information on Exporting to Media (successful)
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_media_export |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_media_export:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83735-1 References:
BP28(R73), A.3.SEC-RHEL10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, 4.1.3.10 |
Description | At a minimum, the audit system should collect media exportation
events for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d , setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export |
Rationale | The unauthorized exportation of data to external media could result in an information leak
where classified information, Privacy Act information, and intellectual property could be lost. An audit
trail should be created each time a filesystem is mounted to help identify and guard against information
loss. |
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit mount
oval:ssg-test_32bit_ardm_mount_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_mount_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit mount
oval:ssg-test_64bit_ardm_mount_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_mount_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit mount
oval:ssg-test_32bit_ardm_mount_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_mount_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit mount
oval:ssg-test_64bit_ardm_mount_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_mount_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Network Environmentxccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification mediumCCE-83706-2
Record Events that Modify the System's Network Environment
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_networkconfig_modification:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83706-2 References:
BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.5.5, 10.3.4, 4.1.3.5 |
Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d , setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification |
Rationale | The network environment should not be modified by anything other
than administrator action. Any change to network parameters should be
audited. |
Remediation Shell script ⇲# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
OTHER_FILTERS=""
AUID_FILTERS=""
SYSCALL="sethostname setdomainname"
KEY="audit_rules_networkconfig_modification"
SYSCALL_GROUPING="sethostname setdomainname"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
unset syscall_a
unset syscall_grouping
unset syscall_string
unset syscall
unset file_to_edit
unset rule_to_edit
unset rule_syscalls_to_edit
unset other_string
unset auid_string
unset full_rule
# Load macro arguments into arrays
read -a syscall_a <<< $SYSCALL
read -a syscall_grouping <<< $SYSCALL_GROUPING
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
#
files_to_inspect=()
# If audit tool is 'augenrules', then check if the audit rule is defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
default_file="/etc/audit/rules.d/$KEY.rules"
# As other_filters may include paths, lets use a different delimiter for it
# The "F" script expression tells sed to print the filenames where the expressions matched
readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
if [ ${#files_to_inspect[@]} -eq "0" ]
then
file_to_inspect="/etc/audit/rules.d/$KEY.rules"
files_to_inspect=("$file_to_inspect")
if [ ! -e "$file_to_inspect" ]
then
touch "$file_to_inspect"
chmod 0640 "$file_to_inspect"
fi
fi
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
for audit_file in "${files_to_inspect[@]}"
do
# Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
# i.e, collect rules that match:
# * the action, list and arch, (2-nd argument)
# * the other filters, (3-rd argument)
# * the auid filters, (4-rd argument)
readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
candidate_rules=()
# Filter out rules that have more fields then required. This will remove rules more specific than the required scope
for s_rule in "${similar_rules[@]}"
do
# Strip all the options and fields we know of,
# than check if there was any field left over
extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
done
if [[ ${#syscall_a[@]} -ge 1 ]]
then
# Check if the syscall we want is present in any of the similar existing rules
for rule in "${candidate_rules[@]}"
do
rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
all_syscalls_found=0
for syscall in "${syscall_a[@]}"
do
grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
# A syscall was not found in the candidate rule
all_syscalls_found=1
}
done
if [[ $all_syscalls_found -eq 0 ]]
then
# We found a rule with all the syscall(s) we want; skip rest of macro
skip=0
break
fi
# Check if this rule can be grouped with our target syscall and keep track of it
for syscall_g in "${syscall_grouping[@]}"
do
if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
then
file_to_edit=${audit_file}
rule_to_edit=${rule}
rule_syscalls_to_edit=${rule_syscalls}
fi
done
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
fi
if [ "$skip" -eq 0 ]; then
break
fi
done
if [ "$skip" -ne 0 ]; then
# We checked all rules that matched the expected resemblance pattern (action, arch & auid)
# At this point we know if we need to either append the $full_rule or group
# the syscall together with an exsiting rule
# Append the full_rule if it cannot be grouped to any other rule
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
do
syscall_string+=" -S $syscall"
done
fi
other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
echo "$full_rule" >> "$default_file"
chmod o-rwx ${default_file}
else
# Check if the syscalls are declared as a comma separated list or
# as multiple -S parameters
if grep -q -- "," <<< "${rule_syscalls_to_edit}"
then
delimiter=","
else
delimiter=" -S "
fi
new_grouped_syscalls="${rule_syscalls_to_edit}"
for syscall in "${syscall_a[@]}"
do
grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
# A syscall was not found in the candidate rule
new_grouped_syscalls+="${delimiter}${syscall}"
}
done
# Group the syscall in the rule
sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
fi
fi
unset syscall_a
unset syscall_grouping
unset syscall_string
unset syscall
unset file_to_edit
unset rule_to_edit
unset rule_syscalls_to_edit
unset other_string
unset auid_string
unset full_rule
# Load macro arguments into arrays
read -a syscall_a <<< $SYSCALL
read -a syscall_grouping <<< $SYSCALL_GROUPING
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
#
files_to_inspect=()
# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# file to the list of files to be inspected
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
for audit_file in "${files_to_inspect[@]}"
do
# Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
# i.e, collect rules that match:
# * the action, list and arch, (2-nd argument)
# * the other filters, (3-rd argument)
# * the auid filters, (4-rd argument)
readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
candidate_rules=()
# Filter out rules that have more fields then required. This will remove rules more specific than the required scope
for s_rule in "${similar_rules[@]}"
do
# Strip all the options and fields we know of,
# than check if there was any field left over
extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
done
if [[ ${#syscall_a[@]} -ge 1 ]]
then
# Check if the syscall we want is present in any of the similar existing rules
for rule in "${candidate_rules[@]}"
do
rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
all_syscalls_found=0
for syscall in "${syscall_a[@]}"
do
grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
# A syscall was not found in the candidate rule
all_syscalls_found=1
}
done
if [[ $all_syscalls_found -eq 0 ]]
then
# We found a rule with all the syscall(s) we want; skip rest of macro
skip=0
break
fi
# Check if this rule can be grouped with our target syscall and keep track of it
for syscall_g in "${syscall_grouping[@]}"
do
if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
then
file_to_edit=${audit_file}
rule_to_edit=${rule}
rule_syscalls_to_edit=${rule_syscalls}
fi
done
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
fi
if [ "$skip" -eq 0 ]; then
break
fi
done
if [ "$skip" -ne 0 ]; then
# We checked all rules that matched the expected resemblance pattern (action, arch & auid)
# At this point we know if we need to either append the $full_rule or group
# the syscall together with an exsiting rule
# Append the full_rule if it cannot be grouped to any other rule
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
do
syscall_string+=" -S $syscall"
done
fi
other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
echo "$full_rule" >> "$default_file"
chmod o-rwx ${default_file}
else
# Check if the syscalls are declared as a comma separated list or
# as multiple -S parameters
if grep -q -- "," <<< "${rule_syscalls_to_edit}"
then
delimiter=","
else
delimiter=" -S "
fi
new_grouped_syscalls="${rule_syscalls_to_edit}"
for syscall in "${syscall_a[@]}"
do
grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
# A syscall was not found in the candidate rule
new_grouped_syscalls+="${delimiter}${syscall}"
}
done
# Group the syscall in the rule
sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
fi
fi
done
# Then perform the remediations for the watch rules
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
files_to_inspect=()
# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')
# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
if grep -q -P -- "^[\s]*-w[\s]+/etc/issue" "$audit_rules_file"
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
# Define BRE whitespace class shortcut
sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "wa" | grep -o .)
do
# For each from the required access bits (e.g. 'w', 'a') check
# if they are already present in current access bits for rule.
# If not, append that bit at the end
if ! grep -q "$access_bit" <<< "$current_access_bits"
then
# Concatenate the existing mask with the missing bit
current_access_bits="$current_access_bits$access_bit"
fi
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
sed -i "s#\($sp*-w$sp\+/etc/issue$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
echo "-w /etc/issue -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
files_to_inspect=()
# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/issue" /etc/audit/rules.d/*.rules)
# For each of the matched entries
for match in "${matches[@]}"
do
# Extract filepath from the match
rulesd_audit_file=$(echo $match | cut -f1 -d ':')
# Append that path into list of files for inspection
files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
# Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection
key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules"
# If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
chmod 0640 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
if grep -q -P -- "^[\s]*-w[\s]+/etc/issue" "$audit_rules_file"
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
# Define BRE whitespace class shortcut
sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "wa" | grep -o .)
do
# For each from the required access bits (e.g. 'w', 'a') check
# if they are already present in current access bits for rule.
# If not, append that bit at the end
if ! grep -q "$access_bit" <<< "$current_access_bits"
then
# Concatenate the existing mask with the missing bit
current_access_bits="$current_access_bits$access_bit"
fi
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
sed -i "s#\($sp*-w$sp\+/etc/issue$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
echo "-w /etc/issue -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
files_to_inspect=()
# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')
# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
if grep -q -P -- "^[\s]*-w[\s]+/etc/issue.net" "$audit_rules_file"
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
# Define BRE whitespace class shortcut
sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue.net $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "wa" | grep -o .)
do
# For each from the required access bits (e.g. 'w', 'a') check
# if they are already present in current access bits for rule.
# If not, append that bit at the end
if ! grep -q "$access_bit" <<< "$current_access_bits"
then
# Concatenate the existing mask with the missing bit
current_access_bits="$current_access_bits$access_bit"
fi
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
sed -i "s#\($sp*-w$sp\+/etc/issue.net$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
echo "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
files_to_inspect=()
# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/issue.net" /etc/audit/rules.d/*.rules)
# For each of the matched entries
for match in "${matches[@]}"
do
# Extract filepath from the match
rulesd_audit_file=$(echo $match | cut -f1 -d ':')
# Append that path into list of files for inspection
files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
# Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection
key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules"
# If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
chmod 0640 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
if grep -q -P -- "^[\s]*-w[\s]+/etc/issue.net" "$audit_rules_file"
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
# Define BRE whitespace class shortcut
sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue.net $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "wa" | grep -o .)
do
# For each from the required access bits (e.g. 'w', 'a') check
# if they are already present in current access bits for rule.
# If not, append that bit at the end
if ! grep -q "$access_bit" <<< "$current_access_bits"
then
# Concatenate the existing mask with the missing bit
current_access_bits="$current_access_bits$access_bit"
fi
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
sed -i "s#\($sp*-w$sp\+/etc/issue.net$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
echo "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
files_to_inspect=()
# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')
# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
if grep -q -P -- "^[\s]*-w[\s]+/etc/hosts" "$audit_rules_file"
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
# Define BRE whitespace class shortcut
sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/hosts $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "wa" | grep -o .)
do
# For each from the required access bits (e.g. 'w', 'a') check
# if they are already present in current access bits for rule.
# If not, append that bit at the end
if ! grep -q "$access_bit" <<< "$current_access_bits"
then
# Concatenate the existing mask with the missing bit
current_access_bits="$current_access_bits$access_bit"
fi
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
sed -i "s#\($sp*-w$sp\+/etc/hosts$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
echo "-w /etc/hosts -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
files_to_inspect=()
# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/hosts" /etc/audit/rules.d/*.rules)
# For each of the matched entries
for match in "${matches[@]}"
do
# Extract filepath from the match
rulesd_audit_file=$(echo $match | cut -f1 -d ':')
# Append that path into list of files for inspection
files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
# Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection
key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules"
# If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
chmod 0640 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
if grep -q -P -- "^[\s]*-w[\s]+/etc/hosts" "$audit_rules_file"
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
# Define BRE whitespace class shortcut
sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/hosts $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "wa" | grep -o .)
do
# For each from the required access bits (e.g. 'w', 'a') check
# if they are already present in current access bits for rule.
# If not, append that bit at the end
if ! grep -q "$access_bit" <<< "$current_access_bits"
then
# Concatenate the existing mask with the missing bit
current_access_bits="$current_access_bits$access_bit"
fi
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
sed -i "s#\($sp*-w$sp\+/etc/hosts$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
echo "-w /etc/hosts -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
files_to_inspect=()
# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')
# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
if grep -q -P -- "^[\s]*-w[\s]+/etc/sysconfig/network" "$audit_rules_file"
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
# Define BRE whitespace class shortcut
sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "wa" | grep -o .)
do
# For each from the required access bits (e.g. 'w', 'a') check
# if they are already present in current access bits for rule.
# If not, append that bit at the end
if ! grep -q "$access_bit" <<< "$current_access_bits"
then
# Concatenate the existing mask with the missing bit
current_access_bits="$current_access_bits$access_bit"
fi
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
sed -i "s#\($sp*-w$sp\+/etc/sysconfig/network$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
echo "-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
files_to_inspect=()
# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sysconfig/network" /etc/audit/rules.d/*.rules)
# For each of the matched entries
for match in "${matches[@]}"
do
# Extract filepath from the match
rulesd_audit_file=$(echo $match | cut -f1 -d ':')
# Append that path into list of files for inspection
files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
# Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection
key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules"
# If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
chmod 0640 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
if grep -q -P -- "^[\s]*-w[\s]+/etc/sysconfig/network" "$audit_rules_file"
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
# Define BRE whitespace class shortcut
sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "wa" | grep -o .)
do
# For each from the required access bits (e.g. 'w', 'a') check
# if they are already present in current access bits for rule.
# If not, append that bit at the end
if ! grep -q "$access_bit" <<< "$current_access_bits"
then
# Concatenate the existing mask with the missing bit
current_access_bits="$current_access_bits$access_bit"
fi
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
sed -i "s#\($sp*-w$sp\+/etc/sysconfig/network$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
echo "-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
fi
done
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Remediation Ansible snippet ⇲Complexity: | low |
---|
Disruption: | low |
---|
Reboot: | false |
---|
Strategy: | restrict |
---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set architecture for audit tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Remediate audit rules for network configuration for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- sethostname
- setdomainname
syscall_grouping:
- sethostname
- setdomainname
- name: Check existence of sethostname, setdomainname in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
set_fact: audit_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- sethostname
- setdomainname
syscall_grouping:
- sethostname
- setdomainname
- name: Check existence of sethostname, setdomainname in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Remediate audit rules for network configuration for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- sethostname
- setdomainname
syscall_grouping:
- sethostname
- setdomainname
- name: Check existence of sethostname, setdomainname in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
set_fact: audit_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- sethostname
- setdomainname
syscall_grouping:
- sethostname
- setdomainname
- name: Check existence of sethostname, setdomainname in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check if watch rule for /etc/issue already exists in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification
find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$
patterns: '*.rules'
register: find_watch_key
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the
recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Add watch rule for /etc/issue in /etc/audit/rules.d/
lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification
create: true
mode: '0640'
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check if watch rule for /etc/issue already exists in /etc/audit/audit.rules
find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Add watch rule for /etc/issue in /etc/audit/audit.rules
lineinfile:
line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0640'
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check if watch rule for /etc/issue.net already exists in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification
find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$
patterns: '*.rules'
register: find_watch_key
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the
recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Add watch rule for /etc/issue.net in /etc/audit/rules.d/
lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
create: true
mode: '0640'
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check if watch rule for /etc/issue.net already exists in /etc/audit/audit.rules
find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Add watch rule for /etc/issue.net in /etc/audit/audit.rules
lineinfile:
line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0640'
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check if watch rule for /etc/hosts already exists in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification
find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$
patterns: '*.rules'
register: find_watch_key
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the
recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Add watch rule for /etc/hosts in /etc/audit/rules.d/
lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification
create: true
mode: '0640'
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check if watch rule for /etc/hosts already exists in /etc/audit/audit.rules
find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Add watch rule for /etc/hosts in /etc/audit/audit.rules
lineinfile:
line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0640'
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check if watch rule for /etc/sysconfig/network already exists in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification
find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$
patterns: '*.rules'
register: find_watch_key
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the
recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Add watch rule for /etc/sysconfig/network in /etc/audit/rules.d/
lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
create: true
mode: '0640'
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check if watch rule for /etc/sysconfig/network already exists in /etc/audit/audit.rules
find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Add watch rule for /etc/sysconfig/network in /etc/audit/audit.rules
lineinfile:
line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0640'
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit /etc/issue augenrules
oval:ssg-test_arnm_etc_issue_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arnm_etc_issue_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit /etc/issue.net augenrules
oval:ssg-test_arnm_etc_issue_net_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arnm_etc_issue_net_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit /etc/hosts augenrules
oval:ssg-test_arnm_etc_hosts_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arnm_etc_hosts_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit /etc/sysconfig/network augenrules
oval:ssg-test_arnm_etc_sysconfig_network_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arnm_etc_sysconfig_network_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+/etc/sysconfig/network[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit sethostname
oval:ssg-test_32bit_ardm_sethostname_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_sethostname_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit sethostname
oval:ssg-test_64bit_ardm_sethostname_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_sethostname_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit sethostname
oval:ssg-test_32bit_ardm_sethostname_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_sethostname_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit sethostname
oval:ssg-test_64bit_ardm_sethostname_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_sethostname_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit setdomainname
oval:ssg-test_32bit_ardm_setdomainname_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setdomainname_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit setdomainname
oval:ssg-test_64bit_ardm_setdomainname_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setdomainname_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit setdomainname
oval:ssg-test_32bit_ardm_setdomainname_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setdomainname_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit setdomainname
oval:ssg-test_64bit_ardm_setdomainname_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setdomainname_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit /etc/issue auditctl
oval:ssg-test_arnm_etc_issue_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arnm_etc_issue_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit /etc/issue.net auditctl
oval:ssg-test_arnm_etc_issue_net_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arnm_etc_issue_net_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit /etc/hosts auditctl
oval:ssg-test_arnm_etc_hosts_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arnm_etc_hosts_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit /etc/sysconfig/network auditctl
oval:ssg-test_arnm_etc_sysconfig_network_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arnm_etc_sysconfig_network_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^\-w[\s]+/etc/sysconfig/network[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit sethostname
oval:ssg-test_32bit_ardm_sethostname_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_sethostname_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit sethostname
oval:ssg-test_64bit_ardm_sethostname_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_sethostname_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit sethostname
oval:ssg-test_32bit_ardm_sethostname_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_sethostname_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit sethostname
oval:ssg-test_64bit_ardm_sethostname_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_sethostname_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit setdomainname
oval:ssg-test_32bit_ardm_setdomainname_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setdomainname_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit augenrules 64-bit setdomainname
oval:ssg-test_64bit_ardm_setdomainname_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setdomainname_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit setdomainname
oval:ssg-test_32bit_ardm_setdomainname_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setdomainname_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
Machine class | Node name | Os name | Os release | Os version | Processor type |
---|
x86_64 | rhel9.rock.lab | Linux | 5.14.0-284.18.1.el9_2.x86_64 | #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 | x86_64 |
audit auditctl 64-bit setdomainname
oval:ssg-test_64bit_ardm_setdomainname_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setdomainname_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Attempts to Alter Process and Session Initiation Informationxccdf_org.ssgproject.content_rule_audit_rules_session_events mediumCCE-83713-8
Record Attempts to Alter Process and Session Initiation Information
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_session_events |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_session_events:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83713-8 References:
BP28(R73), A.3.SEC-RHEL1, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, 0582, 0584, 05885, 0586, 0846, 0957, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.3, 10.2.1.3, 4.1.3.11 |
Description | The audit system already collects process information for all
users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing such process information:
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for attempted manual
edits of files involved in storing such process information:
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session |
Rationale | Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion. |
|
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules utmp
oval:ssg-test_arse_utmp_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arse_utmp_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^\-w\s+/var/run/utmp\s+\-p\s+wa\b.*$ | 1 |
audit augenrules btmp
oval:ssg-test_arse_btmp_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arse_btmp_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^\-w\s+/var/log/btmp\s+\-p\s+wa\b.*$ | 1 |
audit augenrules wtmp
oval:ssg-test_arse_wtmp_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arse_wtmp_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^\-w\s+/var/log/wtmp\s+\-p\s+wa\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl utmp
oval:ssg-test_arse_utmp_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arse_utmp_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^\-w\s+/var/run/utmp\s+\-p\s+wa\b.*$ | 1 |
audit auditctl btmp
oval:ssg-test_arse_btmp_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arse_btmp_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^\-w\s+/var/log/btmp\s+\-p\s+wa\b.*$ | 1 |
audit auditctl wtmp
oval:ssg-test_arse_wtmp_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arse_wtmp_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^\-w\s+/var/log/wtmp\s+\-p\s+wa\b.*$ | 1 |
Record Events When Executables Are Run As Another Userxccdf_org.ssgproject.content_rule_audit_rules_suid_auid_privilege_function mediumCCE-86368-8
Record Events When Executables Are Run As Another User
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_suid_auid_privilege_function |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_suid_auid_privilege_function:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86368-8 References:
4.1.3.2 |
Description | Verify the system generates an audit record when actions are run as another user.
sudo provides users with temporary elevated privileges to perform operations, either as the superuser or another user.
If audit is using the "auditctl" tool to load the rules, run the following command:
$ sudo grep execve /etc/audit/audit.rules
If audit is using the "augenrules" tool to load the rules, run the following command:
$ sudo grep -r execve /etc/audit/rules.d
-a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation
-a always,exit -F arch=b64 S execve -C euid!=uid -F auid!=unset -k user_emulation
If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding. |
Rationale | Creating an audit log of users with temporary elevated privileges and the
operation(s) they performed is essential to reporting. Administrators will
want to correlate the events written to the audit trail with the records
written to sudo's logfile to verify if unauthorized commands have
been executed.
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have
compromised information system accounts, is a serious and ongoing concern
and can have significant adverse impacts on organizations. Auditing the use
of privileged functions is one way to detect such misuse and identify the
risk from insider threats and the advanced persistent threat. |
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. |
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit uid privileged function
oval:ssg-test_32bit_uid_auid_privileged_function_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_uid_auid_privileged_function_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+euid!=uid[\s]+-F[\s]+auid!=unset[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit uid privileged function
oval:ssg-test_64bit_uid_auid_privileged_function_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_uid_auid_privileged_function_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+euid!=uid[\s]+-F[\s]+auid!=unset[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit uid privileged function
oval:ssg-test_32bit_uid_auid_privileged_function_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_uid_auid_privileged_function_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+euid!=uid[\s]+-F[\s]+auid!=unset[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit uid privileged_function
oval:ssg-test_64bit_uid_auid_privileged_function_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_uid_auid_privileged_function_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+euid!=uid[\s]+-F[\s]+auid!=unset[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects System Administrator Actionsxccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions mediumCCE-83729-4
Ensure auditd Collects System Administrator Actions
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_sysadmin_actions:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83729-4 References:
BP28(R73), A.3.SEC-RHEL7, 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-2(7)(b), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.2, Req-10.2.5.b, 10.2.1.5, 10.2.2, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-APP-000026-CTR-000070, SRG-APP-000027-CTR-000075, SRG-APP-000028-CTR-000080, SRG-APP-000291-CTR-000675, SRG-APP-000292-CTR-000680, SRG-APP-000293-CTR-000685, SRG-APP-000294-CTR-000690, SRG-APP-000319-CTR-000745, SRG-APP-000320-CTR-000750, SRG-APP-000509-CTR-001305, 4.1.3.1 |
Description | At a minimum, the audit system should collect administrator actions
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default),
add the following line to a file with suffix .rules in the directory
/etc/audit/rules.d :
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions |
Rationale | The actions taken by system administrators should be audited to keep a record
of what was executed on the system, as well as, for accountability purposes. |
|
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules sudoers
oval:ssg-test_audit_rules_sysadmin_actions_sudoers_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_sysadmin_actions_sudoers_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit augenrules sudoers
oval:ssg-test_audit_rules_sysadmin_actions_sudoers_d_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_sysadmin_actions_sudoers_d_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl sudoers
oval:ssg-test_audit_rules_sysadmin_actions_sudoers_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_sysadmin_actions_sudoers_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl sudoers
oval:ssg-test_audit_rules_sysadmin_actions_sudoers_d_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_sysadmin_actions_sudoers_d_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
Record Events that Modify User/Group Information - /etc/groupxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group mediumCCE-83722-9
Record Events that Modify User/Group Information - /etc/group
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_usergroup_modification_group:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83722-9 References:
BP28(R73), A.3.SEC-RHEL7, 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, 10.2.1.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, 4.1.3.8 |
Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d , in order to capture events that modify
account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification |
Rationale | In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy. |
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules group
oval:ssg-test_audit_rules_usergroup_modification_group_augen:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_group_augen:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+\/etc\/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit group
oval:ssg-test_audit_rules_usergroup_modification_group_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_group_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^\-w[\s]+\/etc\/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
Record Events that Modify User/Group Information - /etc/gshadowxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow mediumCCE-83723-7
Record Events that Modify User/Group Information - /etc/gshadow
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_usergroup_modification_gshadow:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83723-7 References:
BP28(R73), A.3.SEC-RHEL7, 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, 10.2.1.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, 4.1.3.8 |
Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d , in order to capture events that modify
account changes:
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification |
Rationale | In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy. |
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules gshadow
oval:ssg-test_audit_rules_usergroup_modification_gshadow_augen:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_gshadow_augen:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+\/etc\/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit gshadow
oval:ssg-test_audit_rules_usergroup_modification_gshadow_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_gshadow_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^\-w[\s]+\/etc\/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
Record Events that Modify User/Group Information - /etc/security/opasswdxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd mediumCCE-83712-0
Record Events that Modify User/Group Information - /etc/security/opasswd
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_usergroup_modification_opasswd:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83712-0 References:
BP28(R73), A.3.SEC-RHEL7, 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, 10.2.1.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, 4.1.3.8 |
Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d , in order to capture events that modify
account changes:
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification |
Rationale | In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy. |
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules opasswd
oval:ssg-test_audit_rules_usergroup_modification_opasswd_augen:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_opasswd_augen:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+\/etc\/security\/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit opasswd
oval:ssg-test_audit_rules_usergroup_modification_opasswd_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_opasswd_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^\-w[\s]+\/etc\/security\/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
Record Events that Modify User/Group Information - /etc/passwdxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd mediumCCE-83714-6
Record Events that Modify User/Group Information - /etc/passwd
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_usergroup_modification_passwd:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83714-6 References:
BP28(R73), A.3.SEC-RHEL7, 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, 10.2.1.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107, 4.1.3.8 |
Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d , in order to capture events that modify
account changes:
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/passwd -p wa -k audit_rules_usergroup_modification |
Rationale | In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy. |
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules passwd
oval:ssg-test_audit_rules_usergroup_modification_passwd_augen:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_passwd_augen:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+\/etc\/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit passwd
oval:ssg-test_audit_rules_usergroup_modification_passwd_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_passwd_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^\-w[\s]+\/etc\/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
Record Events that Modify User/Group Information - /etc/shadowxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow mediumCCE-83725-2
Record Events that Modify User/Group Information - /etc/shadow
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_usergroup_modification_shadow:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83725-2 References:
BP28(R73), A.3.SEC-RHEL7, 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, 10.2.1.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, 4.1.3.8 |
Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d , in order to capture events that modify
account changes:
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/shadow -p wa -k audit_rules_usergroup_modification |
Rationale | In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy. |
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules shadow
oval:ssg-test_audit_rules_usergroup_modification_shadow_augen:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_shadow_augen:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+\/etc\/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit shadow
oval:ssg-test_audit_rules_usergroup_modification_shadow_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_shadow_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^\-w[\s]+\/etc\/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
Record Attempts to perform maintenance activitiesxccdf_org.ssgproject.content_rule_audit_sudo_log_events mediumCCE-86433-0
Record Attempts to perform maintenance activities
Rule ID | xccdf_org.ssgproject.content_rule_audit_sudo_log_events |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_sudo_log_events:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86433-0 References:
A.3.SEC-RHEL7, CCI-000172, CCI-002884, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 4.1.3.3 |
Description | The Red Hat Enterprise Linux 9 operating system must generate audit records for
privileged activities, nonlocal maintenance, diagnostic sessions and
other system-level access.
Verify the operating system audits activities performed during nonlocal
maintenance and diagnostic sessions. Run the following command:
$ sudo auditctl -l | grep sudo.log
-w /var/log/sudo.log -p wa -k maintenance |
Rationale | If events associated with nonlocal administrative access or diagnostic
sessions are not logged, a major tool for assessing and investigating
attacks would not be available.
This requirement addresses auditing-related issues associated with
maintenance tools used specifically for diagnostic and repair actions
on organizational information systems.
Nonlocal maintenance and diagnostic activities are those activities
conducted by individuals communicating through a network, either an
external network (e.g., the internet) or an internal network. Local
maintenance and diagnostic activities are those activities carried
out by individuals physically present at the information system or
information system component and not communicating across a network
connection.
This requirement applies to hardware/software diagnostic test
equipment or tools. This requirement does not cover hardware/software
components that may support information system maintenance, yet are a
part of the system, for example, the software implementing "ping,"
"ls," "ipconfig," or the hardware and software implementing the
monitoring port of an Ethernet switch. |
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules sudo_log
oval:ssg-test_arle_sudo_log_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arle_sudo_log_augenrules:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+\/var\/log\/sudo.log[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl sudo_log
oval:ssg-test_arle_sudo_log_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arle_sudo_log_auditctl:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/audit/audit.rules | ^\-w[\s]+\/var\/log\/sudo.log[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
System Audit Logs Must Have Mode 0750 or Less Permissivexccdf_org.ssgproject.content_rule_directory_permissions_var_log_audit mediumCCE-83734-4
System Audit Logs Must Have Mode 0750 or Less Permissive
Rule ID | xccdf_org.ssgproject.content_rule_directory_permissions_var_log_audit |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-directory_permissions_var_log_audit:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83734-4 References:
A.3.SEC-RHEL2, 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, CCI-000162, CCI-000163, CCI-000164, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CIP-007-3 R6.5, CM-6(a), AC-6(1), AU-9, DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, 4.1.4.4 |
Description |
If log_group in /etc/audit/auditd.conf is set to a group other than the root
group account, change the mode of the audit log files with the following command:
$ sudo chmod 0750 /var/log/audit
Otherwise, change the mode of the audit log files with the following command:
$ sudo chmod 0700 /var/log/audit |
Rationale | If users can write to audit logs, audit trails can be modified or destroyed. |
OVAL test results details
log_file not set
oval:ssg-test_auditd_conf_log_file_not_set:tst:1
false
Following items have been found on the system:
Path | Content |
---|
/etc/audit/auditd.conf | log_file = /var/log/audit/audit.log |
log_group = root
oval:ssg-test_auditd_conf_log_group_not_root:tst:1
false
Following items have been found on the system:
Path | Content |
---|
/etc/audit/auditd.conf | log_group = root |
log_group is set
oval:ssg-test_auditd_conf_log_group_is_set:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/audit/auditd.conf | log_group = root |
/var/log/audit files mode 0750
oval:ssg-test_dir_permissions_audit_log-non_root:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_log_directory-non_root:obj:1 of type
file_object
Behaviors | Path | Filename | Filter |
---|
/var/log/audit/audit.log | /var/log/audit |
| no value | no value | oval:ssg-state_not_mode_0750:ste:1 |
/var/log/audit mode 0700
oval:ssg-test_dir_permissions_audit_log:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_log_directory:obj:1 of type
file_object
Behaviors | Path | Filename | Filter |
---|
/var/log/audit/audit.log | /var/log/audit |
| no value | no value | oval:ssg-state_not_mode_0700:ste:1 |
/var/log/audit mode 0700
oval:ssg-test_dir_permissions_var_log_audit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_var_log_audit_directory:obj:1 of type
file_object
Behaviors | Path | Filename | Filter |
---|
no value | /var/log/audit | no value | oval:ssg-state_not_mode_0700:ste:1 |
log_group = root
oval:ssg-test_auditd_conf_log_group_not_root:tst:1
false
Following items have been found on the system:
Path | Content |
---|
/etc/audit/auditd.conf | log_group = root |
log_group is set
oval:ssg-test_auditd_conf_log_group_is_set:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/audit/auditd.conf | log_group = root |
/var/log/audit files mode 0750
oval:ssg-test_dir_permissions_var_log_audit-non_root:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_var_log_audit_directory-non_root:obj:1 of type
file_object
Behaviors | Path | Filename | Filter |
---|
no value | /var/log/audit | no value | oval:ssg-state_not_mode_0750:ste:1 |
System Audit Logs Must Be Group Owned By Rootxccdf_org.ssgproject.content_rule_file_group_ownership_var_log_audit mediumCCE-89603-5
System Audit Logs Must Be Group Owned By Root
Rule ID | xccdf_org.ssgproject.content_rule_file_group_ownership_var_log_audit |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_group_ownership_var_log_audit:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-89603-5 References:
A.3.SEC-RHEL2, 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.1, CCI-000162, CCI-000163, CCI-000164, CCI-001314, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), AU-9(4), DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.1, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084, 4.1.4.3 |
Description | All audit logs must be group owned by root user. The path for audit log can
be configured via log_file parameter in /etc/audit/auditd.conf
or, by default, the path for audit log is /var/log/audit/ .
To properly set the group owner of /var/log/audit/* , run the command:
$ sudo chgrp root /var/log/audit/*
If log_group in /etc/audit/auditd.conf is set to a group other
than the root group account, change the group ownership of the audit logs
to this specific group. |
Rationale | Unauthorized disclosure of audit records can reveal system and configuration data to
attackers, thus compromising its confidentiality. |
OVAL test results details
log_file not set
oval:ssg-test_auditd_conf_log_file_not_set:tst:1
false
Following items have been found on the system:
Path | Content |
---|
/etc/audit/auditd.conf | log_file = /var/log/audit/audit.log |
audit log files gid root
oval:ssg-test_group_ownership_audit_log_files:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_group_ownership_audit_log_files:obj:1 of type
file_object
Filepath | Filter |
---|
/var/log/audit/audit.log | oval:ssg-state_group_owner_not_root_var_log_audit:ste:1 |
log_group = root
oval:ssg-test_auditd_conf_log_group_not_root:tst:1
false
Following items have been found on the system:
Path | Content |
---|
/etc/audit/auditd.conf | log_group = root |
log_group is set
oval:ssg-test_auditd_conf_log_group_is_set:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/audit/auditd.conf | log_group = root |
log_file not set
oval:ssg-test_auditd_conf_log_file_not_set:tst:1
false
Following items have been found on the system:
Path | Content |
---|
/etc/audit/auditd.conf | log_file = /var/log/audit/audit.log |
audit log files gid root
oval:ssg-test_group_ownership_default_audit_log_files:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_group_ownership_default_audit_log_files:obj:1 of type
file_object
Filepath | Filter |
---|
/var/log/audit/audit.log | oval:ssg-state_group_owner_not_root_var_log_audit:ste:1 |
log_group = root
oval:ssg-test_auditd_conf_log_group_not_root:tst:1
false
Following items have been found on the system:
Path | Content |
---|
/etc/audit/auditd.conf | log_group = root |
log_group is set
oval:ssg-test_auditd_conf_log_group_is_set:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/audit/auditd.conf | log_group = root |
Audit Configuration Files Must Be Owned By Group rootxccdf_org.ssgproject.content_rule_file_groupownership_audit_configuration mediumCCE-86446-2
Audit Configuration Files Must Be Owned By Group root
Rule ID | xccdf_org.ssgproject.content_rule_file_groupownership_audit_configuration |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupownership_audit_configuration:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86446-2 References:
A.3.SEC-RHEL4, CCI-000171, SRG-OS-000063-GPOS-00032, 4.1.4.7 |
Description | All audit configuration files must be owned by group root.
chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* |
Rationale | Without the capability to restrict which roles and individuals can
select which events are audited, unauthorized personnel may be able
to prevent the auditing of critical events.
Misconfigured audits may degrade the system's performance by
overwhelming the audit log. Misconfigured audits may also make it more
difficult to establish, correlate, and investigate the events relating
to an incident or identify those responsible for one. |
OVAL test results details
Testing group ownership of /etc/audit/
oval:ssg-test_file_groupownership_audit_configuration_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownership_audit_configuration_0:obj:1 of type
file_object
Path | Filename | Filter | Filter |
---|
/etc/audit | ^audit(\.rules|d\.conf)$ | oval:ssg-symlink_file_groupownership_audit_configuration_uid_0:ste:1 | oval:ssg-state_file_groupownership_audit_configuration_gid_0_0:ste:1 |
Testing group ownership of /etc/audit/rules.d/
oval:ssg-test_file_groupownership_audit_configuration_1:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownership_audit_configuration_1:obj:1 of type
file_object
Path | Filename | Filter | Filter |
---|
/etc/audit/rules.d | ^.*\.rules$ | oval:ssg-symlink_file_groupownership_audit_configuration_uid_0:ste:1 | oval:ssg-state_file_groupownership_audit_configuration_gid_0_1:ste:1 |
Audit Configuration Files Must Be Owned By Rootxccdf_org.ssgproject.content_rule_file_ownership_audit_configuration mediumCCE-86445-4
Audit Configuration Files Must Be Owned By Root
Rule ID | xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_ownership_audit_configuration:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86445-4 References:
A.3.SEC-RHEL4, CCI-000171, SRG-OS-000063-GPOS-00032, 4.1.4.6 |
Description | All audit configuration files must be owned by root user.
To properly set the owner of /etc/audit/ , run the command:
$ sudo chown root /etc/audit/
To properly set the owner of /etc/audit/rules.d/ , run the command:
$ sudo chown root /etc/audit/rules.d/ |
Rationale | Without the capability to restrict which roles and individuals can
select which events are audited, unauthorized personnel may be able
to prevent the auditing of critical events.
Misconfigured audits may degrade the system's performance by
overwhelming the audit log. Misconfigured audits may also make it more
difficult to establish, correlate, and investigate the events relating
to an incident or identify those responsible for one. |
OVAL test results details
Testing user ownership of /etc/audit/
oval:ssg-test_file_ownership_audit_configuration_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_audit_configuration_0:obj:1 of type
file_object
Path | Filename | Filter | Filter |
---|
/etc/audit | ^audit(\.rules|d\.conf)$ | oval:ssg-symlink_file_ownership_audit_configuration_uid_0:ste:1 | oval:ssg-state_file_ownership_audit_configuration_uid_0_0:ste:1 |
Testing user ownership of /etc/audit/rules.d/
oval:ssg-test_file_ownership_audit_configuration_1:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_audit_configuration_1:obj:1 of type
file_object
Path | Filename | Filter | Filter |
---|
/etc/audit/rules.d | ^.*\.rules$ | oval:ssg-symlink_file_ownership_audit_configuration_uid_0:ste:1 | oval:ssg-state_file_ownership_audit_configuration_uid_0_1:ste:1 |
System Audit Logs Must Be Owned By Rootxccdf_org.ssgproject.content_rule_file_ownership_var_log_audit_stig mediumCCE-89952-6
System Audit Logs Must Be Owned By Root
Rule ID | xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit_stig |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_ownership_var_log_audit_stig:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-89952-6 References:
1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.1, CCI-000162, CCI-000163, CCI-000164, CCI-001314, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), AU-9(4), DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.1, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084, 4.1.4.2 |
Description | All audit logs must be owned by root user. The path for audit log can be
configured via log_file parameter in /etc/audit/auditd.conf
or by default, the path for audit log is /var/log/audit/ .
To properly set the owner of /var/log/audit/* , run the command:
$ sudo chown root /var/log/audit/* |
Rationale | Unauthorized disclosure of audit records can reveal system and configuration data to
attackers, thus compromising its confidentiality. |
OVAL test results details
log_file not set
oval:ssg-test_auditd_conf_log_file_not_set:tst:1
false
Following items have been found on the system:
Path | Content |
---|
/etc/audit/auditd.conf | log_file = /var/log/audit/audit.log |
audit log files uid root
oval:ssg-test_user_ownership_audit_log_files:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_user_ownership_audit_log_files:obj:1 of type
file_object
Filepath | Filter |
---|
/var/log/audit/audit.log | oval:ssg-state_owner_not_root_var_log_audit:ste:1 |
/var/log/audit files uid root
oval:ssg-test_user_ownership_var_log_audit_files:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_user_ownership_var_log_audit_files:obj:1 of type
file_object
Behaviors | Path | Filename | Filter |
---|
no value | /var/log/audit | ^.*$ | oval:ssg-state_owner_not_root_var_log_audit:ste:1 |
Audit Configuration Files Permissions are 640 or More Restrictivexccdf_org.ssgproject.content_rule_file_permissions_audit_configuration mediumCCE-88002-1
Audit Configuration Files Permissions are 640 or More Restrictive
Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_audit_configuration |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_permissions_audit_configuration:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-88002-1 References:
A.3.SEC-RHEL4, 4.1.4.5 |
Description | All audit configuration files permissions must be 640 or more restrictive.
chmod 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* |
Rationale | Without the capability to restrict which roles and individuals can
select which events are audited, unauthorized personnel may be able
to prevent the auditing of critical events.
Misconfigured audits may degrade the system's performance by
overwhelming the audit log. Misconfigured audits may also make it more
difficult to establish, correlate, and investigate the events relating
to an incident or identify those responsible for one. |
OVAL test results details
Testing mode of /etc/audit/
oval:ssg-test_file_permissions_audit_configuration_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_audit_configuration_0:obj:1 of type
file_object
Path | Filename | Filter | Filter |
---|
/etc/audit | .*audit\(\.rules\|d\.conf\)$ | oval:ssg-exclude_symlinks__audit_configuration:ste:1 | oval:ssg-state_file_permissions_audit_configuration_0_mode_0640or_stricter_:ste:1 |
Testing mode of /etc/audit/rules.d/
oval:ssg-test_file_permissions_audit_configuration_1:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_audit_configuration_1:obj:1 of type
file_object
Path | Filename | Filter | Filter |
---|
/etc/audit/rules.d | .*\.rules$ | oval:ssg-exclude_symlinks__audit_configuration:ste:1 | oval:ssg-state_file_permissions_audit_configuration_1_mode_0640or_stricter_:ste:1 |
System Audit Logs Must Have Mode 0640 or Less Permissivexccdf_org.ssgproject.content_rule_file_permissions_var_log_audit mediumCCE-83720-3
System Audit Logs Must Have Mode 0640 or Less Permissive
Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_permissions_var_log_audit:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83720-3 References:
A.3.SEC-RHEL2, 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.1, CCI-000162, CCI-000163, CCI-000164, CCI-001314, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), AU-9(4), DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5, 10.3.1, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084, SRG-APP-000118-CTR-000240, 4.1.4.1 |
Description |
Determine where the audit logs are stored with the following command:
$ sudo grep -iw log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
Configure the audit log to be protected from unauthorized read access by setting the correct
permissive mode with the following command:
$ sudo chmod 0600 audit_log_file
By default, audit_log_file is "/var/log/audit/audit.log". |
Rationale | If users can write to audit logs, audit trails can be modified or destroyed. |
OVAL test results details
log_file not set
oval:ssg-test_auditd_conf_log_file_not_set:tst:1
false
Following items have been found on the system:
Path | Content |
---|
/etc/audit/auditd.conf | log_file = /var/log/audit/audit.log |
audit log files mode 0600
oval:ssg-test_file_permissions_audit_log:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_log_files:obj:1 of type
file_object
Filepath | Filter |
---|
/var/log/audit/audit.log | oval:ssg-state_not_mode_0600:ste:1 |
log_file not set
oval:ssg-test_auditd_conf_log_file_not_set:tst:1
false
Following items have been found on the system:
Path | Content |
---|
/etc/audit/auditd.conf | log_file = /var/log/audit/audit.log |
default audit log files mode 0600
oval:ssg-test_file_permissions_default_audit_log:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_default_log_files:obj:1 of type
file_object
Filepath | Filter |
---|
/var/log/audit/audit.log | oval:ssg-state_not_mode_0600:ste:1 |
Configure auditd mail_acct Action on Low Disk Spacexccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct mediumCCE-83698-1
Configure auditd mail_acct Action on Low Disk Space
Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-auditd_data_retention_action_mail_acct:def:1 |
Time | 2023-11-27T20:52:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83698-1 References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-000139, CCI-001855, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, CIP-003-8 R1.3, CIP-003-8 R3, CIP-003-8 R3.1, CIP-003-8 R3.2, CIP-003-8 R3.3, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-5(1), AU-5(a), AU-5(2), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7.a, 10.5.1, SRG-OS-000046-GPOS-00022, SRG-OS-000343-GPOS-00134, 4.1.2.3 |
Description | The auditd service can be configured to send email to
a designated account in certain situations. Add or correct the following line
in /etc/audit/auditd.conf to ensure that administrators are notified
via email for those situations:
action_mail_acct = root |
Rationale | Email sent to the root account is typically aliased to the
administrators of the system, who can take appropriate action. |
OVAL test results details
email account for actions
oval:ssg-test_auditd_data_retention_action_mail_acct:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/audit/auditd.conf | action_mail_acct = root |
Configure auditd admin_space_left Action on Low Disk Spacexccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action mediumCCE-83700-5
Configure auditd admin_space_left Action on Low Disk Space
Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-auditd_data_retention_admin_space_left_action:def:1 |
Time | 2023-11-27T20:52:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83700-5 References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-000140, CCI-001343, CCI-001855, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, 10.5.1, SRG-OS-000343-GPOS-00134, 4.1.2.3 |
Description | The auditd service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf . Add or modify the following line,
substituting ACTION appropriately:
admin_space_left_action = ACTION
Set this value to single to cause the system to switch to single user
mode for corrective action. Acceptable values also include suspend and
halt . For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for ACTION are described in the
auditd.conf man page. |
Rationale | Administrators should be made aware of an inability to record
audit records. If a separate partition or logical volume of adequate size
is used, running low on space for audit records should never occur. |
|
|
|
OVAL test results details
space left action
oval:ssg-test_auditd_data_retention_admin_space_left_action:tst:1
false
Following items have been found on the system:
Path | Content |
---|
/etc/audit/auditd.conf | admin_space_left_action = SUSPEND |
Configure auditd Max Log File Sizexccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file mediumCCE-83683-3
Configure auditd Max Log File Size
Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-auditd_data_retention_max_log_file:def:1 |
Time | 2023-11-27T20:52:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83683-3 References:
1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, CIP-004-6 R2.2.3, CIP-004-6 R3.3, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5, AU-11, CM-6(a), DE.AE-3, DE.AE-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, 10.5.1, 4.1.2.1 |
Description | Determine the amount of audit data (in megabytes)
which should be retained in each log file. Edit the file
/etc/audit/auditd.conf . Add or modify the following line, substituting
the correct value of 6 for STOREMB:
max_log_file = STOREMB
Set the value to 6 (MB) or higher for general-purpose systems.
Larger values, of course,
support retention of even more audit data. |
Rationale | The total storage for audit log files must be large enough to retain
log information over the period required. This is a function of the maximum
log file size and the number of logs retained. |
OVAL test results details
max log file size
oval:ssg-test_auditd_data_retention_max_log_file:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/audit/auditd.conf | max_log_file = 8 |
Configure auditd max_log_file_action Upon Reaching Maximum Log Sizexccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action mediumCCE-83701-3
Configure auditd max_log_file_action Upon Reaching Maximum Log Size
Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-auditd_data_retention_max_log_file_action:def:1 |
Time | 2023-11-27T20:52:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83701-3 References:
A.3.SEC-RHEL6, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, CCI-000140, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, 10.5.1, SRG-OS-000047-GPOS-00023, 4.1.2.2 |
Description | The default action to take when the logs reach their maximum size
is to rotate the log files, discarding the oldest one. To configure the action taken
by auditd , add or correct the line in /etc/audit/auditd.conf :
max_log_file_action = ACTION
Possible values for ACTION are described in the auditd.conf man
page. These include:
ignore syslog suspend rotate keep_logs
Set the ACTION to rotate to ensure log rotation
occurs. This is the default. The setting is case-insensitive. |
Rationale | Automatically rotating logs (by setting this to rotate )
minimizes the chances of the system unexpectedly running out of disk space by
being overwhelmed with log data. However, for systems that must never discard
log data, or which use external processes to transfer it and reclaim space,
keep_logs can be employed. |
|
|
|
OVAL test results details
admin space left action
oval:ssg-test_auditd_data_retention_max_log_file_action:tst:1
false
Following items have been found on the system:
Path | Content |
---|
/etc/audit/auditd.conf | max_log_file_action = ROTATE |
Configure auditd space_left Action on Low Disk Spacexccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action mediumCCE-83703-9
Configure auditd space_left Action on Low Disk Space
Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-auditd_data_retention_space_left_action:def:1 |
Time | 2023-11-27T20:52:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83703-9 References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-001855, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, 10.5.1, SRG-OS-000343-GPOS-00134, 4.1.2.3 |
Description | The auditd service can be configured to take an action
when disk space starts to run low.
Edit the file /etc/audit/auditd.conf . Modify the following line,
substituting ACTION appropriately:
space_left_action = ACTION
Possible values for ACTION are described in the auditd.conf man page.
These include:
syslog email exec suspend single halt
Set this to email (instead of the default,
which is suspend ) as it is more likely to get prompt attention. Acceptable values
also include suspend , single , and halt . |
Rationale | Notifying administrators of an impending disk space problem may
allow them to take corrective action prior to any disruption. |
|
|
|
OVAL test results details
space left action
oval:ssg-test_auditd_data_retention_space_left_action:tst:1
false
Following items have been found on the system:
Path | Content |
---|
/etc/audit/auditd.conf | space_left_action = SYSLOG |
Ensure the audit Subsystem is Installedxccdf_org.ssgproject.content_rule_package_audit_installed mediumCCE-83649-4
Ensure the audit Subsystem is Installed
Rule ID | xccdf_org.ssgproject.content_rule_package_audit_installed |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_audit_installed:def:1 |
Time | 2023-11-27T20:52:22+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83649-4 References:
BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, Req-10.1, 10.2.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, 4.1.1.1 |
Description | The audit package should be installed. |
Rationale | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. |
OVAL test results details
package audit is installed
oval:ssg-test_package_audit_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
audit | x86_64 | (none) | 103.el9 | 3.0.7 | 0:3.0.7-103.el9 | 199e2f91fd431d51 | audit-0:3.0.7-103.el9.x86_64 |
Enable auditd Servicexccdf_org.ssgproject.content_rule_service_auditd_enabled mediumCCE-90829-3
Enable auditd Service
Rule ID | xccdf_org.ssgproject.content_rule_service_auditd_enabled |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-service_auditd_enabled:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-90829-3 References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, 10.2.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, 4.1.1.4 |
Description | The auditd service is an essential userspace component of
the Linux Auditing System, as it is responsible for writing audit records to
disk.
The auditd service can be enabled with the following command:
$ sudo systemctl enable auditd.service |
Rationale | Without establishing what type of events occurred, it would be difficult
to establish, correlate, and investigate the events leading up to an outage or attack.
Ensuring the auditd service is active ensures audit records
generated by the kernel are appropriately recorded.
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. |
OVAL test results details
package audit is installed
oval:ssg-test_service_auditd_package_audit_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
audit | x86_64 | (none) | 103.el9 | 3.0.7 | 0:3.0.7-103.el9 | 199e2f91fd431d51 | audit-0:3.0.7-103.el9.x86_64 |
Test that the auditd service is running
oval:ssg-test_service_running_auditd:tst:1
true
Following items have been found on the system:
Unit | Property | Value |
---|
auditd.service | ActiveState | active |
systemd test
oval:ssg-test_multi_user_wants_auditd:tst:1
true
Following items have been found on the system:
Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
---|
multi-user.target | basic.target | sysinit.target | systemd-network-generator.service | sys-fs-fuse-connections.mount | lvm2-lvmpolld.socket | kmod-static-nodes.service | systemd-tmpfiles-setup.service | systemd-pcrphase-sysinit.service | systemd-random-seed.service | integritysetup.target | lvm2-monitor.service | selinux-autorelabel-mark.service | dev-mqueue.mount | systemd-pcrphase.service | nis-domainname.service | systemd-journald.service | systemd-update-utmp.service | systemd-sysusers.service | systemd-tmpfiles-setup-dev.service | cryptsetup.target | dev-hugepages.mount | iscsi-onboot.service | systemd-firstboot.service | systemd-sysctl.service | systemd-udevd.service | plymouth-read-write.service | systemd-journal-catalog-update.service | systemd-machine-id-commit.service | proc-sys-fs-binfmt_misc.automount | systemd-repart.service | veritysetup.target | swap.target | dev-mapper-rhel\x2dswap.swap | sys-kernel-tracing.mount | systemd-ask-password-console.path | systemd-update-done.service | multipathd.service | systemd-modules-load.service | sys-kernel-debug.mount | systemd-hwdb-update.service | sys-kernel-config.mount | dracut-shutdown.service | systemd-journal-flush.service | local-fs.target | boot.mount | boot-efi.mount | -.mount | ostree-remount.service | systemd-remount-fs.service | plymouth-start.service | systemd-binfmt.service | ldconfig.service | systemd-udev-trigger.service | systemd-boot-system-token.service | slices.target | system.slice | -.slice | sockets.target | systemd-journald.socket | systemd-journald-dev-log.socket | avahi-daemon.socket | sssd-kcm.socket | systemd-udevd-kernel.socket | cups.socket | iscsid.socket | iscsiuio.socket | systemd-udevd-control.socket | dbus.socket | dm-event.socket | systemd-coredump.socket | systemd-initctl.socket | multipathd.socket | microcode.service | timers.target | logrotate.timer | systemd-tmpfiles-clean.timer | dnf-makecache.timer | mlocate-updatedb.timer | low-memory-monitor.service | paths.target | nvmefc-boot-connections.service | chronyd.service | avahi-daemon.service | mcelog.service | cups.service | firewalld.service | rsyslog.service | irqbalance.service | plymouth-quit.service | crond.service | kdump.service | sshd.service | tuned.service | sssd.service | insights-client-boot.service | systemd-ask-password-wall.path | mdmonitor.service | systemd-update-utmp-runlevel.service | systemd-user-sessions.service | libstoragemgmt.service | auditd.service | rhsmcertd.service | remote-fs.target | iscsi.service | pmlogger.service | ModemManager.service | smartd.service | atd.service | getty.target | getty@tty1.service | ostree-readonly-sysroot-migration.service | vmtoolsd.service | pmie.service | NetworkManager.service | pmcd.service | cups.path | systemd-logind.service | plymouth-quit-wait.service |
systemd test
oval:ssg-test_multi_user_wants_auditd_socket:tst:1
false
Following items have been found on the system:
Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
---|
multi-user.target | basic.target | sysinit.target | systemd-network-generator.service | sys-fs-fuse-connections.mount | lvm2-lvmpolld.socket | kmod-static-nodes.service | systemd-tmpfiles-setup.service | systemd-pcrphase-sysinit.service | systemd-random-seed.service | integritysetup.target | lvm2-monitor.service | selinux-autorelabel-mark.service | dev-mqueue.mount | systemd-pcrphase.service | nis-domainname.service | systemd-journald.service | systemd-update-utmp.service | systemd-sysusers.service | systemd-tmpfiles-setup-dev.service | cryptsetup.target | dev-hugepages.mount | iscsi-onboot.service | systemd-firstboot.service | systemd-sysctl.service | systemd-udevd.service | plymouth-read-write.service | systemd-journal-catalog-update.service | systemd-machine-id-commit.service | proc-sys-fs-binfmt_misc.automount | systemd-repart.service | veritysetup.target | swap.target | dev-mapper-rhel\x2dswap.swap | sys-kernel-tracing.mount | systemd-ask-password-console.path | systemd-update-done.service | multipathd.service | systemd-modules-load.service | sys-kernel-debug.mount | systemd-hwdb-update.service | sys-kernel-config.mount | dracut-shutdown.service | systemd-journal-flush.service | local-fs.target | boot.mount | boot-efi.mount | -.mount | ostree-remount.service | systemd-remount-fs.service | plymouth-start.service | systemd-binfmt.service | ldconfig.service | systemd-udev-trigger.service | systemd-boot-system-token.service | slices.target | system.slice | -.slice | sockets.target | systemd-journald.socket | systemd-journald-dev-log.socket | avahi-daemon.socket | sssd-kcm.socket | systemd-udevd-kernel.socket | cups.socket | iscsid.socket | iscsiuio.socket | systemd-udevd-control.socket | dbus.socket | dm-event.socket | systemd-coredump.socket | systemd-initctl.socket | multipathd.socket | microcode.service | timers.target | logrotate.timer | systemd-tmpfiles-clean.timer | dnf-makecache.timer | mlocate-updatedb.timer | low-memory-monitor.service | paths.target | nvmefc-boot-connections.service | chronyd.service | avahi-daemon.service | mcelog.service | cups.service | firewalld.service | rsyslog.service | irqbalance.service | plymouth-quit.service | crond.service | kdump.service | sshd.service | tuned.service | sssd.service | insights-client-boot.service | systemd-ask-password-wall.path | mdmonitor.service | systemd-update-utmp-runlevel.service | systemd-user-sessions.service | libstoragemgmt.service | auditd.service | rhsmcertd.service | remote-fs.target | iscsi.service | pmlogger.service | ModemManager.service | smartd.service | atd.service | getty.target | getty@tty1.service | ostree-readonly-sysroot-migration.service | vmtoolsd.service | pmie.service | NetworkManager.service | pmcd.service | cups.path | systemd-logind.service | plymouth-quit-wait.service |
Enable Auditing for Processes Which Start Prior to the Audit Daemonxccdf_org.ssgproject.content_rule_grub2_audit_argument lowCCE-83651-0
Enable Auditing for Processes Which Start Prior to the Audit Daemon
Rule ID | xccdf_org.ssgproject.content_rule_grub2_audit_argument |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-grub2_audit_argument:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | low |
Identifiers and References | Identifiers:
CCE-83651-0 References:
1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.02, DSS05.03, DSS05.04, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, CCI-001464, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(1), AU-14(1), AU-10, CM-6(a), IR-5(1), DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.3, 10.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000254-GPOS-00095, 4.1.1.2 |
Description | To ensure all processes can be audited, even those which start
prior to the audit daemon, add the argument audit=1 to the default
GRUB 2 command line for the Linux operating system.
To ensure that audit=1 is added as a kernel command line
argument to newly installed kernels, add audit=1 to the
default Grub2 command line for Linux operating systems. Modify the line within
/etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... audit=1 ..."
Run the following command to update command line for already installed kernels: # grubby --update-kernel=ALL --args="audit=1" |
Rationale | Each process on the system carries an "auditable" flag which indicates whether
its activities can be audited. Although auditd takes care of enabling
this for all processes which launch after it does, adding the kernel argument
ensures it is set for every process during boot. |
|
|
|
OVAL test results details
check kernel command line parameters for audit=1 for all boot entries.
oval:ssg-test_grub2_audit_entries:tst:1
false
Following items have been found on the system:
Path | Content |
---|
/boot/loader/entries/90f4efbdae0b4b6f816a7f76181fb826-5.14.0-284.18.1.el9_2.x86_64.conf | options root=/dev/mapper/rhel-root ro crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet $tuned_params |
/boot/loader/entries/90f4efbdae0b4b6f816a7f76181fb826-5.14.0-162.6.1.el9_1.x86_64.conf | options root=/dev/mapper/rhel-root ro crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet $tuned_params |
check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX
oval:ssg-test_grub2_audit_argument:tst:1
false
Following items have been found on the system:
Path | Content |
---|
/etc/default/grub | GRUB_CMDLINE_LINUX="crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet" |
check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT
oval:ssg-test_grub2_audit_argument_default:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_audit_argument_default:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/default/grub | ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$ | 1 |
Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub
oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/default/grub | GRUB_DISABLE_RECOVERY="true" |
Extend Audit Backlog Limit for the Audit Daemonxccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument lowCCE-83652-8
Extend Audit Backlog Limit for the Audit Daemon
Rule ID | xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-grub2_audit_backlog_limit_argument:def:1 |
Time | 2023-11-27T20:52:24+10:00 |
Severity | low |
Identifiers and References | Identifiers:
CCE-83652-8 References:
CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001849, CCI-002884, CM-6(a), FAU_STG.1, FAU_STG.3, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000254-GPOS-00095, SRG-OS-000341-GPOS-00132, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, 4.1.1.3 |
Description | To improve the kernel capacity to queue all log events, even those which occurred
prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default
GRUB 2 command line for the Linux operating system.
To ensure that audit_backlog_limit=8192 is added as a kernel command line
argument to newly installed kernels, add audit_backlog_limit=8192 to the
default Grub2 command line for Linux operating systems. Modify the line within
/etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
Run the following command to update command line for already installed kernels: # grubby --update-kernel=ALL --args="audit_backlog_limit=8192" |
Rationale | audit_backlog_limit sets the queue length for audit events awaiting transfer
to the audit daemon. Until the audit daemon is up and running, all log messages
are stored in this queue. If the queue is overrun during boot process, the action
defined by audit failure flag is taken. |
|
|
|
OVAL test results details
check kernel command line parameters for audit_backlog_limit=8192 for all boot entries.
oval:ssg-test_grub2_audit_backlog_limit_entries:tst:1
false
Following items have been found on the system:
Path | Content |
---|
/boot/loader/entries/90f4efbdae0b4b6f816a7f76181fb826-5.14.0-284.18.1.el9_2.x86_64.conf | options root=/dev/mapper/rhel-root ro crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet $tuned_params |
/boot/loader/entries/90f4efbdae0b4b6f816a7f76181fb826-5.14.0-162.6.1.el9_1.x86_64.conf | options root=/dev/mapper/rhel-root ro crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet $tuned_params |
check for audit_backlog_limit=8192 in /etc/default/grub via GRUB_CMDLINE_LINUX
oval:ssg-test_grub2_audit_backlog_limit_argument:tst:1
false
Following items have been found on the system:
Path | Content |
---|
/etc/default/grub | GRUB_CMDLINE_LINUX="crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet" |
check for audit_backlog_limit=8192 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT
oval:ssg-test_grub2_audit_backlog_limit_argument_default:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_audit_backlog_limit_argument_default:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/default/grub | ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$ | 1 |
Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub
oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/default/grub | GRUB_DISABLE_RECOVERY="true" |
Verify /boot/grub2/grub.cfg Group Ownershipxccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg mediumCCE-83848-2
Verify /boot/grub2/grub.cfg Group Ownership
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg |
Result | |
Multi-check rule | no |
Time | 2023-11-27T20:52:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83848-2 References:
A.6.SEC-RHEL2, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-7.1, 2.2.6, SRG-OS-000480-GPOS-00227, 1.4.2 |
Description | The file /boot/grub2/grub.cfg should
be group-owned by the root group to prevent
destruction or modification of the file.
To properly set the group owner of /boot/grub2/grub.cfg , run the command:
$ sudo chgrp root /boot/grub2/grub.cfg |
Rationale | The root group is a highly-privileged group. Furthermore, the group-owner of this
file should not have any access privileges anyway. |
Verify /boot/grub2/user.cfg Group Ownershipxccdf_org.ssgproject.content_rule_file_groupowner_user_cfg mediumCCE-86010-6
Verify /boot/grub2/user.cfg Group Ownership
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_user_cfg |
Result | |
Multi-check rule | no |
Time | 2023-11-27T20:52:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86010-6 References:
A.6.SEC-RHEL2, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-7.1, SRG-OS-000480-GPOS-00227, 1.4.2 |
Description | The file /boot/grub2/user.cfg should be group-owned by the root
group to prevent reading or modification of the file.
To properly set the group owner of /boot/grub2/user.cfg , run the command:
$ sudo chgrp root /boot/grub2/user.cfg |
Rationale | The root group is a highly-privileged group. Furthermore, the group-owner of this
file should not have any access privileges anyway. Non-root users who read the boot parameters
may be able to identify weaknesses in security upon boot and be able to exploit them. |
Verify /boot/grub2/grub.cfg User Ownershipxccdf_org.ssgproject.content_rule_file_owner_grub2_cfg mediumCCE-83845-8
Verify /boot/grub2/grub.cfg User Ownership
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg |
Result | |
Multi-check rule | no |
Time | 2023-11-27T20:52:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83845-8 References:
A.6.SEC-RHEL2, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-7.1, 2.2.6, 1.4.2 |
Description | The file /boot/grub2/grub.cfg should
be owned by the root user to prevent destruction
or modification of the file.
To properly set the owner of /boot/grub2/grub.cfg , run the command:
$ sudo chown root /boot/grub2/grub.cfg |
Rationale | Only root should be able to modify important boot parameters. |
Verify /boot/grub2/user.cfg User Ownershipxccdf_org.ssgproject.content_rule_file_owner_user_cfg mediumCCE-86016-3
Verify /boot/grub2/user.cfg User Ownership
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_user_cfg |
Result | |
Multi-check rule | no |
Time | 2023-11-27T20:52:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86016-3 References:
A.6.SEC-RHEL2, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-7.1, 1.4.2 |
Description | The file /boot/grub2/user.cfg should be owned by the root
user to prevent reading or modification of the file.
To properly set the owner of /boot/grub2/user.cfg , run the command:
$ sudo chown root /boot/grub2/user.cfg |
Rationale | Only root should be able to modify important boot parameters. Also, non-root users who read
the boot parameters may be able to identify weaknesses in security upon boot and be able to
exploit them. |
Verify /boot/grub2/grub.cfg Permissionsxccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg mediumCCE-83846-6
Verify /boot/grub2/grub.cfg Permissions
Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg |
Result | |
Multi-check rule | no |
Time | 2023-11-27T20:52:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83846-6 References:
A.6.SEC-RHEL2, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, 1.4.2 |
Description | File permissions for /boot/grub2/grub.cfg should be set to 600.
To properly set the permissions of /boot/grub2/grub.cfg , run the command:
$ sudo chmod 600 /boot/grub2/grub.cfg |
Rationale | Proper permissions ensure that only the root user can modify important boot
parameters. |
Verify /boot/grub2/user.cfg Permissionsxccdf_org.ssgproject.content_rule_file_permissions_user_cfg mediumCCE-86025-4
Verify /boot/grub2/user.cfg Permissions
Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_user_cfg |
Result | |
Multi-check rule | no |
Time | 2023-11-27T20:52:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86025-4 References:
A.6.SEC-RHEL2, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, 1.4.2 |
Description | File permissions for /boot/grub2/user.cfg should be set to 600.
To properly set the permissions of /boot/grub2/user.cfg , run the command:
$ sudo chmod 600 /boot/grub2/user.cfg |
Rationale | Proper permissions ensure that only the root user can read or modify important boot
parameters. |
Set Boot Loader Password in grub2xccdf_org.ssgproject.content_rule_grub2_password highCCE-83849-0
Set Boot Loader Password in grub2
Rule ID | xccdf_org.ssgproject.content_rule_grub2_password |
Result | |
Multi-check rule | no |
Time | 2023-11-27T20:52:47+10:00 |
Severity | high |
Identifiers and References | Identifiers:
CCE-83849-0 References:
BP28(R17), A.8.SEC-RHEL7, 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, 1.4.1 |
Description | The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
Since plaintext passwords are a security risk, generate a hash for the password
by running the following command:
# grub2-setpassword
When prompted, enter the password that was selected.
|
Rationale | Password protection on the boot loader configuration ensures
users with physical access cannot trivially alter
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode. |
Warnings | warning
To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation
must be automated as a component of machine provisioning, or followed manually as outlined above.
Also, do NOT manually add the superuser account and password to the
grub.cfg file as the grub2-mkconfig command overwrites this file. |
Ensure Log Files Are Owned By Appropriate Groupxccdf_org.ssgproject.content_rule_rsyslog_files_groupownership mediumCCE-83834-2
Ensure Log Files Are Owned By Appropriate Group
Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-rsyslog_files_groupownership:def:1 |
Time | 2023-11-27T20:52:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83834-2 References:
BP28(R46), BP28(R5), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001314, 4.3.3.7.3, SR 2.1, SR 5.2, 0988, 1405, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-10.5.1, Req-10.5.2, 10.3.1, 10.3.2, 4.2.3 |
Description | The group-owner of all log files written by
rsyslog should be
root .
These log files are determined by the second part of each Rule line in
/etc/rsyslog.conf and typically all appear in /var/log .
For each log file LOGFILE referenced in /etc/rsyslog.conf ,
run the following command to inspect the file's group owner:
$ ls -l LOGFILE
If the owner is not
root ,
run the following command to
correct this:
$ sudo chgrp root LOGFILE |
Rationale | The log files generated by rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Log files should be
protected from unauthorized access. |
OVAL test results details
System log files have appropriate groupowner set
oval:ssg-test_rsyslog_files_groupownership:tst:1
true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|
/var/log/maillog | regular | 0 | 0 | 0 | rw------- |
/var/log/cron | regular | 0 | 0 | 328 | rw------- |
/var/log/spooler | regular | 0 | 0 | 0 | rw------- |
/var/log/boot.log | regular | 0 | 0 | 2495 | rw------- |
/var/log/secure | regular | 0 | 0 | 1322 | rw------- |
/var/log/messages | regular | 0 | 0 | 24485 | rw------- |
Ensure Log Files Are Owned By Appropriate Userxccdf_org.ssgproject.content_rule_rsyslog_files_ownership mediumCCE-83946-4
Ensure Log Files Are Owned By Appropriate User
Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_files_ownership |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-rsyslog_files_ownership:def:1 |
Time | 2023-11-27T20:52:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83946-4 References:
BP28(R46), BP28(R5), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001314, 4.3.3.7.3, SR 2.1, SR 5.2, 0988, 1405, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-10.5.1, Req-10.5.2, 10.3.1, 10.3.2, 4.2.3 |
Description | The owner of all log files written by
rsyslog should be
root .
These log files are determined by the second part of each Rule line in
/etc/rsyslog.conf and typically all appear in /var/log .
For each log file LOGFILE referenced in /etc/rsyslog.conf ,
run the following command to inspect the file's owner:
$ ls -l LOGFILE
If the owner is not
root ,
run the following command to
correct this:
$ sudo chown root LOGFILE |
Rationale | The log files generated by rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Log files should be
protected from unauthorized access. |
OVAL test results details
System log files have appropriate owner set
oval:ssg-test_rsyslog_files_ownership:tst:1
true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|
/var/log/maillog | regular | 0 | 0 | 0 | rw------- |
/var/log/cron | regular | 0 | 0 | 328 | rw------- |
/var/log/spooler | regular | 0 | 0 | 0 | rw------- |
/var/log/boot.log | regular | 0 | 0 | 2495 | rw------- |
/var/log/secure | regular | 0 | 0 | 1322 | rw------- |
/var/log/messages | regular | 0 | 0 | 24485 | rw------- |
Ensure System Log Files Have Correct Permissionsxccdf_org.ssgproject.content_rule_rsyslog_files_permissions mediumCCE-83689-0
Ensure System Log Files Have Correct Permissions
Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_files_permissions |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-rsyslog_files_permissions:def:1 |
Time | 2023-11-27T20:52:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83689-0 References:
BP28(R36), CCI-001314, 0988, 1405, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), Req-10.5.1, Req-10.5.2, 10.3.1, 10.3.2, 4.2.3 |
Description | The file permissions for all log files written by rsyslog should
be set to 640, or more restrictive. These log files are determined by the
second part of each Rule line in /etc/rsyslog.conf and typically
all appear in /var/log . For each log file LOGFILE
referenced in /etc/rsyslog.conf , run the following command to
inspect the file's permissions:
$ ls -l LOGFILE
If the permissions are not 640 or more restrictive, run the following
command to correct this:
$ sudo chmod 640 LOGFILE " |
Rationale | Log files can contain valuable information regarding system
configuration. If the system log files are not protected unauthorized
users could change the logged data, eliminating their forensic value. |
OVAL test results details
System log files have appropriate permissions set
oval:ssg-test_rsyslog_files_permissions:tst:1
true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|
/var/log/maillog | regular | 0 | 0 | 0 | rw------- |
/var/log/cron | regular | 0 | 0 | 328 | rw------- |
/var/log/spooler | regular | 0 | 0 | 0 | rw------- |
/var/log/boot.log | regular | 0 | 0 | 2495 | rw------- |
/var/log/secure | regular | 0 | 0 | 1322 | rw------- |
/var/log/messages | regular | 0 | 0 | 24485 | rw------- |
Enable systemd-journald Servicexccdf_org.ssgproject.content_rule_service_systemd-journald_enabled mediumCCE-85941-3
Enable systemd-journald Service
Rule ID | xccdf_org.ssgproject.content_rule_service_systemd-journald_enabled |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-service_systemd-journald_enabled:def:1 |
Time | 2023-11-27T20:52:50+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-85941-3 References:
CCI-001665, SC-24, SRG-OS-000269-GPOS-00103, 4.2.2.2 |
Description | The systemd-journald service is an essential component of
systemd.
The systemd-journald service can be enabled with the following command:
$ sudo systemctl enable systemd-journald.service |
Rationale | In the event of a system failure, Red Hat Enterprise Linux 9 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to system processes. |
OVAL test results details
package systemd is installed
oval:ssg-test_service_systemd-journald_package_systemd_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
systemd | x86_64 | (none) | 14.el9_2.1 | 252 | 0:252-14.el9_2.1 | 199e2f91fd431d51 | systemd-0:252-14.el9_2.1.x86_64 |
Test that the systemd-journald service is running
oval:ssg-test_service_running_systemd-journald:tst:1
true
Following items have been found on the system:
Unit | Property | Value |
---|
systemd-journald.socket | ActiveState | active |
systemd-journald.service | ActiveState | active |
systemd test
oval:ssg-test_multi_user_wants_systemd-journald:tst:1
true
Following items have been found on the system:
Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
---|
multi-user.target | basic.target | sysinit.target | systemd-network-generator.service | sys-fs-fuse-connections.mount | lvm2-lvmpolld.socket | kmod-static-nodes.service | systemd-tmpfiles-setup.service | systemd-pcrphase-sysinit.service | systemd-random-seed.service | integritysetup.target | lvm2-monitor.service | selinux-autorelabel-mark.service | dev-mqueue.mount | systemd-pcrphase.service | nis-domainname.service | systemd-journald.service | systemd-update-utmp.service | systemd-sysusers.service | systemd-tmpfiles-setup-dev.service | cryptsetup.target | dev-hugepages.mount | iscsi-onboot.service | systemd-firstboot.service | systemd-sysctl.service | systemd-udevd.service | plymouth-read-write.service | systemd-journal-catalog-update.service | systemd-machine-id-commit.service | proc-sys-fs-binfmt_misc.automount | systemd-repart.service | veritysetup.target | swap.target | dev-mapper-rhel\x2dswap.swap | sys-kernel-tracing.mount | systemd-ask-password-console.path | systemd-update-done.service | multipathd.service | systemd-modules-load.service | sys-kernel-debug.mount | systemd-hwdb-update.service | sys-kernel-config.mount | dracut-shutdown.service | systemd-journal-flush.service | local-fs.target | boot.mount | boot-efi.mount | -.mount | ostree-remount.service | systemd-remount-fs.service | plymouth-start.service | systemd-binfmt.service | ldconfig.service | systemd-udev-trigger.service | systemd-boot-system-token.service | slices.target | system.slice | -.slice | sockets.target | systemd-journald.socket | systemd-journald-dev-log.socket | avahi-daemon.socket | sssd-kcm.socket | systemd-udevd-kernel.socket | cups.socket | iscsid.socket | iscsiuio.socket | systemd-udevd-control.socket | dbus.socket | dm-event.socket | systemd-coredump.socket | systemd-initctl.socket | multipathd.socket | microcode.service | timers.target | logrotate.timer | systemd-tmpfiles-clean.timer | dnf-makecache.timer | mlocate-updatedb.timer | low-memory-monitor.service | paths.target | nvmefc-boot-connections.service | chronyd.service | avahi-daemon.service | mcelog.service | cups.service | firewalld.service | rsyslog.service | irqbalance.service | plymouth-quit.service | crond.service | kdump.service | sshd.service | tuned.service | sssd.service | insights-client-boot.service | systemd-ask-password-wall.path | mdmonitor.service | systemd-update-utmp-runlevel.service | systemd-user-sessions.service | libstoragemgmt.service | auditd.service | rhsmcertd.service | remote-fs.target | iscsi.service | pmlogger.service | ModemManager.service | smartd.service | atd.service | getty.target | getty@tty1.service | ostree-readonly-sysroot-migration.service | vmtoolsd.service | pmie.service | NetworkManager.service | pmcd.service | cups.path | systemd-logind.service | plymouth-quit-wait.service |
systemd test
oval:ssg-test_multi_user_wants_systemd-journald_socket:tst:1
true
Following items have been found on the system:
Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
---|
multi-user.target | basic.target | sysinit.target | systemd-network-generator.service | sys-fs-fuse-connections.mount | lvm2-lvmpolld.socket | kmod-static-nodes.service | systemd-tmpfiles-setup.service | systemd-pcrphase-sysinit.service | systemd-random-seed.service | integritysetup.target | lvm2-monitor.service | selinux-autorelabel-mark.service | dev-mqueue.mount | systemd-pcrphase.service | nis-domainname.service | systemd-journald.service | systemd-update-utmp.service | systemd-sysusers.service | systemd-tmpfiles-setup-dev.service | cryptsetup.target | dev-hugepages.mount | iscsi-onboot.service | systemd-firstboot.service | systemd-sysctl.service | systemd-udevd.service | plymouth-read-write.service | systemd-journal-catalog-update.service | systemd-machine-id-commit.service | proc-sys-fs-binfmt_misc.automount | systemd-repart.service | veritysetup.target | swap.target | dev-mapper-rhel\x2dswap.swap | sys-kernel-tracing.mount | systemd-ask-password-console.path | systemd-update-done.service | multipathd.service | systemd-modules-load.service | sys-kernel-debug.mount | systemd-hwdb-update.service | sys-kernel-config.mount | dracut-shutdown.service | systemd-journal-flush.service | local-fs.target | boot.mount | boot-efi.mount | -.mount | ostree-remount.service | systemd-remount-fs.service | plymouth-start.service | systemd-binfmt.service | ldconfig.service | systemd-udev-trigger.service | systemd-boot-system-token.service | slices.target | system.slice | -.slice | sockets.target | systemd-journald.socket | systemd-journald-dev-log.socket | avahi-daemon.socket | sssd-kcm.socket | systemd-udevd-kernel.socket | cups.socket | iscsid.socket | iscsiuio.socket | systemd-udevd-control.socket | dbus.socket | dm-event.socket | systemd-coredump.socket | systemd-initctl.socket | multipathd.socket | microcode.service | timers.target | logrotate.timer | systemd-tmpfiles-clean.timer | dnf-makecache.timer | mlocate-updatedb.timer | low-memory-monitor.service | paths.target | nvmefc-boot-connections.service | chronyd.service | avahi-daemon.service | mcelog.service | cups.service | firewalld.service | rsyslog.service | irqbalance.service | plymouth-quit.service | crond.service | kdump.service | sshd.service | tuned.service | sssd.service | insights-client-boot.service | systemd-ask-password-wall.path | mdmonitor.service | systemd-update-utmp-runlevel.service | systemd-user-sessions.service | libstoragemgmt.service | auditd.service | rhsmcertd.service | remote-fs.target | iscsi.service | pmlogger.service | ModemManager.service | smartd.service | atd.service | getty.target | getty@tty1.service | ostree-readonly-sysroot-migration.service | vmtoolsd.service | pmie.service | NetworkManager.service | pmcd.service | cups.path | systemd-logind.service | plymouth-quit-wait.service |
Ensure journald is configured to compress large log filesxccdf_org.ssgproject.content_rule_journald_compress mediumCCE-85931-4
Ensure journald is configured to compress large log files
Rule ID | xccdf_org.ssgproject.content_rule_journald_compress |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-journald_compress:def:1 |
Time | 2023-11-27T20:52:50+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-85931-4 References:
4.2.2.3 |
Description | The journald system can compress large log files to avoid fill the system disk. |
Rationale | Log files that are not properly compressed run the risk of growing so large that they fill up the log partition. Valuable logging information could be lost if the log partition becomes full. |
|
|
OVAL test results details
tests the value of Compress setting in the /etc/systemd/journald.conf file
oval:ssg-test_journald_compress:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_journald_compress:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/systemd/journald.conf | ^[ \t]*Compress=(.+?)[ \t]*(?:$|#) | 1 |
Ensure journald is configured to send logs to rsyslogxccdf_org.ssgproject.content_rule_journald_forward_to_syslog mediumCCE-85996-7
Ensure journald is configured to send logs to rsyslog
Rule ID | xccdf_org.ssgproject.content_rule_journald_forward_to_syslog |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-journald_forward_to_syslog:def:1 |
Time | 2023-11-27T20:52:50+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-85996-7 References:
4.2.1.3 |
Description | Data from journald may be stored in volatile memory or persisted locally.
Utilities exist to accept remote export of journald logs. |
Rationale | Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system. |
|
|
OVAL test results details
tests the value of ForwardToSyslog setting in the /etc/systemd/journald.conf file
oval:ssg-test_journald_forward_to_syslog:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_journald_forward_to_syslog:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/systemd/journald.conf | ^[ \t]*ForwardToSyslog=(.+?)[ \t]*(?:$|#) | 1 |
Ensure journald is configured to write log files to persistent diskxccdf_org.ssgproject.content_rule_journald_storage mediumCCE-86046-0
Ensure journald is configured to write log files to persistent disk
Rule ID | xccdf_org.ssgproject.content_rule_journald_storage |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-journald_storage:def:1 |
Time | 2023-11-27T20:52:50+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86046-0 References:
4.2.2.4 |
Description | The journald system may store log files in volatile memory or locally on disk.
If the logs are only stored in volatile memory they will we lost upon reboot. |
Rationale | Log files contain valuable data and need to be persistent to aid in possible investigations. |
|
|
OVAL test results details
tests the value of Storage setting in the /etc/systemd/journald.conf file
oval:ssg-test_journald_storage:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_journald_storage:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/systemd/journald.conf | ^[ \t]*Storage=(.+?)[ \t]*(?:$|#) | 1 |
Disable systemd-journal-remote Socketxccdf_org.ssgproject.content_rule_socket_systemd-journal-remote_disabled mediumCCE-87606-0
Disable systemd-journal-remote Socket
Rule ID | xccdf_org.ssgproject.content_rule_socket_systemd-journal-remote_disabled |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-socket_systemd-journal-remote_disabled:def:1 |
Time | 2023-11-27T20:52:50+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-87606-0 References:
4.2.2.1.4 |
Description | Journald supports the ability to receive messages from remote hosts,
thus acting as a log server. Clients should not receive data from
other hosts.
NOTE:
The same package, systemd-journal-remote , is used for both sending
logs to remote hosts and receiving incoming logs.
With regards to receiving logs, there are two Systemd unit files;
systemd-journal-remote.socket and systemd-journal-remote.service. |
Rationale | If a client is configured to also receive data, thus turning it into
a server, the client system is acting outside it's operational boundary. |
OVAL test results details
Test that the property LoadState from the systemd-journal-remote.socket is masked
oval:ssg-test_socket_loadstate_is_masked_systemd-journal-remote:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_socket_loadstate_is_masked_systemd-journal-remote:obj:1 of type
systemdunitproperty_object
Unit | Property |
---|
^systemd-journal-remote.socket$ | LoadState |
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Serverxccdf_org.ssgproject.content_rule_rsyslog_nolisten mediumCCE-83995-1
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_nolisten |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-rsyslog_nolisten:def:1 |
Time | 2023-11-27T20:52:50+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83995-1 References:
1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, MEA02.01, CCI-000318, CCI-000366, CCI-000368, CCI-001812, CCI-001813, CCI-001814, 4.2.3.4, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.8, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 0988, 1405, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.IP-1, PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227, 4.2.1.7 |
Description | The rsyslog daemon should not accept remote messages unless the system acts as a log
server. To ensure that it is not listening on the network, ensure any of the following lines
are not found in rsyslog configuration files.
If using legacy syntax:
$ModLoad imtcp
$InputTCPServerRun port
$ModLoad imudp
$UDPServerRun port
$ModLoad imrelp
$InputRELPServerRun port
If using RainerScript syntax:
module(load="imtcp")
module(load="imudp")
input(type="imtcp" port="514")
input(type="imudp" port="514")
|
Rationale | Any process which receives messages from the network incurs some risk of receiving malicious
messages. This risk can be eliminated for rsyslog by configuring it not to listen on the
network. |
OVAL test results details
rsyslog configuration files don't contain $InputTCPServerRun | $UDPServerRun | $InputRELPServerRun | $ModLoad imtcp | $ModLoad imudp | $ModLoad imrelp
oval:ssg-test_rsyslog_nolisten_legacy:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_rsyslog_nolisten_legacy:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^\/etc\/rsyslog(\.conf|\.d\/.*\.conf)$ | ^[\s]*\$((?:Input(?:TCP|RELP)|UDP)ServerRun|ModLoad[\s]+(imtcp|imudp|imrelp)) | 1 |
rsyslog configuration files don't use imtcp or imudp modules
oval:ssg-test_rsyslog_nolisten_rainerscript:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_rsyslog_nolisten_rainerscript:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^\/etc\/rsyslog(\.conf|\.d\/.*\.conf)$ | ^\s*(?:module|input)\((?:load|type)="(imtcp|imudp)".*$ | 1 |
Ensure rsyslog is Installedxccdf_org.ssgproject.content_rule_package_rsyslog_installed mediumCCE-84063-7
Ensure rsyslog is Installed
Rule ID | xccdf_org.ssgproject.content_rule_package_rsyslog_installed |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_rsyslog_installed:def:1 |
Time | 2023-11-27T20:52:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84063-7 References:
1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227, 4.2.1.1 |
Description | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ sudo dnf install rsyslog |
Rationale | The rsyslog package provides the rsyslog daemon, which provides
system logging services. |
OVAL test results details
package rsyslog is installed
oval:ssg-test_package_rsyslog_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
rsyslog | x86_64 | (none) | 113.el9_2 | 8.2102.0 | 0:8.2102.0-113.el9_2 | 199e2f91fd431d51 | rsyslog-0:8.2102.0-113.el9_2.x86_64 |
Enable rsyslog Servicexccdf_org.ssgproject.content_rule_service_rsyslog_enabled mediumCCE-83989-4
Enable rsyslog Service
Rule ID | xccdf_org.ssgproject.content_rule_service_rsyslog_enabled |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-service_rsyslog_enabled:def:1 |
Time | 2023-11-27T20:52:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83989-4 References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, CCI-000366, 164.312(a)(2)(ii), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1, SRG-OS-000480-GPOS-00227, 4.2.1.2 |
Description | The rsyslog service provides syslog-style logging by default on Red Hat Enterprise Linux 9.
The rsyslog service can be enabled with the following command:
$ sudo systemctl enable rsyslog.service |
Rationale | The rsyslog service must be running in order to provide
logging services, which are essential to system administration. |
OVAL test results details
package rsyslog is installed
oval:ssg-test_service_rsyslog_package_rsyslog_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
rsyslog | x86_64 | (none) | 113.el9_2 | 8.2102.0 | 0:8.2102.0-113.el9_2 | 199e2f91fd431d51 | rsyslog-0:8.2102.0-113.el9_2.x86_64 |
Test that the rsyslog service is running
oval:ssg-test_service_running_rsyslog:tst:1
true
Following items have been found on the system:
Unit | Property | Value |
---|
rsyslog.service | ActiveState | active |
systemd test
oval:ssg-test_multi_user_wants_rsyslog:tst:1
true
Following items have been found on the system:
Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
---|
multi-user.target | basic.target | sysinit.target | systemd-network-generator.service | sys-fs-fuse-connections.mount | lvm2-lvmpolld.socket | kmod-static-nodes.service | systemd-tmpfiles-setup.service | systemd-pcrphase-sysinit.service | systemd-random-seed.service | integritysetup.target | lvm2-monitor.service | selinux-autorelabel-mark.service | dev-mqueue.mount | systemd-pcrphase.service | nis-domainname.service | systemd-journald.service | systemd-update-utmp.service | systemd-sysusers.service | systemd-tmpfiles-setup-dev.service | cryptsetup.target | dev-hugepages.mount | iscsi-onboot.service | systemd-firstboot.service | systemd-sysctl.service | systemd-udevd.service | plymouth-read-write.service | systemd-journal-catalog-update.service | systemd-machine-id-commit.service | proc-sys-fs-binfmt_misc.automount | systemd-repart.service | veritysetup.target | swap.target | dev-mapper-rhel\x2dswap.swap | sys-kernel-tracing.mount | systemd-ask-password-console.path | systemd-update-done.service | multipathd.service | systemd-modules-load.service | sys-kernel-debug.mount | systemd-hwdb-update.service | sys-kernel-config.mount | dracut-shutdown.service | systemd-journal-flush.service | local-fs.target | boot.mount | boot-efi.mount | -.mount | ostree-remount.service | systemd-remount-fs.service | plymouth-start.service | systemd-binfmt.service | ldconfig.service | systemd-udev-trigger.service | systemd-boot-system-token.service | slices.target | system.slice | -.slice | sockets.target | systemd-journald.socket | systemd-journald-dev-log.socket | avahi-daemon.socket | sssd-kcm.socket | systemd-udevd-kernel.socket | cups.socket | iscsid.socket | iscsiuio.socket | systemd-udevd-control.socket | dbus.socket | dm-event.socket | systemd-coredump.socket | systemd-initctl.socket | multipathd.socket | microcode.service | timers.target | logrotate.timer | systemd-tmpfiles-clean.timer | dnf-makecache.timer | mlocate-updatedb.timer | low-memory-monitor.service | paths.target | nvmefc-boot-connections.service | chronyd.service | avahi-daemon.service | mcelog.service | cups.service | firewalld.service | rsyslog.service | irqbalance.service | plymouth-quit.service | crond.service | kdump.service | sshd.service | tuned.service | sssd.service | insights-client-boot.service | systemd-ask-password-wall.path | mdmonitor.service | systemd-update-utmp-runlevel.service | systemd-user-sessions.service | libstoragemgmt.service | auditd.service | rhsmcertd.service | remote-fs.target | iscsi.service | pmlogger.service | ModemManager.service | smartd.service | atd.service | getty.target | getty@tty1.service | ostree-readonly-sysroot-migration.service | vmtoolsd.service | pmie.service | NetworkManager.service | pmcd.service | cups.path | systemd-logind.service | plymouth-quit-wait.service |
systemd test
oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1
false
Following items have been found on the system:
Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
---|
multi-user.target | basic.target | sysinit.target | systemd-network-generator.service | sys-fs-fuse-connections.mount | lvm2-lvmpolld.socket | kmod-static-nodes.service | systemd-tmpfiles-setup.service | systemd-pcrphase-sysinit.service | systemd-random-seed.service | integritysetup.target | lvm2-monitor.service | selinux-autorelabel-mark.service | dev-mqueue.mount | systemd-pcrphase.service | nis-domainname.service | systemd-journald.service | systemd-update-utmp.service | systemd-sysusers.service | systemd-tmpfiles-setup-dev.service | cryptsetup.target | dev-hugepages.mount | iscsi-onboot.service | systemd-firstboot.service | systemd-sysctl.service | systemd-udevd.service | plymouth-read-write.service | systemd-journal-catalog-update.service | systemd-machine-id-commit.service | proc-sys-fs-binfmt_misc.automount | systemd-repart.service | veritysetup.target | swap.target | dev-mapper-rhel\x2dswap.swap | sys-kernel-tracing.mount | systemd-ask-password-console.path | systemd-update-done.service | multipathd.service | systemd-modules-load.service | sys-kernel-debug.mount | systemd-hwdb-update.service | sys-kernel-config.mount | dracut-shutdown.service | systemd-journal-flush.service | local-fs.target | boot.mount | boot-efi.mount | -.mount | ostree-remount.service | systemd-remount-fs.service | plymouth-start.service | systemd-binfmt.service | ldconfig.service | systemd-udev-trigger.service | systemd-boot-system-token.service | slices.target | system.slice | -.slice | sockets.target | systemd-journald.socket | systemd-journald-dev-log.socket | avahi-daemon.socket | sssd-kcm.socket | systemd-udevd-kernel.socket | cups.socket | iscsid.socket | iscsiuio.socket | systemd-udevd-control.socket | dbus.socket | dm-event.socket | systemd-coredump.socket | systemd-initctl.socket | multipathd.socket | microcode.service | timers.target | logrotate.timer | systemd-tmpfiles-clean.timer | dnf-makecache.timer | mlocate-updatedb.timer | low-memory-monitor.service | paths.target | nvmefc-boot-connections.service | chronyd.service | avahi-daemon.service | mcelog.service | cups.service | firewalld.service | rsyslog.service | irqbalance.service | plymouth-quit.service | crond.service | kdump.service | sshd.service | tuned.service | sssd.service | insights-client-boot.service | systemd-ask-password-wall.path | mdmonitor.service | systemd-update-utmp-runlevel.service | systemd-user-sessions.service | libstoragemgmt.service | auditd.service | rhsmcertd.service | remote-fs.target | iscsi.service | pmlogger.service | ModemManager.service | smartd.service | atd.service | getty.target | getty@tty1.service | ostree-readonly-sysroot-migration.service | vmtoolsd.service | pmie.service | NetworkManager.service | pmcd.service | cups.path | systemd-logind.service | plymouth-quit-wait.service |
Ensure rsyslog Default File Permissions Configuredxccdf_org.ssgproject.content_rule_rsyslog_filecreatemode mediumCCE-88322-3
Ensure rsyslog Default File Permissions Configured
Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_filecreatemode |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-rsyslog_filecreatemode:def:1 |
Time | 2023-11-27T20:52:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-88322-3 References:
4.2.1.4 |
Description | rsyslog will create logfiles that do not already exist on the system.
This settings controls what permissions will be applied to these newly
created files. |
Rationale | It is important to ensure that log files have the correct permissions
to ensure that sensitive data is archived and protected. |
|
|
OVAL test results details
rsyslog FileCreateMode is configured in only one place
oval:ssg-tst_filecreatemode_declared:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_filecreatemode:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^\/etc\/rsyslog(\.conf|\.d\/.*\.conf)$ | ^\$FileCreateMode\s+(\d+) | 1 |
Test if FileCreateMode value is valid
oval:ssg-tst_filecreatemode_valid:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_filecreatemode_dec:obj:1 of type
variable_object
Var ref |
---|
oval:ssg-var_filecreatemode_dec:var:1 |
Verify firewalld Enabledxccdf_org.ssgproject.content_rule_service_firewalld_enabled mediumCCE-90833-5
Verify firewalld Enabled
Rule ID | xccdf_org.ssgproject.content_rule_service_firewalld_enabled |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-service_firewalld_enabled:def:1 |
Time | 2023-11-27T20:52:51+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-90833-5 References:
A.8.SEC-RHEL3, 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.3, 3.4.7, CCI-000366, CCI-000382, CCI-002314, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CIP-003-8 R4, CIP-003-8 R5, CIP-004-6 R3, AC-4, CM-7(b), CA-3(5), SC-7(21), CM-6(a), PR.IP-1, FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00231, SRG-OS-000480-GPOS-00232, 3.4.1.2 |
Description |
The firewalld service can be enabled with the following command:
$ sudo systemctl enable firewalld.service |
Rationale | Access control methods provide the ability to enhance system security posture
by restricting services and known good IP addresses and address ranges. This
prevents connections from unknown hosts and protocols. |
OVAL test results details
package firewalld is installed
oval:ssg-test_service_firewalld_package_firewalld_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
firewalld | noarch | (none) | 1.el9 | 1.2.1 | 0:1.2.1-1.el9 | 199e2f91fd431d51 | firewalld-0:1.2.1-1.el9.noarch |
Test that the firewalld service is running
oval:ssg-test_service_running_firewalld:tst:1
true
Following items have been found on the system:
Unit | Property | Value |
---|
firewalld.service | ActiveState | active |
systemd test
oval:ssg-test_multi_user_wants_firewalld:tst:1
true
Following items have been found on the system:
Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
---|
multi-user.target | basic.target | sysinit.target | systemd-network-generator.service | sys-fs-fuse-connections.mount | lvm2-lvmpolld.socket | kmod-static-nodes.service | systemd-tmpfiles-setup.service | systemd-pcrphase-sysinit.service | systemd-random-seed.service | integritysetup.target | lvm2-monitor.service | selinux-autorelabel-mark.service | dev-mqueue.mount | systemd-pcrphase.service | nis-domainname.service | systemd-journald.service | systemd-update-utmp.service | systemd-sysusers.service | systemd-tmpfiles-setup-dev.service | cryptsetup.target | dev-hugepages.mount | iscsi-onboot.service | systemd-firstboot.service | systemd-sysctl.service | systemd-udevd.service | plymouth-read-write.service | systemd-journal-catalog-update.service | systemd-machine-id-commit.service | proc-sys-fs-binfmt_misc.automount | systemd-repart.service | veritysetup.target | swap.target | dev-mapper-rhel\x2dswap.swap | sys-kernel-tracing.mount | systemd-ask-password-console.path | systemd-update-done.service | multipathd.service | systemd-modules-load.service | sys-kernel-debug.mount | systemd-hwdb-update.service | sys-kernel-config.mount | dracut-shutdown.service | systemd-journal-flush.service | local-fs.target | boot.mount | boot-efi.mount | -.mount | ostree-remount.service | systemd-remount-fs.service | plymouth-start.service | systemd-binfmt.service | ldconfig.service | systemd-udev-trigger.service | systemd-boot-system-token.service | slices.target | system.slice | -.slice | sockets.target | systemd-journald.socket | systemd-journald-dev-log.socket | avahi-daemon.socket | sssd-kcm.socket | systemd-udevd-kernel.socket | cups.socket | iscsid.socket | iscsiuio.socket | systemd-udevd-control.socket | dbus.socket | dm-event.socket | systemd-coredump.socket | systemd-initctl.socket | multipathd.socket | microcode.service | timers.target | logrotate.timer | systemd-tmpfiles-clean.timer | dnf-makecache.timer | mlocate-updatedb.timer | low-memory-monitor.service | paths.target | nvmefc-boot-connections.service | chronyd.service | avahi-daemon.service | mcelog.service | cups.service | firewalld.service | rsyslog.service | irqbalance.service | plymouth-quit.service | crond.service | kdump.service | sshd.service | tuned.service | sssd.service | insights-client-boot.service | systemd-ask-password-wall.path | mdmonitor.service | systemd-update-utmp-runlevel.service | systemd-user-sessions.service | libstoragemgmt.service | auditd.service | rhsmcertd.service | remote-fs.target | iscsi.service | pmlogger.service | ModemManager.service | smartd.service | atd.service | getty.target | getty@tty1.service | ostree-readonly-sysroot-migration.service | vmtoolsd.service | pmie.service | NetworkManager.service | pmcd.service | cups.path | systemd-logind.service | plymouth-quit-wait.service |
systemd test
oval:ssg-test_multi_user_wants_firewalld_socket:tst:1
false
Following items have been found on the system:
Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
---|
multi-user.target | basic.target | sysinit.target | systemd-network-generator.service | sys-fs-fuse-connections.mount | lvm2-lvmpolld.socket | kmod-static-nodes.service | systemd-tmpfiles-setup.service | systemd-pcrphase-sysinit.service | systemd-random-seed.service | integritysetup.target | lvm2-monitor.service | selinux-autorelabel-mark.service | dev-mqueue.mount | systemd-pcrphase.service | nis-domainname.service | systemd-journald.service | systemd-update-utmp.service | systemd-sysusers.service | systemd-tmpfiles-setup-dev.service | cryptsetup.target | dev-hugepages.mount | iscsi-onboot.service | systemd-firstboot.service | systemd-sysctl.service | systemd-udevd.service | plymouth-read-write.service | systemd-journal-catalog-update.service | systemd-machine-id-commit.service | proc-sys-fs-binfmt_misc.automount | systemd-repart.service | veritysetup.target | swap.target | dev-mapper-rhel\x2dswap.swap | sys-kernel-tracing.mount | systemd-ask-password-console.path | systemd-update-done.service | multipathd.service | systemd-modules-load.service | sys-kernel-debug.mount | systemd-hwdb-update.service | sys-kernel-config.mount | dracut-shutdown.service | systemd-journal-flush.service | local-fs.target | boot.mount | boot-efi.mount | -.mount | ostree-remount.service | systemd-remount-fs.service | plymouth-start.service | systemd-binfmt.service | ldconfig.service | systemd-udev-trigger.service | systemd-boot-system-token.service | slices.target | system.slice | -.slice | sockets.target | systemd-journald.socket | systemd-journald-dev-log.socket | avahi-daemon.socket | sssd-kcm.socket | systemd-udevd-kernel.socket | cups.socket | iscsid.socket | iscsiuio.socket | systemd-udevd-control.socket | dbus.socket | dm-event.socket | systemd-coredump.socket | systemd-initctl.socket | multipathd.socket | microcode.service | timers.target | logrotate.timer | systemd-tmpfiles-clean.timer | dnf-makecache.timer | mlocate-updatedb.timer | low-memory-monitor.service | paths.target | nvmefc-boot-connections.service | chronyd.service | avahi-daemon.service | mcelog.service | cups.service | firewalld.service | rsyslog.service | irqbalance.service | plymouth-quit.service | crond.service | kdump.service | sshd.service | tuned.service | sssd.service | insights-client-boot.service | systemd-ask-password-wall.path | mdmonitor.service | systemd-update-utmp-runlevel.service | systemd-user-sessions.service | libstoragemgmt.service | auditd.service | rhsmcertd.service | remote-fs.target | iscsi.service | pmlogger.service | ModemManager.service | smartd.service | atd.service | getty.target | getty@tty1.service | ostree-readonly-sysroot-migration.service | vmtoolsd.service | pmie.service | NetworkManager.service | pmcd.service | cups.path | systemd-logind.service | plymouth-quit-wait.service |
Configure Firewalld to Restrict Loopback Trafficxccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_restricted mediumCCE-86137-7
Configure Firewalld to Restrict Loopback Traffic
Rule ID | xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_restricted |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-firewalld_loopback_traffic_restricted:def:1 |
Time | 2023-11-27T20:52:51+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86137-7 References:
A.8.SEC-RHEL3, 3.4.2.4 |
Description | Configure firewalld to restrict loopback traffic to the lo interface.
The loopback traffic must be trusted by assigning the lo interface to the
firewalld trusted zone. However, the loopback traffic must be restricted
to the loopback interface as an anti-spoofing measure.
To configure firewalld to restrict loopback traffic to the lo interface,
run the following commands:
sudo firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv4 source address="127.0.0.1" destination not address="127.0.0.1" drop'
sudo firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv6 source address="::1" destination not address="::1" drop'
To ensure firewalld settings are applied in runtime, run the following command:
firewall-cmd --reload |
Rationale | Loopback traffic is generated between processes on machine and is typically critical to
operation of the system. The loopback interface is the only place that loopback network
traffic should be seen, all other interfaces should ignore traffic on this network as an
anti-spoofing measure. |
|
|
OVAL test results details
there is no equivalent file for trusted zone defined by the administrator
oval:ssg-test_firewalld_trusted_zone_not_overridden:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_firewalld_customized_trusted_zone_file:obj:1 of type
file_object
Filepath |
---|
/etc/firewalld/zones/trusted.xml |
default trusted zone has rich-rule to restrict loopback source
oval:ssg-test_firewalld_loopback_restricted_source_usr:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_firewalld_loopback_restricted_source_usr:obj:1 of type
xmlfilecontent_object
Filepath | Xpath |
---|
/usr/lib/firewalld/zones/trusted.xml | /zone/rule/source[@address='127.0.0.1' or @address='::1'] |
default trusted zone has rich-rule to restrict loopback destination
oval:ssg-test_firewalld_loopback_restricted_destination_usr:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_firewalld_loopback_restricted_destination_usr:obj:1 of type
xmlfilecontent_object
Filepath | Xpath |
---|
/usr/lib/firewalld/zones/trusted.xml | /zone/rule/destination[@address='127.0.0.1' or @address='::1' and @invert='True'] |
default trusted zone has rich-rule to restrict loopback traffic
oval:ssg-test_firewalld_loopback_restricted_policy_usr:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_firewalld_loopback_restricted_policy_usr:obj:1 of type
xmlfilecontent_object
Filepath | Xpath |
---|
/usr/lib/firewalld/zones/trusted.xml | /zone/rule/drop |
custom trusted zone has rich-rule to restrict loopback source
oval:ssg-test_firewalld_loopback_restricted_source_etc:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_firewalld_loopback_restricted_source_etc:obj:1 of type
xmlfilecontent_object
Filepath | Xpath |
---|
/etc/firewalld/zones/trusted.xml | /zone/rule/source[@address='127.0.0.1' or @address='::1'] |
custom trusted zone has rich-rule to restrict loopback destination
oval:ssg-test_firewalld_loopback_restricted_destination_etc:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_firewalld_loopback_restricted_destination_etc:obj:1 of type
xmlfilecontent_object
Filepath | Xpath |
---|
/etc/firewalld/zones/trusted.xml | /zone/rule/destination[@address='127.0.0.1' or @address='::1' and @invert='True'] |
custom trusted zone has rich-rule to restrict loopback traffic
oval:ssg-test_firewalld_loopback_restricted_policy_etc:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_firewalld_loopback_restricted_policy_etc:obj:1 of type
xmlfilecontent_object
Filepath | Xpath |
---|
/etc/firewalld/zones/trusted.xml | /zone/rule/drop |
Configure Firewalld to Trust Loopback Trafficxccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_trusted mediumCCE-86116-1
Configure Firewalld to Trust Loopback Traffic
Rule ID | xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_trusted |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-firewalld_loopback_traffic_trusted:def:1 |
Time | 2023-11-27T20:52:51+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86116-1 References:
A.8.SEC-RHEL3, 3.4.2.4 |
Description | Assign loopback interface to the firewalld trusted zone in order to
explicitly allow the loopback traffic in the system.
To configure firewalld to trust loopback traffic, run the following command:
sudo firewall-cmd --permanent --zone=trusted --add-interface=lo
To ensure firewalld settings are applied in runtime, run the following command:
firewall-cmd --reload |
Rationale | Loopback traffic is generated between processes on machine and is typically critical to
operation of the system. The loopback interface is the only place that loopback network
traffic should be seen, all other interfaces should ignore traffic on this network as an
anti-spoofing measure. |
|
|
OVAL test results details
lo interface is assigned to the trusted zone by default
oval:ssg-test_firewalld_lo_interface_trusted_usr:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_firewalld_lo_interface_trusted_usr:obj:1 of type
xmlfilecontent_object
Filepath | Xpath |
---|
/usr/lib/firewalld/zones/trusted.xml | /zone/interface[@name='lo'] |
there is no equivalent file for trusted zone defined by the administrator
oval:ssg-test_firewalld_trusted_zone_not_overridden:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_firewalld_customized_trusted_zone_file:obj:1 of type
file_object
Filepath |
---|
/etc/firewalld/zones/trusted.xml |
lo interface is assigned to the custom trusted zone in /etc/firewalld/zones
oval:ssg-test_firewalld_lo_interface_trusted_etc:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_firewalld_lo_interface_trusted_etc:obj:1 of type
xmlfilecontent_object
Filepath | Xpath |
---|
/etc/firewalld/zones/trusted.xml | /zone/interface[@name='lo'] |
Set Default firewalld Zone for Incoming Packetsxccdf_org.ssgproject.content_rule_set_firewalld_default_zone mediumCCE-84023-1
Set Default firewalld Zone for Incoming Packets
Rule ID | xccdf_org.ssgproject.content_rule_set_firewalld_default_zone |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-set_firewalld_default_zone:def:1 |
Time | 2023-11-27T20:52:51+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84023-1 References:
A.8.SEC-RHEL3, 11, 14, 3, 9, 5.10.1, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.3, 3.4.7, 3.13.6, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, 1416, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CA-3(5), CM-7(b), SC-7(23), CM-6(a), PR.IP-1, PR.PT-3, FMT_MOF_EXT.1, Req-1.4, 1.5.1, SRG-OS-000480-GPOS-00227, 3.4.2.1 |
Description | To set the default zone to drop for
the built-in default zone which processes incoming IPv4 and IPv6 packets,
modify the following line in
/etc/firewalld/firewalld.conf to be:
DefaultZone=drop |
Rationale | In firewalld the default zone is applied only after all
the applicable rules in the table are examined for a match. Setting the
default zone to drop implements proper design for a firewall, i.e.
any packets which are not explicitly permitted should not be
accepted. |
Warnings | warning
To prevent denying any access to the system, automatic remediation
of this control is not available. Remediation must be automated as
a component of machine provisioning, or followed manually as outlined
above. |
OVAL test results details
Check /etc/firewalld/firewalld.conf DefaultZone for drop
oval:ssg-test_firewalld_input_drop:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_firewalld_input_drop:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/firewalld/firewalld.conf | ^DefaultZone=drop$ | 1 |
Configure Accepting Router Advertisements on All IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra mediumCCE-84120-5
Configure Accepting Router Advertisements on All IPv6 Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sysctl_net_ipv6_conf_all_accept_ra:def:1 |
Time | 2023-11-27T20:52:51+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84120-5 References:
A.8.SEC-RHEL6, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, 3.3.9 |
Description | To set the runtime status of the net.ipv6.conf.all.accept_ra kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv6.conf.all.accept_ra = 0 |
Rationale | An illicit router advertisement message could result in a man-in-the-middle attack. |
|
|
|
OVAL test results details
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
|
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
|
net.ipv6.conf.all.disable_ipv6 static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1
false
Following items have been found on the system:
Name | Value |
---|
net.ipv6.conf.all.disable_ipv6 | 0 |
net.ipv6.conf.all.accept_ra static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_accept_ra:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_accept_ra:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_accept_ra:obj:1
|
net.ipv6.conf.all.accept_ra static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_accept_ra:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_accept_ra:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_accept_ra:obj:1
|
net.ipv6.conf.all.accept_ra static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_accept_ra:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(.*)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.accept_ra set to the appropriate value
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_runtime:tst:1
false
Following items have been found on the system:
Name | Value |
---|
net.ipv6.conf.all.accept_ra | 1 |
Disable Accepting ICMP Redirects for All IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects mediumCCE-84125-4
Disable Accepting ICMP Redirects for All IPv6 Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sysctl_net_ipv6_conf_all_accept_redirects:def:1 |
Time | 2023-11-27T20:52:51+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84125-4 References:
BP28(R22), A.8.SEC-RHEL6, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, 3.3.2 |
Description | To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv6.conf.all.accept_redirects = 0 |
Rationale | An illicit ICMP redirect message could result in a man-in-the-middle attack. |
|
|
|
OVAL test results details
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
|
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
|
net.ipv6.conf.all.disable_ipv6 static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1
false
Following items have been found on the system:
Name | Value |
---|
net.ipv6.conf.all.disable_ipv6 | 0 |
net.ipv6.conf.all.accept_redirects static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_accept_redirects:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_accept_redirects:obj:1
|
net.ipv6.conf.all.accept_redirects static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_accept_redirects:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_accept_redirects:obj:1
|
net.ipv6.conf.all.accept_redirects static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(.*)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.accept_redirects set to the appropriate value
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_runtime:tst:1
false
Following items have been found on the system:
Name | Value |
---|
net.ipv6.conf.all.accept_redirects | 1 |
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route mediumCCE-84131-2
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sysctl_net_ipv6_conf_all_accept_source_route:def:1 |
Time | 2023-11-27T20:52:51+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84131-2 References:
BP28(R22), A.8.SEC-RHEL6, 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9, APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227, 3.3.1 |
Description | To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv6.conf.all.accept_source_route = 0 |
Rationale | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router, which can
be used to bypass network security measures. This requirement applies only to the
forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
the system is functioning as a router.
Accepting source-routed packets in the IPv6 protocol has few legitimate
uses. It should be disabled unless it is absolutely required. |
|
|
|
OVAL test results details
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
|
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
|
net.ipv6.conf.all.disable_ipv6 static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1
false
Following items have been found on the system:
Name | Value |
---|
net.ipv6.conf.all.disable_ipv6 | 0 |
net.ipv6.conf.all.accept_source_route static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_accept_source_route:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_accept_source_route:obj:1
|
net.ipv6.conf.all.accept_source_route static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_accept_source_route:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_accept_source_route:obj:1
|
net.ipv6.conf.all.accept_source_route static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(.*)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.accept_source_route set to the appropriate value
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_runtime:tst:1
true
Following items have been found on the system:
Name | Value |
---|
net.ipv6.conf.all.accept_source_route | 0 |
Disable Kernel Parameter for IPv6 Forwardingxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding mediumCCE-84114-8
Disable Kernel Parameter for IPv6 Forwarding
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sysctl_net_ipv6_conf_all_forwarding:def:1 |
Time | 2023-11-27T20:52:51+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84114-8 References:
1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, 3.2.1 |
Description | To set the runtime status of the net.ipv6.conf.all.forwarding kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.forwarding=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv6.conf.all.forwarding = 0 |
Rationale | IP forwarding permits the kernel to forward packets from one network
interface to another. The ability to forward packets between two networks is
only appropriate for systems acting as routers. |
|
|
OVAL test results details
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
|
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
|
net.ipv6.conf.all.disable_ipv6 static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1
false
Following items have been found on the system:
Name | Value |
---|
net.ipv6.conf.all.disable_ipv6 | 0 |
net.ipv6.conf.all.forwarding static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_forwarding:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_forwarding:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_forwarding:obj:1
|
net.ipv6.conf.all.forwarding static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_forwarding:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_forwarding:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_forwarding:obj:1
|
net.ipv6.conf.all.forwarding static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_forwarding:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.forwarding[\s]*=[\s]*(.*)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.forwarding set to the appropriate value
oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_runtime:tst:1
true
Following items have been found on the system:
Name | Value |
---|
net.ipv6.conf.all.forwarding | 0 |
Disable Accepting Router Advertisements on all IPv6 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra mediumCCE-84124-7
Disable Accepting Router Advertisements on all IPv6 Interfaces by Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sysctl_net_ipv6_conf_default_accept_ra:def:1 |
Time | 2023-11-27T20:52:51+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84124-7 References:
A.8.SEC-RHEL6, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, 3.3.9 |
Description | To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv6.conf.default.accept_ra = 0 |
Rationale | An illicit router advertisement message could result in a man-in-the-middle attack. |
|
|
|
OVAL test results details
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
|
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
|
net.ipv6.conf.all.disable_ipv6 static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1
false
Following items have been found on the system:
Name | Value |
---|
net.ipv6.conf.all.disable_ipv6 | 0 |
net.ipv6.conf.default.accept_ra static configuration
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_default_accept_ra:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_default_accept_ra:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_default_accept_ra:obj:1
|
net.ipv6.conf.default.accept_ra static configuration
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_default_accept_ra:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_default_accept_ra:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_default_accept_ra:obj:1
|
net.ipv6.conf.default.accept_ra static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_default_accept_ra:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(.*)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.default.accept_ra set to the appropriate value
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_runtime:tst:1
false
Following items have been found on the system:
Name | Value |
---|
net.ipv6.conf.default.accept_ra | 1 |
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects mediumCCE-84113-0
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sysctl_net_ipv6_conf_default_accept_redirects:def:1 |
Time | 2023-11-27T20:52:51+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84113-0 References:
BP28(R22), A.8.SEC-RHEL6, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, 3.3.2 |
Description | To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv6.conf.default.accept_redirects = 0 |
Rationale | An illicit ICMP redirect message could result in a man-in-the-middle attack. |
|
|
|
OVAL test results details
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
|
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
|
net.ipv6.conf.all.disable_ipv6 static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1
false
Following items have been found on the system:
Name | Value |
---|
net.ipv6.conf.all.disable_ipv6 | 0 |
net.ipv6.conf.default.accept_redirects static configuration
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_default_accept_redirects:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_default_accept_redirects:obj:1
|
net.ipv6.conf.default.accept_redirects static configuration
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_default_accept_redirects:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_default_accept_redirects:obj:1
|
net.ipv6.conf.default.accept_redirects static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(.*)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.default.accept_redirects set to the appropriate value
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_runtime:tst:1
false
Following items have been found on the system:
Name | Value |
---|
net.ipv6.conf.default.accept_redirects | 1 |
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route mediumCCE-84130-4
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sysctl_net_ipv6_conf_default_accept_source_route:def:1 |
Time | 2023-11-27T20:52:51+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84130-4 References:
BP28(R22), A.8.SEC-RHEL6, 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9, APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, Req-1.4.3, SRG-OS-000480-GPOS-00227, 3.3.1 |
Description | To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv6.conf.default.accept_source_route = 0 |
Rationale | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router, which can
be used to bypass network security measures. This requirement applies only to the
forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
the system is functioning as a router.
Accepting source-routed packets in the IPv6 protocol has few legitimate
uses. It should be disabled unless it is absolutely required. |
|
|
|
OVAL test results details
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
|
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
|
net.ipv6.conf.all.disable_ipv6 static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1
false
Following items have been found on the system:
Name | Value |
---|
net.ipv6.conf.all.disable_ipv6 | 0 |
net.ipv6.conf.default.accept_source_route static configuration
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_default_accept_source_route:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_default_accept_source_route:obj:1
|
net.ipv6.conf.default.accept_source_route static configuration
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_default_accept_source_route:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_default_accept_source_route:obj:1
|
net.ipv6.conf.default.accept_source_route static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(.*)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.default.accept_source_route set to the appropriate value
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_runtime:tst:1
true
Following items have been found on the system:
Name | Value |
---|
net.ipv6.conf.default.accept_source_route | 0 |
Disable Accepting ICMP Redirects for All IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects mediumCCE-84011-6
Disable Accepting ICMP Redirects for All IPv4 Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_all_accept_redirects:def:1 |
Time | 2023-11-27T20:52:51+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84011-6 References:
BP28(R22), A.8.SEC-RHEL6, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, 5.10.1.1, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000366, CCI-001503, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, 3.3.2 |
Description | To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.conf.all.accept_redirects = 0 |
Rationale | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages modify the
host's route table and are unauthenticated. An illicit ICMP redirect
message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be
disabled unless absolutely required." |
|
|
|
OVAL test results details
net.ipv4.conf.all.accept_redirects static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_accept_redirects:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_accept_redirects:obj:1
|
net.ipv4.conf.all.accept_redirects static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_accept_redirects:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_accept_redirects:obj:1
|
net.ipv4.conf.all.accept_redirects static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(.*)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.conf.all.accept_redirects set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_runtime:tst:1
false
Following items have been found on the system:
Name | Value |
---|
net.ipv4.conf.all.accept_redirects | 1 |
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route mediumCCE-84001-7
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_all_accept_source_route:def:1 |
Time | 2023-11-27T20:52:51+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84001-7 References:
BP28(R22), A.8.SEC-RHEL6, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, 3.3.1 |
Description | To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.conf.all.accept_source_route = 0 |
Rationale | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router,
which can be used to bypass network security measures. This requirement
applies only to the forwarding of source-routerd traffic, such as when IPv4
forwarding is enabled and the system is functioning as a router.
Accepting source-routed packets in the IPv4 protocol has few legitimate
uses. It should be disabled unless it is absolutely required. |
|
|
|
OVAL test results details
net.ipv4.conf.all.accept_source_route static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_accept_source_route:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_accept_source_route:obj:1
|
net.ipv4.conf.all.accept_source_route static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_accept_source_route:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_accept_source_route:obj:1
|
net.ipv4.conf.all.accept_source_route static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(.*)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.conf.all.accept_source_route set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_runtime:tst:1
true
Following items have been found on the system:
Name | Value |
---|
net.ipv4.conf.all.accept_source_route | 0 |
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians unknownCCE-84000-9
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_all_log_martians:def:1 |
Time | 2023-11-27T20:52:51+10:00 |
Severity | unknown |
Identifiers and References | Identifiers:
CCE-84000-9 References:
A.8.SEC-RHEL6, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.04, DSS03.05, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000126, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.11.2.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), SC-5(3)(a), DE.CM-1, PR.AC-3, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, 3.3.4 |
Description | To set the runtime status of the net.ipv4.conf.all.log_martians kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.log_martians=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.conf.all.log_martians = 1 |
Rationale | The presence of "martian" packets (which have impossible addresses)
as well as spoofed packets, source-routed packets, and redirects could be a
sign of nefarious network activity. Logging these packets enables this activity
to be detected. |
|
|
|
OVAL test results details
net.ipv4.conf.all.log_martians static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_log_martians:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_log_martians:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_log_martians:obj:1
|
net.ipv4.conf.all.log_martians static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_log_martians:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_log_martians:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_log_martians:obj:1
|
net.ipv4.conf.all.log_martians static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_all_log_martians:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(.*)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.conf.all.log_martians set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_runtime:tst:1
false
Following items have been found on the system:
Name | Value |
---|
net.ipv4.conf.all.log_martians | 0 |
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter mediumCCE-84008-2
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_all_rp_filter:def:1 |
Time | 2023-11-27T20:52:51+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84008-2 References:
BP28(R22), A.8.SEC-RHEL6, 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, Req-1.4.3, SRG-OS-000480-GPOS-00227, 3.3.7 |
Description | To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.conf.all.rp_filter = 1 |
Rationale | Enabling reverse path filtering drops packets with source addresses
that should not have been able to be received on the interface they were
received on. It should not be used on systems which are routers for
complicated networks, but is helpful for end hosts and routers serving small
networks. |
|
|
|
OVAL test results details
net.ipv4.conf.all.rp_filter static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_rp_filter:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_rp_filter:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_rp_filter:obj:1
|
net.ipv4.conf.all.rp_filter static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_rp_filter:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_rp_filter:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_rp_filter:obj:1
|
net.ipv4.conf.all.rp_filter static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_all_rp_filter:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(.*)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.conf.all.rp_filter set to 1 or 2
oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_runtime:tst:1
false
Following items have been found on the system:
Name | Value |
---|
net.ipv4.conf.all.rp_filter | 0 |
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects mediumCCE-84016-5
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_all_secure_redirects:def:1 |
Time | 2023-11-27T20:52:51+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84016-5 References:
BP28(R22), A.8.SEC-RHEL6, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-001503, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, Req-1.4.3, SRG-OS-000480-GPOS-00227, 3.3.3 |
Description | To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.conf.all.secure_redirects = 0 |
Rationale | Accepting "secure" ICMP redirects (from those gateways listed as
default gateways) has few legitimate uses. It should be disabled unless it is
absolutely required. |
|
|
|
OVAL test results details
net.ipv4.conf.all.secure_redirects static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_secure_redirects:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_secure_redirects:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_secure_redirects:obj:1
|
net.ipv4.conf.all.secure_redirects static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_secure_redirects:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_secure_redirects:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_secure_redirects:obj:1
|
net.ipv4.conf.all.secure_redirects static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_all_secure_redirects:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(.*)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.conf.all.secure_redirects set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_runtime:tst:1
false
Following items have been found on the system:
Name | Value |
---|
net.ipv4.conf.all.secure_redirects | 1 |
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects mediumCCE-84003-3
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_default_accept_redirects:def:1 |
Time | 2023-11-27T20:52:51+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84003-3 References:
BP28(R22), A.8.SEC-RHEL6, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, Req-1.4.3, SRG-OS-000480-GPOS-00227, 3.3.2 |
Description | To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.conf.default.accept_redirects = 0 |
Rationale | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages modify the
host's route table and are unauthenticated. An illicit ICMP redirect
message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should
be disabled unless absolutely required. |
|
|
|
OVAL test results details
net.ipv4.conf.default.accept_redirects static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_accept_redirects:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_accept_redirects:obj:1
|
net.ipv4.conf.default.accept_redirects static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_accept_redirects:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_accept_redirects:obj:1
|
net.ipv4.conf.default.accept_redirects static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(.*)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.conf.default.accept_redirects set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_runtime:tst:1
false
Following items have been found on the system:
Name | Value |
---|
net.ipv4.conf.default.accept_redirects | 1 |
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route mediumCCE-84007-4
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_default_accept_source_route:def:1 |
Time | 2023-11-27T20:52:51+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84007-4 References:
BP28(R22), A.8.SEC-RHEL6, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, 3.3.1 |
Description | To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.conf.default.accept_source_route = 0 |
Rationale | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router,
which can be used to bypass network security measures.
Accepting source-routed packets in the IPv4 protocol has few legitimate
uses. It should be disabled unless it is absolutely required, such as when
IPv4 forwarding is enabled and the system is legitimately functioning as a
router. |
OVAL test results details
net.ipv4.conf.default.accept_source_route static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_accept_source_route:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_accept_source_route:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_accept_source_route:obj:1
|
net.ipv4.conf.default.accept_source_route static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_accept_source_route:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_accept_source_route:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_accept_source_route:obj:1
|
net.ipv4.conf.default.accept_source_route static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static_pkg_correct:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/usr/lib/sysctl.d/50-default.conf | net.ipv4.conf.default.accept_source_route = 0 |
kernel runtime parameter net.ipv4.conf.default.accept_source_route set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_runtime:tst:1
true
Following items have been found on the system:
Name | Value |
---|
net.ipv4.conf.default.accept_source_route | 0 |
Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians unknownCCE-84014-0
Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_default_log_martians:def:1 |
Time | 2023-11-27T20:52:51+10:00 |
Severity | unknown |
Identifiers and References | Identifiers:
CCE-84014-0 References:
A.8.SEC-RHEL6, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.04, DSS03.05, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000126, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.11.2.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), SC-5(3)(a), DE.CM-1, PR.AC-3, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, 3.3.4 |
Description | To set the runtime status of the net.ipv4.conf.default.log_martians kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.log_martians=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.conf.default.log_martians = 1 |
Rationale | The presence of "martian" packets (which have impossible addresses)
as well as spoofed packets, source-routed packets, and redirects could be a
sign of nefarious network activity. Logging these packets enables this activity
to be detected. |
|
|
|
OVAL test results details
net.ipv4.conf.default.log_martians static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_log_martians:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_log_martians:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_log_martians:obj:1
|
net.ipv4.conf.default.log_martians static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_log_martians:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_log_martians:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_log_martians:obj:1
|
net.ipv4.conf.default.log_martians static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_default_log_martians:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(.*)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.conf.default.log_martians set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_runtime:tst:1
false
Following items have been found on the system:
Name | Value |
---|
net.ipv4.conf.default.log_martians | 0 |
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter mediumCCE-84009-0
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_default_rp_filter:def:1 |
Time | 2023-11-27T20:52:51+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84009-0 References:
BP28(R22), A.8.SEC-RHEL6, 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227, 3.3.7 |
Description | To set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.rp_filter=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.conf.default.rp_filter = 1 |
Rationale | Enabling reverse path filtering drops packets with source addresses
that should not have been able to be received on the interface they were
received on. It should not be used on systems which are routers for
complicated networks, but is helpful for end hosts and routers serving small
networks. |
|
|
|
OVAL test results details
net.ipv4.conf.default.rp_filter static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_rp_filter:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_rp_filter:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_rp_filter:obj:1
|
net.ipv4.conf.default.rp_filter static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_rp_filter:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_rp_filter:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_rp_filter:obj:1
|
net.ipv4.conf.default.rp_filter static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_static_pkg_correct:tst:1
false
Following items have been found on the system:
Path | Content |
---|
/usr/lib/sysctl.d/50-redhat.conf | net.ipv4.conf.default.rp_filter = 1 |
/usr/lib/sysctl.d/50-default.conf | net.ipv4.conf.default.rp_filter = 2 |
kernel runtime parameter net.ipv4.conf.default.rp_filter set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_runtime:tst:1
true
Following items have been found on the system:
Name | Value |
---|
net.ipv4.conf.default.rp_filter | 1 |
Configure Kernel Parameter for Accepting Secure Redirects By Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects mediumCCE-84019-9
Configure Kernel Parameter for Accepting Secure Redirects By Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_default_secure_redirects:def:1 |
Time | 2023-11-27T20:52:51+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84019-9 References:
BP28(R22), A.8.SEC-RHEL6, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, 3.3.3 |
Description | To set the runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.conf.default.secure_redirects = 0 |
Rationale | Accepting "secure" ICMP redirects (from those gateways listed as
default gateways) has few legitimate uses. It should be disabled unless it is
absolutely required. |
|
|
|
OVAL test results details
net.ipv4.conf.default.secure_redirects static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_secure_redirects:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_secure_redirects:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_secure_redirects:obj:1
|
net.ipv4.conf.default.secure_redirects static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_secure_redirects:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_secure_redirects:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_secure_redirects:obj:1
|
net.ipv4.conf.default.secure_redirects static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_default_secure_redirects:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(.*)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.conf.default.secure_redirects set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_runtime:tst:1
false
Following items have been found on the system:
Name | Value |
---|
net.ipv4.conf.default.secure_redirects | 1 |
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts mediumCCE-84004-1
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts:def:1 |
Time | 2023-11-27T20:52:51+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84004-1 References:
A.8.SEC-RHEL6, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, Req-1.4.3, SRG-OS-000480-GPOS-00227, 3.3.5 |
Description | To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.icmp_echo_ignore_broadcasts = 1 |
Rationale | Responding to broadcast (ICMP) echoes facilitates network mapping
and provides a vector for amplification attacks.
Ignoring ICMP echo requests (pings) sent to broadcast or multicast
addresses makes the system slightly more difficult to enumerate on the network. |
|
|
|
OVAL test results details
net.ipv4.icmp_echo_ignore_broadcasts static configuration
oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1
|
net.ipv4.icmp_echo_ignore_broadcasts static configuration
oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1
|
net.ipv4.icmp_echo_ignore_broadcasts static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(.*)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.icmp_echo_ignore_broadcasts set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_runtime:tst:1
true
Following items have been found on the system:
Name | Value |
---|
net.ipv4.icmp_echo_ignore_broadcasts | 1 |
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses unknownCCE-84015-7
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses:def:1 |
Time | 2023-11-27T20:52:51+10:00 |
Severity | unknown |
Identifiers and References | Identifiers:
CCE-84015-7 References:
BP28(R22), A.8.SEC-RHEL6, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, Req-1.4.3, SRG-OS-000480-GPOS-00227, 3.3.6 |
Description | To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.icmp_ignore_bogus_error_responses = 1 |
Rationale | Ignoring bogus ICMP error responses reduces
log size, although some activity would not be logged. |
|
|
|
OVAL test results details
net.ipv4.icmp_ignore_bogus_error_responses static configuration
oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1
|
net.ipv4.icmp_ignore_bogus_error_responses static configuration
oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1
|
net.ipv4.icmp_ignore_bogus_error_responses static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(.*)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.icmp_ignore_bogus_error_responses set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_runtime:tst:1
true
Following items have been found on the system:
Name | Value |
---|
net.ipv4.icmp_ignore_bogus_error_responses | 1 |
Enable Kernel Parameter to Use TCP Syncookies on Network Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies mediumCCE-84006-6
Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sysctl_net_ipv4_tcp_syncookies:def:1 |
Time | 2023-11-27T20:52:52+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84006-6 References:
BP28(R22), A.8.SEC-RHEL6, 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, CCI-001095, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), SC-5(1), SC-5(2), SC-5(3)(a), CM-6(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, Req-1.4.1, SRG-OS-000480-GPOS-00227, SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPOS-00071, 3.3.8 |
Description | To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.tcp_syncookies = 1 |
Rationale | A TCP SYN flood attack can cause a denial of service by filling a
system's TCP connection table with connections in the SYN_RCVD state.
Syncookies can be used to track a connection when a subsequent ACK is received,
verifying the initiator is attempting a valid connection and is not a flood
source. This feature is activated when a flood condition is detected, and
enables the system to continue servicing valid connection requests. |
|
|
|
OVAL test results details
net.ipv4.tcp_syncookies static configuration
oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_tcp_syncookies:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_tcp_syncookies:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_tcp_syncookies:obj:1
|
net.ipv4.tcp_syncookies static configuration
oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_tcp_syncookies:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_tcp_syncookies:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_tcp_syncookies:obj:1
|
net.ipv4.tcp_syncookies static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_tcp_syncookies:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.tcp_syncookies[\s]*=[\s]*(.*)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.tcp_syncookies set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_runtime:tst:1
true
Following items have been found on the system:
Name | Value |
---|
net.ipv4.tcp_syncookies | 1 |
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects mediumCCE-83997-7
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_all_send_redirects:def:1 |
Time | 2023-11-27T20:52:52+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83997-7 References:
BP28(R22), A.8.SEC-RHEL6, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, 1.4.2, SRG-OS-000480-GPOS-00227, 3.2.2 |
Description | To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.conf.all.send_redirects = 0 |
Rationale | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers. |
|
|
|
OVAL test results details
net.ipv4.conf.all.send_redirects static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_send_redirects:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_send_redirects:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_send_redirects:obj:1
|
net.ipv4.conf.all.send_redirects static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_send_redirects:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_send_redirects:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_send_redirects:obj:1
|
net.ipv4.conf.all.send_redirects static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_all_send_redirects:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*(.*)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.conf.all.send_redirects set to 0
oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_runtime:tst:1
false
Following items have been found on the system:
Name | Value |
---|
net.ipv4.conf.all.send_redirects | 1 |
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects mediumCCE-83999-3
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_default_send_redirects:def:1 |
Time | 2023-11-27T20:52:52+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83999-3 References:
BP28(R22), A.8.SEC-RHEL6, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, 3.2.2 |
Description | To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.conf.default.send_redirects = 0 |
Rationale | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers. |
|
|
|
OVAL test results details
net.ipv4.conf.default.send_redirects static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_send_redirects:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_send_redirects:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_send_redirects:obj:1
|
net.ipv4.conf.default.send_redirects static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_send_redirects:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_send_redirects:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_send_redirects:obj:1
|
net.ipv4.conf.default.send_redirects static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_default_send_redirects:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*(.*)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.conf.default.send_redirects set to 0
oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_runtime:tst:1
false
Following items have been found on the system:
Name | Value |
---|
net.ipv4.conf.default.send_redirects | 1 |
Disable Kernel Parameter for IP Forwarding on IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward mediumCCE-83998-5
Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sysctl_net_ipv4_ip_forward:def:1 |
Time | 2023-11-27T20:52:52+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83998-5 References:
BP28(R22), A.8.SEC-RHEL6, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4, Req-1.3.1, Req-1.3.2, 1.4.2, SRG-OS-000480-GPOS-00227, 3.2.1 |
Description | To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_forward=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.ip_forward = 0 |
Rationale | Routing protocol daemons are typically used on routers to exchange
network topology information with other routers. If this capability is used when
not required, system network information may be unnecessarily transmitted across
the network. |
Warnings | warning
Certain technologies such as virtual machines, containers, etc. rely on IPv4 forwarding to enable and use networking.
Disabling IPv4 forwarding would cause those technologies to stop working. Therefore, this rule should not be used in
profiles or benchmarks that target usage of IPv4 forwarding. |
|
|
OVAL test results details
net.ipv4.ip_forward static configuration
oval:ssg-test_sysctl_net_ipv4_ip_forward_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_ip_forward:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_ip_forward:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_ip_forward:obj:1
|
net.ipv4.ip_forward static configuration
oval:ssg-test_sysctl_net_ipv4_ip_forward_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_ip_forward:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_ip_forward:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_ip_forward:obj:1
|
net.ipv4.ip_forward static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_ip_forward_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_ip_forward:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.ip_forward[\s]*=[\s]*(.*)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.ip_forward set to 0
oval:ssg-test_sysctl_net_ipv4_ip_forward_runtime:tst:1
true
Following items have been found on the system:
Name | Value |
---|
net.ipv4.ip_forward | 0 |
Install nftables Packagexccdf_org.ssgproject.content_rule_package_nftables_installed mediumCCE-86378-7
Install nftables Package
Rule ID | xccdf_org.ssgproject.content_rule_package_nftables_installed |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_nftables_installed:def:1 |
Time | 2023-11-27T20:52:52+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86378-7 References:
3.4.1.1 |
Description | nftables provides a new in-kernel packet classification framework that is based on a
network-specific Virtual Machine (VM) and a new nft userspace command line tool.
nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure,
the connection tracking system, NAT, userspace queuing and logging subsystem.
The nftables package can be installed with the following command:
$ sudo dnf install nftables |
Rationale | nftables is a subsystem of the Linux kernel that can protect against threats
originating from within a corporate network to include malicious mobile code and poorly
configured software on a host.
|
OVAL test results details
package nftables is installed
oval:ssg-test_package_nftables_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
nftables | x86_64 | 1 | 10.el9_1 | 1.0.4 | 1:1.0.4-10.el9_1 | 199e2f91fd431d51 | nftables-1:1.0.4-10.el9_1.x86_64 |
Verify nftables Service is Disabledxccdf_org.ssgproject.content_rule_service_nftables_disabled mediumCCE-88429-6
Verify nftables Service is Disabled
Rule ID | xccdf_org.ssgproject.content_rule_service_nftables_disabled |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-service_nftables_disabled:def:1 |
Time | 2023-11-27T20:52:52+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-88429-6 References:
A.8.SEC-RHEL3, 3.4.1.2 |
Description | nftables is a subsystem of the Linux kernel providing filtering and classification of network
packets/datagrams/frames and is the successor to iptables.
The nftables service can be disabled with the following command:
systemctl disable nftables |
Rationale | Running both firewalld and nftables may lead to conflict. nftables
is actually one of the backends for firewalld management tools. |
|
|
|
|
|
OVAL test results details
package nftables is removed
oval:ssg-test_service_nftables_package_nftables_removed:tst:1
false
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
nftables | x86_64 | 1 | 10.el9_1 | 1.0.4 | 1:1.0.4-10.el9_1 | 199e2f91fd431d51 | nftables-1:1.0.4-10.el9_1.x86_64 |
Test that the nftables service is not running
oval:ssg-test_service_not_running_nftables:tst:1
true
Following items have been found on the system:
Unit | Property | Value |
---|
nftables.service | ActiveState | inactive |
Test that the property LoadState from the service nftables is masked
oval:ssg-test_service_loadstate_is_masked_nftables:tst:1
false
Following items have been found on the system:
Unit | Property | Value |
---|
nftables.service | LoadState | loaded |
Ensure a Table Exists for Nftablesxccdf_org.ssgproject.content_rule_set_nftables_table mediumCCE-86163-3
Ensure a Table Exists for Nftables
Rule ID | xccdf_org.ssgproject.content_rule_set_nftables_table |
Result | |
Multi-check rule | no |
Time | 2023-11-27T20:52:52+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86163-3 References:
3.4.2.2 |
Description | Tables in nftables hold chains. Each table only has one address family and only applies
to packets of this family. Tables can have one of six families. |
Rationale | Nftables doesn't have any default tables. Without a table being built, nftables will not filter
network traffic.
Note: adding rules to a running nftables can cause loss of connectivity to the system. |
Warnings | warning
Adding rules to a running nftables can cause loss of connectivity to the system. |
Evaluation messagesinfo
No candidate or applicable check found. |
Disable TIPC Supportxccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled lowCCE-84065-2
Disable TIPC Support
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-kernel_module_tipc_disabled:def:1 |
Time | 2023-11-27T20:52:52+10:00 |
Severity | low |
Identifiers and References | Identifiers:
CCE-84065-2 References:
11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049, 3.1.3 |
Description | The Transparent Inter-Process Communication (TIPC) protocol
is designed to provide communications between nodes in a
cluster.
To configure the system to prevent the tipc
kernel module from being loaded, add the following line to the file /etc/modprobe.d/tipc.conf :
install tipc /bin/true |
Rationale | Disabling TIPC protects
the system against exploitation of any flaws in its implementation. |
Warnings | warning
This configuration baseline was created to deploy the base operating system for general purpose
workloads. When the operating system is configured for certain purposes, such as
a node in High Performance Computing cluster, it is expected that
the tipc kernel module will be loaded. |
|
|
|
OVAL test results details
kernel module tipc blacklisted
oval:ssg-test_kernmod_tipc_blacklisted:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_tipc_blacklisted:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/modprobe.d | /etc/modules-load.d | /run/modprobe.d | /run/modules-load.d | /usr/lib/modprobe.d | /usr/lib/modules-load.d |
| ^.*\.conf$ | ^blacklist\s+tipc$ | 1 |
kernel module tipc disabled
oval:ssg-test_kernmod_tipc_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_tipc_disabled:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/modprobe.d | /etc/modules-load.d | /run/modprobe.d | /run/modules-load.d | /usr/lib/modprobe.d | /usr/lib/modules-load.d |
| ^.*\.conf$ | ^\s*install\s+tipc\s+(/bin/false|/bin/true)$ | 1 |
Deactivate Wireless Network Interfacesxccdf_org.ssgproject.content_rule_wireless_disable_interfaces mediumCCE-84066-0
Deactivate Wireless Network Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_wireless_disable_interfaces |
Result | |
Multi-check rule | no |
Time | 2023-11-27T20:52:52+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84066-0 References:
11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 3.1.16, CCI-000085, CCI-002418, CCI-002421, CCI-001443, CCI-001444, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 1315, 1319, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, Req-1.3.3, 1.4.3, SRG-OS-000299-GPOS-00117, SRG-OS-000300-GPOS-00118, SRG-OS-000424-GPOS-00188, SRG-OS-000481-GPOS-000481, 3.1.2 |
Description | Deactivating wireless network interfaces should prevent normal usage of the wireless
capability.
Configure the system to disable all wireless network interfaces with the following command:
$ sudo nmcli radio all off |
Rationale | The use of wireless networking can introduce many different attack vectors into
the organization's network. Common attack vectors such as malicious association
and ad hoc networks will allow an attacker to spoof a wireless access point
(AP), allowing validated systems to connect to the malicious AP and enabling the
attacker to monitor and record network traffic. These malicious APs can also
serve to create a man-in-the-middle attack or be used to create a denial of
service to valid network resources. |
Verify Group Who Owns Backup group Filexccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_group mediumCCE-83928-2
Verify Group Who Owns Backup group File
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_group |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_backup_etc_group:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83928-2 References:
CCI-002223, AC-6 (1), Req-8.7, 7.2.6, SRG-OS-000480-GPOS-00227, 6.1.4 |
Description | To properly set the group owner of /etc/group- , run the command: $ sudo chgrp root /etc/group- |
Rationale | The /etc/group- file is a backup file of /etc/group , and as such,
it contains information regarding groups that are configured on the system.
Protection of this file is important for system security. |
OVAL test results details
Testing group ownership of /etc/group-
oval:ssg-test_file_groupowner_backup_etc_group_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_backup_etc_group_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/group- | oval:ssg-symlink_file_groupowner_backup_etc_group_uid_0:ste:1 | oval:ssg-state_file_groupowner_backup_etc_group_gid_0_0:ste:1 |
Verify Group Who Owns Backup gshadow Filexccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_gshadow mediumCCE-83951-4
Verify Group Who Owns Backup gshadow File
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_gshadow |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_backup_etc_gshadow:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83951-4 References:
CCI-002223, AC-6 (1), Req-8.7, 7.2.6, SRG-OS-000480-GPOS-00227, 6.1.8 |
Description | To properly set the group owner of /etc/gshadow- , run the command: $ sudo chgrp root /etc/gshadow- |
Rationale | The /etc/gshadow- file is a backup of /etc/gshadow , and as such,
it contains group password hashes. Protection of this file is critical for system security. |
OVAL test results details
Testing group ownership of /etc/gshadow-
oval:ssg-test_file_groupowner_backup_etc_gshadow_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_backup_etc_gshadow_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/gshadow- | oval:ssg-symlink_file_groupowner_backup_etc_gshadow_uid_0:ste:1 | oval:ssg-state_file_groupowner_backup_etc_gshadow_gid_0_0:ste:1 |
Verify Group Who Owns Backup passwd Filexccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_passwd mediumCCE-83933-2
Verify Group Who Owns Backup passwd File
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_passwd |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_backup_etc_passwd:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83933-2 References:
CCI-002223, AC-6 (1), Req-8.7, 7.2.6, SRG-OS-000480-GPOS-00227, 6.1.2 |
Description | To properly set the group owner of /etc/passwd- , run the command: $ sudo chgrp root /etc/passwd- |
Rationale | The /etc/passwd- file is a backup file of /etc/passwd , and as such,
it contains information about the users that are configured on the system.
Protection of this file is critical for system security. |
OVAL test results details
Testing group ownership of /etc/passwd-
oval:ssg-test_file_groupowner_backup_etc_passwd_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_backup_etc_passwd_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/passwd- | oval:ssg-symlink_file_groupowner_backup_etc_passwd_uid_0:ste:1 | oval:ssg-state_file_groupowner_backup_etc_passwd_gid_0_0:ste:1 |
Verify User Who Owns Backup shadow Filexccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_shadow mediumCCE-83938-1
Verify User Who Owns Backup shadow File
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_shadow |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_backup_etc_shadow:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83938-1 References:
Req-8.7, 7.2.6, SRG-OS-000480-GPOS-00227, 6.1.6 |
Description | To properly set the group owner of /etc/shadow- , run the command: $ sudo chgrp root /etc/shadow- |
Rationale | The /etc/shadow- file is a backup file of /etc/shadow , and as such,
it contains the list of local system accounts and password hashes.
Protection of this file is critical for system security. |
OVAL test results details
Testing group ownership of /etc/shadow-
oval:ssg-test_file_groupowner_backup_etc_shadow_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_backup_etc_shadow_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/shadow- | oval:ssg-symlink_file_groupowner_backup_etc_shadow_uid_0:ste:1 | oval:ssg-state_file_groupowner_backup_etc_shadow_gid_0_0:ste:1 |
Verify Group Who Owns group Filexccdf_org.ssgproject.content_rule_file_groupowner_etc_group mediumCCE-83945-6
Verify Group Who Owns group File
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_etc_group:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83945-6 References:
12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227, 6.1.3 |
Description | To properly set the group owner of /etc/group , run the command: $ sudo chgrp root /etc/group |
Rationale | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. |
OVAL test results details
Testing group ownership of /etc/group
oval:ssg-test_file_groupowner_etc_group_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_etc_group_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/group | oval:ssg-symlink_file_groupowner_etc_group_uid_0:ste:1 | oval:ssg-state_file_groupowner_etc_group_gid_0_0:ste:1 |
Verify Group Who Owns gshadow Filexccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow mediumCCE-83948-0
Verify Group Who Owns gshadow File
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_etc_gshadow:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83948-0 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 6.1.7 |
Description | To properly set the group owner of /etc/gshadow , run the command: $ sudo chgrp root /etc/gshadow |
Rationale | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. |
OVAL test results details
Testing group ownership of /etc/gshadow
oval:ssg-test_file_groupowner_etc_gshadow_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_etc_gshadow_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/gshadow | oval:ssg-symlink_file_groupowner_etc_gshadow_uid_0:ste:1 | oval:ssg-state_file_groupowner_etc_gshadow_gid_0_0:ste:1 |
Verify Group Who Owns passwd Filexccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd mediumCCE-83950-6
Verify Group Who Owns passwd File
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_etc_passwd:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83950-6 References:
12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227, 6.1.1 |
Description | To properly set the group owner of /etc/passwd , run the command: $ sudo chgrp root /etc/passwd |
Rationale | The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. |
OVAL test results details
Testing group ownership of /etc/passwd
oval:ssg-test_file_groupowner_etc_passwd_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_etc_passwd_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/passwd | oval:ssg-symlink_file_groupowner_etc_passwd_uid_0:ste:1 | oval:ssg-state_file_groupowner_etc_passwd_gid_0_0:ste:1 |
Verify Group Who Owns shadow Filexccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow mediumCCE-83930-8
Verify Group Who Owns shadow File
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_etc_shadow:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83930-8 References:
12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227, 6.1.5 |
Description | To properly set the group owner of /etc/shadow , run the command: $ sudo chgrp root /etc/shadow |
Rationale | The /etc/shadow file stores password hashes. Protection of this file is
critical for system security. |
OVAL test results details
Testing group ownership of /etc/shadow
oval:ssg-test_file_groupowner_etc_shadow_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_etc_shadow_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/shadow | oval:ssg-symlink_file_groupowner_etc_shadow_uid_0:ste:1 | oval:ssg-state_file_groupowner_etc_shadow_gid_0_0:ste:1 |
Verify User Who Owns Backup group Filexccdf_org.ssgproject.content_rule_file_owner_backup_etc_group mediumCCE-83944-9
Verify User Who Owns Backup group File
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_backup_etc_group:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83944-9 References:
CCI-002223, AC-6 (1), Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227, 6.1.4 |
Description | To properly set the owner of /etc/group- , run the command: $ sudo chown root /etc/group- |
Rationale | The /etc/group- file is a backup file of /etc/group , and as such,
it contains information regarding groups that are configured on the system.
Protection of this file is important for system security. |
OVAL test results details
Testing user ownership of /etc/group-
oval:ssg-test_file_owner_backup_etc_group_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_backup_etc_group_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/group- | oval:ssg-symlink_file_owner_backup_etc_group_uid_0:ste:1 | oval:ssg-state_file_owner_backup_etc_group_uid_0_0:ste:1 |
Verify User Who Owns Backup gshadow Filexccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow mediumCCE-83929-0
Verify User Who Owns Backup gshadow File
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_backup_etc_gshadow:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83929-0 References:
CCI-002223, AC-6 (1), Req-8.7, 7.2.6, SRG-OS-000480-GPOS-00227, 6.1.8 |
Description | To properly set the owner of /etc/gshadow- , run the command: $ sudo chown root /etc/gshadow- |
Rationale | The /etc/gshadow- file is a backup of /etc/gshadow , and as such,
it contains group password hashes. Protection of this file is critical for system security. |
OVAL test results details
Testing user ownership of /etc/gshadow-
oval:ssg-test_file_owner_backup_etc_gshadow_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_backup_etc_gshadow_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/gshadow- | oval:ssg-symlink_file_owner_backup_etc_gshadow_uid_0:ste:1 | oval:ssg-state_file_owner_backup_etc_gshadow_uid_0_0:ste:1 |
Verify User Who Owns Backup passwd Filexccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd mediumCCE-83947-2
Verify User Who Owns Backup passwd File
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_backup_etc_passwd:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83947-2 References:
CCI-002223, AC-6 (1), Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227, 6.1.2 |
Description | To properly set the owner of /etc/passwd- , run the command: $ sudo chown root /etc/passwd- |
Rationale | The /etc/passwd- file is a backup file of /etc/passwd , and as such,
it contains information about the users that are configured on the system.
Protection of this file is critical for system security. |
OVAL test results details
Testing user ownership of /etc/passwd-
oval:ssg-test_file_owner_backup_etc_passwd_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_backup_etc_passwd_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/passwd- | oval:ssg-symlink_file_owner_backup_etc_passwd_uid_0:ste:1 | oval:ssg-state_file_owner_backup_etc_passwd_uid_0_0:ste:1 |
Verify Group Who Owns Backup shadow Filexccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow mediumCCE-83949-8
Verify Group Who Owns Backup shadow File
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_backup_etc_shadow:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83949-8 References:
CCI-002223, AC-6 (1), Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227, 6.1.6 |
Description | To properly set the owner of /etc/shadow- , run the command: $ sudo chown root /etc/shadow- |
Rationale | The /etc/shadow- file is a backup file of /etc/shadow , and as such,
it contains the list of local system accounts and password hashes.
Protection of this file is critical for system security. |
OVAL test results details
Testing user ownership of /etc/shadow-
oval:ssg-test_file_owner_backup_etc_shadow_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_backup_etc_shadow_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/shadow- | oval:ssg-symlink_file_owner_backup_etc_shadow_uid_0:ste:1 | oval:ssg-state_file_owner_backup_etc_shadow_uid_0_0:ste:1 |
Verify User Who Owns group Filexccdf_org.ssgproject.content_rule_file_owner_etc_group mediumCCE-83925-8
Verify User Who Owns group File
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_group |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_etc_group:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83925-8 References:
12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227, 6.1.3 |
Description | To properly set the owner of /etc/group , run the command: $ sudo chown root /etc/group |
Rationale | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. |
OVAL test results details
Testing user ownership of /etc/group
oval:ssg-test_file_owner_etc_group_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_etc_group_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/group | oval:ssg-symlink_file_owner_etc_group_uid_0:ste:1 | oval:ssg-state_file_owner_etc_group_uid_0_0:ste:1 |
Verify User Who Owns gshadow Filexccdf_org.ssgproject.content_rule_file_owner_etc_gshadow mediumCCE-83924-1
Verify User Who Owns gshadow File
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_etc_gshadow:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83924-1 References:
BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 6.1.7 |
Description | To properly set the owner of /etc/gshadow , run the command: $ sudo chown root /etc/gshadow |
Rationale | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. |
OVAL test results details
Testing user ownership of /etc/gshadow
oval:ssg-test_file_owner_etc_gshadow_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_etc_gshadow_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/gshadow | oval:ssg-symlink_file_owner_etc_gshadow_uid_0:ste:1 | oval:ssg-state_file_owner_etc_gshadow_uid_0_0:ste:1 |
Verify User Who Owns passwd Filexccdf_org.ssgproject.content_rule_file_owner_etc_passwd mediumCCE-83943-1
Verify User Who Owns passwd File
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_passwd |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_etc_passwd:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83943-1 References:
12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227, 6.1.1 |
Description | To properly set the owner of /etc/passwd , run the command: $ sudo chown root /etc/passwd |
Rationale | The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. |
OVAL test results details
Testing user ownership of /etc/passwd
oval:ssg-test_file_owner_etc_passwd_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_etc_passwd_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/passwd | oval:ssg-symlink_file_owner_etc_passwd_uid_0:ste:1 | oval:ssg-state_file_owner_etc_passwd_uid_0_0:ste:1 |
Verify User Who Owns shadow Filexccdf_org.ssgproject.content_rule_file_owner_etc_shadow mediumCCE-83926-6
Verify User Who Owns shadow File
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_shadow |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_etc_shadow:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83926-6 References:
BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227, 6.1.5 |
Description | To properly set the owner of /etc/shadow , run the command: $ sudo chown root /etc/shadow |
Rationale | The /etc/shadow file contains the list of local
system accounts and stores password hashes. Protection of this file is
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture. |
OVAL test results details
Testing user ownership of /etc/shadow
oval:ssg-test_file_owner_etc_shadow_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_etc_shadow_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/shadow | oval:ssg-symlink_file_owner_etc_shadow_uid_0:ste:1 | oval:ssg-state_file_owner_etc_shadow_uid_0_0:ste:1 |
Verify Permissions on Backup group Filexccdf_org.ssgproject.content_rule_file_permissions_backup_etc_group mediumCCE-83939-9
Verify Permissions on Backup group File
Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_group |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_permissions_backup_etc_group:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83939-9 References:
CCI-002223, AC-6 (1), Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227, 6.1.4 |
Description |
To properly set the permissions of /etc/group- , run the command:
$ sudo chmod 0644 /etc/group- |
Rationale | The /etc/group- file is a backup file of /etc/group , and as such,
it contains information regarding groups that are configured on the system.
Protection of this file is important for system security. |
OVAL test results details
Testing mode of /etc/group-
oval:ssg-test_file_permissions_backup_etc_group_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_backup_etc_group_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/group- | oval:ssg-exclude_symlinks__backup_etc_group:ste:1 | oval:ssg-state_file_permissions_backup_etc_group_0_mode_0644or_stricter_:ste:1 |
Verify Permissions on Backup gshadow Filexccdf_org.ssgproject.content_rule_file_permissions_backup_etc_gshadow mediumCCE-83942-3
Verify Permissions on Backup gshadow File
Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_gshadow |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_permissions_backup_etc_gshadow:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83942-3 References:
CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227, 6.1.8 |
Description |
To properly set the permissions of /etc/gshadow- , run the command:
$ sudo chmod 0000 /etc/gshadow- |
Rationale | The /etc/gshadow- file is a backup of /etc/gshadow , and as such,
it contains group password hashes. Protection of this file is critical for system security. |
OVAL test results details
Testing mode of /etc/gshadow-
oval:ssg-test_file_permissions_backup_etc_gshadow_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_backup_etc_gshadow_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/gshadow- | oval:ssg-exclude_symlinks__backup_etc_gshadow:ste:1 | oval:ssg-state_file_permissions_backup_etc_gshadow_0_mode_0000or_stricter_:ste:1 |
Verify Permissions on Backup passwd Filexccdf_org.ssgproject.content_rule_file_permissions_backup_etc_passwd mediumCCE-83940-7
Verify Permissions on Backup passwd File
Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_passwd |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_permissions_backup_etc_passwd:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83940-7 References:
CCI-002223, AC-6 (1), Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227, 6.1.2 |
Description |
To properly set the permissions of /etc/passwd- , run the command:
$ sudo chmod 0644 /etc/passwd- |
Rationale | The /etc/passwd- file is a backup file of /etc/passwd , and as such,
it contains information about the users that are configured on the system.
Protection of this file is critical for system security. |
OVAL test results details
Testing mode of /etc/passwd-
oval:ssg-test_file_permissions_backup_etc_passwd_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_backup_etc_passwd_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/passwd- | oval:ssg-exclude_symlinks__backup_etc_passwd:ste:1 | oval:ssg-state_file_permissions_backup_etc_passwd_0_mode_0644or_stricter_:ste:1 |
Verify Permissions on Backup shadow Filexccdf_org.ssgproject.content_rule_file_permissions_backup_etc_shadow mediumCCE-83935-7
Verify Permissions on Backup shadow File
Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_shadow |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_permissions_backup_etc_shadow:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83935-7 References:
CCI-002223, AC-6 (1), Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227, 6.1.6 |
Description |
To properly set the permissions of /etc/shadow- , run the command:
$ sudo chmod 0000 /etc/shadow- |
Rationale | The /etc/shadow- file is a backup file of /etc/shadow , and as such,
it contains the list of local system accounts and password hashes.
Protection of this file is critical for system security. |
OVAL test results details
Testing mode of /etc/shadow-
oval:ssg-test_file_permissions_backup_etc_shadow_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_backup_etc_shadow_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/shadow- | oval:ssg-exclude_symlinks__backup_etc_shadow:ste:1 | oval:ssg-state_file_permissions_backup_etc_shadow_0_mode_0000or_stricter_:ste:1 |
Verify Permissions on group Filexccdf_org.ssgproject.content_rule_file_permissions_etc_group mediumCCE-83934-0
Verify Permissions on group File
Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_etc_group |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_permissions_etc_group:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83934-0 References:
BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227, 6.1.3 |
Description |
To properly set the permissions of /etc/passwd , run the command:
$ sudo chmod 0644 /etc/passwd |
Rationale | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. |
OVAL test results details
Testing mode of /etc/group
oval:ssg-test_file_permissions_etc_group_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_etc_group_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/group | oval:ssg-exclude_symlinks__etc_group:ste:1 | oval:ssg-state_file_permissions_etc_group_0_mode_0644or_stricter_:ste:1 |
Verify Permissions on gshadow Filexccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow mediumCCE-83921-7
Verify Permissions on gshadow File
Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_permissions_etc_gshadow:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83921-7 References:
BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 6.1.7 |
Description |
To properly set the permissions of /etc/gshadow , run the command:
$ sudo chmod 0000 /etc/gshadow |
Rationale | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. |
OVAL test results details
Testing mode of /etc/gshadow
oval:ssg-test_file_permissions_etc_gshadow_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_etc_gshadow_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/gshadow | oval:ssg-exclude_symlinks__etc_gshadow:ste:1 | oval:ssg-state_file_permissions_etc_gshadow_0_mode_0000or_stricter_:ste:1 |
Verify Permissions on passwd Filexccdf_org.ssgproject.content_rule_file_permissions_etc_passwd mediumCCE-83931-6
Verify Permissions on passwd File
Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_permissions_etc_passwd:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83931-6 References:
BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227, 6.1.1 |
Description |
To properly set the permissions of /etc/passwd , run the command:
$ sudo chmod 0644 /etc/passwd |
Rationale | If the /etc/passwd file is writable by a group-owner or the
world the risk of its compromise is increased. The file contains the list of
accounts on the system and associated information, and protection of this file
is critical for system security. |
OVAL test results details
Testing mode of /etc/passwd
oval:ssg-test_file_permissions_etc_passwd_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_etc_passwd_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/passwd | oval:ssg-exclude_symlinks__etc_passwd:ste:1 | oval:ssg-state_file_permissions_etc_passwd_0_mode_0644or_stricter_:ste:1 |
Verify Permissions on shadow Filexccdf_org.ssgproject.content_rule_file_permissions_etc_shadow mediumCCE-83941-5
Verify Permissions on shadow File
Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_permissions_etc_shadow:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83941-5 References:
BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227, 6.1.5 |
Description |
To properly set the permissions of /etc/shadow , run the command:
$ sudo chmod 0000 /etc/shadow |
Rationale | The /etc/shadow file contains the list of local
system accounts and stores password hashes. Protection of this file is
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture. |
OVAL test results details
Testing mode of /etc/shadow
oval:ssg-test_file_permissions_etc_shadow_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_etc_shadow_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/shadow | oval:ssg-exclude_symlinks__etc_shadow:ste:1 | oval:ssg-state_file_permissions_etc_shadow_0_mode_0000or_stricter_:ste:1 |
Verify that audit tools are owned by group rootxccdf_org.ssgproject.content_rule_file_groupownership_audit_binaries mediumCCE-86457-9
Verify that audit tools are owned by group root
Rule ID | xccdf_org.ssgproject.content_rule_file_groupownership_audit_binaries |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupownership_audit_binaries:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86457-9 References:
CCI-001493, CCI-001494, SRG-OS-000256-GPiOS-00097, SRG-OS-000257-GPOS-00098, 4.1.4.10 |
Description | The Red Hat Enterprise Linux 9 operating system audit tools must have the proper
ownership configured to protected against unauthorized access.
Verify it by running the following command:
$ stat -c "%n %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
/sbin/auditctl root
/sbin/aureport root
/sbin/ausearch root
/sbin/autrace root
/sbin/auditd root
/sbin/audispd root
/sbin/augenrules root
Audit tools needed to successfully view and manipulate audit information
system activity and records. Audit tools include custom queries and report
generators |
Rationale | Protecting audit information also includes identifying and protecting the
tools used to view and manipulate log data. Therefore, protecting audit
tools is necessary to prevent unauthorized operation on audit information.
Operating systems providing tools to interface with audit information
will leverage user permissions and roles identifying the user accessing the
tools and the corresponding rights the user enjoys to make access decisions
regarding the access to audit tools. |
OVAL test results details
Testing group ownership of /sbin/auditctl
oval:ssg-test_file_groupownership_audit_binaries_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownership_audit_binaries_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/sbin/auditctl | oval:ssg-symlink_file_groupownership_audit_binaries_uid_0:ste:1 | oval:ssg-state_file_groupownership_audit_binaries_gid_0_0:ste:1 |
Testing group ownership of /sbin/aureport
oval:ssg-test_file_groupownership_audit_binaries_1:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownership_audit_binaries_1:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/sbin/aureport | oval:ssg-symlink_file_groupownership_audit_binaries_uid_0:ste:1 | oval:ssg-state_file_groupownership_audit_binaries_gid_0_1:ste:1 |
Testing group ownership of /sbin/ausearch
oval:ssg-test_file_groupownership_audit_binaries_2:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownership_audit_binaries_2:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/sbin/ausearch | oval:ssg-symlink_file_groupownership_audit_binaries_uid_0:ste:1 | oval:ssg-state_file_groupownership_audit_binaries_gid_0_2:ste:1 |
Testing group ownership of /sbin/autrace
oval:ssg-test_file_groupownership_audit_binaries_3:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownership_audit_binaries_3:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/sbin/autrace | oval:ssg-symlink_file_groupownership_audit_binaries_uid_0:ste:1 | oval:ssg-state_file_groupownership_audit_binaries_gid_0_3:ste:1 |
Testing group ownership of /sbin/auditd
oval:ssg-test_file_groupownership_audit_binaries_4:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownership_audit_binaries_4:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/sbin/auditd | oval:ssg-symlink_file_groupownership_audit_binaries_uid_0:ste:1 | oval:ssg-state_file_groupownership_audit_binaries_gid_0_4:ste:1 |
Testing group ownership of /sbin/audispd
oval:ssg-test_file_groupownership_audit_binaries_5:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownership_audit_binaries_5:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/sbin/audispd | oval:ssg-symlink_file_groupownership_audit_binaries_uid_0:ste:1 | oval:ssg-state_file_groupownership_audit_binaries_gid_0_5:ste:1 |
Testing group ownership of /sbin/augenrules
oval:ssg-test_file_groupownership_audit_binaries_6:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownership_audit_binaries_6:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/sbin/augenrules | oval:ssg-symlink_file_groupownership_audit_binaries_uid_0:ste:1 | oval:ssg-state_file_groupownership_audit_binaries_gid_0_6:ste:1 |
Verify that audit tools are owned by rootxccdf_org.ssgproject.content_rule_file_ownership_audit_binaries mediumCCE-86454-6
Verify that audit tools are owned by root
Rule ID | xccdf_org.ssgproject.content_rule_file_ownership_audit_binaries |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_ownership_audit_binaries:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86454-6 References:
CCI-001493, CCI-001494, SRG-OS-000256-GPiOS-00097, SRG-OS-000257-GPOS-00098, 4.1.4.9 |
Description | The Red Hat Enterprise Linux 9 operating system audit tools must have the proper
ownership configured to protected against unauthorized access.
Verify it by running the following command:
$ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
/sbin/auditctl root
/sbin/aureport root
/sbin/ausearch root
/sbin/autrace root
/sbin/auditd root
/sbin/audispd root
/sbin/augenrules root
Audit tools needed to successfully view and manipulate audit information
system activity and records. Audit tools include custom queries and report
generators |
Rationale | Protecting audit information also includes identifying and protecting the
tools used to view and manipulate log data. Therefore, protecting audit
tools is necessary to prevent unauthorized operation on audit information.
Operating systems providing tools to interface with audit information
will leverage user permissions and roles identifying the user accessing the
tools and the corresponding rights the user enjoys to make access decisions
regarding the access to audit tools. |
OVAL test results details
Testing user ownership of /sbin/auditctl
oval:ssg-test_file_ownership_audit_binaries_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_audit_binaries_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/sbin/auditctl | oval:ssg-symlink_file_ownership_audit_binaries_uid_0:ste:1 | oval:ssg-state_file_ownership_audit_binaries_uid_0_0:ste:1 |
Testing user ownership of /sbin/aureport
oval:ssg-test_file_ownership_audit_binaries_1:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_audit_binaries_1:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/sbin/aureport | oval:ssg-symlink_file_ownership_audit_binaries_uid_0:ste:1 | oval:ssg-state_file_ownership_audit_binaries_uid_0_1:ste:1 |
Testing user ownership of /sbin/ausearch
oval:ssg-test_file_ownership_audit_binaries_2:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_audit_binaries_2:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/sbin/ausearch | oval:ssg-symlink_file_ownership_audit_binaries_uid_0:ste:1 | oval:ssg-state_file_ownership_audit_binaries_uid_0_2:ste:1 |
Testing user ownership of /sbin/autrace
oval:ssg-test_file_ownership_audit_binaries_3:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_audit_binaries_3:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/sbin/autrace | oval:ssg-symlink_file_ownership_audit_binaries_uid_0:ste:1 | oval:ssg-state_file_ownership_audit_binaries_uid_0_3:ste:1 |
Testing user ownership of /sbin/auditd
oval:ssg-test_file_ownership_audit_binaries_4:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_audit_binaries_4:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/sbin/auditd | oval:ssg-symlink_file_ownership_audit_binaries_uid_0:ste:1 | oval:ssg-state_file_ownership_audit_binaries_uid_0_4:ste:1 |
Testing user ownership of /sbin/audispd
oval:ssg-test_file_ownership_audit_binaries_5:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_audit_binaries_5:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/sbin/audispd | oval:ssg-symlink_file_ownership_audit_binaries_uid_0:ste:1 | oval:ssg-state_file_ownership_audit_binaries_uid_0_5:ste:1 |
Testing user ownership of /sbin/augenrules
oval:ssg-test_file_ownership_audit_binaries_6:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_audit_binaries_6:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/sbin/augenrules | oval:ssg-symlink_file_ownership_audit_binaries_uid_0:ste:1 | oval:ssg-state_file_ownership_audit_binaries_uid_0_6:ste:1 |
Verify that audit tools Have Mode 0755 or lessxccdf_org.ssgproject.content_rule_file_permissions_audit_binaries mediumCCE-86448-8
Verify that audit tools Have Mode 0755 or less
Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_audit_binaries |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_permissions_audit_binaries:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86448-8 References:
CCI-001493, CCI-001494, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, 4.1.4.8 |
Description | The Red Hat Enterprise Linux 9 operating system audit tools must have the proper
permissions configured to protected against unauthorized access.
Verify it by running the following command:
$ stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
/sbin/auditctl 755
/sbin/aureport 755
/sbin/ausearch 755
/sbin/autrace 755
/sbin/auditd 755
/sbin/audispd 755
/sbin/augenrules 755
Audit tools needed to successfully view and manipulate audit information
system activity and records. Audit tools include custom queries and report
generators |
Rationale | Protecting audit information also includes identifying and protecting the
tools used to view and manipulate log data. Therefore, protecting audit
tools is necessary to prevent unauthorized operation on audit information.
Operating systems providing tools to interface with audit information
will leverage user permissions and roles identifying the user accessing the
tools and the corresponding rights the user enjoys to make access decisions
regarding the access to audit tools. |
OVAL test results details
Testing mode of /sbin/auditctl
oval:ssg-test_file_permissions_audit_binaries_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_audit_binaries_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/sbin/auditctl | oval:ssg-exclude_symlinks__audit_binaries:ste:1 | oval:ssg-state_file_permissions_audit_binaries_0_mode_0755or_stricter_:ste:1 |
Testing mode of /sbin/aureport
oval:ssg-test_file_permissions_audit_binaries_1:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_audit_binaries_1:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/sbin/aureport | oval:ssg-exclude_symlinks__audit_binaries:ste:1 | oval:ssg-state_file_permissions_audit_binaries_1_mode_0755or_stricter_:ste:1 |
Testing mode of /sbin/ausearch
oval:ssg-test_file_permissions_audit_binaries_2:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_audit_binaries_2:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/sbin/ausearch | oval:ssg-exclude_symlinks__audit_binaries:ste:1 | oval:ssg-state_file_permissions_audit_binaries_2_mode_0755or_stricter_:ste:1 |
Testing mode of /sbin/autrace
oval:ssg-test_file_permissions_audit_binaries_3:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_audit_binaries_3:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/sbin/autrace | oval:ssg-exclude_symlinks__audit_binaries:ste:1 | oval:ssg-state_file_permissions_audit_binaries_3_mode_0755or_stricter_:ste:1 |
Testing mode of /sbin/auditd
oval:ssg-test_file_permissions_audit_binaries_4:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_audit_binaries_4:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/sbin/auditd | oval:ssg-exclude_symlinks__audit_binaries:ste:1 | oval:ssg-state_file_permissions_audit_binaries_4_mode_0755or_stricter_:ste:1 |
Testing mode of /sbin/audispd
oval:ssg-test_file_permissions_audit_binaries_5:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_audit_binaries_5:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/sbin/audispd | oval:ssg-exclude_symlinks__audit_binaries:ste:1 | oval:ssg-state_file_permissions_audit_binaries_5_mode_0755or_stricter_:ste:1 |
Testing mode of /sbin/augenrules
oval:ssg-test_file_permissions_audit_binaries_6:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_audit_binaries_6:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/sbin/augenrules | oval:ssg-exclude_symlinks__audit_binaries:ste:1 | oval:ssg-state_file_permissions_audit_binaries_6_mode_0755or_stricter_:ste:1 |
Verify that All World-Writable Directories Have Sticky Bits Setxccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits mediumCCE-83895-3
Verify that All World-Writable Directories Have Sticky Bits Set
Rule ID | xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-dir_perms_world_writable_sticky_bits:def:1 |
Time | 2023-11-27T20:52:56+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83895-3 References:
BP28(R40), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001090, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000138-GPOS-00069, 6.1.12 |
Description | When the so-called 'sticky bit' is set on a directory,
only the owner of a given file may remove that file from the
directory. Without the sticky bit, any user with write access to a
directory may remove any file in the directory. Setting the sticky
bit prevents users from removing each other's files. In cases where
there is no reason for a directory to be world-writable, a better
solution is to remove that permission rather than to set the sticky
bit. However, if a directory is used by a particular application,
consult that application's documentation instead of blindly
changing modes.
To set the sticky bit on a world-writable directory DIR, run the
following command:
$ sudo chmod +t DIR |
Rationale | Failing to set the sticky bit on public directories allows unauthorized
users to delete files in the directory structure.
The only authorized public directories are those temporary directories
supplied with the system, or those designed to be temporary file
repositories. The setting is normally reserved for directories used by the
system, by users for temporary file storage (such as /tmp ), and
for directories requiring global read/write access. |
OVAL test results details
all local world-writable directories have sticky bit set
oval:ssg-test_dir_perms_world_writable_sticky_bits:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_only_local_directories:obj:1 of type
file_object
Behaviors | Path | Filename | Filter |
---|
no value | / | no value | oval:ssg-state_world_writable_and_not_sticky:ste:1 |
Ensure No World-Writable Files Existxccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable mediumCCE-83902-7
Ensure No World-Writable Files Exist
Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_permissions_unauthorized_world_writable:def:1 |
Time | 2023-11-27T20:53:13+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83902-7 References:
BP28(R40), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, 2.2.6, 6.1.9 |
Description | It is generally a good idea to remove global (other) write
access to a file when it is discovered. However, check with
documentation for specific applications before making changes.
Also, monitor for recurring world-writable files, as these may be
symptoms of a misconfigured application or user account. Finally,
this applies to real files and not virtual files that are a part of
pseudo file systems such as sysfs or procfs . |
Rationale | Data in world-writable files can be modified by any
user on the system. In almost all circumstances, files can be
configured using a combination of user and group permissions to
support whatever legitimate access is needed without the risk
caused by world-writable files. |
OVAL test results details
world writable files
oval:ssg-test_file_permissions_unauthorized_world_write:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_unauthorized_world_write:obj:1 of type
file_object
Behaviors | Path | Filename | Filter | Filter | Filter | Filter |
---|
no value | / | ^.*$ | oval:ssg-state_file_permissions_unauthorized_world_write:ste:1 | oval:ssg-state_file_permissions_unauthorized_world_write_exclude_special_selinux_files:ste:1 | oval:ssg-state_file_permissions_unauthorized_world_write_exclude_proc:ste:1 | oval:ssg-state_file_permissions_unauthorized_world_write_exclude_sys:ste:1 |
Ensure All Files Are Owned by a Groupxccdf_org.ssgproject.content_rule_file_permissions_ungroupowned mediumCCE-83906-8
Ensure All Files Are Owned by a Group
Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_permissions_ungroupowned:def:1 |
Time | 2023-11-27T20:53:30+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83906-8 References:
BP28(R55), 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.06, DSS06.10, CCI-000366, CCI-002165, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, PR.PT-3, 2.2.6, SRG-OS-000480-GPOS-00227, 6.1.11 |
Description | If any files are not owned by a group, then the
cause of their lack of group-ownership should be investigated.
Following this, the files should be deleted or assigned to an
appropriate group. The following command will discover and print
any files on local partitions which do not belong to a valid group:
$ df --local -P | awk '{if (NR!=1) print $6}' | sudo xargs -I '{}' find '{}' -xdev -nogroup
To search all filesystems on a system including network mounted
filesystems the following command can be run manually for each partition:
$ sudo find PARTITION -xdev -nogroup |
Rationale | Unowned files do not directly imply a security problem, but they are generally
a sign that something is amiss. They may
be caused by an intruder, by incorrect software installation or
draft software removal, or by failure to remove all files belonging
to a deleted account. The files should be repaired so they
will not cause problems when accounts are created in the future,
and the cause should be discovered and addressed. |
Warnings | warning
This rule only considers local groups.
If you have your groups defined outside /etc/group , the rule won't consider those. |
OVAL test results details
files with no group owner
oval:ssg-test_file_permissions_ungroupowned:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_ungroupowned:obj:1 of type
file_object
Behaviors | Path | Filename | Filter |
---|
no value | / | .* | oval:ssg-state_file_permissions_ungroupowned:ste:1 |
Ensure All Files Are Owned by a Userxccdf_org.ssgproject.content_rule_no_files_unowned_by_user mediumCCE-83896-1
Ensure All Files Are Owned by a User
Rule ID | xccdf_org.ssgproject.content_rule_no_files_unowned_by_user |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-no_files_unowned_by_user:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83896-1 References:
BP28(R55), 11, 12, 13, 14, 15, 16, 18, 3, 5, 9, APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, CCI-000366, CCI-002165, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3, 2.2.6, SRG-OS-000480-GPOS-00227, 6.1.10 |
Description | If any files are not owned by a user, then the
cause of their lack of ownership should be investigated.
Following this, the files should be deleted or assigned to an
appropriate user. The following command will discover and print
any files on local partitions which do not belong to a valid user:
$ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nouser
To search all filesystems on a system including network mounted
filesystems the following command can be run manually for each partition:
$ sudo find PARTITION -xdev -nouser |
Rationale | Unowned files do not directly imply a security problem, but they are generally
a sign that something is amiss. They may
be caused by an intruder, by incorrect software installation or
draft software removal, or by failure to remove all files belonging
to a deleted account. The files should be repaired so they
will not cause problems when accounts are created in the future,
and the cause should be discovered and addressed. |
Warnings | warning
For this rule to evaluate centralized user accounts, getent must be working properly
so that running the command getent passwd returns a list of all users in your organization.
If using the System Security Services Daemon (SSSD), enumerate = true must be configured
in your organization's domain to return a complete list of users warning
Enabling this rule will result in slower scan times depending on the size of your organization
and number of centralized users. |
OVAL test results details
Check user ids on all files on the system
oval:ssg-no_files_unowned_by_user_test:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-file_permissions_unowned_object:obj:1 of type
file_object
Behaviors | Path | Filename | Filter |
---|
no value | / | .* | oval:ssg-file_permissions_unowned_userid_list_match:ste:1 |
Disable Mounting of squashfsxccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled lowCCE-83855-7
Disable Mounting of squashfs
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-kernel_module_squashfs_disabled:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | low |
Identifiers and References | Identifiers:
CCE-83855-7 References:
A.8.SEC-RHEL4, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, 1.1.1.1 |
Description |
To configure the system to prevent the squashfs
kernel module from being loaded, add the following line to the file /etc/modprobe.d/squashfs.conf :
install squashfs /bin/true
This effectively prevents usage of this uncommon filesystem.
The squashfs filesystem type is a compressed read-only Linux
filesystem embedded in small footprint systems (similar to
cramfs ). A squashfs image can be used without having
to first decompress the image. |
Rationale | Removing support for unneeded filesystem types reduces the local attack
surface of the system. |
|
|
|
OVAL test results details
kernel module squashfs blacklisted
oval:ssg-test_kernmod_squashfs_blacklisted:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_squashfs_blacklisted:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/modprobe.d | /etc/modules-load.d | /run/modprobe.d | /run/modules-load.d | /usr/lib/modprobe.d | /usr/lib/modules-load.d |
| ^.*\.conf$ | ^blacklist\s+squashfs$ | 1 |
kernel module squashfs disabled
oval:ssg-test_kernmod_squashfs_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_squashfs_disabled:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/modprobe.d | /etc/modules-load.d | /run/modprobe.d | /run/modules-load.d | /usr/lib/modprobe.d | /usr/lib/modules-load.d |
| ^.*\.conf$ | ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$ | 1 |
Disable Mounting of udfxccdf_org.ssgproject.content_rule_kernel_module_udf_disabled lowCCE-83852-4
Disable Mounting of udf
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-kernel_module_udf_disabled:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | low |
Identifiers and References | Identifiers:
CCE-83852-4 References:
A.8.SEC-RHEL4, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, 1.1.1.2 |
Description |
To configure the system to prevent the udf
kernel module from being loaded, add the following line to the file /etc/modprobe.d/udf.conf :
install udf /bin/true
This effectively prevents usage of this uncommon filesystem.
The udf filesystem type is the universal disk format
used to implement the ISO/IEC 13346 and ECMA-167 specifications.
This is an open vendor filesystem type for data storage on a broad
range of media. This filesystem type is neccessary to support
writing DVDs and newer optical disc formats. |
Rationale | Removing support for unneeded filesystem types reduces the local
attack surface of the system. |
|
|
|
OVAL test results details
kernel module udf blacklisted
oval:ssg-test_kernmod_udf_blacklisted:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_udf_blacklisted:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/modprobe.d | /etc/modules-load.d | /run/modprobe.d | /run/modules-load.d | /usr/lib/modprobe.d | /usr/lib/modules-load.d |
| ^.*\.conf$ | ^blacklist\s+udf$ | 1 |
kernel module udf disabled
oval:ssg-test_kernmod_udf_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_udf_disabled:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/modprobe.d | /etc/modules-load.d | /run/modprobe.d | /run/modules-load.d | /usr/lib/modprobe.d | /usr/lib/modules-load.d |
| ^.*\.conf$ | ^\s*install\s+udf\s+(/bin/false|/bin/true)$ | 1 |
Disable Modprobe Loading of USB Storage Driverxccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled mediumCCE-83851-6
Disable Modprobe Loading of USB Storage Driver
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-kernel_module_usb-storage_disabled:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83851-6 References:
A.15.SEC-RHEL1, 1, 12, 15, 16, 5, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.21, CCI-000366, CCI-000778, CCI-001958, 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, 1.1.9 |
Description | To prevent USB storage devices from being used, configure the kernel module loading system
to prevent automatic loading of the USB storage driver.
To configure the system to prevent the usb-storage
kernel module from being loaded, add the following line to the file /etc/modprobe.d/usb-storage.conf :
install usb-storage /bin/true
This will prevent the modprobe program from loading the usb-storage
module, but will not prevent an administrator (or another program) from using the
insmod program to load the module manually. |
Rationale | USB storage devices such as thumb drives can be used to introduce
malicious software. |
|
|
|
OVAL test results details
kernel module usb-storage blacklisted
oval:ssg-test_kernmod_usb-storage_blacklisted:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_usb-storage_blacklisted:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/modprobe.d | /etc/modules-load.d | /run/modprobe.d | /run/modules-load.d | /usr/lib/modprobe.d | /usr/lib/modules-load.d |
| ^.*\.conf$ | ^blacklist\s+usb-storage$ | 1 |
kernel module usb-storage disabled
oval:ssg-test_kernmod_usb-storage_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_usb-storage_disabled:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/modprobe.d | /etc/modules-load.d | /run/modprobe.d | /run/modules-load.d | /usr/lib/modprobe.d | /usr/lib/modules-load.d |
| ^.*\.conf$ | ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ | 1 |
Add nodev Option to /dev/shmxccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev mediumCCE-83881-3
Add nodev Option to /dev/shm
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-mount_option_dev_shm_nodev:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83881-3 References:
11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, 1.1.8.2 |
Description | The nodev mount option can be used to prevent creation of device
files in /dev/shm . Legitimate character and block devices should
not exist within temporary directories like /dev/shm .
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm . |
Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
|
|
OVAL test results details
nodev on /dev/shm
oval:ssg-test_dev_shm_partition_nodev_expected:tst:1
true
Following items have been found on the system:
Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
---|
/dev/shm | tmpfs | | tmpfs | rw | seclabel | nosuid | nodev | size=1874848k | nr_inodes=468712 | inode64 | 468712 | 0 | 468712 |
/dev/shm exists
oval:ssg-test_dev_shm_partition_nodev_expected_exist:tst:1
true
Following items have been found on the system:
Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
---|
/dev/shm | tmpfs | | tmpfs | rw | seclabel | nosuid | nodev | size=1874848k | nr_inodes=468712 | inode64 | 468712 | 0 | 468712 |
nodev on /dev/shm in /etc/fstab
oval:ssg-test_dev_shm_partition_nodev_expected_in_fstab:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_dev_shm_partition_nodev_expected_in_fstab:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/fstab | ^[\s]*(?!#)[\S]+[\s]+/dev/shm[\s]+[\S]+[\s]+([\S]+) | 1 |
Add noexec Option to /dev/shmxccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec mediumCCE-83857-3
Add noexec Option to /dev/shm
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-mount_option_dev_shm_noexec:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83857-3 References:
11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, 1.1.8.3 |
Description | The noexec mount option can be used to prevent binaries
from being executed out of /dev/shm .
It can be dangerous to allow the execution of binaries
from world-writable temporary storage directories such as /dev/shm .
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm . |
Rationale | Allowing users to execute binaries from world-writable directories
such as /dev/shm can expose the system to potential compromise. |
|
|
OVAL test results details
noexec on /dev/shm
oval:ssg-test_dev_shm_partition_noexec_expected:tst:1
false
Following items have been found on the system:
Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
---|
/dev/shm | tmpfs | | tmpfs | rw | seclabel | nosuid | nodev | size=1874848k | nr_inodes=468712 | inode64 | 468712 | 0 | 468712 |
/dev/shm exists
oval:ssg-test_dev_shm_partition_noexec_expected_exist:tst:1
true
Following items have been found on the system:
Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
---|
/dev/shm | tmpfs | | tmpfs | rw | seclabel | nosuid | nodev | size=1874848k | nr_inodes=468712 | inode64 | 468712 | 0 | 468712 |
noexec on /dev/shm in /etc/fstab
oval:ssg-test_dev_shm_partition_noexec_expected_in_fstab:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_dev_shm_partition_noexec_expected_in_fstab:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/fstab | ^[\s]*(?!#)[\S]+[\s]+/dev/shm[\s]+[\S]+[\s]+([\S]+) | 1 |
Add nosuid Option to /dev/shmxccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid mediumCCE-83891-2
Add nosuid Option to /dev/shm
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-mount_option_dev_shm_nosuid:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83891-2 References:
11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, 1.1.8.4 |
Description | The nosuid mount option can be used to prevent execution
of setuid programs in /dev/shm . The SUID and SGID permissions should not
be required in these world-writable directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm . |
Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from temporary storage partitions. |
|
|
OVAL test results details
nosuid on /dev/shm
oval:ssg-test_dev_shm_partition_nosuid_expected:tst:1
true
Following items have been found on the system:
Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
---|
/dev/shm | tmpfs | | tmpfs | rw | seclabel | nosuid | nodev | size=1874848k | nr_inodes=468712 | inode64 | 468712 | 0 | 468712 |
/dev/shm exists
oval:ssg-test_dev_shm_partition_nosuid_expected_exist:tst:1
true
Following items have been found on the system:
Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
---|
/dev/shm | tmpfs | | tmpfs | rw | seclabel | nosuid | nodev | size=1874848k | nr_inodes=468712 | inode64 | 468712 | 0 | 468712 |
nosuid on /dev/shm in /etc/fstab
oval:ssg-test_dev_shm_partition_nosuid_expected_in_fstab:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_dev_shm_partition_nosuid_expected_in_fstab:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/fstab | ^[\s]*(?!#)[\S]+[\s]+/dev/shm[\s]+[\S]+[\s]+([\S]+) | 1 |
Add nodev Option to /homexccdf_org.ssgproject.content_rule_mount_option_home_nodev unknownCCE-83871-4
Add nodev Option to /home
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_home_nodev |
Result | |
Multi-check rule | no |
Time | 2023-11-27T20:53:47+10:00 |
Severity | unknown |
Identifiers and References | Identifiers:
CCE-83871-4 References:
BP28(R12), SRG-OS-000368-GPOS-00154, 1.1.7.2 |
Description | The nodev mount option can be used to prevent device files from
being created in /home .
Legitimate character and block devices should exist only in
the /dev directory on the root partition or within chroot
jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/home . |
Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
Add nosuid Option to /homexccdf_org.ssgproject.content_rule_mount_option_home_nosuid mediumCCE-83894-6
Add nosuid Option to /home
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_home_nosuid |
Result | |
Multi-check rule | no |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83894-6 References:
BP28(R28), 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227, 1.1.7.3 |
Description | The nosuid mount option can be used to prevent
execution of setuid programs in /home . The SUID and SGID permissions
should not be required in these user data directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/home . |
Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from user home directory partitions. |
Add nodev Option to /tmpxccdf_org.ssgproject.content_rule_mount_option_tmp_nodev mediumCCE-83869-8
Add nodev Option to /tmp
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev |
Result | |
Multi-check rule | no |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83869-8 References:
BP28(R12), 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, 1.1.2.2 |
Description | The nodev mount option can be used to prevent device files from
being created in /tmp . Legitimate character and block devices
should not exist within temporary directories like /tmp .
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/tmp . |
Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
Add noexec Option to /tmpxccdf_org.ssgproject.content_rule_mount_option_tmp_noexec mediumCCE-83885-4
Add noexec Option to /tmp
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec |
Result | |
Multi-check rule | no |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83885-4 References:
BP28(R12), 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, 1.1.2.3 |
Description | The noexec mount option can be used to prevent binaries
from being executed out of /tmp .
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/tmp . |
Rationale | Allowing users to execute binaries from world-writable directories
such as /tmp should never be necessary in normal operation and
can expose the system to potential compromise. |
Add nosuid Option to /tmpxccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid mediumCCE-83872-2
Add nosuid Option to /tmp
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid |
Result | |
Multi-check rule | no |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83872-2 References:
BP28(R12), 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, 1.1.2.4 |
Description | The nosuid mount option can be used to prevent
execution of setuid programs in /tmp . The SUID and SGID permissions
should not be required in these world-writable directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/tmp . |
Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from temporary storage partitions. |
Add nodev Option to /var/log/auditxccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev mediumCCE-83882-1
Add nodev Option to /var/log/audit
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev |
Result | |
Multi-check rule | no |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83882-1 References:
CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, 1.1.6.3 |
Description | The nodev mount option can be used to prevent device files from
being created in /var/log/audit .
Legitimate character and block devices should exist only in
the /dev directory on the root partition or within chroot
jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log/audit . |
Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
Add noexec Option to /var/log/auditxccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec mediumCCE-83878-9
Add noexec Option to /var/log/audit
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec |
Result | |
Multi-check rule | no |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83878-9 References:
CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, 1.1.6.2 |
Description | The noexec mount option can be used to prevent binaries
from being executed out of /var/log/audit .
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log/audit . |
Rationale | Allowing users to execute binaries from directories containing audit log files
such as /var/log/audit should never be necessary in normal operation and
can expose the system to potential compromise. |
Add nosuid Option to /var/log/auditxccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid mediumCCE-83893-8
Add nosuid Option to /var/log/audit
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid |
Result | |
Multi-check rule | no |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83893-8 References:
CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, 1.1.6.4 |
Description | The nosuid mount option can be used to prevent
execution of setuid programs in /var/log/audit . The SUID and SGID permissions
should not be required in directories containing audit log files.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log/audit . |
Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from partitions
designated for audit log files. |
Add nodev Option to /var/logxccdf_org.ssgproject.content_rule_mount_option_var_log_nodev mediumCCE-83886-2
Add nodev Option to /var/log
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev |
Result | |
Multi-check rule | no |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83886-2 References:
CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, 1.1.5.2 |
Description | The nodev mount option can be used to prevent device files from
being created in /var/log .
Legitimate character and block devices should exist only in
the /dev directory on the root partition or within chroot
jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log . |
Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
Add noexec Option to /var/logxccdf_org.ssgproject.content_rule_mount_option_var_log_noexec mediumCCE-83887-0
Add noexec Option to /var/log
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec |
Result | |
Multi-check rule | no |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83887-0 References:
BP28(R12), CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, 1.1.5.3 |
Description | The noexec mount option can be used to prevent binaries
from being executed out of /var/log .
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log . |
Rationale | Allowing users to execute binaries from directories containing log files
such as /var/log should never be necessary in normal operation and
can expose the system to potential compromise. |
Add nosuid Option to /var/logxccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid mediumCCE-83870-6
Add nosuid Option to /var/log
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid |
Result | |
Multi-check rule | no |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83870-6 References:
BP28(R12), CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, 1.1.5.4 |
Description | The nosuid mount option can be used to prevent
execution of setuid programs in /var/log . The SUID and SGID permissions
should not be required in directories containing log files.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log . |
Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from partitions
designated for log files. |
Add nodev Option to /varxccdf_org.ssgproject.content_rule_mount_option_var_nodev mediumCCE-83868-0
Add nodev Option to /var
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_nodev |
Result | |
Multi-check rule | no |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83868-0 References:
CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, 1.1.3.2 |
Description | The nodev mount option can be used to prevent device files from
being created in /var .
Legitimate character and block devices should exist only in
the /dev directory on the root partition or within chroot
jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/var . |
Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
Add nosuid Option to /varxccdf_org.ssgproject.content_rule_mount_option_var_nosuid unknownCCE-83867-2
Add nosuid Option to /var
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_nosuid |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-mount_option_var_nosuid:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | unknown |
Identifiers and References | Identifiers:
CCE-83867-2 References:
BP28(R12), 1.1.3.3 |
Description | The nosuid mount option can be used to prevent
execution of setuid programs in /var . The SUID and SGID permissions
should not be required for this directory.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/var . |
Rationale | The presence of SUID and SGID executables should be tightly controlled. |
OVAL test results details
nosuid on /var
oval:ssg-test_var_partition_nosuid_optional:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_var_partition_nosuid_optional:obj:1 of type
partition_object
/var exists
oval:ssg-test_var_partition_nosuid_optional_exist:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_var_partition_nosuid_optional:obj:1 of type
partition_object
nosuid on /var in /etc/fstab
oval:ssg-test_var_partition_nosuid_optional_in_fstab:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_var_partition_nosuid_optional_in_fstab:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/fstab | ^[\s]*(?!#)[\S]+[\s]+/var[\s]+[\S]+[\s]+([\S]+) | 1 |
/var exists in /etc/fstab
oval:ssg-test_var_partition_nosuid_optional_exist_in_fstab:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_var_partition_nosuid_optional_in_fstab:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/fstab | ^[\s]*(?!#)[\S]+[\s]+/var[\s]+[\S]+[\s]+([\S]+) | 1 |
Add nodev Option to /var/tmpxccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev mediumCCE-83864-9
Add nodev Option to /var/tmp
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev |
Result | |
Multi-check rule | no |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83864-9 References:
BP28(R12), CCI-001764, SRG-OS-000368-GPOS-00154, 1.1.4.4 |
Description | The nodev mount option can be used to prevent device files from
being created in /var/tmp . Legitimate character and block devices
should not exist within temporary directories like /var/tmp .
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/tmp . |
Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
Add noexec Option to /var/tmpxccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec mediumCCE-83866-4
Add noexec Option to /var/tmp
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec |
Result | |
Multi-check rule | no |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83866-4 References:
BP28(R12), CCI-001764, SRG-OS-000368-GPOS-00154, 1.1.4.2 |
Description | The noexec mount option can be used to prevent binaries
from being executed out of /var/tmp .
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/tmp . |
Rationale | Allowing users to execute binaries from world-writable directories
such as /var/tmp should never be necessary in normal operation and
can expose the system to potential compromise. |
Add nosuid Option to /var/tmpxccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid mediumCCE-83863-1
Add nosuid Option to /var/tmp
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid |
Result | |
Multi-check rule | no |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83863-1 References:
BP28(R12), CCI-001764, SRG-OS-000368-GPOS-00154, 1.1.4.3 |
Description | The nosuid mount option can be used to prevent
execution of setuid programs in /var/tmp . The SUID and SGID permissions
should not be required in these world-writable directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/tmp . |
Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from temporary storage partitions. |
Disable core dump backtracesxccdf_org.ssgproject.content_rule_coredump_disable_backtraces mediumCCE-83984-5
Disable core dump backtraces
Rule ID | xccdf_org.ssgproject.content_rule_coredump_disable_backtraces |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-coredump_disable_backtraces:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83984-5 References:
CCI-000366, CM-6, FMT_SMF_EXT.1, Req-3.2, 3.3.1.1, 3.3.1.2, 3.3.1.3, SRG-OS-000480-GPOS-00227, 1.5.2 |
Description | The ProcessSizeMax option in [Coredump] section
of /etc/systemd/coredump.conf
specifies the maximum size in bytes of a core which will be processed.
Core dumps exceeding this size may be stored, but the backtrace will not
be generated. |
Rationale | A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data
and is generally useful only for developers or system operators trying to
debug problems.
Enabling core dumps on production systems is not recommended,
however there may be overriding operational requirements to enable advanced
debuging. Permitting temporary enablement of core dumps during such situations
should be reviewed through local needs and policy. |
Warnings | warning
If the /etc/systemd/coredump.conf file
does not already contain the [Coredump] section,
the value will not be configured correctly. |
|
|
|
OVAL test results details
tests the value of ProcessSizeMax setting in the /etc/systemd/coredump.conf file
oval:ssg-test_coredump_disable_backtraces:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_coredump_disable_backtraces:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/systemd/coredump.conf | ^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)ProcessSizeMax(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) | 1 |
tests the value of ProcessSizeMax setting in the /etc/systemd/coredump.conf.d file
oval:ssg-test_coredump_disable_backtraces_config_dir:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_coredump_disable_backtraces_config_dir:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/systemd/coredump.conf.d | .*\.conf$ | ^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)ProcessSizeMax(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) | 1 |
Disable storing core dumpxccdf_org.ssgproject.content_rule_coredump_disable_storage mediumCCE-83979-5
Disable storing core dump
Rule ID | xccdf_org.ssgproject.content_rule_coredump_disable_storage |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-coredump_disable_storage:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83979-5 References:
CCI-000366, CM-6, FMT_SMF_EXT.1, Req-3.2, 3.3.1.1, 3.3.1.2, 3.3.1.3, SRG-OS-000480-GPOS-00227, 1.5.1 |
Description | The Storage option in [Coredump] sectionof /etc/systemd/coredump.conf
can be set to none to disable storing core dumps permanently. |
Rationale | A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data
and is generally useful only for developers or system operators trying to
debug problems. Enabling core dumps on production systems is not recommended,
however there may be overriding operational requirements to enable advanced
debuging. Permitting temporary enablement of core dumps during such situations
should be reviewed through local needs and policy. |
Warnings | warning
If the /etc/systemd/coredump.conf file
does not already contain the [Coredump] section,
the value will not be configured correctly. |
|
|
|
OVAL test results details
tests the value of Storage setting in the /etc/systemd/coredump.conf file
oval:ssg-test_coredump_disable_storage:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_coredump_disable_storage:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/systemd/coredump.conf | ^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)Storage(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) | 1 |
tests the value of Storage setting in the /etc/systemd/coredump.conf.d file
oval:ssg-test_coredump_disable_storage_config_dir:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_coredump_disable_storage_config_dir:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/systemd/coredump.conf.d | .*\.conf$ | ^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)Storage(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) | 1 |
Enable Randomized Layout of Virtual Address Spacexccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space mediumCCE-83971-2
Enable Randomized Layout of Virtual Address Space
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sysctl_kernel_randomize_va_space:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-83971-2 References:
BP28(R23), 3.1.7, CCI-000366, CCI-002824, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), CIP-002-5 R1.1, CIP-002-5 R1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 4.1, CIP-004-6 4.2, CIP-004-6 R2.2.3, CIP-004-6 R2.2.4, CIP-004-6 R2.3, CIP-004-6 R4, CIP-005-6 R1, CIP-005-6 R1.1, CIP-005-6 R1.2, CIP-007-3 R3, CIP-007-3 R3.1, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R8.4, CIP-009-6 R.1.1, CIP-009-6 R4, SC-30, SC-30(2), CM-6(a), Req-2.2.1, 2.2.3, SRG-OS-000433-GPOS-00193, SRG-OS-000480-GPOS-00227, SRG-APP-000450-CTR-001105, 1.5.3 |
Description | To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command: $ sudo sysctl -w kernel.randomize_va_space=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : kernel.randomize_va_space = 2 |
Rationale | Address space layout randomization (ASLR) makes it more difficult for an
attacker to predict the location of attack code they have introduced into a
process's address space during an attempt at exploitation. Additionally,
ASLR makes it more difficult for an attacker to know the location of
existing code in order to re-purpose it using return oriented programming
(ROP) techniques. |
|
|
|
OVAL test results details
kernel.randomize_va_space static configuration
oval:ssg-test_sysctl_kernel_randomize_va_space_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_randomize_va_space:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_kernel_randomize_va_space:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_randomize_va_space:obj:1
|
kernel.randomize_va_space static configuration
oval:ssg-test_sysctl_kernel_randomize_va_space_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_randomize_va_space:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-object_static_etc_sysctls_sysctl_kernel_randomize_va_space:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_randomize_va_space:obj:1
|
kernel.randomize_va_space static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_kernel_randomize_va_space_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_kernel_randomize_va_space:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.randomize_va_space[\s]*=[\s]*(.*)[\s]*$ | 1 |
kernel runtime parameter kernel.randomize_va_space set to 2
oval:ssg-test_sysctl_kernel_randomize_va_space_runtime:tst:1
true
Following items have been found on the system:
Name | Value |
---|
kernel.randomize_va_space | 2 |
Install libselinux Packagexccdf_org.ssgproject.content_rule_package_libselinux_installed highCCE-84069-4
Install libselinux Package
Rule ID | xccdf_org.ssgproject.content_rule_package_libselinux_installed |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_libselinux_installed:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | high |
Identifiers and References | Identifiers:
CCE-84069-4 References:
A.6.SEC-RHEL1, 1.6.1.1 |
Description | The libselinux package can be installed with the following command:
$ sudo dnf install libselinux |
Rationale | Security-enhanced Linux is a feature of the Linux kernel and a number of utilities
with enhanced security functionality designed to add mandatory access controls to Linux.
The libselinux package contains the core library of the Security-enhanced Linux system. |
OVAL test results details
package libselinux is installed
oval:ssg-test_package_libselinux_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
libselinux | x86_64 | (none) | 1.el9 | 3.5 | 0:3.5-1.el9 | 199e2f91fd431d51 | libselinux-0:3.5-1.el9.x86_64 |
Uninstall mcstrans Packagexccdf_org.ssgproject.content_rule_package_mcstrans_removed lowCCE-84072-8
Uninstall mcstrans Package
Rule ID | xccdf_org.ssgproject.content_rule_package_mcstrans_removed |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_mcstrans_removed:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | low |
Identifiers and References | Identifiers:
CCE-84072-8 References:
1.6.1.8 |
Description | The mcstransd daemon provides category label information
to client processes requesting information. The label translations are defined
in /etc/selinux/targeted/setrans.conf .
The mcstrans package can be removed with the following command:
$ sudo dnf erase mcstrans |
Rationale | Since this service is not used very often, disable it to reduce the
amount of potentially vulnerable code running on the system. |
OVAL test results details
package mcstrans is removed
oval:ssg-test_package_mcstrans_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_mcstrans_removed:obj:1 of type
rpminfo_object
Uninstall setroubleshoot Packagexccdf_org.ssgproject.content_rule_package_setroubleshoot_removed lowCCE-84073-6
Uninstall setroubleshoot Package
Rule ID | xccdf_org.ssgproject.content_rule_package_setroubleshoot_removed |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_setroubleshoot_removed:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | low |
Identifiers and References | Identifiers:
CCE-84073-6 References:
BP28(R68), 1.6.1.7 |
Description | The SETroubleshoot service notifies desktop users of SELinux
denials. The service provides information around configuration errors,
unauthorized intrusions, and other potential errors.
The setroubleshoot package can be removed with the following command:
$ sudo dnf erase setroubleshoot |
Rationale | The SETroubleshoot service is an unnecessary daemon to
have running on a server, especially if
X Windows is removed or disabled. |
OVAL test results details
package setroubleshoot is removed
oval:ssg-test_package_setroubleshoot_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_setroubleshoot_removed:obj:1 of type
rpminfo_object
Ensure SELinux Not Disabled in /etc/default/grubxccdf_org.ssgproject.content_rule_grub2_enable_selinux mediumCCE-84078-5
Ensure SELinux Not Disabled in /etc/default/grub
Rule ID | xccdf_org.ssgproject.content_rule_grub2_enable_selinux |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-grub2_enable_selinux:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84078-5 References:
A.6.SEC-RHEL1, 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, CCI-000022, CCI-000032, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-3, AC-3(3)(a), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, 1.6.1.2 |
Description | SELinux can be disabled at boot time by an argument in
/etc/default/grub .
Remove any instances of selinux=0 from the kernel arguments in that
file to prevent SELinux from being disabled at boot. |
Rationale | Disabling a major host protection feature, such as SELinux, at boot time prevents
it from confining system services at boot time. Further, it increases
the chances that it will remain off during system operation. |
OVAL test results details
check value selinux|enforcing=0 in /etc/default/grub, fail if found
oval:ssg-test_selinux_default_grub:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_selinux_default_grub:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/default/grub | ^[\s]*GRUB_CMDLINE_LINUX.*(selinux|enforcing)=0.*$ | 1 |
check value selinux|enforcing=0 in /etc/grub2.cfg, fail if found
oval:ssg-test_selinux_grub2_cfg:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_selinux_grub2_cfg:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/grub2.cfg | ^.*(selinux|enforcing)=0.*$ | 1 |
check value selinux|enforcing=0 in /etc/grub.d fail if found
oval:ssg-test_selinux_grub_dir:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_selinux_grub_dir:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/grub.d | ^.*$ | ^.*(selinux|enforcing)=0.*$ | 1 |
Ensure No Daemons are Unconfined by SELinuxxccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons mediumCCE-84075-1
Ensure No Daemons are Unconfined by SELinux
Rule ID | xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-selinux_confinement_of_daemons:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84075-1 References:
1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, MEA02.01, 3.1.2, 3.1.5, 3.7.2, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-3(3)(a), AC-6, PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, PR.PT-3, 1.6.1.6 |
Description | Daemons for which the SELinux policy does not contain rules will inherit the
context of the parent process. Because daemons are launched during
startup and descend from the init process, they inherit the unconfined_service_t context.
To check for unconfined daemons, run the following command:
$ sudo ps -eZ | grep "unconfined_service_t"
It should produce no output in a well-configured system. |
Rationale | Daemons which run with the unconfined_service_t context may cause AVC denials,
or allow privileges that the daemon does not require. |
Warnings | warning
Automatic remediation of this control is not available. Remediation
can be achieved by amending SELinux policy or stopping the unconfined
daemons as outlined above. |
OVAL test results details
none satisfy unconfined_service_t in /proc
oval:ssg-test_selinux_confinement_of_daemons:tst:1
false
Following items have been found on the system:
Filepath | Path | Filename | User | Role | Type | Low sensitivity | Rawlow sensitivity |
---|
/proc/2008/comm | /proc/2008 | comm | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/syscall | /proc/2008 | syscall | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/cmdline | /proc/2008 | cmdline | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/stat | /proc/2008 | stat | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/statm | /proc/2008 | statm | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/maps | /proc/2008 | maps | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/numa_maps | /proc/2008 | numa_maps | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/environ | /proc/2008 | environ | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/mounts | /proc/2008 | mounts | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/oom_score_adj | /proc/2008 | oom_score_adj | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/loginuid | /proc/2008 | loginuid | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/sessionid | /proc/2008 | sessionid | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/coredump_filter | /proc/2008 | coredump_filter | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/io | /proc/2008 | io | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/uid_map | /proc/2008 | uid_map | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/gid_map | /proc/2008 | gid_map | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/projid_map | /proc/2008 | projid_map | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/setgroups | /proc/2008 | setgroups | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/timers | /proc/2008 | timers | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/timerslack_ns | /proc/2008 | timerslack_ns | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/patch_state | /proc/2008 | patch_state | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/arch_status | /proc/2008 | arch_status | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/mounts | /proc/2405 | mounts | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/pagemap | /proc/2008 | pagemap | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/wchan | /proc/2008 | wchan | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/stack | /proc/2008 | stack | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/schedstat | /proc/2008 | schedstat | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/cpuset | /proc/2008 | cpuset | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/cgroup | /proc/2008 | cgroup | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/cpu_resctrl_groups | /proc/2008 | cpu_resctrl_groups | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/oom_score | /proc/2008 | oom_score | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/oom_adj | /proc/2008 | oom_adj | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/status | /proc/2008 | status | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/auxv | /proc/2008 | auxv | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/mem | /proc/2008 | mem | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/mountinfo | /proc/2008 | mountinfo | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/mountstats | /proc/2008 | mountstats | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/clear_refs | /proc/2008 | clear_refs | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/smaps | /proc/2008 | smaps | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/smaps_rollup | /proc/2008 | smaps_rollup | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/personality | /proc/2008 | personality | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/limits | /proc/2008 | limits | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/sched | /proc/2008 | sched | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/autogroup | /proc/2008 | autogroup | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2008/timens_offsets | /proc/2008 | timens_offsets | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/environ | /proc/2405 | environ | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/auxv | /proc/2405 | auxv | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/status | /proc/2405 | status | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/personality | /proc/2405 | personality | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/limits | /proc/2405 | limits | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/sched | /proc/2405 | sched | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/autogroup | /proc/2405 | autogroup | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/timens_offsets | /proc/2405 | timens_offsets | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/comm | /proc/2405 | comm | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/syscall | /proc/2405 | syscall | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/cmdline | /proc/2405 | cmdline | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/stat | /proc/2405 | stat | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/statm | /proc/2405 | statm | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/maps | /proc/2405 | maps | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/numa_maps | /proc/2405 | numa_maps | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/mem | /proc/2405 | mem | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/mountinfo | /proc/2405 | mountinfo | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/mountstats | /proc/2405 | mountstats | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/clear_refs | /proc/2405 | clear_refs | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/smaps | /proc/2405 | smaps | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/smaps_rollup | /proc/2405 | smaps_rollup | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/pagemap | /proc/2405 | pagemap | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/wchan | /proc/2405 | wchan | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/stack | /proc/2405 | stack | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/schedstat | /proc/2405 | schedstat | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/cpuset | /proc/2405 | cpuset | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/cgroup | /proc/2405 | cgroup | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/cpu_resctrl_groups | /proc/2405 | cpu_resctrl_groups | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/oom_score | /proc/2405 | oom_score | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/oom_adj | /proc/2405 | oom_adj | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/oom_score_adj | /proc/2405 | oom_score_adj | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/loginuid | /proc/2405 | loginuid | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/sessionid | /proc/2405 | sessionid | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/coredump_filter | /proc/2405 | coredump_filter | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/io | /proc/2405 | io | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/uid_map | /proc/2405 | uid_map | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/gid_map | /proc/2405 | gid_map | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/projid_map | /proc/2405 | projid_map | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/setgroups | /proc/2405 | setgroups | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/timers | /proc/2405 | timers | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/timerslack_ns | /proc/2405 | timerslack_ns | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/patch_state | /proc/2405 | patch_state | system_u | system_r | unconfined_service_t | s0 | s0 |
/proc/2405/arch_status | /proc/2405 | arch_status | system_u | system_r | unconfined_service_t | s0 | s0 |
Ensure SELinux is Not Disabledxccdf_org.ssgproject.content_rule_selinux_not_disabled highCCE-86152-6
Ensure SELinux is Not Disabled
Rule ID | xccdf_org.ssgproject.content_rule_selinux_not_disabled |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-selinux_not_disabled:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | high |
Identifiers and References | Identifiers:
CCE-86152-6 References:
1.6.1.4 |
Description | The SELinux state should be set to enforcing or permissive at system boot
time. In the file /etc/selinux/config , add or correct the following line to configure
the system to boot into enforcing or permissive mode:
SELINUX=enforcing
OR
SELINUX=permissive |
Rationale | Running SELinux in disabled mode is strongly discouraged. It prevents enforcing the SELinux
controls without a system reboot. It also avoids labeling any persistent objects such as
files, making it difficult to enable SELinux in the future. |
Warnings | warning
In case the SELinux is "disabled", the automated remediation will adopt a more
conservative approach and set it to "permissive" in order to avoid any system disruption
and give the administrator the opportunity to assess the impact and necessary efforts
before setting it to "enforcing", which is strongly recommended. |
OVAL test results details
SELinux is not disabled in /etc/selinux/config
oval:ssg-test_selinux_not_disabled:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/selinux/config | SELINUX=enforcing |
Configure SELinux Policyxccdf_org.ssgproject.content_rule_selinux_policytype mediumCCE-84074-4
Configure SELinux Policy
Rule ID | xccdf_org.ssgproject.content_rule_selinux_policytype |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-selinux_policytype:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84074-4 References:
BP28(R66), A.6.SEC-RHEL1, 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, CCI-002165, CCI-002696, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5, AC-3, AC-3(3)(a), AU-9, SC-7(21), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, SRG-OS-000445-GPOS-00199, SRG-APP-000233-CTR-000585, 1.6.1.3 |
Description | The SELinux targeted policy is appropriate for
general-purpose desktops and servers, as well as systems in many other roles.
To configure the system to use this policy, add or correct the following line
in /etc/selinux/config :
SELINUXTYPE=targeted
Other policies, such as mls , provide additional security labeling
and greater confinement but are not compatible with many general-purpose
use cases. |
Rationale | Setting the SELinux policy to targeted or a more specialized policy
ensures the system will confine processes that are likely to be
targeted for exploitation, such as network or system services.
Note: During the development or debugging of SELinux modules, it is common to
temporarily place non-production systems in permissive mode. In such
temporary cases, SELinux policies should be developed, and once work
is completed, the system should be reconfigured to
targeted . |
OVAL test results details
Tests the value of the ^[\s]*SELINUXTYPE[\s]*=[\s]*([^#]*) expression in the /etc/selinux/config file
oval:ssg-test_selinux_policy:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/selinux/config | SELINUXTYPE=targeted
|
Ensure SELinux State is Enforcingxccdf_org.ssgproject.content_rule_selinux_state highCCE-84079-3
Ensure SELinux State is Enforcing
Rule ID | xccdf_org.ssgproject.content_rule_selinux_state |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-selinux_state:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | high |
Identifiers and References | Identifiers:
CCE-84079-3 References:
BP28(R4), BP28(R66), A.6.SEC-RHEL1, 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, CCI-001084, CCI-002165, CCI-002696, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5, AC-3, AC-3(3)(a), AU-9, SC-7(21), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, SRG-OS-000445-GPOS-00199, SRG-OS-000134-GPOS-00068, 1.6.1.5 |
Description | The SELinux state should be set to enforcing at
system boot time. In the file /etc/selinux/config , add or correct the
following line to configure the system to boot into enforcing mode:
SELINUX=enforcing |
Rationale | Setting the SELinux state to enforcing ensures SELinux is able to confine
potentially compromised processes to the security policy, which is designed to
prevent them from causing damage to the system or further elevating their
privileges. |
OVAL test results details
/selinux/enforce is 1
oval:ssg-test_etc_selinux_config:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/selinux/config | SELINUX=enforcing |
Uninstall avahi Server Packagexccdf_org.ssgproject.content_rule_package_avahi_removed mediumCCE-86513-9
Uninstall avahi Server Package
Rule ID | xccdf_org.ssgproject.content_rule_package_avahi_removed |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_avahi_removed:def:1 |
Time | 2023-11-27T20:53:47+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86513-9 References:
11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, 2.2.2 |
Description | If the system does not need to have an Avahi server which implements
the DNS Service Discovery and Multicast DNS protocols,
the avahi-autoipd and avahi packages can be uninstalled. |
Rationale | Automatic discovery of network services is not normally required for
system functionality. It is recommended to remove this package to reduce
the potential attack surface. |
|
|
|
|
OVAL test results details
package avahi is removed
oval:ssg-test_package_avahi_removed:tst:1
false
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
avahi | x86_64 | (none) | 12.el9_2.1 | 0.8 | 0:0.8-12.el9_2.1 | 199e2f91fd431d51 | avahi-0:0.8-12.el9_2.1.x86_64 |
Ensure that /etc/at.deny does not existxccdf_org.ssgproject.content_rule_file_at_deny_not_exist mediumCCE-86946-1
Ensure that /etc/at.deny does not exist
Rule ID | xccdf_org.ssgproject.content_rule_file_at_deny_not_exist |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_at_deny_not_exist:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86946-1 References:
2.2.6, 5.1.9 |
Description | The file /etc/at.deny should not exist.
Use /etc/at.allow instead. |
Rationale | Access to at should be restricted.
It is easier to manage an allow list than a deny list. |
|
|
OVAL test results details
Test that that /etc/at.deny does not exist
oval:ssg-test_file_at_deny_not_exist:tst:1
false
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|
/etc/at.deny | regular | 0 | 0 | 1 | rw-r--r-- |
Ensure that /etc/cron.deny does not existxccdf_org.ssgproject.content_rule_file_cron_deny_not_exist mediumCCE-86850-5
Ensure that /etc/cron.deny does not exist
Rule ID | xccdf_org.ssgproject.content_rule_file_cron_deny_not_exist |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_cron_deny_not_exist:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86850-5 References:
2.2.6, 5.1.8 |
Description | The file /etc/cron.deny should not exist.
Use /etc/cron.allow instead. |
Rationale | Access to cron should be restricted.
It is easier to manage an allow list than a deny list. |
|
|
OVAL test results details
Test that that /etc/cron.deny does not exist
oval:ssg-test_file_cron_deny_not_exist:tst:1
false
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|
/etc/cron.deny | regular | 0 | 0 | 0 | rw-r--r-- |
Verify Group Who Owns /etc/at.allow filexccdf_org.ssgproject.content_rule_file_groupowner_at_allow mediumCCE-87103-8
Verify Group Who Owns /etc/at.allow file
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_at_allow |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_at_allow:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-87103-8 References:
2.2.6, 5.1.9 |
Description | If /etc/at.allow exists, it must be group-owned by root .
To properly set the group owner of /etc/at.allow , run the command:
$ sudo chgrp root /etc/at.allow |
Rationale | If the owner of the at.allow file is not set to root, the possibility exists for an
unauthorized user to view or edit sensitive information. |
OVAL test results details
Testing group ownership of /etc/at.allow
oval:ssg-test_file_groupowner_at_allow_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_at_allow_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/at.allow | oval:ssg-symlink_file_groupowner_at_allow_uid_0:ste:1 | oval:ssg-state_file_groupowner_at_allow_gid_0_0:ste:1 |
Verify Group Who Owns /etc/cron.allow filexccdf_org.ssgproject.content_rule_file_groupowner_cron_allow mediumCCE-86830-7
Verify Group Who Owns /etc/cron.allow file
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_cron_allow:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86830-7 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, 2.2.6, SRG-OS-000480-GPOS-00227, 5.1.8 |
Description | If /etc/cron.allow exists, it must be group-owned by root .
To properly set the group owner of /etc/cron.allow , run the command:
$ sudo chgrp root /etc/cron.allow |
Rationale | If the owner of the cron.allow file is not set to root, the possibility exists for an
unauthorized user to view or edit sensitive information. |
OVAL test results details
Testing group ownership of /etc/cron.allow
oval:ssg-test_file_groupowner_cron_allow_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_cron_allow_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/cron.allow | oval:ssg-symlink_file_groupowner_cron_allow_uid_0:ste:1 | oval:ssg-state_file_groupowner_cron_allow_gid_0_0:ste:1 |
Verify User Who Owns /etc/cron.allow filexccdf_org.ssgproject.content_rule_file_owner_cron_allow mediumCCE-86844-8
Verify User Who Owns /etc/cron.allow file
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_cron_allow |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_cron_allow:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86844-8 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, 2.2.6, SRG-OS-000480-GPOS-00227, 5.1.8 |
Description | If /etc/cron.allow exists, it must be owned by root .
To properly set the owner of /etc/cron.allow , run the command:
$ sudo chown root /etc/cron.allow |
Rationale | If the owner of the cron.allow file is not set to root, the possibility exists for an
unauthorized user to view or edit sensitive information. |
OVAL test results details
Testing user ownership of /etc/cron.allow
oval:ssg-test_file_owner_cron_allow_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_cron_allow_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/cron.allow | oval:ssg-symlink_file_owner_cron_allow_uid_0:ste:1 | oval:ssg-state_file_owner_cron_allow_uid_0_0:ste:1 |
Verify Permissions on /etc/at.allow filexccdf_org.ssgproject.content_rule_file_permissions_at_allow mediumCCE-86904-0
Verify Permissions on /etc/at.allow file
Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_at_allow |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_permissions_at_allow:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86904-0 References:
2.2.6, 5.1.9 |
Description | If /etc/at.allow exists, it must have permissions 0600
or more restrictive.
To properly set the permissions of /etc/at.allow , run the command:
$ sudo chmod 0600 /etc/at.allow |
Rationale | If the permissions of the at.allow file are not set to 0600 or more restrictive,
the possibility exists for an unauthorized user to view or edit sensitive information. |
OVAL test results details
Testing mode of /etc/at.allow
oval:ssg-test_file_permissions_at_allow_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_at_allow_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/at.allow | oval:ssg-exclude_symlinks__at_allow:ste:1 | oval:ssg-state_file_permissions_at_allow_0_mode_0600or_stricter_:ste:1 |
Verify Permissions on /etc/cron.allow filexccdf_org.ssgproject.content_rule_file_permissions_cron_allow mediumCCE-86877-8
Verify Permissions on /etc/cron.allow file
Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_cron_allow |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_permissions_cron_allow:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86877-8 References:
2.2.6, SRG-OS-000480-GPOS-00227, 5.1.8 |
Description | If /etc/cron.allow exists, it must have permissions 0600
or more restrictive.
To properly set the permissions of /etc/cron.allow , run the command:
$ sudo chmod 0600 /etc/cron.allow |
Rationale | If the permissions of the cron.allow file are not set to 0600 or more restrictive,
the possibility exists for an unauthorized user to view or edit sensitive information. |
OVAL test results details
Testing mode of /etc/cron.allow
oval:ssg-test_file_permissions_cron_allow_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_cron_allow_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/cron.allow | oval:ssg-exclude_symlinks__cron_allow:ste:1 | oval:ssg-state_file_permissions_cron_allow_0_mode_0600or_stricter_:ste:1 |
Enable cron Servicexccdf_org.ssgproject.content_rule_service_crond_enabled mediumCCE-84163-5
Enable cron Service
Rule ID | xccdf_org.ssgproject.content_rule_service_crond_enabled |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-service_crond_enabled:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84163-5 References:
11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-6(a), PR.IP-1, PR.PT-3, 5.1.1 |
Description | The crond service is used to execute commands at
preconfigured times. It is required by almost all systems to perform necessary
maintenance tasks, such as notifying root of system activity.
The crond service can be enabled with the following command:
$ sudo systemctl enable crond.service |
Rationale | Due to its usage for maintenance and security-supporting tasks,
enabling the cron daemon is essential. |
OVAL test results details
package cronie is installed
oval:ssg-test_service_crond_package_cronie_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
cronie | x86_64 | (none) | 8.el9 | 1.5.7 | 0:1.5.7-8.el9 | 199e2f91fd431d51 | cronie-0:1.5.7-8.el9.x86_64 |
Test that the crond service is running
oval:ssg-test_service_running_crond:tst:1
true
Following items have been found on the system:
Unit | Property | Value |
---|
crond.service | ActiveState | active |
systemd test
oval:ssg-test_multi_user_wants_crond:tst:1
true
Following items have been found on the system:
Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
---|
multi-user.target | basic.target | sysinit.target | systemd-network-generator.service | sys-fs-fuse-connections.mount | lvm2-lvmpolld.socket | kmod-static-nodes.service | systemd-tmpfiles-setup.service | systemd-pcrphase-sysinit.service | systemd-random-seed.service | integritysetup.target | lvm2-monitor.service | selinux-autorelabel-mark.service | dev-mqueue.mount | systemd-pcrphase.service | nis-domainname.service | systemd-journald.service | systemd-update-utmp.service | systemd-sysusers.service | systemd-tmpfiles-setup-dev.service | cryptsetup.target | dev-hugepages.mount | iscsi-onboot.service | systemd-firstboot.service | systemd-sysctl.service | systemd-udevd.service | plymouth-read-write.service | systemd-journal-catalog-update.service | systemd-machine-id-commit.service | proc-sys-fs-binfmt_misc.automount | systemd-repart.service | veritysetup.target | swap.target | dev-mapper-rhel\x2dswap.swap | sys-kernel-tracing.mount | systemd-ask-password-console.path | systemd-update-done.service | multipathd.service | systemd-modules-load.service | sys-kernel-debug.mount | systemd-hwdb-update.service | sys-kernel-config.mount | dracut-shutdown.service | systemd-journal-flush.service | local-fs.target | boot.mount | boot-efi.mount | -.mount | ostree-remount.service | systemd-remount-fs.service | plymouth-start.service | systemd-binfmt.service | ldconfig.service | systemd-udev-trigger.service | systemd-boot-system-token.service | slices.target | system.slice | -.slice | sockets.target | systemd-journald.socket | systemd-journald-dev-log.socket | avahi-daemon.socket | sssd-kcm.socket | systemd-udevd-kernel.socket | cups.socket | iscsid.socket | iscsiuio.socket | systemd-udevd-control.socket | dbus.socket | dm-event.socket | systemd-coredump.socket | systemd-initctl.socket | multipathd.socket | microcode.service | timers.target | logrotate.timer | systemd-tmpfiles-clean.timer | dnf-makecache.timer | mlocate-updatedb.timer | low-memory-monitor.service | paths.target | nvmefc-boot-connections.service | chronyd.service | avahi-daemon.service | mcelog.service | cups.service | firewalld.service | rsyslog.service | irqbalance.service | plymouth-quit.service | crond.service | kdump.service | sshd.service | tuned.service | sssd.service | insights-client-boot.service | systemd-ask-password-wall.path | mdmonitor.service | systemd-update-utmp-runlevel.service | systemd-user-sessions.service | libstoragemgmt.service | auditd.service | rhsmcertd.service | remote-fs.target | iscsi.service | pmlogger.service | ModemManager.service | smartd.service | atd.service | getty.target | getty@tty1.service | ostree-readonly-sysroot-migration.service | vmtoolsd.service | pmie.service | NetworkManager.service | pmcd.service | cups.path | systemd-logind.service | plymouth-quit-wait.service |
systemd test
oval:ssg-test_multi_user_wants_crond_socket:tst:1
false
Following items have been found on the system:
Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
---|
multi-user.target | basic.target | sysinit.target | systemd-network-generator.service | sys-fs-fuse-connections.mount | lvm2-lvmpolld.socket | kmod-static-nodes.service | systemd-tmpfiles-setup.service | systemd-pcrphase-sysinit.service | systemd-random-seed.service | integritysetup.target | lvm2-monitor.service | selinux-autorelabel-mark.service | dev-mqueue.mount | systemd-pcrphase.service | nis-domainname.service | systemd-journald.service | systemd-update-utmp.service | systemd-sysusers.service | systemd-tmpfiles-setup-dev.service | cryptsetup.target | dev-hugepages.mount | iscsi-onboot.service | systemd-firstboot.service | systemd-sysctl.service | systemd-udevd.service | plymouth-read-write.service | systemd-journal-catalog-update.service | systemd-machine-id-commit.service | proc-sys-fs-binfmt_misc.automount | systemd-repart.service | veritysetup.target | swap.target | dev-mapper-rhel\x2dswap.swap | sys-kernel-tracing.mount | systemd-ask-password-console.path | systemd-update-done.service | multipathd.service | systemd-modules-load.service | sys-kernel-debug.mount | systemd-hwdb-update.service | sys-kernel-config.mount | dracut-shutdown.service | systemd-journal-flush.service | local-fs.target | boot.mount | boot-efi.mount | -.mount | ostree-remount.service | systemd-remount-fs.service | plymouth-start.service | systemd-binfmt.service | ldconfig.service | systemd-udev-trigger.service | systemd-boot-system-token.service | slices.target | system.slice | -.slice | sockets.target | systemd-journald.socket | systemd-journald-dev-log.socket | avahi-daemon.socket | sssd-kcm.socket | systemd-udevd-kernel.socket | cups.socket | iscsid.socket | iscsiuio.socket | systemd-udevd-control.socket | dbus.socket | dm-event.socket | systemd-coredump.socket | systemd-initctl.socket | multipathd.socket | microcode.service | timers.target | logrotate.timer | systemd-tmpfiles-clean.timer | dnf-makecache.timer | mlocate-updatedb.timer | low-memory-monitor.service | paths.target | nvmefc-boot-connections.service | chronyd.service | avahi-daemon.service | mcelog.service | cups.service | firewalld.service | rsyslog.service | irqbalance.service | plymouth-quit.service | crond.service | kdump.service | sshd.service | tuned.service | sssd.service | insights-client-boot.service | systemd-ask-password-wall.path | mdmonitor.service | systemd-update-utmp-runlevel.service | systemd-user-sessions.service | libstoragemgmt.service | auditd.service | rhsmcertd.service | remote-fs.target | iscsi.service | pmlogger.service | ModemManager.service | smartd.service | atd.service | getty.target | getty@tty1.service | ostree-readonly-sysroot-migration.service | vmtoolsd.service | pmie.service | NetworkManager.service | pmcd.service | cups.path | systemd-logind.service | plymouth-quit-wait.service |
Verify Group Who Owns cron.dxccdf_org.ssgproject.content_rule_file_groupowner_cron_d mediumCCE-84177-5
Verify Group Who Owns cron.d
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_cron_d |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_cron_d:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84177-5 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.7 |
Description |
To properly set the group owner of /etc/cron.d , run the command:
$ sudo chgrp root /etc/cron.d |
Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
OVAL test results details
Testing group ownership of /etc/cron.d/
oval:ssg-test_file_groupowner_cron_d_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_cron_d_0:obj:1 of type
file_object
Path | Filename | Filter | Filter |
---|
/etc/cron.d | no value | oval:ssg-symlink_file_groupowner_cron_d_uid_0:ste:1 | oval:ssg-state_file_groupowner_cron_d_gid_0_0:ste:1 |
Verify Group Who Owns cron.dailyxccdf_org.ssgproject.content_rule_file_groupowner_cron_daily mediumCCE-84170-0
Verify Group Who Owns cron.daily
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_cron_daily |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_cron_daily:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84170-0 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.4 |
Description |
To properly set the group owner of /etc/cron.daily , run the command:
$ sudo chgrp root /etc/cron.daily |
Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
OVAL test results details
Testing group ownership of /etc/cron.daily/
oval:ssg-test_file_groupowner_cron_daily_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_cron_daily_0:obj:1 of type
file_object
Path | Filename | Filter | Filter |
---|
/etc/cron.daily | no value | oval:ssg-symlink_file_groupowner_cron_daily_uid_0:ste:1 | oval:ssg-state_file_groupowner_cron_daily_gid_0_0:ste:1 |
Verify Group Who Owns cron.hourlyxccdf_org.ssgproject.content_rule_file_groupowner_cron_hourly mediumCCE-84186-6
Verify Group Who Owns cron.hourly
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_cron_hourly |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_cron_hourly:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84186-6 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.3 |
Description |
To properly set the group owner of /etc/cron.hourly , run the command:
$ sudo chgrp root /etc/cron.hourly |
Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
OVAL test results details
Testing group ownership of /etc/cron.hourly/
oval:ssg-test_file_groupowner_cron_hourly_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_cron_hourly_0:obj:1 of type
file_object
Path | Filename | Filter | Filter |
---|
/etc/cron.hourly | no value | oval:ssg-symlink_file_groupowner_cron_hourly_uid_0:ste:1 | oval:ssg-state_file_groupowner_cron_hourly_gid_0_0:ste:1 |
Verify Group Who Owns cron.monthlyxccdf_org.ssgproject.content_rule_file_groupowner_cron_monthly mediumCCE-84189-0
Verify Group Who Owns cron.monthly
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_cron_monthly |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_cron_monthly:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84189-0 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.6 |
Description |
To properly set the group owner of /etc/cron.monthly , run the command:
$ sudo chgrp root /etc/cron.monthly |
Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
OVAL test results details
Testing group ownership of /etc/cron.monthly/
oval:ssg-test_file_groupowner_cron_monthly_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_cron_monthly_0:obj:1 of type
file_object
Path | Filename | Filter | Filter |
---|
/etc/cron.monthly | no value | oval:ssg-symlink_file_groupowner_cron_monthly_uid_0:ste:1 | oval:ssg-state_file_groupowner_cron_monthly_gid_0_0:ste:1 |
Verify Group Who Owns cron.weeklyxccdf_org.ssgproject.content_rule_file_groupowner_cron_weekly mediumCCE-84174-2
Verify Group Who Owns cron.weekly
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_cron_weekly |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_cron_weekly:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84174-2 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.5 |
Description |
To properly set the group owner of /etc/cron.weekly , run the command:
$ sudo chgrp root /etc/cron.weekly |
Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
OVAL test results details
Testing group ownership of /etc/cron.weekly/
oval:ssg-test_file_groupowner_cron_weekly_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_cron_weekly_0:obj:1 of type
file_object
Path | Filename | Filter | Filter |
---|
/etc/cron.weekly | no value | oval:ssg-symlink_file_groupowner_cron_weekly_uid_0:ste:1 | oval:ssg-state_file_groupowner_cron_weekly_gid_0_0:ste:1 |
Verify Group Who Owns Crontabxccdf_org.ssgproject.content_rule_file_groupowner_crontab mediumCCE-84171-8
Verify Group Who Owns Crontab
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_crontab |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_crontab:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84171-8 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.2 |
Description |
To properly set the group owner of /etc/crontab , run the command:
$ sudo chgrp root /etc/crontab |
Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
OVAL test results details
Testing group ownership of /etc/crontab
oval:ssg-test_file_groupowner_crontab_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_crontab_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/crontab | oval:ssg-symlink_file_groupowner_crontab_uid_0:ste:1 | oval:ssg-state_file_groupowner_crontab_gid_0_0:ste:1 |
Verify Owner on cron.dxccdf_org.ssgproject.content_rule_file_owner_cron_d mediumCCE-84169-2
Verify Owner on cron.d
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_cron_d |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_cron_d:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84169-2 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.7 |
Description |
To properly set the owner of /etc/cron.d , run the command:
$ sudo chown root /etc/cron.d |
Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct user to prevent unauthorized changes. |
OVAL test results details
Testing user ownership of /etc/cron.d/
oval:ssg-test_file_owner_cron_d_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_cron_d_0:obj:1 of type
file_object
Path | Filename | Filter | Filter |
---|
/etc/cron.d | no value | oval:ssg-symlink_file_owner_cron_d_uid_0:ste:1 | oval:ssg-state_file_owner_cron_d_uid_0_0:ste:1 |
Verify Owner on cron.dailyxccdf_org.ssgproject.content_rule_file_owner_cron_daily mediumCCE-84188-2
Verify Owner on cron.daily
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_cron_daily |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_cron_daily:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84188-2 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.4 |
Description |
To properly set the owner of /etc/cron.daily , run the command:
$ sudo chown root /etc/cron.daily |
Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct user to prevent unauthorized changes. |
OVAL test results details
Testing user ownership of /etc/cron.daily/
oval:ssg-test_file_owner_cron_daily_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_cron_daily_0:obj:1 of type
file_object
Path | Filename | Filter | Filter |
---|
/etc/cron.daily | no value | oval:ssg-symlink_file_owner_cron_daily_uid_0:ste:1 | oval:ssg-state_file_owner_cron_daily_uid_0_0:ste:1 |
Verify Owner on cron.hourlyxccdf_org.ssgproject.content_rule_file_owner_cron_hourly mediumCCE-84168-4
Verify Owner on cron.hourly
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_cron_hourly |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_cron_hourly:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84168-4 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.3 |
Description |
To properly set the owner of /etc/cron.hourly , run the command:
$ sudo chown root /etc/cron.hourly |
Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct user to prevent unauthorized changes. |
OVAL test results details
Testing user ownership of /etc/cron.hourly/
oval:ssg-test_file_owner_cron_hourly_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_cron_hourly_0:obj:1 of type
file_object
Path | Filename | Filter | Filter |
---|
/etc/cron.hourly | no value | oval:ssg-symlink_file_owner_cron_hourly_uid_0:ste:1 | oval:ssg-state_file_owner_cron_hourly_uid_0_0:ste:1 |
Verify Owner on cron.monthlyxccdf_org.ssgproject.content_rule_file_owner_cron_monthly mediumCCE-84179-1
Verify Owner on cron.monthly
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_cron_monthly |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_cron_monthly:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84179-1 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.6 |
Description |
To properly set the owner of /etc/cron.monthly , run the command:
$ sudo chown root /etc/cron.monthly |
Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct user to prevent unauthorized changes. |
OVAL test results details
Testing user ownership of /etc/cron.monthly/
oval:ssg-test_file_owner_cron_monthly_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_cron_monthly_0:obj:1 of type
file_object
Path | Filename | Filter | Filter |
---|
/etc/cron.monthly | no value | oval:ssg-symlink_file_owner_cron_monthly_uid_0:ste:1 | oval:ssg-state_file_owner_cron_monthly_uid_0_0:ste:1 |
Verify Owner on cron.weeklyxccdf_org.ssgproject.content_rule_file_owner_cron_weekly mediumCCE-84190-8
Verify Owner on cron.weekly
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_cron_weekly |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_cron_weekly:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84190-8 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.5 |
Description |
To properly set the owner of /etc/cron.weekly , run the command:
$ sudo chown root /etc/cron.weekly |
Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct user to prevent unauthorized changes. |
OVAL test results details
Testing user ownership of /etc/cron.weekly/
oval:ssg-test_file_owner_cron_weekly_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_cron_weekly_0:obj:1 of type
file_object
Path | Filename | Filter | Filter |
---|
/etc/cron.weekly | no value | oval:ssg-symlink_file_owner_cron_weekly_uid_0:ste:1 | oval:ssg-state_file_owner_cron_weekly_uid_0_0:ste:1 |
Verify Owner on crontabxccdf_org.ssgproject.content_rule_file_owner_crontab mediumCCE-84167-6
Verify Owner on crontab
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_crontab |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_crontab:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84167-6 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.2 |
Description |
To properly set the owner of /etc/crontab , run the command:
$ sudo chown root /etc/crontab |
Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct user to prevent unauthorized changes. |
OVAL test results details
Testing user ownership of /etc/crontab
oval:ssg-test_file_owner_crontab_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_crontab_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/crontab | oval:ssg-symlink_file_owner_crontab_uid_0:ste:1 | oval:ssg-state_file_owner_crontab_uid_0_0:ste:1 |
Verify Permissions on cron.dxccdf_org.ssgproject.content_rule_file_permissions_cron_d mediumCCE-84183-3
Verify Permissions on cron.d
Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_cron_d |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_permissions_cron_d:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84183-3 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, 2.2.6, SRG-OS-000480-GPOS-00227, 5.1.7 |
Description |
To properly set the permissions of /etc/cron.d , run the command:
$ sudo chmod 0700 /etc/cron.d |
Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the
correct access rights to prevent unauthorized changes. |
|
|
OVAL test results details
Testing mode of /etc/cron.d/
oval:ssg-test_file_permissions_cron_d_0:tst:1
false
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|
/etc/cron.d/ | directory | 0 | 0 | 21 | rwxr-xr-x |
Verify Permissions on cron.dailyxccdf_org.ssgproject.content_rule_file_permissions_cron_daily mediumCCE-84175-9
Verify Permissions on cron.daily
Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_cron_daily |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_permissions_cron_daily:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84175-9 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, 2.2.6, SRG-OS-000480-GPOS-00227, 5.1.4 |
Description |
To properly set the permissions of /etc/cron.daily , run the command:
$ sudo chmod 0700 /etc/cron.daily |
Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the
correct access rights to prevent unauthorized changes. |
|
|
OVAL test results details
Testing mode of /etc/cron.daily/
oval:ssg-test_file_permissions_cron_daily_0:tst:1
false
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|
/etc/cron.daily/ | directory | 0 | 0 | 6 | rwxr-xr-x |
Verify Permissions on cron.hourlyxccdf_org.ssgproject.content_rule_file_permissions_cron_hourly mediumCCE-84173-4
Verify Permissions on cron.hourly
Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_cron_hourly |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_permissions_cron_hourly:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84173-4 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, 2.2.6, SRG-OS-000480-GPOS-00227, 5.1.3 |
Description |
To properly set the permissions of /etc/cron.hourly , run the command:
$ sudo chmod 0700 /etc/cron.hourly |
Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the
correct access rights to prevent unauthorized changes. |
|
|
OVAL test results details
Testing mode of /etc/cron.hourly/
oval:ssg-test_file_permissions_cron_hourly_0:tst:1
false
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|
/etc/cron.hourly/ | directory | 0 | 0 | 22 | rwxr-xr-x |
Verify Permissions on cron.monthlyxccdf_org.ssgproject.content_rule_file_permissions_cron_monthly mediumCCE-84181-7
Verify Permissions on cron.monthly
Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_cron_monthly |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_permissions_cron_monthly:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84181-7 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, 2.2.6, SRG-OS-000480-GPOS-00227, 5.1.6 |
Description |
To properly set the permissions of /etc/cron.monthly , run the command:
$ sudo chmod 0700 /etc/cron.monthly |
Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the
correct access rights to prevent unauthorized changes. |
|
|
OVAL test results details
Testing mode of /etc/cron.monthly/
oval:ssg-test_file_permissions_cron_monthly_0:tst:1
false
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|
/etc/cron.monthly/ | directory | 0 | 0 | 6 | rwxr-xr-x |
Verify Permissions on cron.weeklyxccdf_org.ssgproject.content_rule_file_permissions_cron_weekly mediumCCE-84187-4
Verify Permissions on cron.weekly
Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_cron_weekly |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_permissions_cron_weekly:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84187-4 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, 2.2.6, SRG-OS-000480-GPOS-00227, 5.1.5 |
Description |
To properly set the permissions of /etc/cron.weekly , run the command:
$ sudo chmod 0700 /etc/cron.weekly |
Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the
correct access rights to prevent unauthorized changes. |
|
|
OVAL test results details
Testing mode of /etc/cron.weekly/
oval:ssg-test_file_permissions_cron_weekly_0:tst:1
false
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|
/etc/cron.weekly/ | directory | 0 | 0 | 6 | rwxr-xr-x |
Verify Permissions on crontabxccdf_org.ssgproject.content_rule_file_permissions_crontab mediumCCE-84176-7
Verify Permissions on crontab
Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_crontab |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_permissions_crontab:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84176-7 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, 2.2.6, SRG-OS-000480-GPOS-00227, 5.1.2 |
Description |
To properly set the permissions of /etc/crontab , run the command:
$ sudo chmod 0600 /etc/crontab |
Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the
correct access rights to prevent unauthorized changes. |
|
|
OVAL test results details
Testing mode of /etc/crontab
oval:ssg-test_file_permissions_crontab_0:tst:1
false
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|
/etc/crontab | regular | 0 | 0 | 451 | rw-r--r-- |
Uninstall DHCP Server Packagexccdf_org.ssgproject.content_rule_package_dhcp_removed mediumCCE-84240-1
Uninstall DHCP Server Package
Rule ID | xccdf_org.ssgproject.content_rule_package_dhcp_removed |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_dhcp_removed:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84240-1 References:
BP28(R1), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, 2.2.4, 2.2.4 |
Description | If the system does not need to act as a DHCP server,
the dhcp package can be uninstalled.
The dhcp-server package can be removed with the following command:
$ sudo dnf erase dhcp-server |
Rationale | Removing the DHCP server ensures that it cannot be easily or
accidentally reactivated and disrupt network operation. |
OVAL test results details
package dhcp-server is removed
oval:ssg-test_package_dhcp-server_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_dhcp-server_removed:obj:1 of type
rpminfo_object
Uninstall bind Packagexccdf_org.ssgproject.content_rule_package_bind_removed lowCCE-86505-5
Uninstall bind Package
Rule ID | xccdf_org.ssgproject.content_rule_package_bind_removed |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_bind_removed:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | low |
Identifiers and References | Identifiers:
CCE-86505-5 References:
A.8.SEC-RHEL4, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, 2.2.4, 2.2.5 |
Description | The named service is provided by the bind package.
The bind package can be removed with the following command:
$ sudo dnf erase bind |
Rationale | If there is no need to make DNS server software available,
removing it provides a safeguard against its activation. |
OVAL test results details
package bind is removed
oval:ssg-test_package_bind_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_bind_removed:obj:1 of type
rpminfo_object
Uninstall dnsmasq Packagexccdf_org.ssgproject.content_rule_package_dnsmasq_removed lowCCE-86063-5
Uninstall dnsmasq Package
Rule ID | xccdf_org.ssgproject.content_rule_package_dnsmasq_removed |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_dnsmasq_removed:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | low |
Identifiers and References | Identifiers:
CCE-86063-5 References:
2.2.14 |
Description | dnsmasq is a lightweight tool that provides DNS caching, DNS forwarding and
DHCP (Dynamic Host Configuration Protocol) services.
The dnsmasq package can be removed with the following command:
$ sudo dnf erase dnsmasq |
Rationale | Unless a system is specifically designated to act as a DNS
caching, DNS forwarding and/or DHCP server, it is recommended that the
package be removed to reduce the potential attack surface. |
|
|
|
|
OVAL test results details
package dnsmasq is removed
oval:ssg-test_package_dnsmasq_removed:tst:1
false
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
dnsmasq | x86_64 | (none) | 6.el9 | 2.85 | 0:2.85-6.el9 | 199e2f91fd431d51 | dnsmasq-0:2.85-6.el9.x86_64 |
Uninstall vsftpd Packagexccdf_org.ssgproject.content_rule_package_vsftpd_removed highCCE-84159-3
Uninstall vsftpd Package
Rule ID | xccdf_org.ssgproject.content_rule_package_vsftpd_removed |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_vsftpd_removed:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | high |
Identifiers and References | Identifiers:
CCE-84159-3 References:
A.8.SEC-RHEL4, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000197, CCI-000366, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c), IA-5(1).1(v), CM-7, CM-7.1(ii), PR.IP-1, PR.PT-3, 2.2.4, SRG-OS-000074-GPOS-00042, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, 2.2.6 |
Description | The vsftpd package can be removed with the following command: $ sudo dnf erase vsftpd |
Rationale | Removing the vsftpd package decreases the risk of its
accidental activation. |
OVAL test results details
package vsftpd is removed
oval:ssg-test_package_vsftpd_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_vsftpd_removed:obj:1 of type
rpminfo_object
Remove ftp Packagexccdf_org.ssgproject.content_rule_package_ftp_removed lowCCE-86075-9
Remove ftp Package
Rule ID | xccdf_org.ssgproject.content_rule_package_ftp_removed |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_ftp_removed:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | low |
Identifiers and References | Identifiers:
CCE-86075-9 References:
2.3.4 |
Description | FTP (File Transfer Protocol) is a traditional and widely used standard tool for
transferring files between a server and clients over a network, especially where no
authentication is necessary (permits anonymous users to connect to a server).
The ftp package can be removed with the following command:
$ sudo dnf erase ftp |
Rationale | FTP does not protect the confidentiality of data or authentication credentials. It
is recommended SFTP be used if file transfer is required. Unless there is a need
to run the system as a FTP server (for example, to allow anonymous downloads), it is
recommended that the package be removed to reduce the potential attack surface. |
OVAL test results details
package ftp is removed
oval:ssg-test_package_ftp_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_ftp_removed:obj:1 of type
rpminfo_object
Uninstall httpd Packagexccdf_org.ssgproject.content_rule_package_httpd_removed unknownCCE-85974-4
Uninstall httpd Package
Rule ID | xccdf_org.ssgproject.content_rule_package_httpd_removed |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_httpd_removed:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | unknown |
Identifiers and References | Identifiers:
CCE-85974-4 References:
11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, 2.2.4, 2.2.8 |
Description |
The httpd package can be removed with the following command:
$ sudo dnf erase httpd |
Rationale | If there is no need to make the web server software available,
removing it provides a safeguard against its activation. |
OVAL test results details
package httpd is removed
oval:ssg-test_package_httpd_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_httpd_removed:obj:1 of type
rpminfo_object
Uninstall nginx Packagexccdf_org.ssgproject.content_rule_package_nginx_removed unknownCCE-88035-1
Uninstall nginx Package
Rule ID | xccdf_org.ssgproject.content_rule_package_nginx_removed |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_nginx_removed:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | unknown |
Identifiers and References | Identifiers:
CCE-88035-1 References:
BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, 2.2.8 |
Description | The nginx package can be removed with the following command:
$ sudo dnf erase nginx |
Rationale | If there is no need to make the web server software available,
removing it provides a safeguard against its activation. |
OVAL test results details
package nginx is removed
oval:ssg-test_package_nginx_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_nginx_removed:obj:1 of type
rpminfo_object
Uninstall cyrus-imapd Packagexccdf_org.ssgproject.content_rule_package_cyrus-imapd_removed unknownCCE-88120-1
Uninstall cyrus-imapd Package
Rule ID | xccdf_org.ssgproject.content_rule_package_cyrus-imapd_removed |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_cyrus-imapd_removed:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | unknown |
Identifiers and References | Identifiers:
CCE-88120-1 References:
A.8.SEC-RHEL4, 2.2.9 |
Description | The cyrus-imapd package can be removed with the following command:
$ sudo dnf erase cyrus-imapd |
Rationale | If there is no need to make the cyrus-imapd software available,
removing it provides a safeguard against its activation. |
OVAL test results details
package cyrus-imapd is removed
oval:ssg-test_package_cyrus-imapd_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_cyrus-imapd_removed:obj:1 of type
rpminfo_object
Uninstall dovecot Packagexccdf_org.ssgproject.content_rule_package_dovecot_removed unknownCCE-85977-7
Uninstall dovecot Package
Rule ID | xccdf_org.ssgproject.content_rule_package_dovecot_removed |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_dovecot_removed:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | unknown |
Identifiers and References | Identifiers:
CCE-85977-7 References:
A.8.SEC-RHEL4, 2.2.9 |
Description |
The dovecot package can be removed with the following command:
$ sudo dnf erase dovecot |
Rationale | If there is no need to make the Dovecot software available,
removing it provides a safeguard against its activation. |
OVAL test results details
package dovecot is removed
oval:ssg-test_package_dovecot_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_dovecot_removed:obj:1 of type
rpminfo_object
Ensure LDAP client is not installedxccdf_org.ssgproject.content_rule_package_openldap-clients_removed lowCCE-90831-9
Ensure LDAP client is not installed
Rule ID | xccdf_org.ssgproject.content_rule_package_openldap-clients_removed |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_openldap-clients_removed:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | low |
Identifiers and References | Identifiers:
CCE-90831-9 References:
2.2.4, 2.3.2 |
Description | The Lightweight Directory Access Protocol (LDAP) is a service that provides
a method for looking up information from a central database.
The openldap-clients package can be removed with the following command:
$ sudo dnf erase openldap-clients |
Rationale | If the system does not need to act as an LDAP client, it is recommended that the software is removed to reduce the potential attack surface. |
OVAL test results details
package openldap-clients is removed
oval:ssg-test_package_openldap-clients_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_openldap-clients_removed:obj:1 of type
rpminfo_object
Disable Postfix Network Listeningxccdf_org.ssgproject.content_rule_postfix_network_listening_disabled mediumCCE-90825-1
Disable Postfix Network Listening
Rule ID | xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled |
Result | |
Multi-check rule | no |
Time | 2023-11-27T20:53:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-90825-1 References:
BP28(R48), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000382, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, 2.2.4, 2.2.15 |
Description | Edit the file /etc/postfix/main.cf to ensure that only the following
inet_interfaces line appears:
inet_interfaces = loopback-only |
Rationale | This ensures postfix accepts mail messages
(such as cron job reports) from the local system only,
and not from the network, which protects it from network attack. |
Ensure Mail Transfer Agent is not Listening on any non-loopback Addressxccdf_org.ssgproject.content_rule_has_nonlocal_mta mediumCCE-88499-9
Ensure Mail Transfer Agent is not Listening on any non-loopback Address
Rule ID | xccdf_org.ssgproject.content_rule_has_nonlocal_mta |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-has_nonlocal_mta:def:1 |
Time | 2023-11-27T20:53:48+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-88499-9 References:
2.2.15 |
Description | Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to
listen for incoming mail and transfer the messages to the appropriate
user or mail server. If the system is not intended to be a mail server,
it is recommended that the MTA be configured to only process local mail. |
Rationale | The software for all Mail Transfer Agents is complex and most have a
long history of security issues. While it is important to ensure that
the system can process local mail messages, it is not necessary to have
the MTA's daemon listening on a port unless the server is intended to
be a mail server that receives and processes mail from other systems. |
OVAL test results details
mta is not listening on any non-loopback address
oval:ssg-tst_nothing_listening_external_mta_port:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_listening_port_25:obj:1 of type
inetlisteningservers_object
Protocol | Local address | Local port | Filter | Filter |
---|
tcp | 127.0.0.1 | 25 | oval:ssg-ste_not_port_25:ste:1 | oval:ssg-ste_not_on_localhost:ste:1 |
Disable rpcbind Servicexccdf_org.ssgproject.content_rule_service_rpcbind_disabled lowCCE-84245-0
Disable rpcbind Service
Rule ID | xccdf_org.ssgproject.content_rule_service_rpcbind_disabled |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-service_rpcbind_disabled:def:1 |
Time | 2023-11-27T20:53:49+10:00 |
Severity | low |
Identifiers and References | Identifiers:
CCE-84245-0 References:
2.2.4, 2.2.17 |
Description | The rpcbind utility maps RPC services to the ports on which they listen.
RPC processes notify rpcbind when they start, registering the ports they
are listening on and the RPC program numbers they expect to serve. The
rpcbind service redirects the client to the proper port number so it can
communicate with the requested service. If the system does not require RPC
(such as for NFS servers) then this service should be disabled.
The rpcbind service can be disabled with the following command:
$ sudo systemctl mask --now rpcbind.service |
Rationale | If the system does not require rpc based services, it is recommended that
rpcbind be disabled to reduce the attack surface. |
OVAL test results details
package nfs-utils is removed
oval:ssg-test_service_rpcbind_package_nfs-utils_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_service_rpcbind_package_nfs-utils_removed:obj:1 of type
rpminfo_object
Test that the rpcbind service is not running
oval:ssg-test_service_not_running_rpcbind:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_not_running_rpcbind:obj:1 of type
systemdunitproperty_object
Unit | Property |
---|
^rpcbind\.(service|socket)$ | ActiveState |
Test that the property LoadState from the service rpcbind is masked
oval:ssg-test_service_loadstate_is_masked_rpcbind:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_loadstate_is_masked_rpcbind:obj:1 of type
systemdunitproperty_object
Unit | Property |
---|
^rpcbind\.(service|socket)$ | LoadState |
Disable Network File System (nfs)xccdf_org.ssgproject.content_rule_service_nfs_disabled unknownCCE-90850-9
Disable Network File System (nfs)
Rule ID | xccdf_org.ssgproject.content_rule_service_nfs_disabled |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-service_nfs_disabled:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | unknown |
Identifiers and References | Identifiers:
CCE-90850-9 References:
11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.PT-3, 2.2.16 |
Description | The Network File System (NFS) service allows remote hosts to mount
and interact with shared filesystems on the local system. If the local system
is not designated as a NFS server then this service should be disabled.
The nfs-server service can be disabled with the following command:
$ sudo systemctl mask --now nfs-server.service |
Rationale | Unnecessary services should be disabled to decrease the attack surface of the system. |
OVAL test results details
package nfs-utils is removed
oval:ssg-test_service_nfs-server_package_nfs-utils_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_service_nfs-server_package_nfs-utils_removed:obj:1 of type
rpminfo_object
Test that the nfs-server service is not running
oval:ssg-test_service_not_running_nfs-server:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_not_running_nfs-server:obj:1 of type
systemdunitproperty_object
Unit | Property |
---|
^nfs-server\.(service|socket)$ | ActiveState |
Test that the property LoadState from the service nfs-server is masked
oval:ssg-test_service_loadstate_is_masked_nfs-server:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_loadstate_is_masked_nfs-server:obj:1 of type
systemdunitproperty_object
Unit | Property |
---|
^nfs-server\.(service|socket)$ | LoadState |
Ensure that chronyd is running under chrony user accountxccdf_org.ssgproject.content_rule_chronyd_run_as_chrony_user mediumCCE-84108-0
Ensure that chronyd is running under chrony user account
Rule ID | xccdf_org.ssgproject.content_rule_chronyd_run_as_chrony_user |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-chronyd_run_as_chrony_user:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84108-0 References:
A.3.SEC-RHEL3, 2.1.2 |
Description | chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to
synchronize system clocks across a variety of systems and use a source that is highly
accurate. More information on chrony can be found at
http://chrony.tuxfamily.org/.
Chrony can be configured to be a client and/or a server.
To ensure that chronyd is running under chrony user account,
remove any -u ... option from OPTIONS other than -u chrony ,
as chrony is run under its own user by default.
This recommendation only applies if chrony is in use on the system. |
Rationale | If chrony is in use on the system proper configuration is vital to ensuring time synchronization
is working properly. |
OVAL test results details
The default chrony user hasn't been overriden
oval:ssg-test_no_user_override:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_user_override:obj:1 of type
textfilecontent54_object
Behaviors | Filepath | Pattern | Instance |
---|
no value | /etc/sysconfig/chronyd | ^\s*OPTIONS=.*[\s'"]-u(?!\s*chrony\b).* | 0 |
A remote time server for Chrony is configuredxccdf_org.ssgproject.content_rule_chronyd_specify_remote_server mediumCCE-84218-7
A remote time server for Chrony is configured
Rule ID | xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-chronyd_specify_remote_server:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84218-7 References:
BP28(R71), A.3.SEC-RHEL3, CCI-000160, CCI-001891, 0988, 1405, CM-6(a), AU-8(1)(a), Req-10.4.3, 10.6.2, 2.1.2 |
Description | Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to
synchronize system clocks across a variety of systems and use a source that is highly
accurate. More information on chrony can be found at
http://chrony.tuxfamily.org/.
Chrony can be configured to be a client and/or a server.
Add or edit server or pool lines to /etc/chrony.conf as appropriate:
server <remote-server>
Multiple servers may be configured. |
Rationale | If chrony is in use on the system proper configuration is vital to ensuring time
synchronization is working properly. |
OVAL test results details
Ensure at least one NTP server is set
oval:ssg-test_chronyd_remote_server:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/chrony.conf | pool 2.rhel.pool.ntp.org iburst |
Remove Rsh Trust Filesxccdf_org.ssgproject.content_rule_no_rsh_trust_files highCCE-84145-2
Remove Rsh Trust Files
Rule ID | xccdf_org.ssgproject.content_rule_no_rsh_trust_files |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-no_rsh_trust_files:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | high |
Identifiers and References | Identifiers:
CCE-84145-2 References:
11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-001436, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, 6.2.15 |
Description | The files /etc/hosts.equiv and ~/.rhosts (in
each user's home directory) list remote hosts and users that are trusted by the
local system when using the rshd daemon.
To remove these files, run the following command to delete them from any
location:
$ sudo rm /etc/hosts.equiv
$ rm ~/.rhosts |
Rationale | This action is only meaningful if .rhosts support is permitted
through PAM. Trust files are convenient, but when used in conjunction with
the R-services, they can allow unauthenticated access to a system. |
OVAL test results details
look for .rhosts in /root
oval:ssg-test_no_rsh_trust_files_root:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_no_rsh_trust_files_root:obj:1 of type
file_object
Path | Filename |
---|
/root | ^\.rhosts$ |
look for .rhosts in /home
oval:ssg-test_no_rsh_trust_files_home:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_no_rsh_trust_files_home:obj:1 of type
file_object
Behaviors | Path | Filename |
---|
no value | /home | ^\.rhosts$ |
look for /etc/hosts.equiv
oval:ssg-test_no_rsh_trust_files_etc:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_no_rsh_trust_files_etc:obj:1 of type
file_object
Path | Filename |
---|
/etc | ^hosts\.equiv$ |
Uninstall telnet-server Packagexccdf_org.ssgproject.content_rule_package_telnet-server_removed highCCE-84149-4
Uninstall telnet-server Package
Rule ID | xccdf_org.ssgproject.content_rule_package_telnet-server_removed |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_telnet-server_removed:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | high |
Identifiers and References | Identifiers:
CCE-84149-4 References:
BP28(R1), A.8.SEC-RHEL4, 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000381, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, Req-2.2.2, 2.2.4, SRG-OS-000095-GPOS-00049, 2.2.13 |
Description | The telnet-server package can be removed with the following command:
$ sudo dnf erase telnet-server |
Rationale | It is detrimental for operating systems to provide, or install by default,
functionality exceeding requirements or mission objectives. These
unnecessary capabilities are often overlooked and therefore may remain
unsecure. They increase the risk to the platform by providing additional
attack vectors.
The telnet service provides an unencrypted remote access service which does
not provide for the confidentiality and integrity of user passwords or the
remote session. If a privileged user were to login using this service, the
privileged user password could be compromised.
Removing the telnet-server package decreases the risk of the
telnet service's accidental (or intentional) activation. |
OVAL test results details
package telnet-server is removed
oval:ssg-test_package_telnet-server_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_telnet-server_removed:obj:1 of type
rpminfo_object
Remove telnet Clientsxccdf_org.ssgproject.content_rule_package_telnet_removed lowCCE-84146-0
Remove telnet Clients
Rule ID | xccdf_org.ssgproject.content_rule_package_telnet_removed |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_telnet_removed:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | low |
Identifiers and References | Identifiers:
CCE-84146-0 References:
BP28(R1), 3.1.13, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3, 2.2.4, 2.3.1 |
Description | The telnet client allows users to start connections to other systems via
the telnet protocol. |
Rationale | The telnet protocol is insecure and unencrypted. The use
of an unencrypted transmission medium could allow an unauthorized user
to steal credentials. The ssh package provides an
encrypted session and stronger security and is included in Red Hat Enterprise Linux 9. |
OVAL test results details
package telnet is removed
oval:ssg-test_package_telnet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_telnet_removed:obj:1 of type
rpminfo_object
Uninstall tftp-server Packagexccdf_org.ssgproject.content_rule_package_tftp-server_removed highCCE-84154-4
Uninstall tftp-server Package
Rule ID | xccdf_org.ssgproject.content_rule_package_tftp-server_removed |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_tftp-server_removed:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | high |
Identifiers and References | Identifiers:
CCE-84154-4 References:
BP28(R1), A.8.SEC-RHEL4, 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000318, CCI-000366, CCI-000368, CCI-001812, CCI-001813, CCI-001814, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, 2.2.7 |
Description | The tftp-server package can be removed with the following command: $ sudo dnf erase tftp-server |
Rationale | Removing the tftp-server package decreases the risk of the accidental
(or intentional) activation of tftp services.
If TFTP is required for operational support (such as transmission of router
configurations), its use must be documented with the Information Systems
Securty Manager (ISSM), restricted to only authorized personnel, and have
access control rules established. |
OVAL test results details
package tftp-server is removed
oval:ssg-test_package_tftp-server_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_tftp-server_removed:obj:1 of type
rpminfo_object
Remove tftp Daemonxccdf_org.ssgproject.content_rule_package_tftp_removed lowCCE-84153-6
Remove tftp Daemon
Rule ID | xccdf_org.ssgproject.content_rule_package_tftp_removed |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_tftp_removed:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | low |
Identifiers and References | Identifiers:
CCE-84153-6 References:
BP28(R1), 2.3.3 |
Description | Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
typically used to automatically transfer configuration or boot files between systems.
TFTP does not support authentication and can be easily hacked. The package
tftp is a client program that allows for connections to a tftp server. |
Rationale | It is recommended that TFTP be removed, unless there is a specific need
for TFTP (such as a boot server). In that case, use extreme caution when configuring
the services. |
OVAL test results details
package tftp is removed
oval:ssg-test_package_tftp_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_tftp_removed:obj:1 of type
rpminfo_object
Uninstall rsync Packagexccdf_org.ssgproject.content_rule_package_rsync_removed mediumCCE-86336-5
Uninstall rsync Package
Rule ID | xccdf_org.ssgproject.content_rule_package_rsync_removed |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_rsync_removed:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86336-5 References:
2.2.18 |
Description | The rsyncd service can be used to synchronize files between systems over network links.
The rsync-daemon package can be removed with the following command:
$ sudo dnf erase rsync-daemon |
Rationale | The rsyncd service presents a security risk as it uses unencrypted protocols for
communication. |
OVAL test results details
package rsync-daemon is removed
oval:ssg-test_package_rsync-daemon_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_rsync-daemon_removed:obj:1 of type
rpminfo_object
Uninstall CUPS Packagexccdf_org.ssgproject.content_rule_package_cups_removed unknownCCE-86300-1
Uninstall CUPS Package
Rule ID | xccdf_org.ssgproject.content_rule_package_cups_removed |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_cups_removed:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | unknown |
Identifiers and References | Identifiers:
CCE-86300-1 References:
11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, 2.2.3 |
Description | The cups package can be removed with the following command:
$ sudo dnf erase cups |
Rationale | If the system does not need to print jobs or accept print jobs from other systems, it is
recommended that CUPS be removed to reduce the potential attack surface. |
|
|
|
|
OVAL test results details
package cups is removed
oval:ssg-test_package_cups_removed:tst:1
false
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
cups | x86_64 | 1 | 16.el9 | 2.3.3op2 | 1:2.3.3op2-16.el9 | 199e2f91fd431d51 | cups-1:2.3.3op2-16.el9.x86_64 |
Uninstall squid Packagexccdf_org.ssgproject.content_rule_package_squid_removed unknownCCE-84238-5
Uninstall squid Package
Rule ID | xccdf_org.ssgproject.content_rule_package_squid_removed |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_squid_removed:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | unknown |
Identifiers and References | Identifiers:
CCE-84238-5 References:
A.8.SEC-RHEL4, 2.2.11 |
Description | The squid package can be removed with the following command: $ sudo dnf erase squid |
Rationale | If there is no need to make the proxy server software available,
removing it provides a safeguard against its activation. |
OVAL test results details
package squid is removed
oval:ssg-test_package_squid_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_squid_removed:obj:1 of type
rpminfo_object
Uninstall Samba Packagexccdf_org.ssgproject.content_rule_package_samba_removed unknownCCE-85979-3
Uninstall Samba Package
Rule ID | xccdf_org.ssgproject.content_rule_package_samba_removed |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_samba_removed:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | unknown |
Identifiers and References | Identifiers:
CCE-85979-3 References:
2.2.4, 2.2.10 |
Description | The samba package can be removed with the following command: $ sudo dnf erase samba |
Rationale | If there is no need to make the Samba software available,
removing it provides a safeguard against its activation. |
OVAL test results details
package samba is removed
oval:ssg-test_package_samba_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_samba_removed:obj:1 of type
rpminfo_object
Uninstall net-snmp Packagexccdf_org.ssgproject.content_rule_package_net-snmp_removed unknownCCE-85981-9
Uninstall net-snmp Package
Rule ID | xccdf_org.ssgproject.content_rule_package_net-snmp_removed |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_net-snmp_removed:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | unknown |
Identifiers and References | Identifiers:
CCE-85981-9 References:
A.8.SEC-RHEL4, 2.2.4, 2.2.12 |
Description |
The net-snmp package provides the snmpd service.
The net-snmp package can be removed with the following command:
$ sudo dnf erase net-snmp |
Rationale | If there is no need to run SNMP server software,
removing the package provides a safeguard against its
activation. |
OVAL test results details
package net-snmp is removed
oval:ssg-test_package_net-snmp_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_net-snmp_removed:obj:1 of type
rpminfo_object
Set SSH Client Alive Count Maxxccdf_org.ssgproject.content_rule_sshd_set_keepalive mediumCCE-90805-3
Set SSH Client Alive Count Max
Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_keepalive |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sshd_set_keepalive:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-90805-3 References:
BP28(R32), A.5.SEC-RHEL7, 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.5.6, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.11, CCI-000879, CCI-001133, CCI-002361, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, Req-8.1.8, 8.2.8, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, 5.2.20 |
Description | The SSH server sends at most ClientAliveCountMax messages
during a SSH session and waits for a response from the SSH client.
The option ClientAliveInterval configures timeout after
each ClientAliveCountMax message. If the SSH server does not
receive a response from the client, then the connection is considered unresponsive
and terminated.
For SSH earlier than v8.2, a ClientAliveCountMax value of 0
causes a timeout precisely when the ClientAliveInterval is set.
Starting with v8.2, a value of 0 disables the timeout functionality
completely. If the option is set to a number greater than 0 , then
the session will be disconnected after
ClientAliveInterval * ClientAliveCountMax seconds without receiving
a keep alive message. |
Rationale | This ensures a user login will be terminated as soon as the ClientAliveInterval
is reached. |
|
|
OVAL test results details
Verify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
openssh-server | x86_64 | (none) | 29.el9_2 | 8.7p1 | 0:8.7p1-29.el9_2 | 199e2f91fd431d51 | openssh-server-0:8.7p1-29.el9_2.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
openssh-server | x86_64 | (none) | 29.el9_2 | 8.7p1 | 0:8.7p1-29.el9_2 | 199e2f91fd431d51 | openssh-server-0:8.7p1-29.el9_2.x86_64 |
Check the value of ClientAliveCountMax setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_set_keepalive_clientalivecountmax:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_sshd_set_keepalive_clientalivecountmax:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/ssh/sshd_config | ^[ \t]*(?i)ClientAliveCountMax(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Check the value of ClientAliveCountMax setting in /etc/ssh/sshd_config.d/ files
oval:ssg-test_sshd_set_keepalive_clientalivecountmax_dir:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_sshd_set_keepalive_clientalivecountmax_dir:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/ssh/sshd_config.d | .*\.conf$ | ^[ \t]*(?i)ClientAliveCountMax(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Disable Host-Based Authenticationxccdf_org.ssgproject.content_rule_disable_host_auth mediumCCE-90816-0
Disable Host-Based Authentication
Rule ID | xccdf_org.ssgproject.content_rule_disable_host_auth |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-disable_host_auth:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-90816-0 References:
11, 12, 14, 15, 16, 18, 3, 5, 9, 5.5.6, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-3, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.IP-1, PR.PT-3, FIA_UAU.1, 8.3.1, SRG-OS-000480-GPOS-00229, 5.2.8 |
Description | SSH's cryptographic host-based authentication is
more secure than .rhosts authentication. However, it is
not recommended that hosts unilaterally trust one another, even
within an organization.
The default SSH configuration disables host-based authentication. The appropriate
configuration is used if no value is set for HostbasedAuthentication .
To explicitly disable host-based authentication, add or correct the
following line in
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf :
HostbasedAuthentication no |
Rationale | SSH trust relationships mean a compromise on one host
can allow an attacker to move trivially to other hosts. |
|
|
|
OVAL test results details
Verify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
openssh-server | x86_64 | (none) | 29.el9_2 | 8.7p1 | 0:8.7p1-29.el9_2 | 199e2f91fd431d51 | openssh-server-0:8.7p1-29.el9_2.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
openssh-server | x86_64 | (none) | 29.el9_2 | 8.7p1 | 0:8.7p1-29.el9_2 | 199e2f91fd431d51 | openssh-server-0:8.7p1-29.el9_2.x86_64 |
tests the value of HostbasedAuthentication setting in the /etc/ssh/sshd_config file
oval:ssg-test_disable_host_auth:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_disable_host_auth:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/ssh/sshd_config | ^[ \t]*(?i)HostbasedAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
tests the value of HostbasedAuthentication setting in the /etc/ssh/sshd_config.d file
oval:ssg-test_disable_host_auth_config_dir:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_disable_host_auth_config_dir:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/ssh/sshd_config.d | .*\.conf$ | ^[ \t]*(?i)HostbasedAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Verify that the value of HostbasedAuthentication is present
oval:ssg-test_HostbasedAuthentication_present_disable_host_auth:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_disable_host_auth:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-obj_disable_host_auth:obj:1
oval:ssg-obj_disable_host_auth_config_dir:obj:1
|
Disable SSH Access via Empty Passwordsxccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords highCCE-90799-8
Disable SSH Access via Empty Passwords
Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sshd_disable_empty_passwords:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | high |
Identifiers and References | Identifiers:
CCE-90799-8 References:
NT007(R17), 11, 12, 13, 14, 15, 16, 18, 3, 5, 9, 5.5.6, APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, 3.1.1, 3.1.5, CCI-000366, CCI-000766, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3, FIA_UAU.1, Req-2.2.4, 2.2.6, SRG-OS-000106-GPOS-00053, SRG-OS-000480-GPOS-00229, SRG-OS-000480-GPOS-00227, 5.2.9 |
Description | Disallow SSH login with empty passwords.
The default SSH configuration disables logins with empty passwords. The appropriate
configuration is used if no value is set for PermitEmptyPasswords .
To explicitly disallow SSH login from accounts with empty passwords,
add or correct the following line in
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf :
PermitEmptyPasswords no
Any accounts with empty passwords should be disabled immediately, and PAM configuration
should prevent users from being able to assign themselves empty passwords. |
Rationale | Configuring this setting for the SSH daemon provides additional assurance
that remote login via SSH will require a password, even in the event of
misconfiguration elsewhere. |
|
|
OVAL test results details
Verify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
openssh-server | x86_64 | (none) | 29.el9_2 | 8.7p1 | 0:8.7p1-29.el9_2 | 199e2f91fd431d51 | openssh-server-0:8.7p1-29.el9_2.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
openssh-server | x86_64 | (none) | 29.el9_2 | 8.7p1 | 0:8.7p1-29.el9_2 | 199e2f91fd431d51 | openssh-server-0:8.7p1-29.el9_2.x86_64 |
tests the value of PermitEmptyPasswords setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_empty_passwords:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_empty_passwords:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/ssh/sshd_config | ^[ \t]*(?i)PermitEmptyPasswords(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
tests the value of PermitEmptyPasswords setting in the /etc/ssh/sshd_config.d file
oval:ssg-test_sshd_disable_empty_passwords_config_dir:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_empty_passwords_config_dir:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/ssh/sshd_config.d | .*\.conf$ | ^[ \t]*(?i)PermitEmptyPasswords(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Verify that the value of PermitEmptyPasswords is present
oval:ssg-test_PermitEmptyPasswords_present_sshd_disable_empty_passwords:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_disable_empty_passwords:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-obj_sshd_disable_empty_passwords:obj:1
oval:ssg-obj_sshd_disable_empty_passwords_config_dir:obj:1
|
Disable SSH Support for .rhosts Filesxccdf_org.ssgproject.content_rule_sshd_disable_rhosts mediumCCE-90797-2
Disable SSH Support for .rhosts Files
Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_rhosts |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sshd_disable_rhosts:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-90797-2 References:
11, 12, 14, 15, 16, 18, 3, 5, 9, 5.5.6, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.1.12, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.IP-1, PR.PT-3, FIA_UAU.1, 2.2.6, SRG-OS-000480-GPOS-00227, 5.2.11 |
Description | SSH can emulate the behavior of the obsolete rsh
command in allowing users to enable insecure access to their
accounts via .rhosts files.
The default SSH configuration disables support for .rhosts . The appropriate
configuration is used if no value is set for IgnoreRhosts .
To explicitly disable support for .rhosts files, add or correct the following line in
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf :
IgnoreRhosts yes |
Rationale | SSH trust relationships mean a compromise on one host
can allow an attacker to move trivially to other hosts. |
|
|
OVAL test results details
Verify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
openssh-server | x86_64 | (none) | 29.el9_2 | 8.7p1 | 0:8.7p1-29.el9_2 | 199e2f91fd431d51 | openssh-server-0:8.7p1-29.el9_2.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
openssh-server | x86_64 | (none) | 29.el9_2 | 8.7p1 | 0:8.7p1-29.el9_2 | 199e2f91fd431d51 | openssh-server-0:8.7p1-29.el9_2.x86_64 |
tests the value of IgnoreRhosts setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_rhosts:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_rhosts:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/ssh/sshd_config | ^[ \t]*(?i)IgnoreRhosts(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
tests the value of IgnoreRhosts setting in the /etc/ssh/sshd_config.d file
oval:ssg-test_sshd_disable_rhosts_config_dir:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_rhosts_config_dir:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/ssh/sshd_config.d | .*\.conf$ | ^[ \t]*(?i)IgnoreRhosts(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Verify that the value of IgnoreRhosts is present
oval:ssg-test_IgnoreRhosts_present_sshd_disable_rhosts:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_disable_rhosts:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-obj_sshd_disable_rhosts:obj:1
oval:ssg-obj_sshd_disable_rhosts_config_dir:obj:1
|
Disable SSH Root Loginxccdf_org.ssgproject.content_rule_sshd_disable_root_login mediumCCE-90800-4
Disable SSH Root Login
Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_root_login |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sshd_disable_root_login:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-90800-4 References:
BP28(R19), NT007(R21), 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.6, APO01.06, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.1.5, CCI-000366, CCI-000770, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-6(2), AC-17(a), IA-2, IA-2(5), CM-7(a), CM-7(b), CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, PR.PT-3, FAU_GEN.1, Req-2.2.4, 2.2.6, SRG-OS-000109-GPOS-00056, SRG-OS-000480-GPOS-00227, SRG-APP-000148-CTR-000335, SRG-APP-000190-CTR-000500, 5.2.7 |
Description | The root user should never be allowed to login to a
system directly over a network.
To disable root login via SSH, add or correct the following line in
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf :
PermitRootLogin no |
Rationale | Even though the communications channel may be encrypted, an additional layer of
security is gained by extending the policy of not logging directly on as root.
In addition, logging in with a user-specific account provides individual
accountability of actions performed on the system and also helps to minimize
direct attack attempts on root's password. |
|
|
OVAL test results details
Verify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
openssh-server | x86_64 | (none) | 29.el9_2 | 8.7p1 | 0:8.7p1-29.el9_2 | 199e2f91fd431d51 | openssh-server-0:8.7p1-29.el9_2.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
openssh-server | x86_64 | (none) | 29.el9_2 | 8.7p1 | 0:8.7p1-29.el9_2 | 199e2f91fd431d51 | openssh-server-0:8.7p1-29.el9_2.x86_64 |
tests the value of PermitRootLogin setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_root_login:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_root_login:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/ssh/sshd_config | ^[ \t]*(?i)PermitRootLogin(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
tests the value of PermitRootLogin setting in the /etc/ssh/sshd_config.d file
oval:ssg-test_sshd_disable_root_login_config_dir:tst:1
false
Following items have been found on the system:
Path | Content |
---|
/etc/ssh/sshd_config.d/01-permitrootlogin.conf | PermitRootLogin yes |
Verify that the value of PermitRootLogin is present
oval:ssg-test_PermitRootLogin_present_sshd_disable_root_login:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/ssh/sshd_config.d/01-permitrootlogin.conf | PermitRootLogin yes |
Disable SSH TCP Forwardingxccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding mediumCCE-90806-1
Disable SSH TCP Forwarding
Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sshd_disable_tcp_forwarding:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-90806-1 References:
2.2.6, 5.2.13 |
Description | The AllowTcpForwarding parameter specifies whether TCP forwarding is permitted.
To disable TCP forwarding, add or correct the following line in
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf :
AllowTcpForwarding no |
Rationale | Leaving port forwarding enabled can expose the organization to security risks and back-doors. |
|
|
OVAL test results details
Verify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
openssh-server | x86_64 | (none) | 29.el9_2 | 8.7p1 | 0:8.7p1-29.el9_2 | 199e2f91fd431d51 | openssh-server-0:8.7p1-29.el9_2.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
openssh-server | x86_64 | (none) | 29.el9_2 | 8.7p1 | 0:8.7p1-29.el9_2 | 199e2f91fd431d51 | openssh-server-0:8.7p1-29.el9_2.x86_64 |
tests the value of AllowTcpForwarding setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_tcp_forwarding:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_tcp_forwarding:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/ssh/sshd_config | ^[ \t]*(?i)AllowTcpForwarding(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
tests the value of AllowTcpForwarding setting in the /etc/ssh/sshd_config.d file
oval:ssg-test_sshd_disable_tcp_forwarding_config_dir:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_tcp_forwarding_config_dir:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/ssh/sshd_config.d | .*\.conf$ | ^[ \t]*(?i)AllowTcpForwarding(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Verify that the value of AllowTcpForwarding is present
oval:ssg-test_AllowTcpForwarding_present_sshd_disable_tcp_forwarding:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_disable_tcp_forwarding:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-obj_sshd_disable_tcp_forwarding:obj:1
oval:ssg-obj_sshd_disable_tcp_forwarding_config_dir:obj:1
|
Disable X11 Forwardingxccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding mediumCCE-90798-0
Disable X11 Forwarding
Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sshd_disable_x11_forwarding:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-90798-0 References:
CCI-000366, CM-6(b), 2.2.4, SRG-OS-000480-GPOS-00227, 5.2.12 |
Description | The X11Forwarding parameter provides the ability to tunnel X11 traffic
through the connection to enable remote graphic connections.
SSH has the capability to encrypt remote X11 connections when SSH's
X11Forwarding option is enabled.
The default SSH configuration disables X11Forwarding. The appropriate
configuration is used if no value is set for X11Forwarding .
To explicitly disable X11 Forwarding, add or correct the following line in
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf :
X11Forwarding no |
Rationale | Disable X11 forwarding unless there is an operational requirement to use X11
applications directly. There is a small risk that the remote X11 servers of
users who are logged in via SSH with X11 forwarding could be compromised by
other users on the X11 server. Note that even if X11 forwarding is disabled,
users can always install their own forwarders. |
|
|
OVAL test results details
Verify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
openssh-server | x86_64 | (none) | 29.el9_2 | 8.7p1 | 0:8.7p1-29.el9_2 | 199e2f91fd431d51 | openssh-server-0:8.7p1-29.el9_2.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
openssh-server | x86_64 | (none) | 29.el9_2 | 8.7p1 | 0:8.7p1-29.el9_2 | 199e2f91fd431d51 | openssh-server-0:8.7p1-29.el9_2.x86_64 |
tests the value of X11Forwarding setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_x11_forwarding:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_x11_forwarding:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/ssh/sshd_config | ^[ \t]*(?i)X11Forwarding(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
tests the value of X11Forwarding setting in the /etc/ssh/sshd_config.d file
oval:ssg-test_sshd_disable_x11_forwarding_config_dir:tst:1
false
Following items have been found on the system:
Path | Content |
---|
/etc/ssh/sshd_config.d/50-redhat.conf | X11Forwarding yes |
Verify that the value of X11Forwarding is present
oval:ssg-test_X11Forwarding_present_sshd_disable_x11_forwarding:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/ssh/sshd_config.d/50-redhat.conf | X11Forwarding yes |
Do Not Allow SSH Environment Optionsxccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env mediumCCE-90803-8
Do Not Allow SSH Environment Options
Rule ID | xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sshd_do_not_permit_user_env:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-90803-8 References:
11, 3, 9, 5.5.6, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, Req-2.2.4, 2.2.6, SRG-OS-000480-GPOS-00229, 5.2.10 |
Description | Ensure that users are not able to override environment variables of the SSH daemon.
The default SSH configuration disables environment processing. The appropriate
configuration is used if no value is set for PermitUserEnvironment .
To explicitly disable Environment options, add or correct the following
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf :
PermitUserEnvironment no |
Rationale | SSH environment options potentially allow users to bypass
access restriction in some configurations. |
|
|
OVAL test results details
Verify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
openssh-server | x86_64 | (none) | 29.el9_2 | 8.7p1 | 0:8.7p1-29.el9_2 | 199e2f91fd431d51 | openssh-server-0:8.7p1-29.el9_2.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
openssh-server | x86_64 | (none) | 29.el9_2 | 8.7p1 | 0:8.7p1-29.el9_2 | 199e2f91fd431d51 | openssh-server-0:8.7p1-29.el9_2.x86_64 |
tests the value of PermitUserEnvironment setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_do_not_permit_user_env:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_do_not_permit_user_env:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/ssh/sshd_config | ^[ \t]*(?i)PermitUserEnvironment(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
tests the value of PermitUserEnvironment setting in the /etc/ssh/sshd_config.d file
oval:ssg-test_sshd_do_not_permit_user_env_config_dir:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_do_not_permit_user_env_config_dir:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/ssh/sshd_config.d | .*\.conf$ | ^[ \t]*(?i)PermitUserEnvironment(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Verify that the value of PermitUserEnvironment is present
oval:ssg-test_PermitUserEnvironment_present_sshd_do_not_permit_user_env:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_do_not_permit_user_env:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-obj_sshd_do_not_permit_user_env:obj:1
oval:ssg-obj_sshd_do_not_permit_user_env_config_dir:obj:1
|
Enable PAMxccdf_org.ssgproject.content_rule_sshd_enable_pam mediumCCE-86722-6
Enable PAM
Rule ID | xccdf_org.ssgproject.content_rule_sshd_enable_pam |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sshd_enable_pam:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86722-6 References:
CCI-000877, 2.2.4, SRG-OS-000125-GPOS-00065, 5.2.6 |
Description | UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will
enable PAM authentication using ChallengeResponseAuthentication and
PasswordAuthentication in addition to PAM account and session module processing for all
authentication types.
To enable PAM authentication, add or correct the following line in
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf :
UsePAM yes |
Rationale | When UsePAM is set to yes, PAM runs through account and session types properly. This is
important if you want to restrict access to services based off of IP, time or other factors of
the account. Additionally, you can make sure users inherit certain environment variables
on login or disallow access to the server. |
OVAL test results details
Verify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
openssh-server | x86_64 | (none) | 29.el9_2 | 8.7p1 | 0:8.7p1-29.el9_2 | 199e2f91fd431d51 | openssh-server-0:8.7p1-29.el9_2.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
openssh-server | x86_64 | (none) | 29.el9_2 | 8.7p1 | 0:8.7p1-29.el9_2 | 199e2f91fd431d51 | openssh-server-0:8.7p1-29.el9_2.x86_64 |
tests the value of UsePAM setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_enable_pam:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_enable_pam:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/ssh/sshd_config | ^[ \t]*(?i)UsePAM(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
tests the value of UsePAM setting in the /etc/ssh/sshd_config.d file
oval:ssg-test_sshd_enable_pam_config_dir:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/ssh/sshd_config.d/50-redhat.conf | UsePAM yes |
Verify that the value of UsePAM is present
oval:ssg-test_UsePAM_present_sshd_enable_pam:tst:1
true
Following items have been found on the system:
Path | Content |
---|
/etc/ssh/sshd_config.d/50-redhat.conf | UsePAM yes |
Enable SSH Warning Bannerxccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net mediumCCE-87979-1
Enable SSH Warning Banner
Rule ID | xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sshd_enable_warning_banner_net:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-87979-1 References:
A.11.SEC-RHEL4, 5.5.6, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), AC-17(a), CM-6(a), PR.AC-7, FTA_TAB.1, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, 5.2.15 |
Description | To enable the warning banner and ensure it is consistent
across the system, add or correct the following line in
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf :
Banner /etc/issue.net
Another section contains information on how to create an
appropriate system-wide warning banner. |
Rationale | The warning message reinforces policy awareness during the logon process and
facilitates possible legal action against attackers. Alternatively, systems
whose ownership should not be obvious should ensure usage of a banner that does
not provide easy attribution. |
|
|
OVAL test results details
Verify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
openssh-server | x86_64 | (none) | 29.el9_2 | 8.7p1 | 0:8.7p1-29.el9_2 | 199e2f91fd431d51 | openssh-server-0:8.7p1-29.el9_2.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
openssh-server | x86_64 | (none) | 29.el9_2 | 8.7p1 | 0:8.7p1-29.el9_2 | 199e2f91fd431d51 | openssh-server-0:8.7p1-29.el9_2.x86_64 |
tests the value of Banner setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_enable_warning_banner_net:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_enable_warning_banner_net:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/ssh/sshd_config | ^[ \t]*(?i)Banner(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
tests the value of Banner setting in the /etc/ssh/sshd_config.d file
oval:ssg-test_sshd_enable_warning_banner_net_config_dir:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_enable_warning_banner_net_config_dir:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/ssh/sshd_config.d | .*\.conf$ | ^[ \t]*(?i)Banner(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Verify that the value of Banner is present
oval:ssg-test_Banner_present_sshd_enable_warning_banner_net:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_enable_warning_banner_net:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-obj_sshd_enable_warning_banner_net:obj:1
oval:ssg-obj_sshd_enable_warning_banner_net_config_dir:obj:1
|
Limit Users' SSH Accessxccdf_org.ssgproject.content_rule_sshd_limit_user_access unknownCCE-86817-4
Limit Users' SSH Access
Rule ID | xccdf_org.ssgproject.content_rule_sshd_limit_user_access |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sshd_limit_user_access:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | unknown |
Identifiers and References | Identifiers:
CCE-86817-4 References:
A.11.SEC-RHEL2, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.1.12, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-3, CM-6(a), PR.AC-4, PR.AC-6, PR.PT-3, Req-2.2.4, 2.2.6, 5.2.4 |
Description | By default, the SSH configuration allows any user with an account
to access the system. There are several options available to limit
which users and group can access the system via SSH. It is
recommended that at least one of the following options be leveraged:
- AllowUsers variable gives the system administrator the option of
allowing specific users to ssh into the system. The list consists of
space separated user names. Numeric user IDs are not recognized with
this variable. If a system administrator wants to restrict user
access further by specifically allowing a user's access only from a
particular host, the entry can be specified in the form of user@host.
- AllowGroups variable gives the system administrator the option of
allowing specific groups of users to ssh into the system. The list
consists of space separated group names. Numeric group IDs are not
recognized with this variable.
- DenyUsers variable gives the system administrator the option of
denying specific users to ssh into the system. The list consists of
space separated user names. Numeric user IDs are not recognized with
this variable. If a system administrator wants to restrict user
access further by specifically denying a user's access from a
particular host, the entry can be specified in the form of user@host.
- DenyGroups variable gives the system administrator the option of
denying specific groups of users to ssh into the system. The list
consists of space separated group names. Numeric group IDs are not
recognized with this variable. |
Rationale | Specifying which accounts are allowed SSH access into the system reduces the
possibility of unauthorized access to the system. |
OVAL test results details
Check if there is an AllowUsers entry
oval:ssg-test_allow_user_is_configured:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_allow_user:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^\/etc\/ssh\/sshd_config.*$ | (?i)^[ ]*AllowUsers[ ]+((?:[^ \n]+[ ]*)+)$ | 1 |
Check if there is an AllowGroups entry
oval:ssg-test_allow_group_is_configured:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_allow_group:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/ssh/sshd_config.*$ | (?i)^[ ]*AllowGroups[ ]+((?:[^ \n]+[ ]*)+)$ | 1 |
Check if there is a DenyUsers entry
oval:ssg-test_deny_user_is_configured:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_deny_user:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/ssh/sshd_config.*$ | (?i)^[ ]*DenyUsers[ ]+((?:[^ \n]+[ ]*)+)$ | 1 |
Check if there is a DenyGroups entry
oval:ssg-test_deny_group_is_configured:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_deny_group:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
^/etc/ssh/sshd_config.*$ | (?i)^[ ]*DenyGroups[ ]+((?:[^ \n]+[ ]*)+)$ | 1 |
Ensure SSH LoginGraceTime is configuredxccdf_org.ssgproject.content_rule_sshd_set_login_grace_time mediumCCE-86552-7
Ensure SSH LoginGraceTime is configured
Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sshd_set_login_grace_time:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86552-7 References:
5.2.19 |
Description | The LoginGraceTime parameter to the SSH server specifies the time allowed for successful authentication to
the SSH server. The longer the Grace period is the more open unauthenticated connections
can exist. Like other session controls in this session the Grace Period should be limited to
appropriate limits to ensure the service is available for needed access. |
Rationale | Setting the LoginGraceTime parameter to a low number will minimize the risk of successful
brute force attacks to the SSH server. It will also limit the number of concurrent
unauthenticated connections. |
|
|
OVAL test results details
Verify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
openssh-server | x86_64 | (none) | 29.el9_2 | 8.7p1 | 0:8.7p1-29.el9_2 | 199e2f91fd431d51 | openssh-server-0:8.7p1-29.el9_2.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
openssh-server | x86_64 | (none) | 29.el9_2 | 8.7p1 | 0:8.7p1-29.el9_2 | 199e2f91fd431d51 | openssh-server-0:8.7p1-29.el9_2.x86_64 |
LoginGraceTime is configured
oval:ssg-test_sshd_login_grace_time:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_sshd_login_grace_time:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/ssh/sshd_config | ^[\s]*(?i)LoginGraceTime[\s]+(\d+)[\s]*(?:#.*)?$ | 1 |
Set SSH Daemon LogLevel to VERBOSExccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose mediumCCE-86923-0
Set SSH Daemon LogLevel to VERBOSE
Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sshd_set_loglevel_verbose:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86923-0 References:
CCI-000067, CIP-007-3 R7.1, AC-17(a), AC-17(1), CM-6(a), Req-2.2.4, 2.2.6, SRG-OS-000032-GPOS-00013, 5.2.5 |
Description | The VERBOSE parameter configures the SSH daemon to record login and logout activity.
To specify the log level in
SSH, add or correct the following line in
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf :
LogLevel VERBOSE |
Rationale | SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically
not recommended other than strictly for debugging SSH communications since it provides
so much data that it is difficult to identify important security information. INFO or
VERBOSE level is the basic level that only records login activity of SSH users. In many
situations, such as Incident Response, it is important to determine when a particular user was active
on a system. The logout record can eliminate those users who disconnected, which helps narrow the
field. |
|
|
OVAL test results details
Verify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
openssh-server | x86_64 | (none) | 29.el9_2 | 8.7p1 | 0:8.7p1-29.el9_2 | 199e2f91fd431d51 | openssh-server-0:8.7p1-29.el9_2.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
openssh-server | x86_64 | (none) | 29.el9_2 | 8.7p1 | 0:8.7p1-29.el9_2 | 199e2f91fd431d51 | openssh-server-0:8.7p1-29.el9_2.x86_64 |
tests the value of LogLevel setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_set_loglevel_verbose:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_set_loglevel_verbose:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/ssh/sshd_config | ^[ \t]*(?i)LogLevel(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
tests the value of LogLevel setting in the /etc/ssh/sshd_config.d file
oval:ssg-test_sshd_set_loglevel_verbose_config_dir:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_set_loglevel_verbose_config_dir:obj:1 of type
textfilecontent54_object
Path | Filename | Pattern | Instance |
---|
/etc/ssh/sshd_config.d | .*\.conf$ | ^[ \t]*(?i)LogLevel(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Verify that the value of LogLevel is present
oval:ssg-test_LogLevel_present_sshd_set_loglevel_verbose:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_set_loglevel_verbose:obj:1 of type
textfilecontent54_object
Set |
---|
oval:ssg-obj_sshd_set_loglevel_verbose:obj:1
oval:ssg-obj_sshd_set_loglevel_verbose_config_dir:obj:1
|
Set SSH authentication attempt limitxccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries mediumCCE-90810-3
Set SSH authentication attempt limit
Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sshd_set_max_auth_tries:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-90810-3 References:
0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, 2.2.6, 5.2.16 |
Description | The MaxAuthTries parameter specifies the maximum number of authentication attempts
permitted per connection. Once the number of failures reaches half this value, additional failures are logged.
to set MaxAUthTries edit /etc/ssh/sshd_config as follows:
MaxAuthTries 4 |
Rationale | Setting the MaxAuthTries parameter to a low number will minimize the risk of successful
brute force attacks to the SSH server. |
|
|
OVAL test results details
Verify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
openssh-server | x86_64 | (none) | 29.el9_2 | 8.7p1 | 0:8.7p1-29.el9_2 | 199e2f91fd431d51 | openssh-server-0:8.7p1-29.el9_2.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
openssh-server | x86_64 | (none) | 29.el9_2 | 8.7p1 | 0:8.7p1-29.el9_2 | 199e2f91fd431d51 | openssh-server-0:8.7p1-29.el9_2.x86_64 |
maxauthtries is configured
oval:ssg-test_sshd_max_auth_tries:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_sshd_max_auth_tries:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/ssh/sshd_config | ^[\s]*(?i)MaxAuthTries[\s]+(\d+)[\s]*(?:#.*)?$ | 1 |
Set SSH MaxSessions limitxccdf_org.ssgproject.content_rule_sshd_set_max_sessions mediumCCE-84103-1
Set SSH MaxSessions limit
Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_max_sessions |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sshd_set_max_sessions:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84103-1 References:
2.2.6, 5.2.18 |
Description | The MaxSessions parameter specifies the maximum number of open sessions permitted
from a given connection. To set MaxSessions edit
/etc/ssh/sshd_config as follows: MaxSessions 10 |
Rationale | To protect a system from denial of service due to a large number of concurrent
sessions, use the rate limiting function of MaxSessions to protect availability
of sshd logins and prevent overwhelming the daemon. |
|
|
OVAL test results details
Verify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
openssh-server | x86_64 | (none) | 29.el9_2 | 8.7p1 | 0:8.7p1-29.el9_2 | 199e2f91fd431d51 | openssh-server-0:8.7p1-29.el9_2.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
openssh-server | x86_64 | (none) | 29.el9_2 | 8.7p1 | 0:8.7p1-29.el9_2 | 199e2f91fd431d51 | openssh-server-0:8.7p1-29.el9_2.x86_64 |
maxsessions is configured
oval:ssg-test_sshd_max_sessions:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_sshd_max_sessions:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/ssh/sshd_config | ^[\s]*(?i)MaxSessions[\s]+(\d+)[\s]*(?:#.*)?$ | 1 |
Ensure SSH MaxStartups is configuredxccdf_org.ssgproject.content_rule_sshd_set_maxstartups mediumCCE-87872-8
Ensure SSH MaxStartups is configured
Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_maxstartups |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-sshd_set_maxstartups:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-87872-8 References:
2.2.6, 5.2.17 |
Description | The MaxStartups parameter specifies the maximum number of concurrent
unauthenticated connections to the SSH daemon. Additional connections will be
dropped until authentication succeeds or the LoginGraceTime expires for a
connection. To confgure MaxStartups, you should add or correct the following
line in the
/etc/ssh/sshd_config file:
MaxStartups 10:30:60
CIS recommends a MaxStartups value of '10:30:60', or more restrictive where
dictated by site policy. |
Rationale | To protect a system from denial of service due to a large number of pending
authentication connection attempts, use the rate limiting function of MaxStartups
to protect availability of sshd logins and prevent overwhelming the daemon. |
|
|
OVAL test results details
Verify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
Var ref | Value |
---|
oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
openssh-server | x86_64 | (none) | 29.el9_2 | 8.7p1 | 0:8.7p1-29.el9_2 | 199e2f91fd431d51 | openssh-server-0:8.7p1-29.el9_2.x86_64 |
SSH MaxStartups start parameter is less than or equal to 10
oval:ssg-tst_maxstartups_start_parameter:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_config_maxstartups_first_parameter:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/ssh/sshd_config | (?i)^\s*MaxStartups\s+(\d+):\d+:\d+\s*$ | 1 |
SSH MaxStartups rate parameter is greater than or equal to 30
oval:ssg-tst_maxstartups_rate_parameter:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_config_maxstartups_second_parameter:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/ssh/sshd_config | (?i)^\s*MaxStartups\s+\d+:(\d+):\d+\s*$ | 1 |
SSH MaxStartups full parameter is less than or equal to 100
oval:ssg-tst_maxstartups_full_parameter:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_config_maxstartups_third_parameter:obj:1 of type
textfilecontent54_object
Filepath | Pattern | Instance |
---|
/etc/ssh/sshd_config | (?i)^\s*MaxStartups\s+\d+:\d+:(\d+)\s*$ | 1 |
Verify Group Who Owns SSH Server config filexccdf_org.ssgproject.content_rule_file_groupowner_sshd_config mediumCCE-90817-8
Verify Group Who Owns SSH Server config file
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_sshd_config |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_sshd_config:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-90817-8 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.2.1 |
Description |
To properly set the group owner of /etc/ssh/sshd_config , run the command:
$ sudo chgrp root /etc/ssh/sshd_config |
Rationale | Service configuration files enable or disable features of their respective
services that if configured incorrectly can lead to insecure and vulnerable
configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
OVAL test results details
Testing group ownership of /etc/ssh/sshd_config
oval:ssg-test_file_groupowner_sshd_config_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_sshd_config_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/ssh/sshd_config | oval:ssg-symlink_file_groupowner_sshd_config_uid_0:ste:1 | oval:ssg-state_file_groupowner_sshd_config_gid_0_0:ste:1 |
Verify Group Ownership on SSH Server Private *_key Key Filesxccdf_org.ssgproject.content_rule_file_groupownership_sshd_private_key mediumCCE-86127-8
Verify Group Ownership on SSH Server Private *_key Key Files
Rule ID | xccdf_org.ssgproject.content_rule_file_groupownership_sshd_private_key |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupownership_sshd_private_key:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86127-8 References:
5.2.2 |
Description | SSH server private keys, files that match the /etc/ssh/*_key glob, must be
group-owned by ssh_keys group. |
Rationale | If an unauthorized user obtains the private SSH host key file, the host could be impersonated. |
OVAL test results details
Testing group ownership of /etc/ssh/
oval:ssg-test_file_groupownership_sshd_private_key_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownership_sshd_private_key_0:obj:1 of type
file_object
Path | Filename | Filter | Filter |
---|
/etc/ssh | ^.*_key$ | oval:ssg-symlink_file_groupownership_sshd_private_key_uid_ssh_keys:ste:1 | oval:ssg-state_file_groupownership_sshd_private_key_gid_ssh_keys_0:ste:1 |
Verify Group Ownership on SSH Server Public *.pub Key Filesxccdf_org.ssgproject.content_rule_file_groupownership_sshd_pub_key mediumCCE-86136-9
Verify Group Ownership on SSH Server Public *.pub Key Files
Rule ID | xccdf_org.ssgproject.content_rule_file_groupownership_sshd_pub_key |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupownership_sshd_pub_key:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86136-9 References:
5.2.3 |
Description | SSH server public keys, files that match the /etc/ssh/*.pub glob, must be
group-owned by root group. |
Rationale | If a public host key file is modified by an unauthorized user, the SSH service
may be compromised. |
OVAL test results details
Testing group ownership of /etc/ssh/
oval:ssg-test_file_groupownership_sshd_pub_key_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownership_sshd_pub_key_0:obj:1 of type
file_object
Path | Filename | Filter | Filter |
---|
/etc/ssh | ^.*\.pub$ | oval:ssg-symlink_file_groupownership_sshd_pub_key_uid_0:ste:1 | oval:ssg-state_file_groupownership_sshd_pub_key_gid_0_0:ste:1 |
Verify Owner on SSH Server config filexccdf_org.ssgproject.content_rule_file_owner_sshd_config mediumCCE-90821-0
Verify Owner on SSH Server config file
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_sshd_config |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_sshd_config:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-90821-0 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.2.1 |
Description |
To properly set the owner of /etc/ssh/sshd_config , run the command:
$ sudo chown root /etc/ssh/sshd_config |
Rationale | Service configuration files enable or disable features of their respective
services that if configured incorrectly can lead to insecure and vulnerable
configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
OVAL test results details
Testing user ownership of /etc/ssh/sshd_config
oval:ssg-test_file_owner_sshd_config_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_sshd_config_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/ssh/sshd_config | oval:ssg-symlink_file_owner_sshd_config_uid_0:ste:1 | oval:ssg-state_file_owner_sshd_config_uid_0_0:ste:1 |
Verify Ownership on SSH Server Private *_key Key Filesxccdf_org.ssgproject.content_rule_file_ownership_sshd_private_key mediumCCE-86119-5
Verify Ownership on SSH Server Private *_key Key Files
Rule ID | xccdf_org.ssgproject.content_rule_file_ownership_sshd_private_key |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_ownership_sshd_private_key:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86119-5 References:
5.2.2 |
Description | SSH server private keys, files that match the /etc/ssh/*_key glob, must be owned
by root user. |
Rationale | If an unauthorized user obtains the private SSH host key file, the host could be impersonated. |
OVAL test results details
Testing user ownership of /etc/ssh/
oval:ssg-test_file_ownership_sshd_private_key_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_sshd_private_key_0:obj:1 of type
file_object
Path | Filename | Filter | Filter |
---|
/etc/ssh | ^.*_key$ | oval:ssg-symlink_file_ownership_sshd_private_key_uid_0:ste:1 | oval:ssg-state_file_ownership_sshd_private_key_uid_0_0:ste:1 |
Verify Ownership on SSH Server Public *.pub Key Filesxccdf_org.ssgproject.content_rule_file_ownership_sshd_pub_key mediumCCE-86130-2
Verify Ownership on SSH Server Public *.pub Key Files
Rule ID | xccdf_org.ssgproject.content_rule_file_ownership_sshd_pub_key |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_ownership_sshd_pub_key:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-86130-2 References:
5.2.3 |
Description | SSH server public keys, files that match the /etc/ssh/*.pub glob, must be owned
by root user. |
Rationale | If a public host key file is modified by an unauthorized user, the SSH service
may be compromised. |
OVAL test results details
Testing user ownership of /etc/ssh/
oval:ssg-test_file_ownership_sshd_pub_key_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_sshd_pub_key_0:obj:1 of type
file_object
Path | Filename | Filter | Filter |
---|
/etc/ssh | ^.*\.pub$ | oval:ssg-symlink_file_ownership_sshd_pub_key_uid_0:ste:1 | oval:ssg-state_file_ownership_sshd_pub_key_uid_0_0:ste:1 |
Verify Permissions on SSH Server config filexccdf_org.ssgproject.content_rule_file_permissions_sshd_config mediumCCE-90818-6
Verify Permissions on SSH Server config file
Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_sshd_config |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_permissions_sshd_config:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-90818-6 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, 2.2.6, SRG-OS-000480-GPOS-00227, 5.2.1 |
Description |
To properly set the permissions of /etc/ssh/sshd_config , run the command:
$ sudo chmod 0600 /etc/ssh/sshd_config |
Rationale | Service configuration files enable or disable features of their respective
services that if configured incorrectly can lead to insecure and vulnerable
configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
OVAL test results details
Testing mode of /etc/ssh/sshd_config
oval:ssg-test_file_permissions_sshd_config_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_sshd_config_0:obj:1 of type
file_object
Filepath | Filter | Filter |
---|
/etc/ssh/sshd_config | oval:ssg-exclude_symlinks__sshd_config:ste:1 | oval:ssg-state_file_permissions_sshd_config_0_mode_0600or_stricter_:ste:1 |
Verify Permissions on SSH Server Private *_key Key Filesxccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key mediumCCE-90820-2
Verify Permissions on SSH Server Private *_key Key Files
Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_permissions_sshd_private_key:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-90820-2 References:
BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.13, 3.13.10, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-2.2.4, 2.2.6, SRG-OS-000480-GPOS-00227, 5.2.2 |
Description | SSH server private keys - files that match the /etc/ssh/*_key glob, have to have restricted permissions.
If those files are owned by the root user and the root group, they have to have the 0600 permission or stricter.
If they are owned by the root user, but by a dedicated group ssh_keys , they can have the 0640 permission or stricter. |
Rationale | If an unauthorized user obtains the private SSH host key file, the host could be
impersonated. |
OVAL test results details
No keys that have unsafe ownership/permissions combination exist
oval:ssg-test_no_offending_keys:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_offending_keys:obj:1 of type
file_object
Path | Filename | Filter | Filter | Filter |
---|
/etc/ssh | .*_key$ | oval:ssg-exclude_symlinks__sshd_private_key:ste:1 | oval:ssg-filter_ssh_key_owner_root:ste:1 | oval:ssg-filter_ssh_key_owner_ssh_keys:ste:1 |
Verify Permissions on SSH Server Public *.pub Key Filesxccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key mediumCCE-90819-4
Verify Permissions on SSH Server Public *.pub Key Files
Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_permissions_sshd_pub_key:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-90819-4 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.13, 3.13.10, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-2.2.4, 2.2.6, SRG-OS-000480-GPOS-00227, 5.2.3 |
Description | To properly set the permissions of /etc/ssh/*.pub , run the command: $ sudo chmod 0644 /etc/ssh/*.pub |
Rationale | If a public host key file is modified by an unauthorized user, the SSH service
may be compromised. |
OVAL test results details
Testing mode of /etc/ssh/
oval:ssg-test_file_permissions_sshd_pub_key_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_sshd_pub_key_0:obj:1 of type
file_object
Path | Filename | Filter | Filter |
---|
/etc/ssh | ^.*\.pub$ | oval:ssg-exclude_symlinks__sshd_pub_key:ste:1 | oval:ssg-state_file_permissions_sshd_pub_key_0_mode_0644or_stricter_:ste:1 |
Remove the X Windows Package Groupxccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed mediumCCE-84104-9
Remove the X Windows Package Group
Rule ID | xccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed |
Result | |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_xorg-x11-server-common_removed:def:1 |
Time | 2023-11-27T20:53:50+10:00 |
Severity | medium |
Identifiers and References | Identifiers:
CCE-84104-9 References:
12, 15, 8, APO13.01, DSS01.04, DSS05.02, DSS05.03, CCI-000366, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.PT-4, SRG-OS-000480-GPOS-00227, 2.2.1 |
Description | By removing the xorg-x11-server-common package, the system no longer has X Windows
installed. If X Windows is not installed then the system cannot boot into graphical user mode.
This prevents the system from being accidentally or maliciously booted into a graphical.target
mode. To do so, run the following command: $ sudo dnf groupremove base-x
$ sudo dnf remove xorg-x11-server-common |
Rationale | Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security
vulnerabilities and should not be installed unless approved and documented. |
Warnings | warning
The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your
overall security posture. Removing the package xorg-x11-server-common package will remove the graphical target
which might bring your system to an inconsistent state requiring additional configuration to access the system
again. If a GUI is an operational requirement, a tailored profile that removes this rule should used before
continuing installation. |
|
|
|
|
OVAL test results details
package xorg-x11-server-common is removed
oval:ssg-test_package_xorg-x11-server-common_removed:tst:1
false
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|
xorg-x11-server-common | x86_64 | (none) | 17.el9 | 1.20.11 | 0:1.20.11-17.el9 | 199e2f91fd431d51 | xorg-x11-server-common-0:1.20.11-17.el9.x86_64 |
Scroll back to the first rule