combine_ovals.py from SCAP Security Guide ssg: [0, 1, 43], python: 2.7.5 5.11 2019-06-12T16:10:38

OVAL definitions, listed below as "title: description". Every definition applies to the platform Red Hat Enterprise Linux 7.

- Ensure Users Re-Authenticate for Privilege Escalation - sudo: Checks sudo usage without password.
- Ensure !authenticate Is Not Used in Sudo: Checks sudo usage without authentication.
- Ensure NOPASSWD Is Used Only for the VDSM User in Sudo: Checks sudo usage for the vdsm user without a password.
- Ensure NOPASSWD Is Not Used in Sudo: Checks sudo usage without password.
- Implement Local DB for DConf User Profile: The DConf User profile should have the local DB configured.
- The dconf databases are up-to-date: Make sure that the dconf databases are up-to-date with regard to their respective keyfiles.
- Force dconf to use the textfiles instead of a binary DB: dconf should use text files instead of the binary database.
- Disable Geolocation in GNOME3: Disable GNOME3 Geolocation for the clock and system.
- Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3: Disable the GNOME3 ctrl-alt-del reboot key sequence in GNOME3.
- Disable User Administration in GNOME3: Disable GNOME3's ability to give users some administrative rights.
- Disable Power Settings in GNOME3: Disable GNOME3 power settings.
- Require Encryption for Remote Access in GNOME3: Configure GNOME3 to require encryption for remote access connections.
- Require Credential Prompting for Remote Access in GNOME3: Configure GNOME3 to require credential prompting for remote access.
- Disable WIFI Network Notification in GNOME3: Disable the GNOME3 wireless network notification.
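The four sudo definitions at the top of the list all reduce to one question: can a user escalate privileges without re-authenticating? The checker below is an added example (not SCAP Security Guide code) that answers it for sudoers text supplied as a string, so it runs without root or a real /etc/sudoers. It flags a NOPASSWD tag on any user specification other than the assumed exception `vdsm` (the account the third definition names), `!authenticate` in any Defaults line, and include directives, because policy pulled in from /etc/sudoers.d has to be checked the same way. The sample sudoers content is constructed for the example.

```python
"""Offline checker for the four sudo definitions at the top of the list
(added example, not SCAP Security Guide code). It flags the two ways a
sudoers policy can skip re-authentication for privilege escalation:
a NOPASSWD tag on a user specification and '!authenticate' in a Defaults
line. Assumption: 'vdsm' is the only account permitted to carry NOPASSWD,
as the third definition describes."""
import re
from typing import Iterator, List, Tuple

# '#include' and '#includedir' are sudo directives, not comments: any policy
# pulled in from /etc/sudoers.d must be checked as well, so they are reported.
_INCLUDE = re.compile(r"^#include(dir)?\b")
_NOPASSWD = re.compile(r"\bNOPASSWD\s*:")


def _logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (first line number, line) with backslash continuations joined,
    blank lines and comments dropped and trailing comments stripped."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = n
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = (buf + line).strip(), ""
        if not line or (line.startswith("#") and not _INCLUDE.match(line)):
            continue
        yield start, re.sub(r"\s+#.*$", "", line)


def check_sudoers(text: str, nopasswd_allowed=("vdsm",)) -> List[Tuple[int, str, str]]:
    """Return (line, kind, text) findings: kind is 'authenticate' for a
    Defaults line containing !authenticate, 'nopasswd' for a NOPASSWD tag on
    anyone other than the allowed users, 'include' for an include directive."""
    findings = []
    for n, line in _logical_lines(text):
        if _INCLUDE.match(line):
            findings.append((n, "include", line))
        elif line.startswith("Defaults"):
            # Defaults, Defaults:user, Defaults@host, ... then comma-separated options
            parts = line.split(None, 1)
            options = parts[1] if len(parts) > 1 else ""
            if any(opt.strip() == "!authenticate" for opt in options.split(",")):
                findings.append((n, "authenticate", line))
        elif _NOPASSWD.search(line):
            # Aliases are not resolved: anything but a literal allowed user is flagged.
            if line.split()[0] not in nopasswd_allowed:
                findings.append((n, "nopasswd", line))
    return findings


def sudo_reauth_required(text: str, nopasswd_allowed=("vdsm",)) -> bool:
    """True when the policy raises no finding other than include directives."""
    return all(kind == "include" for _, kind, _ in check_sudoers(text, nopasswd_allowed))


# Constructed sample, not taken from a real host.
SAMPLE_SUDOERS = """\
# constructed sample, not a real host's sudoers
Defaults    env_reset
Defaults    !authenticate, timestamp_timeout=5
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       NOPASSWD: ALL
vdsm    ALL=(ALL)       NOPASSWD: /usr/bin/systemctl restart vdsmd
deploy  ALL=(root)      /usr/bin/systemctl restart httpd, \\
                        /usr/bin/systemctl reload httpd
#includedir /etc/sudoers.d
"""

if __name__ == "__main__":
    for lineno, kind, text in check_sudoers(SAMPLE_SUDOERS):
        print(f"line {lineno}: {kind}: {text}")
```

Findings are raised per line rather than resolved to sudo's effective (last match wins) policy, which is the right behaviour for these definitions: the tag is not supposed to appear at all, so a later line that re-adds NOPASSWD is a finding even if an earlier line would be shadowed. Include directives are reported rather than followed so that the fragments in /etc/sudoers.d are fed through the same function by the caller.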
- Disable WIFI Network Connection Creation in GNOME3: Disable the GNOME3 wireless network creation settings.
- Enable the GNOME3 Login Smartcard Authentication: Enable smartcard authentication in the GNOME3 Login GUI.
- Set the GNOME3 Login Number of Failures: Set the GNOME3 number of login failure attempts.
- Disable the GNOME3 Login User List: Disable the GNOME3 GUI listing of all known users on the login screen.
- Disable GDM Automatic Login: Disable the GNOME Display Manager (GDM) ability to allow users to automatically log in.
- Disable GDM Guest Login: Disable the GNOME Display Manager (GDM) ability to allow guest users to log in.
- Disable the GNOME3 Login Restart and Shutdown Buttons: Disable the GNOME3 Login GUI Restart and Shutdown buttons for all users on the login screen.
- Enable GNOME3 Screensaver Lock Delay After Idle Period: Idle activation of the screen lock should be enabled immediately or after a delay.
- Ensure Users Cannot Change GNOME3 Session Idle Settings: Ensure that users cannot change GNOME3 session idle settings.
- Enable GNOME3 Screensaver Lock After Idle Period: Idle activation of the screen lock should be enabled.
- Disable Full User Name on Splash Shield: The GNOME3 screen splash shield should not display the full name of the logged-in user.
- Ensure Users Cannot Change GNOME3 Screensaver Lock Delay Settings: Ensure that users cannot change GNOME3 screensaver idle and lock settings.
- Configure the GNOME3 GUI Screen locking: The allowed period of inactivity before the screensaver is activated.
- Implement Blank Screensaver: The GNOME3 screensaver should be blank.
- Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period: Idle activation of the screen lock should not be changeable by users.
- Ensure Users Cannot Change GNOME3 Screensaver Idle Activation: Idle activation of the screen saver should not be changeable by users.
- Enable GNOME3 Screensaver Idle Activation: Idle activation of the screen saver should be enabled.
- Disable All GNOME3 Thumbnailers: The system's default desktop environment, GNOME3, uses a number of different thumbnailer programs to generate thumbnails for any new or modified content in an opened folder. Disable the execution of these thumbnail applications within GNOME3.
- Disable GNOME3 Automounting: The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. Disable automount and autorun within GNOME3.
- Disable Prelinking: The prelinking feature can interfere with the operation of checksum integrity tools (e.g. AIDE), weakens the protection provided by ASLR, and requires additional CPU cycles during software upgrades.
- Verify File Hashes with RPM: Verify the RPM digests of system binaries using the RPM database.
- Verify File Permissions Using RPM: Verify the permissions of installed packages by comparing the installed files with information about the files taken from the package metadata stored in the RPM database.
- Verify File Ownership Using RPM: Verify ownership of installed packages by comparing the installed files with information about the files taken from the package metadata stored in the RPM database.
- Configure Periodic Execution of AIDE: By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.
- Configure AIDE to Verify Extended Attributes: AIDE should be configured to verify extended file attributes.
- Aide Database Must Exist: The aide database must be initialized.
- Configure Notification of Post-AIDE Scan Details: AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
- Configure AIDE to Use FIPS 140-2 for Validating Hashes: AIDE should be configured to use the FIPS 140-2 cryptographic hashes.
- Configure AIDE to Verify Access Control Lists (ACLs): AIDE should be configured to verify Access Control Lists (ACLs).
- Package dracut-fips Installed: The RPM package dracut-fips should be installed.
- Enable FIPS Mode in GRUB2: Look for argument fips=1 in the kernel line in /etc/default/grub.
- Vendor Supported Operating System: The operating system installed on the system is supported by a vendor that provides security patches.
- FIPS 140-2 Certified Operating System: The operating system installed on the system is a certified operating system that meets FIPS 140-2 requirements.
- Package Antivirus Installed: Antivirus software should be installed.
- Install Intrusion Detection Software: Intrusion detection software or SELinux should be installed and enabled.
- Package McAfeeVSEForLinux Installed: McAfee Antivirus software should be installed.
- Install the McAfee Runtime Libraries and Linux Agent: Install the McAfee Runtime Libraries (MFErt) and Linux Agent (MFEcma).
- McAfee AntiVirus Definitions Updated: Verify that McAfee AntiVirus definitions have been updated.
- Install the Host Intrusion Prevention System (HIPS) Module: Install the McAfee Host Intrusion Prevention System (HIPS) Module if it is absolutely necessary. If SELinux is enabled, do not install or enable this module.
- Install the Policy Auditor (PA) Module: Install the Policy Auditor (PA) Module.
- Install the Asset Configuration Compliance Module (ACCM): Install the Asset Configuration Compliance Module (ACCM).
- Ensure gpgcheck Enabled for Repository Metadata: The repo_gpgcheck option should be used to ensure that checking of repository metadata always occurs.
- Ensure YUM Removes Previous Package Versions: The clean_requirements_on_remove option should be used to ensure that old versions of software components are removed after updating.
- Ensure gpgcheck Enabled For All Yum or Dnf Package Repositories: Ensure all yum or dnf repositories utilize signature checking.
- Red Hat Release and Auxiliary gpg-pubkey Packages Installed: The Red Hat release and auxiliary key packages are required to be installed.
- Ensure gpgcheck Enabled for Local Packages: The localpkg_gpgcheck option should be used to ensure that checking of an RPM package's signature always occurs prior to its installation.
- Ensure yum gpgcheck Globally Activated: The gpgcheck option should be used to ensure that checking of an RPM package's signature always occurs prior to its installation.
- Force IOMMU usage in GRUB2: Look for argument iommu=force in the kernel line in /etc/default/grub.
- File /boot/efi/EFI/redhat/grub.cfg Permissions: File permissions for /boot/efi/EFI/redhat/grub.cfg should be set to 0700 (or stronger).
- Set the UEFI Boot Loader Password: The UEFI grub2 boot loader should have password protection enabled.
- Set Boot Loader Password: The grub2 boot loader should have password protection enabled.
- Enable SELinux: The SELinux policy should be set appropriately.
- Enable SELinux in the GRUB2 Bootloader: Check for selinux=0 or enforcing=0 in the GRUB2 configuration files; fail if either is found.
- SELinux Enforcing: The SELinux state should be enforcing the local policy.
- Ensure No Daemons are Unconfined by SELinux: All pids in /proc should be assigned an SELinux security context other than 'initrc_t'.
- Device Files Have Proper SELinux Context: All device files in /dev should be assigned an SELinux security context other than 'device_t'.
- Disable Kernel Support for USB via Bootloader Configuration: Look for the 'nousb' argument in the kernel line in /etc/default/grub.
- Set Daemon umask: The daemon umask should be set as appropriate.
- Package kernel-PAE Installed: The RPM package kernel-PAE should be installed on 32-bit systems.
- Kernel Runtime Parameter "kernel.exec-shield" Check: The kernel runtime parameter "kernel.exec-shield" should be set to 1 (not disabled) on 32-bit systems.
- Disable Core Dumps: Core dumps for all users should be disabled.
- Add nodev Option to Non-Root Local Partitions: The nodev mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist in the /dev directory on the root partition or within chroot jails built for system services. All other locations should not allow character and block devices.
- Bind Mount /var/tmp To /tmp: The /var/tmp directory should be bind mounted to /tmp in order to consolidate temporary storage into one location protected by the same techniques as /tmp.
- Find world writable directories not owned by a system account: All world writable directories should be owned by a system user.
- Find setgid files from system packages: All files with setgid should be owned by a base system package.
- Find setuid files from system packages: All files with setuid should be owned by a base system package.
- Find files unowned by a group: All files should be owned by a group.
- Find files unowned by a user: All files should be owned by a user.
- Find Unauthorized World-Writable Files: The world-write permission should be disabled for all files.
- Verify that All World-Writable Directories Have Sticky Bits Set: The sticky bit should be set for all world-writable directories.
- Verify that System.map files are readable only by root: Checks that /boot/System.map-* are only readable by root.
- Verify that Shared Library Files Have Restrictive Permissions: Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and objects therein, are not group-writable or world-writable.
- Verify that System Executables Have Root Ownership: Checks that /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin, /usr/libexec, and objects therein, are owned by root.
- Verify that System Executables Have Restrictive Permissions: Checks that binary files under /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin, and /usr/libexec are not group-writable or world-writable.
- Verify that Shared Library Files Have Root Ownership: Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and objects therein, are owned by root.
- System Login Banner Compliance: The system login banner text should be set correctly.
- Enable GUI Warning Banner: Enable the GUI warning banner.
- Enable GNOME3 Login Warning Banner: Enable the GNOME3 Login warning banner.
- Disable Ctrl-Alt-Del Burst Action: Configure the CtrlAltDelBurstAction setting in /etc/systemd/system.conf to none to prevent a reboot if Ctrl-Alt-Delete is pressed more than 7 times in 2 seconds.
- Verify that Interactive Boot is Disabled: The ability for users to perform interactive startups should be disabled.
- Disable Ctrl-Alt-Del Reboot Activation: By default, the system will reboot when the Ctrl-Alt-Del key sequence is pressed.
- Require Authentication for Single-User Mode: The requirement for a password to boot into single-user mode should be configured correctly.
- Force opensc To Use Defined Smart Card Driver: Force opensc to use the organization's smart card driver so that only the smart card in use by the organization will be recognized by the system.
- Enable Smart Card Login: Enable Smart Card logins.
- Configure opensc Smart Card Drivers: Configure the organization's smart card driver so that only the smart card in use by the organization will be recognized by the system.
- Verify that Interactive Boot is Disabled: The ability for users to perform interactive startups should be disabled.
- Install needed packages for smartcard use: The RPM packages esc, pam_pkcs11 and authconfig-gtk must be installed.
- Set Password Expiration Parameters: The password expiration warning age should be set appropriately.
- Set Password Expiration Parameters: The maximum password age policy should meet minimum requirements.
- Set Password Expiration Parameters: The password minimum length should be set appropriately.
- Set Password Expiration Parameters: The minimum password age policy should be set appropriately.
- Set Accounts to Expire Following Password Expiration: The accounts should be configured to expire automatically following password expiration.
- Set All Accounts To Have Unique Names: All accounts on the system should have unique names for proper accountability.
- All GIDs Are Present In /etc/group: All GIDs referenced in /etc/passwd must be defined in /etc/group.
- All Password Hashes Shadowed: All password hashes should be shadowed.
- No nullok Option in /etc/pam.d/system-auth: The file /etc/pam.d/system-auth should not contain the nullok option.
- Verify No netrc Files Exist: The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. Any .netrc files should be removed.
- Restrict Serial Port Root Logins: Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the system using the root account.
- Restrict Virtual Console Root Logins: Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account.
- UID 0 Belongs Only To Root: Only the root account should be assigned a user id of 0.
- Direct root Logins Not Allowed: Preventing direct root logins helps ensure accountability for actions taken on the system using the root account.
- System Accounts Do Not Run a Shell: The root account is the only system account that should have a login shell.
- Set Last Login/Access Notification: Configure the system to notify users of last login/access using pam_lastlog.
- Set Password retry Requirements: The password retry count should meet minimum requirements.
- Lock out account after failed login attempts: The number of allowed failed logins should be set correctly.
- Lock out account after failed login attempts: The number of allowed failed logins should be set correctly.
- Lock out account after failed login attempts: The number of allowed failed logins should be set correctly.
- Lock out the root account after failed login attempts: The root account should be configured to deny access after the number of defined failed attempts has been reached.
- Limit Password Reuse: The number of passwords to remember should be set correctly.
- Set SHA512 Password Hashing Algorithm in /etc/libuser.conf: The password hashing algorithm should be set correctly in /etc/libuser.conf.
- Set SHA512 Password Hashing Algorithm in /etc/login.defs: The password hashing algorithm should be set correctly in /etc/login.defs.
- Set Password Hashing Algorithm in /etc/pam.d/system-auth: The password hashing algorithm should be set correctly in /etc/pam.d/system-auth.
- Set Interactive Session Timeout: Checks the interactive shell timeout.
- Proper Permissions User Home Directories: File permissions should be set correctly for the home directories of all user accounts.
- Ensure new users receive home directories: CREATE_HOME should be enabled.
- Set Maximum Number of Concurrent Login Sessions Per User: The maximum number of concurrent login sessions per user should meet minimum requirements.
- Ensure that FAIL_DELAY is Configured in /etc/login.defs: The delay between failed authentication attempts should be set for all users specified in /etc/login.defs.
- Ensure that Users Have Sensible Umask Values in /etc/profile: The default umask for all users should be set correctly.
- Ensure that Users Have Sensible Umask Values set for csh: The default umask for users of the csh shell.
- Ensure that Users Have Sensible Umask Values set for bash: The default umask for users of the bash shell.
- Ensure that Users Have Sensible Umask Values in /etc/login.defs: The default umask for all users specified in /etc/login.defs.
- Ensure that No Dangerous Directories Exist in Root's Path: The environment variable PATH should be set correctly for the root user.
- Write permissions are disabled for group and other in all directories in Root's Path: Check each directory in root's path and make sure it does not grant write permission to group and other.
- Set Enterprise Application to travel mode: Travel mode should be enabled when operating outside of the intranet.
- Verify /var/log/audit Ownership: Checks that all /var/log/audit files and directories are owned by the root user and group.
- Verify /var/log/audit Directory Permissions: Checks for correct permissions for /var/log/audit.
- Audit Information Export To Media: Audit rules that detect the mounting of filesystems should be enabled.
- Audit System Administrator Actions: Audit actions taken by system administrators on the system.
- Shutdown System When Auditing Failures Occur: The system will shut down when auditing fails.
- Record Attempts to Alter Process and Session Initiation Information: Audit rules should capture information about session initiation.
- Record Events that Modify the System's Network Environment: The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.
- Make Audit Configuration Immutable: The audit configuration is made immutable, so that a reboot is required to change audit rules.
- Record Events that Modify the System's Mandatory Access Controls: Audit rules that detect changes to the system's mandatory access controls (SELinux) are enabled.
- Verify /var/log/audit Permissions: Checks for correct permissions for all log files in /var/log/audit.
- Audit User/Group Modification: Audit rules should detect modification to system files that hold information about users and groups.
- Ensure auditd Collects Information Read Access to /var/log/audit: Audit rules that record read access to /var/log/audit.
- Audit Kernel Module Loading and Unloading - init_module: The audit rules should be configured to log information about kernel module loading and unloading.
- Audit Kernel Module Loading and Unloading - modprobe: The audit rules should be configured to log information about kernel module loading and unloading.
- Audit Kernel Module Loading and Unloading - insmod: The audit rules should be configured to log information about kernel module loading and unloading.
- Audit Kernel Module Loading and Unloading: The audit rules should be configured to log information about kernel module loading and unloading.
- Audit Kernel Module Loading and Unloading - delete_module: The audit rules should be configured to log information about kernel module loading and unloading.
- Audit Kernel Module Loading and Unloading - create_module: The audit rules should be configured to log information about kernel module loading and unloading.
- Audit Kernel Module Loading and Unloading - finit_module: The audit rules should be configured to log information about kernel module loading and unloading.
- Audit Kernel Module Loading and Unloading - rmmod: The audit rules should be configured to log information about kernel module loading and unloading.
- Record Attempts to Alter Time Through Stime: Record attempts to alter time through stime. Note that on 64-bit architectures the stime system call is not defined in the audit system calls lookup table.
- Record Attempts to Alter Time Through Clock_settime: Record attempts to alter time through clock_settime.
- Record Attempts to Alter Time Through Settimeofday: Record attempts to alter time through settimeofday.
- Record Attempts to Alter Time Through Adjtimex: Record attempts to alter time through adjtimex.
- Record Attempts to Alter Time Through the Localtime File: Record attempts to alter time through /etc/localtime.
- Ensure auditd Collects Information on the Use of Privileged Commands: Audit rules that record the use of privileged commands are enabled.
- Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful): Audit rules that record unsuccessful (unauthorized) access attempts to files are enabled.
- Audit File Deletion Events: Audit file deletion events.
- Record Attempts to Alter Login and Logout Events: Audit rules should be configured to log successful and unsuccessful login and logout events.
- Auditd priority for flushing data to disk: The setting for flush in /etc/audit/auditd.conf.
- Auditd Action to Take When Disk Errors Occur: The disk_error_action setting in /etc/audit/auditd.conf is set to a certain action.
- Configure audispd Plugin Remote Server IP address or Hostname: The remote_server setting in /etc/audisp/audisp-remote.conf is set to a certain IP address or hostname.
- Kerberos 5 Authentication and Encryption in Audit Event Multiplexor (audispd) Is Activated: The enable_krb5 setting in /etc/audisp/audisp-remote.conf is set to 'yes'.
- Auditd Email Account to Notify Upon Action: The action_mail_acct setting in /etc/audit/auditd.conf is set to a certain account.
- Auditd Maximum Number of Logs to Retain: The num_logs setting in /etc/audit/auditd.conf is set to at least a certain value.
- Auditd Action to Take When Disk Is Full: The disk_full_action setting in /etc/audit/auditd.conf is set to a certain action.
- Auditd Action to Take When Disk Starting to Run Low on Space: The space_left_action setting in /etc/audit/auditd.conf is set to a certain action.
- The syslog Plugin Of the Audit Event Multiplexor (audispd) Is Activated: The active setting in /etc/audisp/plugins.d/syslog.conf is set to 'yes'.
- Auditd Action to Take When Disk is Low on Space: The admin_space_left_action setting in /etc/audit/auditd.conf is set to a certain action.
- Auditd Action to Take When Maximum Log Size Reached: The max_log_file_action setting in /etc/audit/auditd.conf is set to a certain action.
- Auditd Maximum Log File Size: The max_log_file setting in /etc/audit/auditd.conf is set to at least a certain value.
- Configure auditd space_left on Low Disk Space: The space_left setting in /etc/audit/auditd.conf is set to at least a certain value.
- Disable the network sniffer: Disable the network sniffer.
- Disable Client Dynamic DNS Updates: Clients should not automatically update their own DNS record.
- Configure Multiple DNS Servers in /etc/resolv.conf: Multiple Domain Name System (DNS) servers should be configured in /etc/resolv.conf.
- Disable Zeroconf Networking: Disable Zeroconf automatic route assignment in the 169.254.0.0 subnet.
- Change the default firewalld zone to drop: Change the default firewalld zone to drop.
- Configure the Firewalld Ports: Configure the firewalld ports to allow approved services to have access to the system.
- Disable Support for RPC IPv6: Disable IPv6-based RPC services.
- Disable IPv6 Kernel Module Functionality via Disable Option: The disable option will allow the IPv6 module to be inserted, but prevent address assignment and activation of the network stack.
- Manually Assign Global IPv6 Address: Manually configure addresses for IPv6.
- Enable Privacy Extensions for IPv6: Enable privacy extensions for IPv6.
- Manually Assign IPv6 Router Address: Define default gateways for IPv6 traffic.
- Deactivate Wireless Interfaces: All wireless interfaces should be disabled.
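The auditd.conf and audispd definitions above all say "is set to a certain action" or "at least a certain value" because the concrete values come from the profile being evaluated. The evaluator below is an added example (not SCAP Security Guide code) that shows the shape of those checks: one parser for the `key = value` syntax shared by /etc/audit/auditd.conf, /etc/audisp/audisp-remote.conf and /etc/audisp/plugins.d/syslog.conf, and a small policy table per file. The accepted actions, the minimum counts and sizes, and the three sample files are assumptions constructed for the example, not values taken from any profile or host.

```python
"""Offline evaluator for the auditd.conf / audispd definitions listed above
(added example, not SCAP Security Guide code). One parser covers all three
files because /etc/audit/auditd.conf, /etc/audisp/audisp-remote.conf and
/etc/audisp/plugins.d/syslog.conf share the same 'key = value' syntax.
The thresholds and accepted actions in the policy tables are assumptions
standing in for the profile-specific values the OVAL definitions carry."""
from typing import Dict, List, Tuple


def parse_kv(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; '#' starts a comment, keys are compared
    case-insensitively (auditd does the same), a later duplicate key wins."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key.lower()] = value
    return conf


# kind "enum": value must be one of the set (compared lower-case);
# kind "min": value must be an integer >= bound; kind "nonempty": any value.
# Assumed policy values for this example; real profiles define their own.
AUDITD_POLICY = {
    "flush": ("enum", {"data", "sync", "incremental_async"}),
    "disk_error_action": ("enum", {"syslog", "single", "halt"}),
    "disk_full_action": ("enum", {"single", "halt"}),
    "space_left_action": ("enum", {"email", "exec", "single", "halt"}),
    "admin_space_left_action": ("enum", {"single", "halt"}),
    "max_log_file_action": ("enum", {"rotate", "keep_logs"}),
    "action_mail_acct": ("nonempty", None),
    "num_logs": ("min", 5),
    "max_log_file": ("min", 6),       # megabytes
    "space_left": ("min", 100),       # megabytes (RHEL 7 auditd takes a plain integer)
}
AUDISP_REMOTE_POLICY = {"remote_server": ("nonempty", None), "enable_krb5": ("enum", {"yes"})}
SYSLOG_PLUGIN_POLICY = {"active": ("enum", {"yes"})}


def evaluate(conf: Dict[str, str], policy: Dict) -> List[Tuple[str, str]]:
    """Return (key, reason) for every policy key that is missing or out of spec."""
    failures: List[Tuple[str, str]] = []
    for key, (kind, want) in policy.items():
        have = conf.get(key)
        if have is None:
            failures.append((key, "not set"))
        elif kind == "enum" and have.lower() not in want:
            failures.append((key, f"{have!r} not in {sorted(want)}"))
        elif kind == "nonempty" and not have:
            failures.append((key, "empty"))
        elif kind == "min" and not (have.isdigit() and int(have) >= want):
            failures.append((key, f"{have!r} is below {want}"))
    return failures


def check_audit_logging(auditd_conf: str, audisp_remote_conf: str,
                        syslog_plugin_conf: str) -> Dict[str, List[Tuple[str, str]]]:
    """Evaluate the three configuration files against their policy tables."""
    return {
        "auditd.conf": evaluate(parse_kv(auditd_conf), AUDITD_POLICY),
        "audisp-remote.conf": evaluate(parse_kv(audisp_remote_conf), AUDISP_REMOTE_POLICY),
        "plugins.d/syslog.conf": evaluate(parse_kv(syslog_plugin_conf), SYSLOG_PLUGIN_POLICY),
    }


# Constructed samples, not taken from a real host. The values mirror the
# "suspend and carry on" style defaults that these definitions exist to catch.
SAMPLE_AUDITD_CONF = """\
# constructed sample of /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
log_format = RAW
flush = INCREMENTAL_ASYNC
freq = 50
num_logs = 5
max_log_file = 8
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
"""
SAMPLE_AUDISP_REMOTE_CONF = """\
# constructed sample of /etc/audisp/audisp-remote.conf
remote_server =
port = 60
transport = tcp
enable_krb5 = no
"""
SAMPLE_SYSLOG_PLUGIN_CONF = """\
# constructed sample of /etc/audisp/plugins.d/syslog.conf
active = no
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string
"""

if __name__ == "__main__":
    for name, fails in check_audit_logging(SAMPLE_AUDITD_CONF, SAMPLE_AUDISP_REMOTE_CONF,
                                           SAMPLE_SYSLOG_PLUGIN_CONF).items():
        for key, reason in fails:
            print(f"{name}: {key}: {reason}")
```

A missing key is reported as a failure rather than filled from auditd's compiled-in defaults: the point of the definitions is that the administrator chose the action, and a policy that silently relies on defaults is exactly what they should catch. Only the keys that appear in the list above are evaluated; the other auditd.conf keys in the samples are ignored.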
- Ensure the logrotate utility performs the automatic rotation of log files on a daily basis: The frequency of automatic log file rotation performed by the logrotate utility should be configured to run daily.
- Disable Rsyslogd from Accepting Remote Messages Except on Loghosts: rsyslogd should reject remote messages.
- Send Logs to a Remote Loghost: Syslog logs should be sent to a remote loghost.
- Confirm Existence and Permissions of System Log Files: All syslog log files should be owned by the appropriate group.
- Verify Cron is Logging to Rsyslog: Rsyslog should be configured to capture cron messages.
- Confirm Existence and Permissions of System Log Files: All syslog log files should be owned by the appropriate user.
- Confirm Existence and Permissions of System Log Files: File permissions for all syslog log files should be set correctly.
- Ensure Logwatch HostLimit Configured: Test if the HostLimit line in logwatch.conf is set appropriately.
- Ensure Logwatch SplitHosts Configured: Check if the SplitHosts line in logwatch.conf is set appropriately.
- Disable X Windows Startup By Setting Default SystemD Target: Checks /etc/systemd/system/default.target to ensure that the default runlevel target is set to multi-user.target.
- Disable Printer Browsing Entirely if Possible: The CUPS print service can be configured to broadcast a list of available printers to the network. Other machines on the network, also running the CUPS print service, can be configured to listen to these broadcasts and add and configure these printers for immediate use. By disabling this browsing capability, the machine will no longer generate or receive such broadcasts.
- Disable Printer Server if Possible: By default, locally configured printers will not be shared over the network, but if this functionality has somehow been enabled, these recommendations will disable it again. Be sure to disable outgoing printer list broadcasts, or remote users will still be able to see the locally configured printers, even if they cannot actually print to them. To limit print serving to a particular set of users, use the Policy directive.
- Verify Permissions On Apache Web Server Configuration Files: The /etc/httpd/conf.modules.d/* files should have the appropriate permissions (0640 or stronger).
- Directory /var/log/httpd/ Permissions: Directory permissions for /var/log/httpd should be set to 0700 (or stronger).
- Verify Permissions On Apache Web Server Configuration Files: The /etc/httpd/conf/* files should have the appropriate permissions (0640 or stronger).
- Directory /etc/httpd/conf/ Permissions: Directory permissions for /etc/httpd/conf/ should be set to 0750 (or stronger).
- Verify Permissions On Apache Web Server Configuration Files: The /etc/httpd/conf.d/* files should have the appropriate permissions (0640 or stronger).
- Require Client SMB Packet Signing, if using mount.cifs: Require packet signing of clients who mount Samba shares using the mount.cifs program (e.g., those who specify shares in /etc/fstab). To do so, ensure that signing options (either sec=krb5i or sec=ntlmv2i) are used.
- Require Client SMB Packet Signing in smb.conf: Require Samba clients which use smb.conf, such as smbclient, to use packet signing. A Samba client should only communicate with servers which support SMB packet signing.
Disallow inbound firewall access to the SSH Server port Red Hat Enterprise Linux 7 If inbound SSH access is not needed, the firewall should disallow or reject access to the SSH port (22). Disable Empty Passwords Red Hat Enterprise Linux 7 Remote connections from accounts with empty passwords should be disabled (and dependencies are met). Disable .rhosts Files Red Hat Enterprise Linux 7 Emulation of the rsh command through the ssh server should be disabled (and dependencies are met). Use Only Approved Ciphers Red Hat Enterprise Linux 7 Limit the ciphers to those which are FIPS-approved. Disable Kerberos Authentication Red Hat Enterprise Linux 7 Unless needed, disable the Kerberos authentication option for the SSH Server. Disable root Login via SSH Red Hat Enterprise Linux 7 Root login via SSH should be disabled (and dependencies are met). Disable Compression Or Set Compression to delayed Red Hat Enterprise Linux 7 SSH should either have compression disabled or set to delayed. Do Not Allow Users to Set Environment Options Red Hat Enterprise Linux 7 PermitUserEnvironment should be disabled. Set OpenSSH authentication attempt limit (MaxAuthTries) Red Hat Enterprise Linux 7 The SSH MaxAuthTries should be set to an appropriate value. Disable SSH Support for Rhosts RSA Authentication Red Hat Enterprise Linux 7 SSH can allow authentication through the obsolete rsh command through the use of the authenticating user's SSH keys. This should be disabled. Ensure Only Protocol 2 Connections Allowed Red Hat Enterprise Linux 7 The OpenSSH daemon should be running protocol 2. Disable SSH Support for User Known Hosts Red Hat Enterprise Linux 7 SSH can allow system users host-based authentication to connect to systems if a cache of the remote systems' public keys is available. This should be disabled. Enable SSH Server's Strict Mode Red Hat Enterprise Linux 7 Enable StrictModes to check users' home directory permissions and configurations. 
Disable Host-Based Authentication Red Hat Enterprise Linux 7 SSH host-based authentication should be disabled. Use Only FIPS MACs Red Hat Enterprise Linux 7 Limit the Message Authentication Codes (MACs) to those which are FIPS-approved. Disable GSSAPI Authentication Red Hat Enterprise Linux 7 Unless needed, disable the GSSAPI authentication option for the SSH Server. Enable X11 Forwarding Red Hat Enterprise Linux 7 Enable X11Forwarding to encrypt X11 remote connections over SSH. Allow inbound firewall access to the SSH Server port Red Hat Enterprise Linux 7 If inbound SSH access is needed, the firewall should allow access to the SSH port (22). Use Privilege Separation Red Hat Enterprise Linux 7 Use privilege separation to cause the SSH process to drop root privileges when not needed. Enable Print Last Log Red Hat Enterprise Linux 7 Enable PrintLastLog to display the user's last login time and date. Use Only Strong MACs Red Hat Enterprise Linux 7 Only use strong MACs. Set ClientAliveCountMax for User Logins Red Hat Enterprise Linux 7 The SSH ClientAliveCountMax should be set to an appropriate value (and dependencies are met). Set OpenSSH Idle Timeout Interval Red Hat Enterprise Linux 7 The SSH idle timeout interval should be set to an appropriate value. Set OpenSSH LogLevel to INFO Red Hat Enterprise Linux 7 The SSH LogLevel should be set to INFO. Enable a Warning Banner Red Hat Enterprise Linux 7 The SSH warning banner should be enabled (and dependencies are met). Use Only Strong Ciphers Red Hat Enterprise Linux 7 Only use strong ciphers. Ensure insecure_locks is disabled Red Hat Enterprise Linux 7 Allowing insecure file locking could allow sensitive data to be viewed or edited by an unauthorized user. Use Kerberos Security on All Exports Red Hat Enterprise Linux 7 Using Kerberos security allows cryptographic authentication of a valid user to an NFS share. 
Mount Remote Filesystems with Kerberos Security Red Hat Enterprise Linux 7 The Kerberos security option should be enabled for all NFS mounts in /etc/fstab. Verify user who owns 'cron.allow' file Red Hat Enterprise Linux 7 The /etc/cron.allow file should be owned by the appropriate user. Verify group who owns 'cron.allow' file Red Hat Enterprise Linux 7 The /etc/cron.allow file should be owned by the appropriate group. Postfix network listening should be disabled Red Hat Enterprise Linux 7 Postfix network listening should be disabled. Configure Postfix Against Unnecessary Release of Information Red Hat Enterprise Linux 7 Protect against unnecessary release of information. Disable DHCP Client Red Hat Enterprise Linux 7 DHCP configuration should be static for all interfaces. Ensure SELinux support is enabled in Docker Red Hat Enterprise Linux 7 The Docker daemon should be configured to start with the --selinux-enabled option to enable SELinux for the daemon. Use direct-lvm with device mapper storage driver Red Hat Enterprise Linux 7 To use Docker in production with the device mapper storage driver, the Docker daemon should be configured to use direct-lvm instead of a loopback device as storage. Specify a Remote ntpd NTP Server for Time Data Red Hat Enterprise Linux 7 A remote ntpd NTP server for time synchronization should be specified (and dependencies are met). Configure Time Service Maxpoll Interval Red Hat Enterprise Linux 7 Configure the maxpoll setting in /etc/ntp.conf or chrony.conf to continuously poll the time source servers. Specify Multiple Remote chronyd Or ntpd NTP Servers for Time Data Red Hat Enterprise Linux 7 Multiple remote chronyd or ntpd NTP servers for time synchronization should be specified (and dependencies are met). Service chronyd Or Service ntpd Enabled Red Hat Enterprise Linux 7 At least one of the chronyd or ntpd services should be enabled if possible. 
Specify Multiple Remote ntpd NTP Servers for Time Data Red Hat Enterprise Linux 7 Multiple ntpd NTP servers for time synchronization should be specified. Specify Remote NTP chronyd Or ntpd Server for Time Data Red Hat Enterprise Linux 7 A remote chronyd or ntpd NTP server for time synchronization should be specified (and dependencies are met). TFTP Daemon Uses Secure Mode Red Hat Enterprise Linux 7 The TFTP daemon should use secure mode. No .shosts file deployed on the system Red Hat Enterprise Linux 7 There should not be any .shosts files on the system. No shosts.equiv file deployed on the system Red Hat Enterprise Linux 7 There should not be any shosts.equiv files on the system. No Legacy .rhosts Or hosts.equiv Files Red Hat Enterprise Linux 7 There should not be any .rhosts or hosts.equiv files on the system. SNMP use newer protocols Red Hat Enterprise Linux 7 SNMP versions 1 and 2c must not be enabled. SNMP default communities disabled Red Hat Enterprise Linux 7 SNMP default communities must be removed. Banner for FTP Users Red Hat Enterprise Linux 7 This setting will cause the system greeting banner to be used for FTP connections as well. Banner for FTP Users Red Hat Enterprise Linux 7 To trace malicious activity facilitated by the FTP service, it must be configured to ensure that all commands sent to the FTP server are logged using the verbose vsftpd log format. Enable SSL in Dovecot Red Hat Enterprise Linux 7 SSL capabilities should be enabled for the mail server. Disable Plaintext Authentication in Dovecot Red Hat Enterprise Linux 7 Plaintext authentication of mail clients should be disabled. Configure SSSD to Expire Offline Credentials Red Hat Enterprise Linux 7 SSSD should be configured to expire offline credentials after 1 day. Configure PAM in SSSD Services Red Hat Enterprise Linux 7 SSSD should be configured to run SSSD PAM services. 
Configure SSSD's Memory Cache to Expire Red Hat Enterprise Linux 7 SSSD's memory cache should be configured to expire records after 1 day. Configure SSSD to Expire SSH Known Hosts Red Hat Enterprise Linux 7 SSSD should be configured to expire keys from known SSH hosts after 1 day. Enable Smartcards in SSSD Red Hat Enterprise Linux 7 SSSD should be configured to authenticate access to the system using smart cards. Configure SSSD LDAP Backend to Use TLS For All Transactions Red Hat Enterprise Linux 7 LDAP should be used for authentication and should use STARTTLS. Configure SSSD LDAP Backend Client CA Certificate Location Red Hat Enterprise Linux 7 Configure SSSD to implement cryptography to protect the integrity of LDAP remote access sessions. Enable the LDAP Client For Use in Authconfig Red Hat Enterprise Linux 7 Enable LDAP in authconfig. Configure LDAP CA Certificate Path Red Hat Enterprise Linux 7 Require the use of TLS for LDAP clients. Configure LDAP to Use TLS for All Transactions Red Hat Enterprise Linux 7 Require the use of TLS for LDAP clients. 
Set Password dcredit Requirements Red Hat Enterprise Linux 7 The password dcredit should meet minimum requirements. Set Password difok Requirements Red Hat Enterprise Linux 7 The password difok should meet minimum requirements. Set Password lcredit Requirements Red Hat Enterprise Linux 7 The password lcredit should meet minimum requirements. Set Password maxclassrepeat Requirements Red Hat Enterprise Linux 7 The password maxclassrepeat should meet minimum requirements. Set Password maxrepeat Requirements Red Hat Enterprise Linux 7 The password maxrepeat should meet minimum requirements. Set Password minclass Requirements Red Hat Enterprise Linux 7 The password minclass should meet minimum requirements. Set Password minlen Requirements Red Hat Enterprise Linux 7 The password minlen should meet minimum requirements. Set Password ocredit Requirements Red Hat Enterprise Linux 7 The password ocredit should meet minimum requirements. Set Password ucredit Requirements Red Hat Enterprise Linux 7 The password ucredit should meet minimum requirements. Verify /boot/efi/EFI/redhat/grub.cfg Group Owner Red Hat Enterprise Linux 7 This test makes sure that /boot/efi/EFI/redhat/grub.cfg is group owned by 0. Verify /etc/group Group Owner Red Hat Enterprise Linux 7 This test makes sure that /etc/group is group owned by 0. Verify /etc/gshadow Group Owner Red Hat Enterprise Linux 7 This test makes sure that /etc/gshadow is group owned by 0. Verify /etc/passwd Group Owner Red Hat Enterprise Linux 7 This test makes sure that /etc/passwd is group owned by 0. Verify /etc/shadow Group Owner Red Hat Enterprise Linux 7 This test makes sure that /etc/shadow is group owned by 0. Verify /boot/grub2/grub.cfg Group Owner Red Hat Enterprise Linux 7 This test makes sure that /boot/grub2/grub.cfg is group owned by 0. Verify /boot/efi/EFI/redhat/grub.cfg Owner Red Hat Enterprise Linux 7 This test makes sure that /boot/efi/EFI/redhat/grub.cfg is owned by 0. 
Verify /etc/group Owner Red Hat Enterprise Linux 7 This test makes sure that /etc/group is owned by 0. Verify /etc/gshadow Owner Red Hat Enterprise Linux 7 This test makes sure that /etc/gshadow is owned by 0. Verify /etc/passwd Owner Red Hat Enterprise Linux 7 This test makes sure that /etc/passwd is owned by 0. Verify /etc/shadow Owner Red Hat Enterprise Linux 7 This test makes sure that /etc/shadow is owned by 0. Verify /boot/grub2/grub.cfg Owner Red Hat Enterprise Linux 7 This test makes sure that /boot/grub2/grub.cfg is owned by 0. Verify /etc/cron.allow Mode Permissions Red Hat Enterprise Linux 7 This test makes sure that /etc/cron.allow has mode 0644. If the target file or directory has an extended ACL, then it will fail the mode check. Verify /etc/group Mode Permissions Red Hat Enterprise Linux 7 This test makes sure that /etc/group has mode 0644. If the target file or directory has an extended ACL, then it will fail the mode check. Verify /etc/gshadow Mode Permissions Red Hat Enterprise Linux 7 This test makes sure that /etc/gshadow has mode 0000. If the target file or directory has an extended ACL, then it will fail the mode check. Verify /etc/passwd Mode Permissions Red Hat Enterprise Linux 7 This test makes sure that /etc/passwd has mode 0644. If the target file or directory has an extended ACL, then it will fail the mode check. Verify /etc/shadow Mode Permissions Red Hat Enterprise Linux 7 This test makes sure that /etc/shadow has mode 0000. If the target file or directory has an extended ACL, then it will fail the mode check. Verify /boot/grub2/grub.cfg Mode Permissions Red Hat Enterprise Linux 7 This test makes sure that /boot/grub2/grub.cfg has mode 0600. If the target file or directory has an extended ACL, then it will fail the mode check. Verify /etc/httpd/conf.modules.d/^.*$ Mode Permissions Red Hat Enterprise Linux 7 This test makes sure that /etc/httpd/conf.modules.d/^.*$ has mode 0640. 
If the target file or directory has an extended ACL, then it will fail the mode check. Verify /etc/ssh/^.*_key$ Mode Permissions Red Hat Enterprise Linux 7 This test makes sure that /etc/ssh/^.*_key$ has mode 0640. If the target file or directory has an extended ACL, then it will fail the mode check. Verify /etc/ssh/^.*.pub$ Mode Permissions Red Hat Enterprise Linux 7 This test makes sure that /etc/ssh/^.*.pub$ has mode 0644. If the target file or directory has an extended ACL, then it will fail the mode check. Disable bluetooth Kernel Module Red Hat Enterprise Linux 7 The kernel module bluetooth should be disabled. Disable cramfs Kernel Module Red Hat Enterprise Linux 7 The kernel module cramfs should be disabled. Disable dccp Kernel Module Red Hat Enterprise Linux 7 The kernel module dccp should be disabled. Disable freevxfs Kernel Module Red Hat Enterprise Linux 7 The kernel module freevxfs should be disabled. Disable hfs Kernel Module Red Hat Enterprise Linux 7 The kernel module hfs should be disabled. Disable hfsplus Kernel Module Red Hat Enterprise Linux 7 The kernel module hfsplus should be disabled. Disable jffs2 Kernel Module Red Hat Enterprise Linux 7 The kernel module jffs2 should be disabled. Disable sctp Kernel Module Red Hat Enterprise Linux 7 The kernel module sctp should be disabled. Disable squashfs Kernel Module Red Hat Enterprise Linux 7 The kernel module squashfs should be disabled. Disable udf Kernel Module Red Hat Enterprise Linux 7 The kernel module udf should be disabled. Disable usb-storage Kernel Module Red Hat Enterprise Linux 7 The kernel module usb-storage should be disabled. Add nodev Option to /dev/shm Red Hat Enterprise Linux 7 /dev/shm should be mounted with mount option nodev. Add noexec Option to /dev/shm Red Hat Enterprise Linux 7 /dev/shm should be mounted with mount option noexec. Add nosuid Option to /dev/shm Red Hat Enterprise Linux 7 /dev/shm should be mounted with mount option nosuid. 
Add nodev Option to /home Red Hat Enterprise Linux 7 /home should be mounted with mount option nodev. Add nosuid Option to /home Red Hat Enterprise Linux 7 /home should be mounted with mount option nosuid. Add nodev Option to /tmp Red Hat Enterprise Linux 7 /tmp should be mounted with mount option nodev. Add noexec Option to /tmp Red Hat Enterprise Linux 7 /tmp should be mounted with mount option noexec. Add nosuid Option to /tmp Red Hat Enterprise Linux 7 /tmp should be mounted with mount option nosuid. Add nodev Option to /var/tmp Red Hat Enterprise Linux 7 /var/tmp should be mounted with mount option nodev. Add noexec Option to /var/tmp Red Hat Enterprise Linux 7 /var/tmp should be mounted with mount option noexec. Add nosuid Option to /var/tmp Red Hat Enterprise Linux 7 /var/tmp should be mounted with mount option nosuid. Package abrt Removed Red Hat Enterprise Linux 7 The RPM package abrt should be removed. Package acpid Removed Red Hat Enterprise Linux 7 The RPM package acpid should be removed. Package aide Installed Red Hat Enterprise Linux 7 The RPM package aide should be installed. Package at Removed Red Hat Enterprise Linux 7 The RPM package at should be removed. Package audit Installed Red Hat Enterprise Linux 7 The RPM package audit should be installed. Package authconfig-gtk Installed Red Hat Enterprise Linux 7 The RPM package authconfig-gtk should be installed. Package autofs Removed Red Hat Enterprise Linux 7 The RPM package autofs should be removed. Package avahi Removed Red Hat Enterprise Linux 7 The RPM package avahi should be removed. Package bind Removed Red Hat Enterprise Linux 7 The RPM package bind should be removed. Package bluez Removed Red Hat Enterprise Linux 7 The RPM package bluez should be removed. Package certmonger Removed Red Hat Enterprise Linux 7 The RPM package certmonger should be removed. Package chrony Installed Red Hat Enterprise Linux 7 The RPM package chrony should be installed. 
Package cronie Installed Red Hat Enterprise Linux 7 The RPM package cronie should be installed. Package cups Removed Red Hat Enterprise Linux 7 The RPM package cups should be removed. Package cyrus-sasl Removed Red Hat Enterprise Linux 7 The RPM package cyrus-sasl should be removed. Package dbus Removed Red Hat Enterprise Linux 7 The RPM package dbus should be removed. Package dconf Installed Red Hat Enterprise Linux 7 The RPM package dconf should be installed. Package dhcp Removed Red Hat Enterprise Linux 7 The RPM package dhcp should be removed. Package docker Installed Red Hat Enterprise Linux 7 The RPM package docker should be installed. Package dovecot Removed Red Hat Enterprise Linux 7 The RPM package dovecot should be removed. Package esc Installed Red Hat Enterprise Linux 7 The RPM package esc should be installed. Package firewalld Installed Red Hat Enterprise Linux 7 The RPM package firewalld should be installed. Package gdm Installed Red Hat Enterprise Linux 7 The RPM package gdm should be installed. Package gdm Removed Red Hat Enterprise Linux 7 The RPM package gdm should be removed. Package httpd Removed Red Hat Enterprise Linux 7 The RPM package httpd should be removed. Package iputils Removed Red Hat Enterprise Linux 7 The RPM package iputils should be removed. Package irqbalance Installed Red Hat Enterprise Linux 7 The RPM package irqbalance should be installed. Package kernel-tools Removed Red Hat Enterprise Linux 7 The RPM package kernel-tools should be removed. Package kexec-tools Removed Red Hat Enterprise Linux 7 The RPM package kexec-tools should be removed. Package libcgroup-tools Removed Red Hat Enterprise Linux 7 The RPM package libcgroup-tools should be removed. Package libcgroup Removed Red Hat Enterprise Linux 7 The RPM package libcgroup should be removed. Package libreswan Installed Red Hat Enterprise Linux 7 The RPM package libreswan should be installed. 
Package mcstrans Removed Red Hat Enterprise Linux 7 The RPM package mcstrans should be removed. Package mdadm Removed Red Hat Enterprise Linux 7 The RPM package mdadm should be removed. Package net-snmp Removed Red Hat Enterprise Linux 7 The RPM package net-snmp should be removed. Package nfs-utils Removed Red Hat Enterprise Linux 7 The RPM package nfs-utils should be removed. Package ntp Installed Red Hat Enterprise Linux 7 The RPM package ntp should be installed. Package ntp Removed Red Hat Enterprise Linux 7 The RPM package ntp should be removed. Package ntpdate Removed Red Hat Enterprise Linux 7 The RPM package ntpdate should be removed. Package oddjob Removed Red Hat Enterprise Linux 7 The RPM package oddjob should be removed. Package openldap-servers Removed Red Hat Enterprise Linux 7 The RPM package openldap-servers should be removed. Package opensc Installed Red Hat Enterprise Linux 7 The RPM package opensc should be installed. Package openssh-server Installed Red Hat Enterprise Linux 7 The RPM package openssh-server should be installed. Package openssh-server Removed Red Hat Enterprise Linux 7 The RPM package openssh-server should be removed. Package pam_pkcs11 Installed Red Hat Enterprise Linux 7 The RPM package pam_pkcs11 should be installed. Package pcsc-lite Installed Red Hat Enterprise Linux 7 The RPM package pcsc-lite should be installed. Package policycoreutils Installed Red Hat Enterprise Linux 7 The RPM package policycoreutils should be installed. Package portreserve Removed Red Hat Enterprise Linux 7 The RPM package portreserve should be removed. Package postfix Installed Red Hat Enterprise Linux 7 The RPM package postfix should be installed. Package prelink Removed Red Hat Enterprise Linux 7 The RPM package prelink should be removed. Package psacct Installed Red Hat Enterprise Linux 7 The RPM package psacct should be installed. Package qpid-cpp-server Removed Red Hat Enterprise Linux 7 The RPM package qpid-cpp-server should be removed. 
Package quagga Removed Red Hat Enterprise Linux 7 The RPM package quagga should be removed. Package quota-nld Removed Red Hat Enterprise Linux 7 The RPM package quota-nld should be removed. Package rhnsd Removed Red Hat Enterprise Linux 7 The RPM package rhnsd should be removed. Package rsh-server Removed Red Hat Enterprise Linux 7 The RPM package rsh-server should be removed. Package rsh Removed Red Hat Enterprise Linux 7 The RPM package rsh should be removed. Package rsyslog Installed Red Hat Enterprise Linux 7 The RPM package rsyslog should be installed. Package samba-common Removed Red Hat Enterprise Linux 7 The RPM package samba-common should be removed. Package samba Removed Red Hat Enterprise Linux 7 The RPM package samba should be removed. Package screen Installed Red Hat Enterprise Linux 7 The RPM package screen should be installed. Package sendmail Removed Red Hat Enterprise Linux 7 The RPM package sendmail should be removed. Package setroubleshoot Removed Red Hat Enterprise Linux 7 The RPM package setroubleshoot should be removed. Package smartmontools Removed Red Hat Enterprise Linux 7 The RPM package smartmontools should be removed. Package squid Removed Red Hat Enterprise Linux 7 The RPM package squid should be removed. Package sssd Installed Red Hat Enterprise Linux 7 The RPM package sssd should be installed. Package sssd Removed Red Hat Enterprise Linux 7 The RPM package sssd should be removed. Package subscription-manager Removed Red Hat Enterprise Linux 7 The RPM package subscription-manager should be removed. Package sysstat Removed Red Hat Enterprise Linux 7 The RPM package sysstat should be removed. Package systemd Installed Red Hat Enterprise Linux 7 The RPM package systemd should be installed. Package systemd Removed Red Hat Enterprise Linux 7 The RPM package systemd should be removed. Package talk-server Removed Red Hat Enterprise Linux 7 The RPM package talk-server should be removed. 
Package talk Removed Red Hat Enterprise Linux 7 The RPM package talk should be removed. Package tcp_wrappers Installed Red Hat Enterprise Linux 7 The RPM package tcp_wrappers should be installed. Package telnet-server Removed Red Hat Enterprise Linux 7 The RPM package telnet-server should be removed. Package telnet Removed Red Hat Enterprise Linux 7 The RPM package telnet should be removed. Package tftp-server Removed Red Hat Enterprise Linux 7 The RPM package tftp-server should be removed. Package tftp Removed Red Hat Enterprise Linux 7 The RPM package tftp should be removed. Package vsftpd Installed Red Hat Enterprise Linux 7 The RPM package vsftpd should be installed. Package vsftpd Removed Red Hat Enterprise Linux 7 The RPM package vsftpd should be removed. Package xinetd Installed Red Hat Enterprise Linux 7 The RPM package xinetd should be installed. Package xinetd Removed Red Hat Enterprise Linux 7 The RPM package xinetd should be removed. Package xorg-x11-server-common Removed Red Hat Enterprise Linux 7 The RPM package xorg-x11-server-common should be removed. Package ypbind Removed Red Hat Enterprise Linux 7 The RPM package ypbind should be removed. Package ypserv Removed Red Hat Enterprise Linux 7 The RPM package ypserv should be removed. Ensure /home Located On Separate Partition Red Hat Enterprise Linux 7 If stored locally, create a separate partition for /home. If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at this time, and the mountpoint can instead be configured later. Ensure /tmp Located On Separate Partition Red Hat Enterprise Linux 7 If stored locally, create a separate partition for /tmp. If /tmp will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at this time, and the mountpoint can instead be configured later. 
Ensure /var Located On Separate Partition Red Hat Enterprise Linux 7 If stored locally, create a separate partition for /var. If /var will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at this time, and the mountpoint can instead be configured later. Ensure /var/log Located On Separate Partition Red Hat Enterprise Linux 7 If stored locally, create a separate partition for /var/log. If /var/log will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at this time, and the mountpoint can instead be configured later. Ensure /var/log/audit Located On Separate Partition Red Hat Enterprise Linux 7 If stored locally, create a separate partition for /var/log/audit. If /var/log/audit will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at this time, and the mountpoint can instead be configured later. Ensure /var/tmp Located On Separate Partition Red Hat Enterprise Linux 7 If stored locally, create a separate partition for /var/tmp. If /var/tmp will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at this time, and the mountpoint can instead be configured later. Ensure Correct Mode, Owner, Group Owner for /etc/cron.allow Red Hat Enterprise Linux 7 Checks for correct UNIX permissions on /etc/cron.allow. Ensure Correct Mode, Owner, Group Owner for /boot/efi/EFI/redhat/grub.cfg Red Hat Enterprise Linux 7 Checks for correct UNIX permissions on /boot/efi/EFI/redhat/grub.cfg. Ensure Correct Mode, Owner, Group Owner for /etc/group Red Hat Enterprise Linux 7 Checks for correct UNIX permissions on /etc/group. Ensure Correct Mode, Owner, Group Owner for /etc/gshadow Red Hat Enterprise Linux 7 Checks for correct UNIX permissions on /etc/gshadow. 
Ensure Correct Mode, Owner, Group Owner for /etc/passwd Red Hat Enterprise Linux 7 Checks for correct UNIX permissions on /etc/passwd. Ensure Correct Mode, Owner, Group Owner for /etc/shadow Red Hat Enterprise Linux 7 Checks for correct UNIX permissions on /etc/shadow. Ensure Correct Mode, Owner, Group Owner for /boot/grub2/grub.cfg Red Hat Enterprise Linux 7 Checks for correct UNIX permissions on /boot/grub2/grub.cfg. Ensure Correct Mode, Owner, Group Owner for /etc/httpd/conf.d/^.*$ Red Hat Enterprise Linux 7 Checks for correct UNIX permissions on /etc/httpd/conf.d/^.*$. Ensure Correct Mode, Owner, Group Owner for /etc/httpd/conf/^.*$ Red Hat Enterprise Linux 7 Checks for correct UNIX permissions on /etc/httpd/conf/^.*$. Ensure Correct Mode, Owner, Group Owner for /etc/httpd/conf.modules.d/^.*$ Red Hat Enterprise Linux 7 Checks for correct UNIX permissions on /etc/httpd/conf.modules.d/^.*$. Ensure Correct Mode, Owner, Group Owner for /etc/ssh/^.*_key$ Red Hat Enterprise Linux 7 Checks for correct UNIX permissions on /etc/ssh/^.*_key$. Ensure Correct Mode, Owner, Group Owner for /etc/ssh/^.*.pub$ Red Hat Enterprise Linux 7 Checks for correct UNIX permissions on /etc/ssh/^.*.pub$. SELinux "SELinux" Boolean Check Red Hat Enterprise Linux 7 The SELinux "SELinux" boolean should be set in the system configuration. SELinux "abrt_anon_write" Boolean Check Red Hat Enterprise Linux 7 The SELinux "abrt_anon_write" boolean should be set in the system configuration. SELinux "abrt_handle_event" Boolean Check Red Hat Enterprise Linux 7 The SELinux "abrt_handle_event" boolean should be set in the system configuration. SELinux "abrt_upload_watch_anon_write" Boolean Check Red Hat Enterprise Linux 7 The SELinux "abrt_upload_watch_anon_write" boolean should be set in the system configuration. SELinux "antivirus_can_scan_system" Boolean Check Red Hat Enterprise Linux 7 The SELinux "antivirus_can_scan_system" boolean should be set in the system configuration. 
SELinux "antivirus_use_jit" Boolean Check Red Hat Enterprise Linux 7 The SELinux "antivirus_use_jit" boolean should be set in the system configuration. SELinux "auditadm_exec_content" Boolean Check Red Hat Enterprise Linux 7 The SELinux "auditadm_exec_content" boolean should be set in the system configuration. SELinux "authlogin_nsswitch_use_ldap" Boolean Check Red Hat Enterprise Linux 7 The SELinux "authlogin_nsswitch_use_ldap" boolean should be set in the system configuration. SELinux "authlogin_radius" Boolean Check Red Hat Enterprise Linux 7 The SELinux "authlogin_radius" boolean should be set in the system configuration. SELinux "authlogin_yubikey" Boolean Check Red Hat Enterprise Linux 7 The SELinux "authlogin_yubikey" boolean should be set in the system configuration. SELinux "awstats_purge_apache_log_files" Boolean Check Red Hat Enterprise Linux 7 The SELinux "awstats_purge_apache_log_files" boolean should be set in the system configuration. SELinux "boinc_execmem" Boolean Check Red Hat Enterprise Linux 7 The SELinux "boinc_execmem" boolean should be set in the system configuration. SELinux "cdrecord_read_content" Boolean Check Red Hat Enterprise Linux 7 The SELinux "cdrecord_read_content" boolean should be set in the system configuration. SELinux "cluster_can_network_connect" Boolean Check Red Hat Enterprise Linux 7 The SELinux "cluster_can_network_connect" boolean should be set in the system configuration. SELinux "cluster_manage_all_files" Boolean Check Red Hat Enterprise Linux 7 The SELinux "cluster_manage_all_files" boolean should be set in the system configuration. SELinux "cluster_use_execmem" Boolean Check Red Hat Enterprise Linux 7 The SELinux "cluster_use_execmem" boolean should be set in the system configuration. SELinux "cobbler_anon_write" Boolean Check Red Hat Enterprise Linux 7 The SELinux "cobbler_anon_write" boolean should be set in the system configuration. 
SELinux "cobbler_can_network_connect" Boolean Check Red Hat Enterprise Linux 7 The SELinux "cobbler_can_network_connect" boolean should be set in the system configuration. SELinux "cobbler_use_cifs" Boolean Check Red Hat Enterprise Linux 7 The SELinux "cobbler_use_cifs" boolean should be set in the system configuration. SELinux "cobbler_use_nfs" Boolean Check Red Hat Enterprise Linux 7 The SELinux "cobbler_use_nfs" boolean should be set in the system configuration. SELinux "collectd_tcp_network_connect" Boolean Check Red Hat Enterprise Linux 7 The SELinux "collectd_tcp_network_connect" boolean should be set in the system configuration. SELinux "condor_tcp_network_connect" Boolean Check Red Hat Enterprise Linux 7 The SELinux "condor_tcp_network_connect" boolean should be set in the system configuration. SELinux "conman_can_network" Boolean Check Red Hat Enterprise Linux 7 The SELinux "conman_can_network" boolean should be set in the system configuration. SELinux "container_connect_any" Boolean Check Red Hat Enterprise Linux 7 The SELinux "container_connect_any" boolean should be set in the system configuration. SELinux "cron_can_relabel" Boolean Check Red Hat Enterprise Linux 7 The SELinux "cron_can_relabel" boolean should be set in the system configuration. SELinux "cron_system_cronjob_use_shares" Boolean Check Red Hat Enterprise Linux 7 The SELinux "cron_system_cronjob_use_shares" boolean should be set in the system configuration. SELinux "cron_userdomain_transition" Boolean Check Red Hat Enterprise Linux 7 The SELinux "cron_userdomain_transition" boolean should be set in the system configuration. SELinux "cups_execmem" Boolean Check Red Hat Enterprise Linux 7 The SELinux "cups_execmem" boolean should be set in the system configuration. SELinux "cvs_read_shadow" Boolean Check Red Hat Enterprise Linux 7 The SELinux "cvs_read_shadow" boolean should be set in the system configuration. 
SELinux "daemons_dump_core" Boolean Check Red Hat Enterprise Linux 7 The SELinux "daemons_dump_core" boolean should be set in the system configuration. SELinux "daemons_enable_cluster_mode" Boolean Check Red Hat Enterprise Linux 7 The SELinux "daemons_enable_cluster_mode" boolean should be set in the system configuration. SELinux "daemons_use_tcp_wrapper" Boolean Check Red Hat Enterprise Linux 7 The SELinux "daemons_use_tcp_wrapper" boolean should be set in the system configuration. SELinux "daemons_use_tty" Boolean Check Red Hat Enterprise Linux 7 The SELinux "daemons_use_tty" boolean should be set in the system configuration. SELinux "dbadm_exec_content" Boolean Check Red Hat Enterprise Linux 7 The SELinux "dbadm_exec_content" boolean should be set in the system configuration. SELinux "dbadm_manage_user_files" Boolean Check Red Hat Enterprise Linux 7 The SELinux "dbadm_manage_user_files" boolean should be set in the system configuration. SELinux "dbadm_read_user_files" Boolean Check Red Hat Enterprise Linux 7 The SELinux "dbadm_read_user_files" boolean should be set in the system configuration. SELinux "deny_execmem" Boolean Check Red Hat Enterprise Linux 7 The SELinux "deny_execmem" boolean should be set in the system configuration. SELinux "deny_ptrace" Boolean Check Red Hat Enterprise Linux 7 The SELinux "deny_ptrace" boolean should be set in the system configuration. SELinux "dhcpc_exec_iptables" Boolean Check Red Hat Enterprise Linux 7 The SELinux "dhcpc_exec_iptables" boolean should be set in the system configuration. SELinux "dhcpd_use_ldap" Boolean Check Red Hat Enterprise Linux 7 The SELinux "dhcpd_use_ldap" boolean should be set in the system configuration. SELinux "domain_fd_use" Boolean Check Red Hat Enterprise Linux 7 The SELinux "domain_fd_use" boolean should be set in the system configuration. 
SELinux "domain_kernel_load_modules" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "domain_kernel_load_modules" boolean should be set in the system configuration.
SELinux "entropyd_use_audio" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "entropyd_use_audio" boolean should be set in the system configuration.
SELinux "exim_can_connect_db" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "exim_can_connect_db" boolean should be set in the system configuration.
SELinux "exim_manage_user_files" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "exim_manage_user_files" boolean should be set in the system configuration.
SELinux "exim_read_user_files" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "exim_read_user_files" boolean should be set in the system configuration.
SELinux "fcron_crond" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "fcron_crond" boolean should be set in the system configuration.
SELinux "fenced_can_network_connect" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "fenced_can_network_connect" boolean should be set in the system configuration.
SELinux "fenced_can_ssh" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "fenced_can_ssh" boolean should be set in the system configuration.
SELinux "fips_mode" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "fips_mode" boolean should be set in the system configuration.
SELinux "ftpd_anon_write" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "ftpd_anon_write" boolean should be set in the system configuration.
SELinux "ftpd_connect_all_unreserved" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "ftpd_connect_all_unreserved" boolean should be set in the system configuration.
SELinux "ftpd_connect_db" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "ftpd_connect_db" boolean should be set in the system configuration.
SELinux "ftpd_full_access" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "ftpd_full_access" boolean should be set in the system configuration.
SELinux "ftpd_use_cifs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "ftpd_use_cifs" boolean should be set in the system configuration.
SELinux "ftpd_use_fusefs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "ftpd_use_fusefs" boolean should be set in the system configuration.
SELinux "ftpd_use_nfs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "ftpd_use_nfs" boolean should be set in the system configuration.
SELinux "ftpd_use_passive_mode" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "ftpd_use_passive_mode" boolean should be set in the system configuration.
SELinux "git_cgi_enable_homedirs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "git_cgi_enable_homedirs" boolean should be set in the system configuration.
SELinux "git_cgi_use_cifs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "git_cgi_use_cifs" boolean should be set in the system configuration.
SELinux "git_cgi_use_nfs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "git_cgi_use_nfs" boolean should be set in the system configuration.
SELinux "git_session_bind_all_unreserved_ports" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "git_session_bind_all_unreserved_ports" boolean should be set in the system configuration.
SELinux "git_session_users" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "git_session_users" boolean should be set in the system configuration.
SELinux "git_system_enable_homedirs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "git_system_enable_homedirs" boolean should be set in the system configuration.
SELinux "git_system_use_cifs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "git_system_use_cifs" boolean should be set in the system configuration.
SELinux "git_system_use_nfs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "git_system_use_nfs" boolean should be set in the system configuration.
SELinux "gitosis_can_sendmail" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "gitosis_can_sendmail" boolean should be set in the system configuration.
SELinux "glance_api_can_network" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "glance_api_can_network" boolean should be set in the system configuration.
SELinux "glance_use_execmem" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "glance_use_execmem" boolean should be set in the system configuration.
SELinux "glance_use_fusefs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "glance_use_fusefs" boolean should be set in the system configuration.
SELinux "global_ssp" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "global_ssp" boolean should be set in the system configuration.
SELinux "gluster_anon_write" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "gluster_anon_write" boolean should be set in the system configuration.
SELinux "gluster_export_all_ro" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "gluster_export_all_ro" boolean should be set in the system configuration.
SELinux "gluster_export_all_rw" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "gluster_export_all_rw" boolean should be set in the system configuration.
SELinux "gpg_web_anon_write" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "gpg_web_anon_write" boolean should be set in the system configuration.
SELinux "gssd_read_tmp" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "gssd_read_tmp" boolean should be set in the system configuration.
SELinux "guest_exec_content" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "guest_exec_content" boolean should be set in the system configuration.
SELinux "haproxy_connect_any" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "haproxy_connect_any" boolean should be set in the system configuration.
SELinux "httpd_anon_write" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_anon_write" boolean should be set in the system configuration.
SELinux "httpd_builtin_scripting" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_builtin_scripting" boolean should be set in the system configuration.
SELinux "httpd_can_check_spam" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_can_check_spam" boolean should be set in the system configuration.
SELinux "httpd_can_connect_ftp" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_can_connect_ftp" boolean should be set in the system configuration.
SELinux "httpd_can_connect_ldap" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_can_connect_ldap" boolean should be set in the system configuration.
SELinux "httpd_can_connect_mythtv" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_can_connect_mythtv" boolean should be set in the system configuration.
SELinux "httpd_can_connect_zabbix" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_can_connect_zabbix" boolean should be set in the system configuration.
SELinux "httpd_can_network_connect" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_can_network_connect" boolean should be set in the system configuration.
SELinux "httpd_can_network_connect_cobbler" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_can_network_connect_cobbler" boolean should be set in the system configuration.
SELinux "httpd_can_network_connect_db" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_can_network_connect_db" boolean should be set in the system configuration.
SELinux "httpd_can_network_memcache" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_can_network_memcache" boolean should be set in the system configuration.
SELinux "httpd_can_network_relay" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_can_network_relay" boolean should be set in the system configuration.
SELinux "httpd_can_sendmail" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_can_sendmail" boolean should be set in the system configuration.
SELinux "httpd_dbus_avahi" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_dbus_avahi" boolean should be set in the system configuration.
SELinux "httpd_dbus_sssd" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_dbus_sssd" boolean should be set in the system configuration.
SELinux "httpd_dontaudit_search_dirs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_dontaudit_search_dirs" boolean should be set in the system configuration.
SELinux "httpd_enable_cgi" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_enable_cgi" boolean should be set in the system configuration.
SELinux "httpd_enable_ftp_server" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_enable_ftp_server" boolean should be set in the system configuration.
SELinux "httpd_enable_homedirs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_enable_homedirs" boolean should be set in the system configuration.
SELinux "httpd_execmem" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_execmem" boolean should be set in the system configuration.
SELinux "httpd_graceful_shutdown" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_graceful_shutdown" boolean should be set in the system configuration.
SELinux "httpd_manage_ipa" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_manage_ipa" boolean should be set in the system configuration.
SELinux "httpd_mod_auth_ntlm_winbind" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_mod_auth_ntlm_winbind" boolean should be set in the system configuration.
SELinux "httpd_mod_auth_pam" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_mod_auth_pam" boolean should be set in the system configuration.
SELinux "httpd_read_user_content" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_read_user_content" boolean should be set in the system configuration.
SELinux "httpd_run_ipa" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_run_ipa" boolean should be set in the system configuration.
SELinux "httpd_run_preupgrade" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_run_preupgrade" boolean should be set in the system configuration.
SELinux "httpd_run_stickshift" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_run_stickshift" boolean should be set in the system configuration.
SELinux "httpd_serve_cobbler_files" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_serve_cobbler_files" boolean should be set in the system configuration.
SELinux "httpd_setrlimit" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_setrlimit" boolean should be set in the system configuration.
SELinux "httpd_ssi_exec" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_ssi_exec" boolean should be set in the system configuration.
SELinux "httpd_sys_script_anon_write" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_sys_script_anon_write" boolean should be set in the system configuration.
SELinux "httpd_tmp_exec" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_tmp_exec" boolean should be set in the system configuration.
SELinux "httpd_tty_comm" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_tty_comm" boolean should be set in the system configuration.
SELinux "httpd_unified" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_unified" boolean should be set in the system configuration.
SELinux "httpd_use_cifs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_use_cifs" boolean should be set in the system configuration.
SELinux "httpd_use_fusefs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_use_fusefs" boolean should be set in the system configuration.
SELinux "httpd_use_gpg" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_use_gpg" boolean should be set in the system configuration.
SELinux "httpd_use_nfs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_use_nfs" boolean should be set in the system configuration.
SELinux "httpd_use_openstack" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_use_openstack" boolean should be set in the system configuration.
SELinux "httpd_use_sasl" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_use_sasl" boolean should be set in the system configuration.
SELinux "httpd_verify_dns" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_verify_dns" boolean should be set in the system configuration.
SELinux "icecast_use_any_tcp_ports" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "icecast_use_any_tcp_ports" boolean should be set in the system configuration.
SELinux "irc_use_any_tcp_ports" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "irc_use_any_tcp_ports" boolean should be set in the system configuration.
SELinux "irssi_use_full_network" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "irssi_use_full_network" boolean should be set in the system configuration.
SELinux "kdumpgui_run_bootloader" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "kdumpgui_run_bootloader" boolean should be set in the system configuration.
SELinux "kerberos_enabled" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "kerberos_enabled" boolean should be set in the system configuration.
SELinux "ksmtuned_use_cifs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "ksmtuned_use_cifs" boolean should be set in the system configuration.
SELinux "ksmtuned_use_nfs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "ksmtuned_use_nfs" boolean should be set in the system configuration.
SELinux "logadm_exec_content" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "logadm_exec_content" boolean should be set in the system configuration.
SELinux "logging_syslogd_can_sendmail" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "logging_syslogd_can_sendmail" boolean should be set in the system configuration.
SELinux "logging_syslogd_run_nagios_plugins" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "logging_syslogd_run_nagios_plugins" boolean should be set in the system configuration.
SELinux "logging_syslogd_use_tty" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "logging_syslogd_use_tty" boolean should be set in the system configuration.
SELinux "login_console_enabled" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "login_console_enabled" boolean should be set in the system configuration.
SELinux "logrotate_use_nfs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "logrotate_use_nfs" boolean should be set in the system configuration.
SELinux "logwatch_can_network_connect_mail" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "logwatch_can_network_connect_mail" boolean should be set in the system configuration.
SELinux "lsmd_plugin_connect_any" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "lsmd_plugin_connect_any" boolean should be set in the system configuration.
SELinux "mailman_use_fusefs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mailman_use_fusefs" boolean should be set in the system configuration.
SELinux "mcelog_client" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mcelog_client" boolean should be set in the system configuration.
SELinux "mcelog_exec_scripts" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mcelog_exec_scripts" boolean should be set in the system configuration.
SELinux "mcelog_foreground" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mcelog_foreground" boolean should be set in the system configuration.
SELinux "mcelog_server" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mcelog_server" boolean should be set in the system configuration.
SELinux "minidlna_read_generic_user_content" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "minidlna_read_generic_user_content" boolean should be set in the system configuration.
SELinux "mmap_low_allowed" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mmap_low_allowed" boolean should be set in the system configuration.
SELinux "mock_enable_homedirs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mock_enable_homedirs" boolean should be set in the system configuration.
SELinux "mount_anyfile" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mount_anyfile" boolean should be set in the system configuration.
SELinux "mozilla_plugin_bind_unreserved_ports" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mozilla_plugin_bind_unreserved_ports" boolean should be set in the system configuration.
SELinux "mozilla_plugin_can_network_connect" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mozilla_plugin_can_network_connect" boolean should be set in the system configuration.
SELinux "mozilla_plugin_use_bluejeans" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mozilla_plugin_use_bluejeans" boolean should be set in the system configuration.
SELinux "mozilla_plugin_use_gps" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mozilla_plugin_use_gps" boolean should be set in the system configuration.
SELinux "mozilla_plugin_use_spice" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mozilla_plugin_use_spice" boolean should be set in the system configuration.
SELinux "mozilla_read_content" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mozilla_read_content" boolean should be set in the system configuration.
SELinux "mpd_enable_homedirs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mpd_enable_homedirs" boolean should be set in the system configuration.
SELinux "mpd_use_cifs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mpd_use_cifs" boolean should be set in the system configuration.
SELinux "mpd_use_nfs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mpd_use_nfs" boolean should be set in the system configuration.
SELinux "mplayer_execstack" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mplayer_execstack" boolean should be set in the system configuration.
SELinux "mysql_connect_any" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mysql_connect_any" boolean should be set in the system configuration.
SELinux "nagios_run_pnp4nagios" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "nagios_run_pnp4nagios" boolean should be set in the system configuration.
SELinux "nagios_run_sudo" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "nagios_run_sudo" boolean should be set in the system configuration.
SELinux "named_tcp_bind_http_port" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "named_tcp_bind_http_port" boolean should be set in the system configuration.
SELinux "named_write_master_zones" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "named_write_master_zones" boolean should be set in the system configuration.
SELinux "neutron_can_network" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "neutron_can_network" boolean should be set in the system configuration.
SELinux "nfs_export_all_ro" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "nfs_export_all_ro" boolean should be set in the system configuration.
SELinux "nfs_export_all_rw" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "nfs_export_all_rw" boolean should be set in the system configuration.
SELinux "nfsd_anon_write" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "nfsd_anon_write" boolean should be set in the system configuration.
SELinux "nis_enabled" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "nis_enabled" boolean should be set in the system configuration.
SELinux "nscd_use_shm" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "nscd_use_shm" boolean should be set in the system configuration.
SELinux "openshift_use_nfs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "openshift_use_nfs" boolean should be set in the system configuration.
SELinux "openvpn_can_network_connect" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "openvpn_can_network_connect" boolean should be set in the system configuration.
SELinux "openvpn_enable_homedirs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "openvpn_enable_homedirs" boolean should be set in the system configuration.
SELinux "openvpn_run_unconfined" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "openvpn_run_unconfined" boolean should be set in the system configuration.
SELinux "pcp_bind_all_unreserved_ports" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "pcp_bind_all_unreserved_ports" boolean should be set in the system configuration.
SELinux "pcp_read_generic_logs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "pcp_read_generic_logs" boolean should be set in the system configuration.
SELinux "piranha_lvs_can_network_connect" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "piranha_lvs_can_network_connect" boolean should be set in the system configuration.
SELinux "polipo_connect_all_unreserved" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "polipo_connect_all_unreserved" boolean should be set in the system configuration.
SELinux "polipo_session_bind_all_unreserved_ports" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "polipo_session_bind_all_unreserved_ports" boolean should be set in the system configuration.
SELinux "polipo_session_users" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "polipo_session_users" boolean should be set in the system configuration.
SELinux "polipo_use_cifs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "polipo_use_cifs" boolean should be set in the system configuration.
SELinux "polipo_use_nfs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "polipo_use_nfs" boolean should be set in the system configuration.
SELinux "polyinstantiation_enabled" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "polyinstantiation_enabled" boolean should be set in the system configuration.
SELinux "postfix_local_write_mail_spool" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "postfix_local_write_mail_spool" boolean should be set in the system configuration.
SELinux "postgresql_can_rsync" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "postgresql_can_rsync" boolean should be set in the system configuration.
SELinux "postgresql_selinux_transmit_client_label" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "postgresql_selinux_transmit_client_label" boolean should be set in the system configuration.
SELinux "postgresql_selinux_unconfined_dbadm" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "postgresql_selinux_unconfined_dbadm" boolean should be set in the system configuration.
SELinux "postgresql_selinux_users_ddl" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "postgresql_selinux_users_ddl" boolean should be set in the system configuration.
SELinux "pppd_can_insmod" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "pppd_can_insmod" boolean should be set in the system configuration.
SELinux "pppd_for_user" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "pppd_for_user" boolean should be set in the system configuration.
SELinux "privoxy_connect_any" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "privoxy_connect_any" boolean should be set in the system configuration.
SELinux "prosody_bind_http_port" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "prosody_bind_http_port" boolean should be set in the system configuration.
SELinux "puppetagent_manage_all_files" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "puppetagent_manage_all_files" boolean should be set in the system configuration.
SELinux "puppetmaster_use_db" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "puppetmaster_use_db" boolean should be set in the system configuration.
SELinux "racoon_read_shadow" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "racoon_read_shadow" boolean should be set in the system configuration.
SELinux "rsync_anon_write" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "rsync_anon_write" boolean should be set in the system configuration.
SELinux "rsync_client" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "rsync_client" boolean should be set in the system configuration.
SELinux "rsync_export_all_ro" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "rsync_export_all_ro" boolean should be set in the system configuration.
SELinux "rsync_full_access" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "rsync_full_access" boolean should be set in the system configuration.
SELinux "samba_create_home_dirs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "samba_create_home_dirs" boolean should be set in the system configuration.
SELinux "samba_domain_controller" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "samba_domain_controller" boolean should be set in the system configuration.
SELinux "samba_enable_home_dirs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "samba_enable_home_dirs" boolean should be set in the system configuration.
SELinux "samba_export_all_ro" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "samba_export_all_ro" boolean should be set in the system configuration.
SELinux "samba_export_all_rw" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "samba_export_all_rw" boolean should be set in the system configuration.
SELinux "samba_load_libgfapi" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "samba_load_libgfapi" boolean should be set in the system configuration.
SELinux "samba_portmapper" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "samba_portmapper" boolean should be set in the system configuration.
SELinux "samba_run_unconfined" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "samba_run_unconfined" boolean should be set in the system configuration.
SELinux "samba_share_fusefs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "samba_share_fusefs" boolean should be set in the system configuration.
SELinux "samba_share_nfs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "samba_share_nfs" boolean should be set in the system configuration.
SELinux "sanlock_use_fusefs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "sanlock_use_fusefs" boolean should be set in the system configuration.
SELinux "sanlock_use_nfs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "sanlock_use_nfs" boolean should be set in the system configuration.
SELinux "sanlock_use_samba" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "sanlock_use_samba" boolean should be set in the system configuration.
SELinux "saslauthd_read_shadow" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "saslauthd_read_shadow" boolean should be set in the system configuration.
SELinux "secadm_exec_content" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "secadm_exec_content" boolean should be set in the system configuration.
SELinux "secure_mode" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "secure_mode" boolean should be set in the system configuration.
SELinux "secure_mode_insmod" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "secure_mode_insmod" boolean should be set in the system configuration.
SELinux "secure_mode_policyload" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "secure_mode_policyload" boolean should be set in the system configuration.
SELinux "selinuxuser_direct_dri_enabled" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "selinuxuser_direct_dri_enabled" boolean should be set in the system configuration.
SELinux "selinuxuser_execheap" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "selinuxuser_execheap" boolean should be set in the system configuration.
SELinux "selinuxuser_execmod" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "selinuxuser_execmod" boolean should be set in the system configuration.
SELinux "selinuxuser_execstack" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "selinuxuser_execstack" boolean should be set in the system configuration.
SELinux "selinuxuser_mysql_connect_enabled" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "selinuxuser_mysql_connect_enabled" boolean should be set in the system configuration.
SELinux "selinuxuser_ping" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "selinuxuser_ping" boolean should be set in the system configuration.
SELinux "selinuxuser_postgresql_connect_enabled" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "selinuxuser_postgresql_connect_enabled" boolean should be set in the system configuration.
SELinux "selinuxuser_rw_noexattrfile" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "selinuxuser_rw_noexattrfile" boolean should be set in the system configuration.
SELinux "selinuxuser_share_music" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "selinuxuser_share_music" boolean should be set in the system configuration.
SELinux "selinuxuser_tcp_server" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "selinuxuser_tcp_server" boolean should be set in the system configuration.
SELinux "selinuxuser_udp_server" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "selinuxuser_udp_server" boolean should be set in the system configuration.
SELinux "selinuxuser_use_ssh_chroot" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "selinuxuser_use_ssh_chroot" boolean should be set in the system configuration.
SELinux "sge_domain_can_network_connect" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "sge_domain_can_network_connect" boolean should be set in the system configuration.
SELinux "sge_use_nfs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "sge_use_nfs" boolean should be set in the system configuration.
SELinux "smartmon_3ware" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "smartmon_3ware" boolean should be set in the system configuration.
SELinux "smbd_anon_write" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "smbd_anon_write" boolean should be set in the system configuration.
SELinux "spamassassin_can_network" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "spamassassin_can_network" boolean should be set in the system configuration.
SELinux "spamd_enable_home_dirs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "spamd_enable_home_dirs" boolean should be set in the system configuration.
SELinux "squid_connect_any" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "squid_connect_any" boolean should be set in the system configuration.
SELinux "squid_use_tproxy" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "squid_use_tproxy" boolean should be set in the system configuration.
SELinux "ssh_chroot_rw_homedirs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "ssh_chroot_rw_homedirs" boolean should be set in the system configuration.
SELinux "ssh_keysign" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "ssh_keysign" boolean should be set in the system configuration.
SELinux "ssh_sysadm_login" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "ssh_sysadm_login" boolean should be set in the system configuration.
SELinux "staff_exec_content" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "staff_exec_content" boolean should be set in the system configuration.
SELinux "staff_use_svirt" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "staff_use_svirt" boolean should be set in the system configuration.
SELinux "swift_can_network" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "swift_can_network" boolean should be set in the system configuration.
SELinux "sysadm_exec_content" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "sysadm_exec_content" boolean should be set in the system configuration.
SELinux "telepathy_connect_all_ports" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "telepathy_connect_all_ports" boolean should be set in the system configuration.
SELinux "telepathy_tcp_connect_generic_network_ports" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "telepathy_tcp_connect_generic_network_ports" boolean should be set in the system configuration.
SELinux "tftp_anon_write" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "tftp_anon_write" boolean should be set in the system configuration.
SELinux "tftp_home_dir" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "tftp_home_dir" boolean should be set in the system configuration.
SELinux "tmpreaper_use_nfs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "tmpreaper_use_nfs" boolean should be set in the system configuration.
SELinux "tmpreaper_use_samba" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "tmpreaper_use_samba" boolean should be set in the system configuration.
SELinux "tor_bind_all_unreserved_ports" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "tor_bind_all_unreserved_ports" boolean should be set in the system configuration.
SELinux "tor_can_network_relay" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "tor_can_network_relay" boolean should be set in the system configuration.
SELinux "unconfined_chrome_sandbox_transition" Boolean Check Red Hat Enterprise Linux 7 The SELinux "unconfined_chrome_sandbox_transition" boolean should be set in the system configuration. SELinux "unconfined_login" Boolean Check Red Hat Enterprise Linux 7 The SELinux "unconfined_login" boolean should be set in the system configuration. SELinux "unconfined_mozilla_plugin_transition" Boolean Check Red Hat Enterprise Linux 7 The SELinux "unconfined_mozilla_plugin_transition" boolean should be set in the system configuration. SELinux "unprivuser_use_svirt" Boolean Check Red Hat Enterprise Linux 7 The SELinux "unprivuser_use_svirt" boolean should be set in the system configuration. SELinux "use_ecryptfs_home_dirs" Boolean Check Red Hat Enterprise Linux 7 The SELinux "use_ecryptfs_home_dirs" boolean should be set in the system configuration. SELinux "use_fusefs_home_dirs" Boolean Check Red Hat Enterprise Linux 7 The SELinux "use_fusefs_home_dirs" boolean should be set in the system configuration. SELinux "use_lpd_server" Boolean Check Red Hat Enterprise Linux 7 The SELinux "use_lpd_server" boolean should be set in the system configuration. SELinux "use_nfs_home_dirs" Boolean Check Red Hat Enterprise Linux 7 The SELinux "use_nfs_home_dirs" boolean should be set in the system configuration. SELinux "use_samba_home_dirs" Boolean Check Red Hat Enterprise Linux 7 The SELinux "use_samba_home_dirs" boolean should be set in the system configuration. SELinux "user_exec_content" Boolean Check Red Hat Enterprise Linux 7 The SELinux "user_exec_content" boolean should be set in the system configuration. SELinux "varnishd_connect_any" Boolean Check Red Hat Enterprise Linux 7 The SELinux "varnishd_connect_any" boolean should be set in the system configuration. SELinux "virt_read_qemu_ga_data" Boolean Check Red Hat Enterprise Linux 7 The SELinux "virt_read_qemu_ga_data" boolean should be set in the system configuration. 
SELinux "virt_rw_qemu_ga_data" Boolean Check Red Hat Enterprise Linux 7 The SELinux "virt_rw_qemu_ga_data" boolean should be set in the system configuration. SELinux "virt_sandbox_use_all_caps" Boolean Check Red Hat Enterprise Linux 7 The SELinux "virt_sandbox_use_all_caps" boolean should be set in the system configuration. SELinux "virt_sandbox_use_audit" Boolean Check Red Hat Enterprise Linux 7 The SELinux "virt_sandbox_use_audit" boolean should be set in the system configuration. SELinux "virt_sandbox_use_mknod" Boolean Check Red Hat Enterprise Linux 7 The SELinux "virt_sandbox_use_mknod" boolean should be set in the system configuration. SELinux "virt_sandbox_use_netlink" Boolean Check Red Hat Enterprise Linux 7 The SELinux "virt_sandbox_use_netlink" boolean should be set in the system configuration. SELinux "virt_sandbox_use_sys_admin" Boolean Check Red Hat Enterprise Linux 7 The SELinux "virt_sandbox_use_sys_admin" boolean should be set in the system configuration. SELinux "virt_transition_userdomain" Boolean Check Red Hat Enterprise Linux 7 The SELinux "virt_transition_userdomain" boolean should be set in the system configuration. SELinux "virt_use_comm" Boolean Check Red Hat Enterprise Linux 7 The SELinux "virt_use_comm" boolean should be set in the system configuration. SELinux "virt_use_execmem" Boolean Check Red Hat Enterprise Linux 7 The SELinux "virt_use_execmem" boolean should be set in the system configuration. SELinux "virt_use_fusefs" Boolean Check Red Hat Enterprise Linux 7 The SELinux "virt_use_fusefs" boolean should be set in the system configuration. SELinux "virt_use_nfs" Boolean Check Red Hat Enterprise Linux 7 The SELinux "virt_use_nfs" boolean should be set in the system configuration. SELinux "virt_use_rawip" Boolean Check Red Hat Enterprise Linux 7 The SELinux "virt_use_rawip" boolean should be set in the system configuration. 
SELinux "virt_use_samba" Boolean Check Red Hat Enterprise Linux 7 The SELinux "virt_use_samba" boolean should be set in the system configuration. SELinux "virt_use_sanlock" Boolean Check Red Hat Enterprise Linux 7 The SELinux "virt_use_sanlock" boolean should be set in the system configuration. SELinux "virt_use_usb" Boolean Check Red Hat Enterprise Linux 7 The SELinux "virt_use_usb" boolean should be set in the system configuration. SELinux "virt_use_xserver" Boolean Check Red Hat Enterprise Linux 7 The SELinux "virt_use_xserver" boolean should be set in the system configuration. SELinux "webadm_manage_user_files" Boolean Check Red Hat Enterprise Linux 7 The SELinux "webadm_manage_user_files" boolean should be set in the system configuration. SELinux "webadm_read_user_files" Boolean Check Red Hat Enterprise Linux 7 The SELinux "webadm_read_user_files" boolean should be set in the system configuration. SELinux "wine_mmap_zero_ignore" Boolean Check Red Hat Enterprise Linux 7 The SELinux "wine_mmap_zero_ignore" boolean should be set in the system configuration. SELinux "xdm_bind_vnc_tcp_port" Boolean Check Red Hat Enterprise Linux 7 The SELinux "xdm_bind_vnc_tcp_port" boolean should be set in the system configuration. SELinux "xdm_exec_bootloader" Boolean Check Red Hat Enterprise Linux 7 The SELinux "xdm_exec_bootloader" boolean should be set in the system configuration. SELinux "xdm_sysadm_login" Boolean Check Red Hat Enterprise Linux 7 The SELinux "xdm_sysadm_login" boolean should be set in the system configuration. SELinux "xdm_write_home" Boolean Check Red Hat Enterprise Linux 7 The SELinux "xdm_write_home" boolean should be set in the system configuration. SELinux "xen_use_nfs" Boolean Check Red Hat Enterprise Linux 7 The SELinux "xen_use_nfs" boolean should be set in the system configuration. SELinux "xend_run_blktap" Boolean Check Red Hat Enterprise Linux 7 The SELinux "xend_run_blktap" boolean should be set in the system configuration. 
SELinux "xend_run_qemu" Boolean Check Red Hat Enterprise Linux 7 The SELinux "xend_run_qemu" boolean should be set in the system configuration. SELinux "xguest_connect_network" Boolean Check Red Hat Enterprise Linux 7 The SELinux "xguest_connect_network" boolean should be set in the system configuration. SELinux "xguest_exec_content" Boolean Check Red Hat Enterprise Linux 7 The SELinux "xguest_exec_content" boolean should be set in the system configuration. SELinux "xguest_mount_media" Boolean Check Red Hat Enterprise Linux 7 The SELinux "xguest_mount_media" boolean should be set in the system configuration. SELinux "xguest_use_bluetooth" Boolean Check Red Hat Enterprise Linux 7 The SELinux "xguest_use_bluetooth" boolean should be set in the system configuration. SELinux "xserver_clients_write_xshm" Boolean Check Red Hat Enterprise Linux 7 The SELinux "xserver_clients_write_xshm" boolean should be set in the system configuration. SELinux "xserver_execmem" Boolean Check Red Hat Enterprise Linux 7 The SELinux "xserver_execmem" boolean should be set in the system configuration. SELinux "xserver_object_manager" Boolean Check Red Hat Enterprise Linux 7 The SELinux "xserver_object_manager" boolean should be set in the system configuration. SELinux "zabbix_can_network" Boolean Check Red Hat Enterprise Linux 7 The SELinux "zabbix_can_network" boolean should be set in the system configuration. SELinux "zarafa_setrlimit" Boolean Check Red Hat Enterprise Linux 7 The SELinux "zarafa_setrlimit" boolean should be set in the system configuration. SELinux "zebra_write_config" Boolean Check Red Hat Enterprise Linux 7 The SELinux "zebra_write_config" boolean should be set in the system configuration. SELinux "zoneminder_anon_write" Boolean Check Red Hat Enterprise Linux 7 The SELinux "zoneminder_anon_write" boolean should be set in the system configuration. 
SELinux "zoneminder_run_sudo" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "zoneminder_run_sudo" boolean should be set in the system configuration.
Service abrtd Disabled | Red Hat Enterprise Linux 7 | The abrtd service should be disabled if possible.
Service acpid Disabled | Red Hat Enterprise Linux 7 | The acpid service should be disabled if possible.
Service atd Disabled | Red Hat Enterprise Linux 7 | The atd service should be disabled if possible.
Service auditd Enabled | Red Hat Enterprise Linux 7 | The auditd service should be enabled if possible.
Service autofs Disabled | Red Hat Enterprise Linux 7 | The autofs service should be disabled if possible.
Service avahi-daemon Disabled | Red Hat Enterprise Linux 7 | The avahi-daemon service should be disabled if possible.
Service bluetooth Disabled | Red Hat Enterprise Linux 7 | The bluetooth service should be disabled if possible.
Service certmonger Disabled | Red Hat Enterprise Linux 7 | The certmonger service should be disabled if possible.
Service cgconfig Disabled | Red Hat Enterprise Linux 7 | The cgconfig service should be disabled if possible.
Service cgred Disabled | Red Hat Enterprise Linux 7 | The cgred service should be disabled if possible.
Service chronyd Enabled | Red Hat Enterprise Linux 7 | The chronyd service should be enabled if possible.
Service cpupower Disabled | Red Hat Enterprise Linux 7 | The cpupower service should be disabled if possible.
Service crond Enabled | Red Hat Enterprise Linux 7 | The crond service should be enabled if possible.
Service cups Disabled | Red Hat Enterprise Linux 7 | The cups service should be disabled if possible.
Service debug-shell Disabled | Red Hat Enterprise Linux 7 | The debug-shell service should be disabled if possible.
Service dhcpd Disabled | Red Hat Enterprise Linux 7 | The dhcpd service should be disabled if possible.
Service docker Enabled | Red Hat Enterprise Linux 7 | The docker service should be enabled if possible.
Service dovecot Disabled | Red Hat Enterprise Linux 7 | The dovecot service should be disabled if possible.
Service firewalld Enabled | Red Hat Enterprise Linux 7 | The firewalld service should be enabled if possible.
Service httpd Disabled | Red Hat Enterprise Linux 7 | The httpd service should be disabled if possible.
Service irqbalance Enabled | Red Hat Enterprise Linux 7 | The irqbalance service should be enabled if possible.
Service kdump Disabled | Red Hat Enterprise Linux 7 | The kdump service should be disabled if possible.
Service mdmonitor Disabled | Red Hat Enterprise Linux 7 | The mdmonitor service should be disabled if possible.
Service messagebus Disabled | Red Hat Enterprise Linux 7 | The messagebus service should be disabled if possible.
Service named Disabled | Red Hat Enterprise Linux 7 | The named service should be disabled if possible.
Service nfs Disabled | Red Hat Enterprise Linux 7 | The nfs service should be disabled if possible.
Service nfslock Disabled | Red Hat Enterprise Linux 7 | The nfslock service should be disabled if possible.
Service ntpd Disabled | Red Hat Enterprise Linux 7 | The ntpd service should be disabled if possible.
Service ntpd Enabled | Red Hat Enterprise Linux 7 | The ntpd service should be enabled if possible.
Service ntpdate Disabled | Red Hat Enterprise Linux 7 | The ntpdate service should be disabled if possible.
Service oddjobd Disabled | Red Hat Enterprise Linux 7 | The oddjobd service should be disabled if possible.
Service pcscd Enabled | Red Hat Enterprise Linux 7 | The pcscd service should be enabled if possible.
Service portreserve Disabled | Red Hat Enterprise Linux 7 | The portreserve service should be disabled if possible.
Service postfix Enabled | Red Hat Enterprise Linux 7 | The postfix service should be enabled if possible.
Service psacct Enabled | Red Hat Enterprise Linux 7 | The psacct service should be enabled if possible.
Service qpidd Disabled | Red Hat Enterprise Linux 7 | The qpidd service should be disabled if possible.
Service quota_nld Disabled | Red Hat Enterprise Linux 7 | The quota_nld service should be disabled if possible.
Service rdisc Disabled | Red Hat Enterprise Linux 7 | The rdisc service should be disabled if possible.
Service rexec Disabled | Red Hat Enterprise Linux 7 | The rexec service should be disabled if possible.
Service rhnsd Disabled | Red Hat Enterprise Linux 7 | The rhnsd service should be disabled if possible.
Service rhsmcertd Disabled | Red Hat Enterprise Linux 7 | The rhsmcertd service should be disabled if possible.
Service rlogin Disabled | Red Hat Enterprise Linux 7 | The rlogin service should be disabled if possible.
Service rpcbind Disabled | Red Hat Enterprise Linux 7 | The rpcbind service should be disabled if possible.
Service rpcgssd Disabled | Red Hat Enterprise Linux 7 | The rpcgssd service should be disabled if possible.
Service rpcidmapd Disabled | Red Hat Enterprise Linux 7 | The rpcidmapd service should be disabled if possible.
Service rpcsvcgssd Disabled | Red Hat Enterprise Linux 7 | The rpcsvcgssd service should be disabled if possible.
Service rsh Disabled | Red Hat Enterprise Linux 7 | The rsh service should be disabled if possible.
Service rsyslog Enabled | Red Hat Enterprise Linux 7 | The rsyslog service should be enabled if possible.
Service saslauthd Disabled | Red Hat Enterprise Linux 7 | The saslauthd service should be disabled if possible.
Service smartd Disabled | Red Hat Enterprise Linux 7 | The smartd service should be disabled if possible.
Service smb Disabled | Red Hat Enterprise Linux 7 | The smb service should be disabled if possible.
Service snmpd Disabled | Red Hat Enterprise Linux 7 | The snmpd service should be disabled if possible.
Service squid Disabled | Red Hat Enterprise Linux 7 | The squid service should be disabled if possible.
Service sshd Disabled | Red Hat Enterprise Linux 7 | The sshd service should be disabled if possible.
Service sshd Enabled | Red Hat Enterprise Linux 7 | The sshd service should be enabled if possible.
Service sssd Disabled | Red Hat Enterprise Linux 7 | The sssd service should be disabled if possible.
Service sssd Enabled | Red Hat Enterprise Linux 7 | The sssd service should be enabled if possible.
Service sysstat Disabled | Red Hat Enterprise Linux 7 | The sysstat service should be disabled if possible.
Service telnet Disabled | Red Hat Enterprise Linux 7 | The telnet service should be disabled if possible.
Service tftp Disabled | Red Hat Enterprise Linux 7 | The tftp service should be disabled if possible.
Service vsftpd Disabled | Red Hat Enterprise Linux 7 | The vsftpd service should be disabled if possible.
Service xinetd Disabled | Red Hat Enterprise Linux 7 | The xinetd service should be disabled if possible.
Service ypbind Disabled | Red Hat Enterprise Linux 7 | The ypbind service should be disabled if possible.
Service zebra Disabled | Red Hat Enterprise Linux 7 | The zebra service should be disabled if possible.
Kernel "fs.suid_dumpable" Parameter Configuration and Runtime Check | Red Hat Enterprise Linux 7 | The "fs.suid_dumpable" kernel parameter should be set to the appropriate value in both system configuration and system runtime.
Kernel "kernel.dmesg_restrict" Parameter Configuration and Runtime Check | Red Hat Enterprise Linux 7 | The "kernel.dmesg_restrict" kernel parameter should be set to the appropriate value in both system configuration and system runtime.
Kernel "kernel.kexec_load_disabled" Parameter Configuration and Runtime Check | Red Hat Enterprise Linux 7 | The "kernel.kexec_load_disabled" kernel parameter should be set to the appropriate value in both system configuration and system runtime.
Kernel "kernel.kptr_restrict" Parameter Configuration and Runtime Check | Red Hat Enterprise Linux 7 | The "kernel.kptr_restrict" kernel parameter should be set to the appropriate value in both system configuration and system runtime.
Kernel "kernel.randomize_va_space" Parameter Configuration and Runtime Check | Red Hat Enterprise Linux 7 | The "kernel.randomize_va_space" kernel parameter should be set to the appropriate value in both system configuration and system runtime.
Kernel "kernel.yama.ptrace_scope" Parameter Configuration and Runtime Check | Red Hat Enterprise Linux 7 | The "kernel.yama.ptrace_scope" kernel parameter should be set to the appropriate value in both system configuration and system runtime.
Kernel "net.ipv4.conf.all.accept_redirects" Parameter Configuration and Runtime Check | Red Hat Enterprise Linux 7 | The "net.ipv4.conf.all.accept_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime.
Kernel "net.ipv4.conf.all.accept_source_route" Parameter Configuration and Runtime Check | Red Hat Enterprise Linux 7 | The "net.ipv4.conf.all.accept_source_route" kernel parameter should be set to the appropriate value in both system configuration and system runtime.
Kernel "net.ipv4.conf.all.log_martians" Parameter Configuration and Runtime Check | Red Hat Enterprise Linux 7 | The "net.ipv4.conf.all.log_martians" kernel parameter should be set to the appropriate value in both system configuration and system runtime.
Kernel "net.ipv4.conf.all.rp_filter" Parameter Configuration and Runtime Check | Red Hat Enterprise Linux 7 | The "net.ipv4.conf.all.rp_filter" kernel parameter should be set to the appropriate value in both system configuration and system runtime.
Kernel "net.ipv4.conf.all.secure_redirects" Parameter Configuration and Runtime Check | Red Hat Enterprise Linux 7 | The "net.ipv4.conf.all.secure_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime.
Kernel "net.ipv4.conf.all.send_redirects" Parameter Configuration and Runtime Check | Red Hat Enterprise Linux 7 | The "net.ipv4.conf.all.send_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime.
Kernel "net.ipv4.conf.default.accept_redirects" Parameter Configuration and Runtime Check | Red Hat Enterprise Linux 7 | The "net.ipv4.conf.default.accept_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime.
Kernel "net.ipv4.conf.default.accept_source_route" Parameter Configuration and Runtime Check | Red Hat Enterprise Linux 7 | The "net.ipv4.conf.default.accept_source_route" kernel parameter should be set to the appropriate value in both system configuration and system runtime.
Kernel "net.ipv4.conf.default.log_martians" Parameter Configuration and Runtime Check | Red Hat Enterprise Linux 7 | The "net.ipv4.conf.default.log_martians" kernel parameter should be set to the appropriate value in both system configuration and system runtime.
Kernel "net.ipv4.conf.default.rp_filter" Parameter Configuration and Runtime Check | Red Hat Enterprise Linux 7 | The "net.ipv4.conf.default.rp_filter" kernel parameter should be set to the appropriate value in both system configuration and system runtime.
Kernel "net.ipv4.conf.default.secure_redirects" Parameter Configuration and Runtime Check | Red Hat Enterprise Linux 7 | The "net.ipv4.conf.default.secure_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime.
Kernel "net.ipv4.conf.default.send_redirects" Parameter Configuration and Runtime Check | Red Hat Enterprise Linux 7 | The "net.ipv4.conf.default.send_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime.
Kernel "net.ipv4.icmp_echo_ignore_broadcasts" Parameter Configuration and Runtime Check | Red Hat Enterprise Linux 7 | The "net.ipv4.icmp_echo_ignore_broadcasts" kernel parameter should be set to the appropriate value in both system configuration and system runtime.
Kernel "net.ipv4.icmp_ignore_bogus_error_responses" Parameter Configuration and Runtime Check | Red Hat Enterprise Linux 7 | The "net.ipv4.icmp_ignore_bogus_error_responses" kernel parameter should be set to the appropriate value in both system configuration and system runtime.
Kernel "net.ipv4.ip_forward" Parameter Configuration and Runtime Check | Red Hat Enterprise Linux 7 | The "net.ipv4.ip_forward" kernel parameter should be set to the appropriate value in both system configuration and system runtime.
Kernel "net.ipv4.tcp_syncookies" Parameter Configuration and Runtime Check | Red Hat Enterprise Linux 7 | The "net.ipv4.tcp_syncookies" kernel parameter should be set to the appropriate value in both system configuration and system runtime.
Kernel "net.ipv6.conf.all.accept_ra" Parameter Configuration and Runtime Check | Red Hat Enterprise Linux 7 | The "net.ipv6.conf.all.accept_ra" kernel parameter should be set to the appropriate value in both system configuration and system runtime.
Kernel "net.ipv6.conf.all.accept_redirects" Parameter Configuration and Runtime Check | Red Hat Enterprise Linux 7 | The "net.ipv6.conf.all.accept_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime.
Kernel "net.ipv6.conf.all.accept_source_route" Parameter Configuration and Runtime Check | Red Hat Enterprise Linux 7 | The "net.ipv6.conf.all.accept_source_route" kernel parameter should be set to the appropriate value in both system configuration and system runtime.
Kernel "net.ipv6.conf.all.disable_ipv6" Parameter Configuration and Runtime Check | Red Hat Enterprise Linux 7 | The "net.ipv6.conf.all.disable_ipv6" kernel parameter should be set to the appropriate value in both system configuration and system runtime.
Kernel "net.ipv6.conf.all.forwarding" Parameter Configuration and Runtime Check | Red Hat Enterprise Linux 7 | The "net.ipv6.conf.all.forwarding" kernel parameter should be set to the appropriate value in both system configuration and system runtime.
Kernel "net.ipv6.conf.default.accept_ra" Parameter Configuration and Runtime Check | Red Hat Enterprise Linux 7 | The "net.ipv6.conf.default.accept_ra" kernel parameter should be set to the appropriate value in both system configuration and system runtime.
Kernel "net.ipv6.conf.default.accept_redirects" Parameter Configuration and Runtime Check | Red Hat Enterprise Linux 7 | The "net.ipv6.conf.default.accept_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime.
Kernel "net.ipv6.conf.default.accept_source_route" Parameter Configuration and Runtime Check | Red Hat Enterprise Linux 7 | The "net.ipv6.conf.default.accept_source_route" kernel parameter should be set to the appropriate value in both system configuration and system runtime.
Kernel "fs.suid_dumpable" Parameter Runtime Check | Red Hat Enterprise Linux 7 | The kernel "fs.suid_dumpable" parameter should be set to "0" in system runtime.
Kernel "kernel.dmesg_restrict" Parameter Runtime Check | Red Hat Enterprise Linux 7 | The kernel "kernel.dmesg_restrict" parameter should be set to "1" in system runtime.
Kernel "kernel.kexec_load_disabled" Parameter Runtime Check | Red Hat Enterprise Linux 7 | The kernel "kernel.kexec_load_disabled" parameter should be set to "1" in system runtime.
Kernel "kernel.kptr_restrict" Parameter Runtime Check | Red Hat Enterprise Linux 7 | The kernel "kernel.kptr_restrict" parameter should be set to "1" in system runtime.
Kernel "kernel.randomize_va_space" Parameter Runtime Check | Red Hat Enterprise Linux 7 | The kernel "kernel.randomize_va_space" parameter should be set to "2" in system runtime.
Kernel "kernel.yama.ptrace_scope" Parameter Runtime Check | Red Hat Enterprise Linux 7 | The kernel "kernel.yama.ptrace_scope" parameter should be set to "1" in system runtime.
Kernel "net.ipv4.conf.all.accept_redirects" Parameter Runtime Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv4.conf.all.accept_redirects" parameter should be set to the appropriate value in system runtime.
Kernel "net.ipv4.conf.all.accept_source_route" Parameter Runtime Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv4.conf.all.accept_source_route" parameter should be set to the appropriate value in system runtime.
Kernel "net.ipv4.conf.all.log_martians" Parameter Runtime Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv4.conf.all.log_martians" parameter should be set to the appropriate value in system runtime.
Kernel "net.ipv4.conf.all.rp_filter" Parameter Runtime Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv4.conf.all.rp_filter" parameter should be set to the appropriate value in system runtime.
Kernel "net.ipv4.conf.all.secure_redirects" Parameter Runtime Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv4.conf.all.secure_redirects" parameter should be set to the appropriate value in system runtime.
Kernel "net.ipv4.conf.all.send_redirects" Parameter Runtime Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv4.conf.all.send_redirects" parameter should be set to "0" in system runtime.
Kernel "net.ipv4.conf.default.accept_redirects" Parameter Runtime Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv4.conf.default.accept_redirects" parameter should be set to the appropriate value in system runtime.
Kernel "net.ipv4.conf.default.accept_source_route" Parameter Runtime Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv4.conf.default.accept_source_route" parameter should be set to the appropriate value in system runtime.
Kernel "net.ipv4.conf.default.log_martians" Parameter Runtime Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv4.conf.default.log_martians" parameter should be set to the appropriate value in system runtime.
Kernel "net.ipv4.conf.default.rp_filter" Parameter Runtime Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv4.conf.default.rp_filter" parameter should be set to the appropriate value in system runtime.
Kernel "net.ipv4.conf.default.secure_redirects" Parameter Runtime Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv4.conf.default.secure_redirects" parameter should be set to the appropriate value in system runtime.
Kernel "net.ipv4.conf.default.send_redirects" Parameter Runtime Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv4.conf.default.send_redirects" parameter should be set to "0" in system runtime.
Kernel "net.ipv4.icmp_echo_ignore_broadcasts" Parameter Runtime Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv4.icmp_echo_ignore_broadcasts" parameter should be set to the appropriate value in system runtime.
Kernel "net.ipv4.icmp_ignore_bogus_error_responses" Parameter Runtime Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv4.icmp_ignore_bogus_error_responses" parameter should be set to the appropriate value in system runtime.
Kernel "net.ipv4.ip_forward" Parameter Runtime Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv4.ip_forward" parameter should be set to "0" in system runtime.
Kernel "net.ipv4.tcp_syncookies" Parameter Runtime Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv4.tcp_syncookies" parameter should be set to the appropriate value in system runtime.
Kernel "net.ipv6.conf.all.accept_ra" Parameter Runtime Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv6.conf.all.accept_ra" parameter should be set to the appropriate value in system runtime.
Kernel "net.ipv6.conf.all.accept_redirects" Parameter Runtime Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv6.conf.all.accept_redirects" parameter should be set to the appropriate value in system runtime.
Kernel "net.ipv6.conf.all.accept_source_route" Parameter Runtime Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv6.conf.all.accept_source_route" parameter should be set to the appropriate value in system runtime.
Kernel "net.ipv6.conf.all.disable_ipv6" Parameter Runtime Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv6.conf.all.disable_ipv6" parameter should be set to "1" in system runtime.
Kernel "net.ipv6.conf.all.forwarding" Parameter Runtime Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv6.conf.all.forwarding" parameter should be set to the appropriate value in system runtime.
Kernel "net.ipv6.conf.default.accept_ra" Parameter Runtime Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv6.conf.default.accept_ra" parameter should be set to the appropriate value in system runtime.
Kernel "net.ipv6.conf.default.accept_redirects" Parameter Runtime Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv6.conf.default.accept_redirects" parameter should be set to the appropriate value in system runtime.
Kernel "net.ipv6.conf.default.accept_source_route" Parameter Runtime Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv6.conf.default.accept_source_route" parameter should be set to the appropriate value in system runtime.
Kernel "fs.suid_dumpable" Parameter Configuration Check | Red Hat Enterprise Linux 7 | The kernel "fs.suid_dumpable" parameter should be set to "0" in the system configuration.
Kernel "kernel.dmesg_restrict" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "kernel.dmesg_restrict" parameter should be set to "1" in the system configuration. Kernel "kernel.kexec_load_disabled" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "kernel.kexec_load_disabled" parameter should be set to "1" in the system configuration. Kernel "kernel.kptr_restrict" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "kernel.kptr_restrict" parameter should be set to "1" in the system configuration. Kernel "kernel.randomize_va_space" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "kernel.randomize_va_space" parameter should be set to "2" in the system configuration. Kernel "kernel.yama.ptrace_scope" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "kernel.yama.ptrace_scope" parameter should be set to "1" in the system configuration. Kernel "net.ipv4.conf.all.accept_redirects" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.all.accept_redirects" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv4.conf.all.accept_source_route" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.all.accept_source_route" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv4.conf.all.log_martians" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.all.log_martians" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv4.conf.all.rp_filter" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.all.rp_filter" parameter should be set to the appropriate value in the system configuration. 
Kernel "net.ipv4.conf.all.secure_redirects" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.all.secure_redirects" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv4.conf.all.send_redirects" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.all.send_redirects" parameter should be set to "0" in the system configuration. Kernel "net.ipv4.conf.default.accept_redirects" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.default.accept_redirects" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv4.conf.default.accept_source_route" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.default.accept_source_route" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv4.conf.default.log_martians" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.default.log_martians" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv4.conf.default.rp_filter" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.default.rp_filter" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv4.conf.default.secure_redirects" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.default.secure_redirects" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv4.conf.default.send_redirects" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.default.send_redirects" parameter should be set to "0" in the system configuration. 
Kernel "net.ipv4.icmp_echo_ignore_broadcasts" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.icmp_echo_ignore_broadcasts" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv4.icmp_ignore_bogus_error_responses" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.icmp_ignore_bogus_error_responses" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv4.ip_forward" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.ip_forward" parameter should be set to "0" in the system configuration. Kernel "net.ipv4.tcp_syncookies" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.tcp_syncookies" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv6.conf.all.accept_ra" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "net.ipv6.conf.all.accept_ra" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv6.conf.all.accept_redirects" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "net.ipv6.conf.all.accept_redirects" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv6.conf.all.accept_source_route" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "net.ipv6.conf.all.accept_source_route" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv6.conf.all.disable_ipv6" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "net.ipv6.conf.all.disable_ipv6" parameter should be set to "1" in the system configuration. Kernel "net.ipv6.conf.all.forwarding" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "net.ipv6.conf.all.forwarding" parameter should be set to the appropriate value in the system configuration. 
Kernel "net.ipv6.conf.default.accept_ra" Parameter Configuration Check (Red Hat Enterprise Linux 7): The kernel "net.ipv6.conf.default.accept_ra" parameter should be set to the appropriate value in the system configuration.
Kernel "net.ipv6.conf.default.accept_redirects" Parameter Configuration Check (Red Hat Enterprise Linux 7): The kernel "net.ipv6.conf.default.accept_redirects" parameter should be set to the appropriate value in the system configuration.
Kernel "net.ipv6.conf.default.accept_source_route" Parameter Configuration Check (Red Hat Enterprise Linux 7): The kernel "net.ipv6.conf.default.accept_source_route" parameter should be set to the appropriate value in the system configuration.
Check pam_pwquality Existence in system-auth (Red Hat Enterprise Linux 7): Check that pam_pwquality.so exists in system-auth.
Record Any Attempts to Run semanage (Red Hat Enterprise Linux 7): Test if auditctl is in use for audit rules.
Record Any Attempts to Run semanage (Red Hat Enterprise Linux 7): Test if augenrules is enabled for audit rules.
Record Events that Modify the System's Network Environment (Red Hat Enterprise Linux 7): The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.
Record Events that Modify the System's Network Environment (Red Hat Enterprise Linux 7): The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.
'log_group' Not Set To 'root' In /etc/audit/auditd.conf (Red Hat Enterprise Linux 7): Verify 'log_group' is not set to 'root' in /etc/audit/auditd.conf.
Verify GRUB_DISABLE_RECOVERY Set to true (Red Hat Enterprise Linux 7): GRUB_DISABLE_RECOVERY set to 'true' in /etc/default/grub.
Specify Multiple Remote chronyd NTP Servers for Time Data (Red Hat Enterprise Linux 7): Multiple chronyd NTP Servers for time synchronization should be specified.
Specify a Remote NTP Server for Time Data (Red Hat Enterprise Linux 7): A remote NTP Server for time synchronization should be specified (and dependencies are met).
GRUB_CMDLINE_LINUX_DEFAULT existence check (Red Hat Enterprise Linux 7): Check if GRUB_CMDLINE_LINUX_DEFAULT exists in /etc/default/grub.
Install McAfee Host-Based Intrusion Detection Software (HBSS) (Red Hat Enterprise Linux 7): McAfee Host-Based Intrusion Detection Software (HBSS) software should be installed.
CentOS 6 (Red Hat Enterprise Linux 7): The operating system installed on the system is CentOS 6.
CentOS 7 (Red Hat Enterprise Linux 7): The operating system installed on the system is CentOS 7.
CentOS 8 (Red Hat Enterprise Linux 7): The operating system installed on the system is CentOS 8.
Debian 8 (Red Hat Enterprise Linux 7): The operating system installed on the system is Debian 8.
Installed operating system is Fedora (Red Hat Enterprise Linux 7): The operating system installed on the system is Fedora.
Oracle Linux 6 (Red Hat Enterprise Linux 7): The operating system installed on the system is Oracle Linux 6.
Oracle Linux 7 (Red Hat Enterprise Linux 7): The operating system installed on the system is Oracle Linux 7.
Oracle Linux 8 (Red Hat Enterprise Linux 7): The operating system installed on the system is Oracle Linux 8.
openSUSE (Red Hat Enterprise Linux 7): The operating system installed on the system is openSUSE.
openSUSE Leap 15 (Red Hat Enterprise Linux 7): The operating system installed on the system is openSUSE Leap 15.
openSUSE Leap 42 (Red Hat Enterprise Linux 7): The operating system installed on the system is openSUSE Leap 42.
Installed operating system is part of the Unix family (Red Hat Enterprise Linux 7): The operating system installed on the system is part of the Unix OS family.
Red Hat Enterprise Linux 6 (Red Hat Enterprise Linux 7): The operating system installed on the system is Red Hat Enterprise Linux 6.
Red Hat Enterprise Linux 7 (Red Hat Enterprise Linux 7): The operating system installed on the system is Red Hat Enterprise Linux 7.
Red Hat Enterprise Linux 8 (Red Hat Enterprise Linux 7): The operating system installed on the system is Red Hat Enterprise Linux 8.
Red Hat Virtualization 4 (Red Hat Enterprise Linux 7): The operating system installed on the system is Red Hat Virtualization Host 4 or Red Hat Enterprise Host.
Scientific Linux 6 (Red Hat Enterprise Linux 7): The operating system installed on the system is Scientific Linux 6.
Scientific Linux 7 (Red Hat Enterprise Linux 7): The operating system installed on the system is Scientific Linux 7.
Scientific Linux 8 (Red Hat Enterprise Linux 7): The operating system installed on the system is Scientific Linux 8.
SUSE Linux Enterprise 11 (Red Hat Enterprise Linux 7): The operating system installed on the system is SUSE Linux Enterprise 11.
SUSE Linux Enterprise 12 (Red Hat Enterprise Linux 7): The operating system installed on the system is SUSE Linux Enterprise 12.
Ubuntu (Red Hat Enterprise Linux 7): The operating system installed is an Ubuntu system.
Ubuntu 1404 (Red Hat Enterprise Linux 7): The operating system installed on the system is Ubuntu 1404.
Ubuntu 1604 (Red Hat Enterprise Linux 7): The operating system installed on the system is Ubuntu 1604.
Ubuntu 1804 (Red Hat Enterprise Linux 7): The operating system installed on the system is Ubuntu 1804.
WRLinux (Red Hat Enterprise Linux 7): The operating system installed on the system is Wind River Linux.
Red Hat OpenShift Container Platform (Red Hat Enterprise Linux 7): The application installed on the system is OpenShift 3.
Red Hat OpenStack Platform (Red Hat Enterprise Linux 7): The application installed on the system is Red Hat OpenStack Platform 13.
Red Hat Virtualization 4 (Red Hat Enterprise Linux 7): The application installed on the system is Red Hat Virtualization 4.
Package gdm is installed (Red Hat Enterprise Linux 7): Checks if package gdm is installed.
Package libuser is installed (Red Hat Enterprise Linux 7): Checks if package libuser is installed.
Package nss-pam-ldapd is installed (Red Hat Enterprise Linux 7): Checks if package nss-pam-ldapd is installed.
Package pam is installed (Red Hat Enterprise Linux 7): Checks if package pam is installed.
Package shadow-utils is installed (Red Hat Enterprise Linux 7): Checks if package shadow-utils is installed.
Package systemd is installed (Red Hat Enterprise Linux 7): Checks if package systemd is installed.
Package yum is installed (Red Hat Enterprise Linux 7): Checks if package yum is installed.
Check if the scan target is a container (Red Hat Enterprise Linux 7): Check if the file /.dockerenv exists; if it does, the target is considered to be a docker filesystem.
Check if the scan target is a machine (Red Hat Enterprise Linux 7): Check if the file /.dockerenv exists; if it doesn't, the target is considered to be a host filesystem or virtual machine.
No CD/DVD drive is configured to automount in /etc/fstab (Red Hat Enterprise Linux 7): Check /etc/fstab to verify that no CD/DVD drive is configured for automount.
Device Files for Removable Media Partitions Does Not Exist on the System (Red Hat Enterprise Linux 7): Verify whether device files representing removable partitions exist on the system.
SSHD is not required to be installed or requirement not set (Red Hat Enterprise Linux 7): If SSHD is not required, we check that it is not installed. If the SSH requirement is unset, we are good.
SSHD is required to be installed or requirement not set (Red Hat Enterprise Linux 7): If SSHD is required, we check that it is installed. If the SSH requirement is unset, we are good.
It doesn't matter if sshd is installed or not (Red Hat Enterprise Linux 7): Test if the value of sshd_required is 0.
OpenSSH Server is 7.4 or newer (Red Hat Enterprise Linux 7): Check if the version of OpenSSH Server is 7.4 or higher.
Verify The SSSD Configuration File Exists (Red Hat Enterprise Linux 7): The /etc/sssd/sssd.conf file should exist if it is in use.
Kernel Runtime Parameter IPv6 Check (Red Hat Enterprise Linux 7): Disables IPv6 for all network interfaces.
Test for 64-bit Architecture (Red Hat Enterprise Linux 7): Generic test for 64-bit architectures to be used by other tests.
Test for aarch_64 Architecture (Red Hat Enterprise Linux 7): Generic test for aarch_64 architecture to be used by other tests.
Test for PPC and PPCLE Architecture (Red Hat Enterprise Linux 7): Generic test for PPC and PPC64LE architectures to be used by other tests.
Test for x86 Architecture (Red Hat Enterprise Linux 7): Generic test for x86 architecture to be used by other tests.
Test for x86_64 Architecture (Red Hat Enterprise Linux 7): Generic test for x86_64 architecture to be used by other tests.
Value of 'var_accounts_user_umask' variable represented as octal number (Red Hat Enterprise Linux 7): Value of 'var_accounts_user_umask' variable represented as an octal number.
Value of 'var_removable_partition' variable is set to '/dev/cdrom' (Red Hat Enterprise Linux 7): Verify if the value of the 'var_removable_partition' variable is set to '/dev/cdrom'.
Value of 'var_umask_for_daemons' variable represented as octal number (Red Hat Enterprise Linux 7): Value of 'var_umask_for_daemons' variable represented as an octal number.
Audit Discretionary Access Control Modification Events - chmod (Red Hat Enterprise Linux 7): The changing of file permissions and attributes should be audited.
Audit Discretionary Access Control Modification Events - chown (Red Hat Enterprise Linux 7): The changing of file permissions and attributes should be audited.
Audit Discretionary Access Control Modification Events - fchmod (Red Hat Enterprise Linux 7): The changing of file permissions and attributes should be audited.
Audit Discretionary Access Control Modification Events - fchmodat (Red Hat Enterprise Linux 7): The changing of file permissions and attributes should be audited.
Audit Discretionary Access Control Modification Events - fchown (Red Hat Enterprise Linux 7): The changing of file permissions and attributes should be audited.
Audit Discretionary Access Control Modification Events - fchownat (Red Hat Enterprise Linux 7): The changing of file permissions and attributes should be audited.
Audit Discretionary Access Control Modification Events - fremovexattr (Red Hat Enterprise Linux 7): The changing of file permissions and attributes should be audited.
Audit Discretionary Access Control Modification Events - fsetxattr (Red Hat Enterprise Linux 7): The changing of file permissions and attributes should be audited.
Audit Discretionary Access Control Modification Events - lchown (Red Hat Enterprise Linux 7): The changing of file permissions and attributes should be audited.
Audit Discretionary Access Control Modification Events - lremovexattr (Red Hat Enterprise Linux 7): The changing of file permissions and attributes should be audited.
Audit Discretionary Access Control Modification Events - lsetxattr (Red Hat Enterprise Linux 7): The changing of file permissions and attributes should be audited.
Audit Discretionary Access Control Modification Events - removexattr (Red Hat Enterprise Linux 7): The changing of file permissions and attributes should be audited.
Audit Discretionary Access Control Modification Events - setxattr (Red Hat Enterprise Linux 7): The changing of file permissions and attributes should be audited.
Ensure auditd Collects Write Events to /etc/group (Red Hat Enterprise Linux 7): Audit rules about the write events to /etc/group.
Ensure auditd Collects Write Events to /etc/group (Red Hat Enterprise Linux 7): Audit rules about the write events to /etc/group.
Ensure auditd Collects Write Events to /etc/group (Red Hat Enterprise Linux 7): Audit rules about the write events to /etc/group.
Ensure auditd Collects Write Events to /etc/passwd (Red Hat Enterprise Linux 7): Audit rules about the write events to /etc/passwd.
Ensure auditd Collects Write Events to /etc/passwd (Red Hat Enterprise Linux 7): Audit rules about the write events to /etc/passwd.
Ensure auditd Collects Write Events to /etc/passwd (Red Hat Enterprise Linux 7): Audit rules about the write events to /etc/passwd.
Record Any Attempts to Run chcon (Red Hat Enterprise Linux 7): Audit rules about the information on the use of chcon are enabled.
Record Any Attempts to Run restorecon (Red Hat Enterprise Linux 7): Audit rules about the information on the use of restorecon are enabled.
Record Any Attempts to Run semanage (Red Hat Enterprise Linux 7): Audit rules about the information on the use of semanage are enabled.
Record Any Attempts to Run setfiles (Red Hat Enterprise Linux 7): Audit rules about the information on the use of setfiles are enabled.
Record Any Attempts to Run setsebool (Red Hat Enterprise Linux 7): Audit rules about the information on the use of setsebool are enabled.
Record Any Attempts to Run seunshare (Red Hat Enterprise Linux 7): Audit rules about the information on the use of seunshare are enabled.
Audit File Deletion Events - rename (Red Hat Enterprise Linux 7): The deletion of files should be audited.
Audit File Deletion Events - renameat (Red Hat Enterprise Linux 7): The deletion of files should be audited.
Audit File Deletion Events - rmdir (Red Hat Enterprise Linux 7): The deletion of files should be audited.
Audit File Deletion Events - unlink (Red Hat Enterprise Linux 7): The deletion of files should be audited.
Audit File Deletion Events - unlinkat (Red Hat Enterprise Linux 7): The deletion of files should be audited.
Record Attempts to Alter Login and Logout Events - faillock (Red Hat Enterprise Linux 7): Audit rules should be configured to log successful and unsuccessful login and logout events.
Record Attempts to Alter Login and Logout Events - lastlog (Red Hat Enterprise Linux 7): Audit rules should be configured to log successful and unsuccessful login and logout events.
Record Attempts to Alter Login and Logout Events - tallylog (Red Hat Enterprise Linux 7): Audit rules should be configured to log successful and unsuccessful login and logout events.
Ensure auditd Collects Information on the Use of Privileged Commands - at (Red Hat Enterprise Linux 7): Audit rules about the information on the use of at are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - chage (Red Hat Enterprise Linux 7): Audit rules about the information on the use of chage are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - chsh (Red Hat Enterprise Linux 7): Audit rules about the information on the use of chsh are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - crontab (Red Hat Enterprise Linux 7): Audit rules about the information on the use of crontab are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd (Red Hat Enterprise Linux 7): Audit rules about the information on the use of gpasswd are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - mount (Red Hat Enterprise Linux 7): Audit rules about the information on the use of mount are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap (Red Hat Enterprise Linux 7): Audit rules about the information on the use of newgidmap are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - newgrp (Red Hat Enterprise Linux 7): Audit rules about the information on the use of newgrp are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap (Red Hat Enterprise Linux 7): Audit rules about the information on the use of newuidmap are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check (Red Hat Enterprise Linux 7): Audit rules about the information on the use of pam_timestamp_check are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - passwd (Red Hat Enterprise Linux 7): Audit rules about the information on the use of passwd are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - postdrop (Red Hat Enterprise Linux 7): Audit rules about the information on the use of postdrop are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - postqueue (Red Hat Enterprise Linux 7): Audit rules about the information on the use of postqueue are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown (Red Hat Enterprise Linux 7): Audit rules about the information on the use of pt_chown are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - ssh_keysign (Red Hat Enterprise Linux 7): Audit rules about the information on the use of ssh_keysign are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - su (Red Hat Enterprise Linux 7): Audit rules about the information on the use of su are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - sudo (Red Hat Enterprise Linux 7): Audit rules about the information on the use of sudo are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit (Red Hat Enterprise Linux 7): Audit rules about the information on the use of sudoedit are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - umount (Red Hat Enterprise Linux 7): Audit rules about the information on the use of umount are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd (Red Hat Enterprise Linux 7): Audit rules about the information on the use of unix_chkpwd are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - userhelper (Red Hat Enterprise Linux 7): Audit rules about the information on the use of userhelper are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl (Red Hat Enterprise Linux 7): Audit rules about the information on the use of usernetctl are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - chmod (Red Hat Enterprise Linux 7): Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - chown (Red Hat Enterprise Linux 7): Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - creat (Red Hat Enterprise Linux 7): Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - fchmod (Red Hat Enterprise Linux 7): Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - fchmodat (Red Hat Enterprise Linux 7): Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - fchown (Red Hat Enterprise Linux 7): Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - fchownat (Red Hat Enterprise Linux 7): Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - fremovexattr (Red Hat Enterprise Linux 7): Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - fsetxattr (Red Hat Enterprise Linux 7): Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - ftruncate (Red Hat Enterprise Linux 7): Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - lchown (Red Hat Enterprise Linux 7): Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - lremovexattr (Red Hat Enterprise Linux 7): Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - lsetxattr (Red Hat Enterprise Linux 7): Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - open (Red Hat Enterprise Linux 7): Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - open_by_handle_at (Red Hat Enterprise Linux 7): Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.
Ensure auditd Collects Information on Unsuccessful Creation Attempts to Files - open_by_handle_at o_creat (Red Hat Enterprise Linux 7): Audit rules about the information on the unsuccessful use of open_by_handle_at O_CREAT are enabled.
Ensure auditd Collects Information on Unsuccessful Creation Attempts to Files - open_by_handle_at o_trunc (Red Hat Enterprise Linux 7): Audit rules about the information on the unsuccessful use of open_by_handle_at O_TRUNC are enabled.
Ensure auditd Rules For Unauthorized Attempts To open_by_handle_at Are Ordered Correctly (Red Hat Enterprise Linux 7): Audit rules about the information on the unsuccessful use of open_by_handle_at are configured in the proper rule order.
Ensure auditd Collects Information on Unsuccessful Creation Attempts to Files - open o_creat (Red Hat Enterprise Linux 7): Audit rules about the information on the unsuccessful use of open O_CREAT are enabled.
Ensure auditd Collects Information on Unsuccessful Creation Attempts to Files - open o_trunc (Red Hat Enterprise Linux 7): Audit rules about the information on the unsuccessful use of open O_TRUNC are enabled.
Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly (Red Hat Enterprise Linux 7): Audit rules about the information on the unsuccessful use of open are configured in the proper rule order.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - openat (Red Hat Enterprise Linux 7): Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.
Ensure auditd Collects Information on Unsuccessful Creation Attempts to Files - openat o_creat (Red Hat Enterprise Linux 7): Audit rules about the information on the unsuccessful use of openat O_CREAT are enabled.
Ensure auditd Collects Information on Unsuccessful Creation Attempts to Files - openat o_trunc (Red Hat Enterprise Linux 7): Audit rules about the information on the unsuccessful use of openat O_TRUNC are enabled.
Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly (Red Hat Enterprise Linux 7): Audit rules about the information on the unsuccessful use of openat are configured in the proper rule order.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - removexattr (Red Hat Enterprise Linux 7): Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - rename (Red Hat Enterprise Linux 7): Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - renameat (Red Hat Enterprise Linux 7): Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - setxattr (Red Hat Enterprise Linux 7): Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - truncate (Red Hat Enterprise Linux 7): Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - unlink (Red Hat Enterprise Linux 7): Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - unlinkat (Red Hat Enterprise Linux 7): Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.
Audit User/Group Modification - group (Red Hat Enterprise Linux 7): Audit user/group modification.
Audit User/Group Modification - gshadow (Red Hat Enterprise Linux 7): Audit user/group modification.
Audit User/Group Modification - opasswd (Red Hat Enterprise Linux 7): Audit user/group modification.
Audit User/Group Modification - passwd (Red Hat Enterprise Linux 7): Audit user/group modification.
Audit User/Group Modification - shadow (Red Hat Enterprise Linux 7): Audit user/group modification.
Ensure GRUB 2 is configured to run Linux operating system with argument audit=1 (Red Hat Enterprise Linux 7): Look for argument audit=1 in the kernel line in /etc/default/grub.
Ensure GRUB 2 is configured to run Linux operating system with argument audit_backlog_limit=8192 (Red Hat Enterprise Linux 7): Look for argument audit_backlog_limit=8192 in the kernel line in /etc/default/grub.
Ensure GRUB 2 is configured to run Linux operating system with argument page_poison=1 (Red Hat Enterprise Linux 7): Look for argument page_poison=1 in the kernel line in /etc/default/grub.
Ensure GRUB 2 is configured to run Linux operating system with argument slub_debug=P (Red Hat Enterprise Linux 7): Look for argument slub_debug=P in the kernel line in /etc/default/grub.
Ensure GRUB 2 is configured to run Linux operating system with argument vsyscall=none (Red Hat Enterprise Linux 7): Look for argument vsyscall=none in the kernel line in /etc/default/grub.
Mount Remote Filesystems with nodev (Red Hat Enterprise Linux 7): The nodev option should be enabled for all NFS mounts in /etc/fstab.
Add nodev Option to Removable Media Partitions (Red Hat Enterprise Linux 7): The nodev option should be enabled for all removable device mounts in /etc/fstab.
Mount Remote Filesystems with noexec (Red Hat Enterprise Linux 7): The noexec option should be enabled for all NFS mounts in /etc/fstab.
Add noexec Option to Removable Media Partitions (Red Hat Enterprise Linux 7): The noexec option should be enabled for all removable device mounts in /etc/fstab.
Mount Remote Filesystems with nosuid (Red Hat Enterprise Linux 7): The nosuid option should be enabled for all NFS mounts in /etc/fstab.
Add nosuid Option to Removable Media Partitions (Red Hat Enterprise Linux 7): The nosuid option should be enabled for all removable device mounts in /etc/fstab.
Package nss-pam-ldapd Removed (Red Hat Enterprise Linux 7): The RPM package nss-pam-ldapd should be removed.
Package samba-common Installed (Red Hat Enterprise Linux 7): The RPM package samba-common should be installed.
oval:ssg-state_gid_is_user_and_world_writable:ste:1 / ^.*$ oval:ssg-state_file_permissions_unauthorized_sgid:ste:1 oval:ssg-state_sgid_whitelist:ste:1 / ^.*$ oval:ssg-state_file_permissions_unauthorized_suid:ste:1 oval:ssg-state_suid_whitelist:ste:1 / .* oval:ssg-state_file_permissions_ungroupowned:ste:1 /etc/group ^[^:]+:[^:]*:([\d]+):[^:]*$ 1 .* / .* oval:ssg-file_permissions_unowned_userid_list_match:ste:1 / ^.*$ oval:ssg-state_file_permissions_unauthorized_world_write:ste:1 oval:ssg-state_file_permissions_unauthorized_world_write_exclude_special_selinux_files:ste:1 oval:ssg-state_file_permissions_unauthorized_world_write_exclude_proc:ste:1 oval:ssg-state_file_permissions_unauthorized_world_write_exclude_sys:ste:1 / oval:ssg-state_world_writable_and_not_sticky:ste:1 /boot ^System\.map.*$ ^\/lib(|64)|^\/usr\/lib(|64) oval:ssg-state_perms_nogroupwrite_noworldwrite:ste:1 oval:ssg-perms_state_symlink:ste:1 ^\/lib(|64)|^\/usr\/lib(|64) ^.*$ oval:ssg-state_perms_nogroupwrite_noworldwrite:ste:1 oval:ssg-perms_state_symlink:ste:1 ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec oval:ssg-state_owner_binaries_not_root:ste:1 ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec ^.*$ oval:ssg-state_owner_binaries_not_root:ste:1 ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec ^.*$ oval:ssg-state_perms_binary_files_nogroupwrite_noworldwrite:ste:1 oval:ssg-state_perms_binary_files_symlink:ste:1 ^\/lib(|64)\/|^\/usr\/lib(|64)\/ oval:ssg-state_owner_libraries_not_root:ste:1 ^\/lib(|64)\/|^\/usr\/lib(|64)\/ ^.*$ oval:ssg-state_owner_libraries_not_root:ste:1 /etc/issue 1 /etc/dconf/db/gdm.d/locks/ ^.*$ ^/org/gnome/login-screen/banner-message-text$ 1 /etc/dconf/db/gdm.d/ ^.*$ ^banner-message-text=[\s]*'*(.*?)'$ 1 /etc/dconf/db/gdm.d/ ^.*$ ^\[org/gnome/login-screen]([^\n]*\n+)+?banner-message-enable=true$ 1 /etc/dconf/db/gdm.d/locks/ ^.*$ ^/org/gnome/login-screen/banner-message-enable$ 1 /etc/systemd/system.conf ^[\s]*CtrlAltDelBurstAction[\s]*=[\s]*none$ 1 /etc/default/grub 
^\s*GRUB_CMDLINE_LINUX=".*systemd.confirm_spawn=(?:1|yes|true|on).*$ 1 /etc/default/grub ^\s*GRUB_CMDLINE_LINUX_DEFAULT=".*systemd.confirm_spawn=(?:1|yes|true|on).*$ 1 /etc/systemd/system/ctrl-alt-del.target /usr/lib/systemd/system/rescue.service ^ExecStart=\-.*/sbin/sulogin 1 /usr/lib/systemd/system/runlevel1.target ^Requires=.*rescue.service 1 /etc/systemd/system ^rescue.service$ /etc/systemd/system ^runlevel1.target$ ^/etc/opensc.*.conf$ ^[\s]+force_card_driver[\s]+=[\s]+(\S+);$ 1 /etc/pam_pkcs11/pam_pkcs11.conf ^[\s]*cert_policy[ ]=(.*)$ 1 /etc/pam.d/system-auth 1 /etc/pam.d/system-auth 1 /etc/pam.d/smartcard-auth 1 ^/etc/opensc.*.conf$ ^[\s]+card_drivers[\s]+=[\s]+(\S+);$ 1 /etc/pki/nssdb/pkcs11.txt ^library=opensc.*.so$ 1 /etc/login.defs .*\n[^#]*(PASS_WARN_AGE\s+\d+)\s*\n 1 oval:ssg-variable_last_pass_warn_age_instance_value:var:1 /etc/login.defs .*\n[^#]*(PASS_MAX_DAYS\s+\d+)\s*\n 1 oval:ssg-variable_last_pass_max_days_instance_value:var:1 /etc/login.defs .*\n[^#]*(PASS_MIN_LEN\s+\d+)\s*\n 1 oval:ssg-variable_last_pass_min_len_instance_value:var:1 /etc/login.defs .*\n[^#]*(PASS_MIN_DAYS\s+\d+)\s*\n 1 oval:ssg-variable_last_pass_min_days_instance_value:var:1 /etc/default/useradd ^\s*INACTIVE\s*=\s*(\d+)\s*$ 1 /etc/passwd ^([^:]+):.*$ 1 oval:ssg-variable_count_of_all_usernames_from_etc_passwd:var:1 /etc/group ^.*:x:([0-9]+): 1 /etc/passwd ^.*:[0-9]+:([0-9]+): 1 .* /etc/pam.d/system-auth \s*nullok\s* 1 /home ^\.netrc$ /etc/securetty ^ttyS[0-9]+$ 1 /etc/securetty ^vc/[0-9]+$ 1 /etc/passwd ^(?!root:)[^:]*:[^:]*:0 1 /etc/securetty ^.*$ 1 /etc/securetty ^$ 1 /etc/login.defs .*\n(?!#|SYS_)(UID_MIN[\s]+[\d]+)\s*\n 1 /etc/login.defs .*\n[^#]*(SYS_UID_MIN[\s]+[\d]+)\s*\n 1 /etc/login.defs .*\n[^#]*(SYS_UID_MAX[\s]+[\d]+)\s*\n 1 /etc/passwd ^(?!root).*:x:([\d]+):[\d]+:[^:]*:[^:]*:(?!\/sbin\/nologin|\/bin\/sync|\/sbin\/shutdown|\/sbin\/halt).*$ 1 oval:ssg-variable_default_range_quad_expr:var:1 oval:ssg-variable_reserved_range_quad_expr:var:1 
oval:ssg-variable_dynalloc_range_quad_expr:var:1 /etc/pam.d/postlogin [\n][\s]*session[\s]+\[default=1\][\s]+pam_lastlog.so[\s\w\d\=]+showfailed[\s\w\d\=]*\n[\s]*session[\s]+optional[\s]+pam_lastlog.so[\s\w\d\=]+showfailed[\s\w\d\=]*[\n] 1 /etc/pam.d/system-auth ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*retry=([0-9]*).*$ 1 /etc/pam.d/system-auth ^\s*auth\s+(?:(?:required))\s+pam_faillock\.so\s+preauth.*fail_interval=([0-9]*).*$ 1 /etc/pam.d/system-auth ^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*fail_interval=([0-9]*).*$ 1 /etc/pam.d/password-auth ^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*fail_interval=([0-9]*).*$ 1 /etc/pam.d/password-auth ^\s*auth\s+(?:(?:required))\s+pam_faillock\.so\s+preauth.*fail_interval=([0-9]*).*$ 1 /etc/pam.d/password-auth ^\s*account\s+required\s+pam_faillock\.so.*$ 1 /etc/pam.d/system-auth ^\s*account\s+required\s+pam_faillock\.so.*$ 1 /etc/pam.d/system-auth ^\s*auth\s+(?:(?:required))\s+pam_faillock\.so\s+preauth.*unlock_time=([a-z0-9]*).*$ 1 /etc/pam.d/system-auth ^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*unlock_time=([a-z0-9]*).*$ 1 /etc/pam.d/password-auth ^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*unlock_time=([a-z0-9]*).*$ 1 /etc/pam.d/password-auth ^\s*auth\s+(?:(?:required))\s+pam_faillock\.so\s+preauth.*unlock_time=([a-z0-9]*).*$ 1 /etc/pam.d/system-auth [\n][\s]*auth[\s]+\[.*default=([0-9]+).*\][\s]+pam_unix\.so 1 /etc/pam.d/system-auth 1 /etc/pam.d/password-auth [\n][\s]*auth[\s]+\[[^\]]*default=([0-9]+)[^\]]*\][\s]+pam_unix\.so 1 /etc/pam.d/password-auth 1 /etc/pam.d/system-auth [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n] 1 /etc/pam.d/system-auth 
[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[[^\]]*default=ignore[^\]]*\]))[^\n]+pam_unix\.so(?:.*[\n])*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[^\n]+deny=([0-9]+) 1 /etc/pam.d/system-auth [\n][\s]*account[\s]+required[\s]+pam_faillock\.so[^\n]*[\n][\s]*account[\s]+required[\s]+pam_unix\.so[^\n]*[\n] 1 /etc/pam.d/password-auth [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n] 1 /etc/pam.d/password-auth [\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[[^\]]*default=ignore[[^\]]*\]))[\s]+pam_unix\.so(?:.*[\n])*[^\n]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*deny=([0-9]+) 1 /etc/pam.d/password-auth [\n][\s]*account[\s]+required[\s]+pam_faillock\.so[^\n]*[\n][\s]*account[\s]+required[\s]+pam_unix\.so[^\n]*[\n] 1 /etc/pam.d/system-auth [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*even_deny_root[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n] 1 /etc/pam.d/system-auth [\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*(?s).*[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*even_deny_root[^\n]*[\n] 1 /etc/pam.d/password-auth [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*even_deny_root[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n] 1 /etc/pam.d/password-auth [\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*(?s).*[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*even_deny_root[^\n]*[\n] 1 /etc/pam.d/system-auth ^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so.*remember=([0-9]*).*$ 1 /etc/pam.d/system-auth ^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so.*remember=([0-9]*).*$ 1 /etc/libuser.conf 
^[\s]*crypt_style[\s]+=[\s]+(?i)sha512[\s]*$ 1 /etc/login.defs .*\n[^#]*(ENCRYPT_METHOD\s+\w+)\s*\n 1 oval:ssg-variable_last_encrypt_method_instance_value:var:1 /etc/pam.d/system-auth ^[\s]*password[\s]+(?:(?:required)|(?:sufficient))[\s]+pam_unix\.so[\s]+.*sha512.*$ 1 /etc/profile ^[\s]*TMOUT[\s]*=[\s]*(.*)[\s]*$ 1 /etc/profile.d ^.*\.sh$ ^[\s]*TMOUT[\s]*=[\s]*(.*)[\s]*$ 1 /home oval:ssg-state_home_dirs_home_itself:ste:1 oval:ssg-state_home_dirs_wrong_perm:ste:1 /etc/login.defs ^[\s]*(?i)CREATE_HOME(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$ 1 /etc/security/limits.conf ^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins[\s]+(\d+)\s*$ 1 /etc/security/limits.d ^.*\.conf$ ^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins[\s]+(\d+)\s*$ 1 /etc/security/limits.d ^.*\.conf$ ^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins 1 /etc/login.defs ^[\s]*(?i)FAIL_DELAY(?-i)[\s]+([^#\s]*) 1 /etc/profile ^[\s]*(?i)UMASK(?-i)[\s]+([^#\s]*) 1 oval:ssg-var_etc_profile_umask_as_number:var:1 /etc/csh.cshrc ^[\s]*(?i)UMASK(?-i)[\s]+([^#\s]*) 1 oval:ssg-var_etc_csh_cshrc_umask_as_number:var:1 /etc/bashrc ^[\s]*(?i)UMASK(?-i)[\s]+([^#\s]*) 1 oval:ssg-var_etc_bashrc_umask_as_number:var:1 /etc/login.defs ^[\s]*UMASK[\s]+([^#\s]*) 1 oval:ssg-var_etc_login_defs_umask_as_number:var:1 PATH PATH oval:ssg-state_accounts_root_path_dirs_wrong_perms:ste:1 oval:ssg-state_accounts_root_path_dirs_symlink:ste:1 /etc/enterprise_app/app.conf ^[\s]*mode (.*) 1 /var/log/audit oval:ssg-state_owner_not_root_root_var_log_audit:ste:1 /var/log/audit ^.*$ oval:ssg-state_owner_not_root_root_var_log_audit:ste:1 /var/log/audit oval:ssg-state_owner_not_root_var_log_audit-non_root:ste:1 /var/log/audit ^.*$ oval:ssg-state_owner_not_root_var_log_audit-non_root:ste:1 /var/log/audit ^.*$ oval:ssg-state_not_mode_0750:ste:1 /var/log/audit ^.*$ oval:ssg-state_not_mode_0700:ste:1 ^/etc/audit/rules\.d/.*\.rules$ 
^\-a\s+always,exit\s+(\-F\s+arch=b32\s+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000\s+\-F\s+auid!=(?:4294967295|unset)\s+)(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-a\s+always,exit\s+(\-F\s+arch=b64\s+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000\s+\-F\s+auid!=(?:4294967295|unset)\s+)(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 /etc/audit/audit.rules ^\-a\s+always,exit\s+(\-F\s+arch=b32\s+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000\s+\-F\s+auid!=(?:4294967295|unset)\s+)(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 /etc/audit/audit.rules ^\-a\s+always,exit\s+(\-F\s+arch=b64\s+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000\s+\-F\s+auid!=(?:4294967295|unset)\s+)(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-f\s+2\s*$ 1 /etc/audit/audit.rules ^\-f\s+2\s*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w\s+/var/run/utmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w\s+/var/log/btmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w\s+/var/log/wtmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 /etc/audit/audit.rules ^\-w\s+/var/run/utmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 /etc/audit/audit.rules ^\-w\s+/var/log/btmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 /etc/audit/audit.rules ^\-w\s+/var/log/wtmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ 
^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/sysconfig/network[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/sysconfig/network[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-e\s+2\s*$ 1 /etc/audit/audit.rules ^\-e\s+2\s*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 /var/log/audit ^.*$ oval:ssg-state_not_mode_0640:ste:1 /var/log/audit ^.*$ oval:ssg-state_not_mode_0600:ste:1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s+]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ 
^\-w[\s]+/etc/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/security/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/security/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/usr/sbin/modprobe[\s]+\-p[\s]+\b([raw]*x[raw]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 /etc/audit/audit.rules 
^\-w[\s]+/usr/sbin/modprobe[\s]+\-p[\s]+\b([raw]*x[raw]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/usr/sbin/insmod[\s]+\-p[\s]+\b([raw]*x[raw]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/usr/sbin/insmod[\s]+\-p[\s]+\b([raw]*x[raw]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+create_module[\s]+|([\s]+|[,])create_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+create_module[\s]+|([\s]+|[,])create_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+create_module[\s]+|([\s]+|[,])create_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+create_module[\s]+|([\s]+|[,])create_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/usr/sbin/rmmod[\s]+\-p[\s]+\b([raw]*x[raw]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/usr/sbin/rmmod[\s]+\-p[\s]+\b([raw]*x[raw]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+stime[\s]+|([\s]+|[,])stime([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+stime[\s]+|([\s]+|[,])stime([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$ 1 /etc/audit/audit.rules 
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-w[\s]+\/etc\/localtime[\s]+-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/etc\/localtime[\s]+-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 / [a-z]+ oval:ssg-state_setuid_or_setgid_set:ste:1 oval:ssg-state_dev_proc_sys_dirs:ste:1 oval:ssg-variable_count_of_suid_sgid_binaries_on_system:var:1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a 
always,exit (?:-F path=([\S]+) )+-F perm=[r|w]?x -F auid>=1000 -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 oval:ssg-state_proper_audit_rule_but_for_unprivileged_command:ste:1 /etc/audit/audit.rules ^[\s]*-a always,exit (?:-F path=([\S]+) )+-F perm=[r|w]?x -F auid>=1000 -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 oval:ssg-state_proper_audit_rule_but_for_unprivileged_command:ste:1 /etc/audit/auditd.conf ^[ ]*flush[ ]+=[ ]+(\S+)[ ]*$ 1 /etc/audit/auditd.conf ^[ ]*disk_error_action[ ]+=[ ]+(\S+)[ ]*$ 1 /etc/audisp/audisp-remote.conf ^[ ]*remote_server[ ]+=[ ]+(\S+)[ ]*$ 1 /etc/audisp/audisp-remote.conf ^[ ]*enable_krb5[ ]+=[ ]+yes[ ]*$ 1 /etc/audit/auditd.conf ^[ ]*action_mail_acct[ ]+=[ ]+(\S+)[ ]*$ 1 /etc/audit/auditd.conf ^[ ]*num_logs[ ]+=[ ]+(\d+)[ ]*$ 1 /etc/audit/auditd.conf ^[ ]*disk_full_action[ ]+=[ ]+(\S+)[ ]*$ 1 /etc/audit/auditd.conf ^[ ]*space_left_action[ ]+=[ ]+(\S+)[ ]*$ 1 /etc/audisp/plugins.d/syslog.conf ^[ ]*active[ ]+=[ ]+yes[ ]*$ 1 /etc/audit/auditd.conf ^[ ]*admin_space_left_action[ ]+=[ ]+(\S+)[ ]*$ 1 /etc/audit/auditd.conf ^[ ]*max_log_file_action[ ]+=[ ]+(\S+)[ ]*$ 1 /etc/audit/auditd.conf ^[ ]*max_log_file[ ]+=[ ]+(\d+)[ ]*$ 1 /etc/audit/auditd.conf ^[\s]*space_left[\s]+=[\s]+(\d+)[\s]*$ 1 ^.*$ oval:ssg-state_promisc:ste:1 /etc/sysconfig/network-scripts ifcfg-.* ^[\s]*DHCP_HOSTNAME[\s]*=.*$ 1 ^/etc/dhclient.*\.conf$ ^[\s]*send[\s]+host-name.*$ 1 /etc/dhcp ^.*$ ^[\s]*send[\s]+host-name.*$ 1 /etc/resolv.conf ^[\s]*nameserver[\s]+([0-9\.]+)$ 1 /etc/sysconfig/network ^[\s]*NOZEROCONF[\s]*=[\s]*yes 1 /etc/firewalld/firewalld.conf ^DefaultZone=drop$ 1 /etc/netconfig ^udp6\s+tpi_clts\s+v\s+inet6\s+udp\s+-\s+-$ 1 /etc/netconfig ^tcp6\s+tpi_cots_ord\s+v\s+inet6\s+tcp\s+-\s+-$ 1 /etc/modprobe.d ^.*\.conf$ ^\s*options\s+ipv6\s+.*disable=1.*$ 1 /etc/sysconfig/network-scripts ifcfg-.* ^IPV6ADDR=.+$ 1 /etc/sysconfig/network-scripts ifcfg-.* ^IPV6_PRIVACY=rfc3041$ 1 /etc/sysconfig/network-scripts 
ifcfg-.* ^IPV6_DEFAULTGW=.+$ 1 /proc/net/wireless ^\s*[-\w]+: 1 /etc/logrotate.conf (?:daily)*.*(?=[\n][\s]*daily)(.*)$ 1 oval:ssg-state_another_rotate_interval_after_daily:ste:1 /etc/cron.daily/logrotate ^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$ 1 /etc/rsyslog.conf ^[\s]*\$(?:Input(?:TCP|RELP)|UDP)ServerRun 1 /etc/rsyslog.conf ^\*\.\*[\s]+(?:@|\:omrelp\:) 1 /etc/rsyslog.d .* ^\*\.\*[\s]+(?:@|\:omrelp\:) 1 /etc/rsyslog.conf ^\$IncludeConfig[\s]+([^\s;]+) 1 ^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$ 1 /etc/rsyslog.conf ^[\s]*cron\.\*[\s]+/var/log/cron$ 1 /etc/rsyslog.d ^.*$ ^[\s]*cron\.\*[\s]+/var/log/cron$ 1 /etc/rsyslog.conf ^\$IncludeConfig[\s]+([^\s;]+) 1 ^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$ 1 /etc/rsyslog.conf ^\$IncludeConfig[\s]+([^\s;]+) 1 ^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$ 1 /etc/logwatch/conf/logwatch.conf ^[\s]HostLimit[\s]*=[\s]*no[\s]*$ 1 /etc/logwatch/conf/logwatch.conf ^[\s]SplitHosts[\s]*=[\s]*yes[\s]*$ 1 /etc/systemd/system/default.target /etc/cups/cupsd.conf ^[\s]*Browsing[\s]+(?:Off|No) 1 /etc/cups/cupsd.conf ^[\s]*BrowseAllow[\s]+(?:none) 1 /etc/cups/cupsd.conf ^[\s]*Port[\s]+(\d)+ 1 /etc/cups/cupsd.conf ^[\s]*Listen[\s]+(?:localhost|127\.0\.0\.1|::1):(\d)+ 1 /etc/httpd/conf.modules.d/ ^.*$ /var/log/httpd /etc/httpd/conf ^.*$ /etc/httpd/conf /etc/httpd/conf.d/ ^.*$ /etc/fstab ^[\s]*[\S]+[\s]+[\S]+[\s]+cifs[\s]+([\S]+) 1 /etc/mtab ^[\s]*[\S]+[\s]+[\S]+[\s]+cifs[\s]+([\S]+) 1 /etc/samba/smb.conf ^[\s]*client[\s]+signing[\s]*=[\s]*mandatory 1 /etc/firewalld/services ^.*\.xml$ /service/service[@name='ssh'] /etc/firewalld/services ^.*\.xml$ /service/port[@port='22'] /etc/firewalld/zones ^.*\.xml$ /zone/service[@name='ssh'] /etc/firewalld/zones ^.*\.xml$ /zone/port[@port='22'] /etc/ssh/sshd_config ^[\s]*(?i)PermitEmptyPasswords(?-i)[\s]+no[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)IgnoreRhosts(?-i)[\s]+no[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config 
^[\s]*(?i)Ciphers(?-i)[\s]+((aes128-ctr|aes192-ctr|aes256-ctr|aes128-cbc|aes192-cbc|aes256-cbc|3des-cbc|rijndael-cbc@lysator\.liu\.se),?)+[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)KerberosAuthentication(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)PermitRootLogin(?-i)[\s]+no[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)Compression(?-i)[\s]+(no|delayed)[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)PermitUserEnvironment(?-i)[\s]+no[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)MaxAuthTries[\s]+(\d+)[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)RhostsRSAAuthentication(?-i)[\s]+no[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)Protocol[\s]+2[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)IgnoreUserKnownHosts(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)StrictModes(?-i)[\s]+no[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)HostbasedAuthentication(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$ 1 oval:ssg-var_sshd_config_macs:var:1 /etc/ssh/sshd_config ^[\s]*(?i)MACs(?-i)[\s]+([\w,-@]+)+[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)GSSAPIAuthentication(?-i)[\s]+no[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)X11Forwarding(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$ 1 /etc/firewalld/services ^.*\.xml$ /service/service[@name='ssh'] /etc/firewalld/services ^.*\.xml$ <port.*port="(\d+)" 1 /etc/firewalld/zones ^.*\.xml$ /zone/service[@name='ssh'] /etc/firewalld/zones ^.*\.xml$ <port.*port="(\d+)" 1 /etc/firewalld/zones /zone/service[@name='ssh'] /etc/sysconfig/network-scripts ifcfg-.* ^ZONE=(.*)$ 1 /etc/ssh/sshd_config ^[\s]*(?i)UsePrivilegeSeparation(?-i)[\s]+sandbox[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)PrintLastLog(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)MACs(?-i)[\s]+((hmac-sha2-512-etm@openssh\.com|hmac-sha2-256-etm@openssh\.com|umac-128-etm@openssh\.com|hmac-sha2-512|hmac-sha2-256|hmac-ripemd160),?)+[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config 
^[\s]*(?i)ClientAliveCountMax[\s]+([\d]+)[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)LogLevel(?-i)[\s]+INFO[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)Banner(?-i)[\s]+/etc/issue[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)Ciphers(?-i)[\s]+((chacha20-poly1305@openssh\.com|aes256-gcm@openssh\.com|aes128-gcm@openssh\.com|aes256-ctr|aes128-ctr),?)+[\s]*(?:|(?:#.*))?$ 1 /etc/exports ^(.*?(\binsecure_locks\b)[^$]*)$ 1 /etc/exports ^\/.*\((\S+)\)$ 0 /etc/exports ^\/.*$ 0 /etc/fstab ^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.*)$ 0 /etc/fstab ^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+.*$ 0 /etc/cron.allow /etc/cron.allow /etc/postfix/main.cf ^[\s]*inet_interfaces[\s]*=[\s]*localhost[\s]*$ 1 /etc/postfix/main.cf ^[\s]*smtpd_banner[\s]*=[\s]*\$myhostname[\s]+ESMTP[\s]*$ 1 /etc/sysconfig/network-scripts ifcfg-.* ^[\s]*BOOTPROTO[\s]*=[\s"]*([^#"\s]*) 1 /etc/sysconfig/docker ^(?!#)\s*OPTIONS\s*=.*[\s'](--selinux-enabled)[\s'].*$ 1 /etc/docker/daemon.json ^(?!#)\s*"selinux-enabled":[\s]+true(|,)[\s]*$ 1 ^(?!#).*(?:--storage-opt[\s=]dm\.thinpooldev=([^\s]*)).*$ 1 ^(?!#)\s*STORAGE_DRIVER\s*=\s*"?([a-z]*)"?\s*$ 1 /etc/ntp.conf ^[\s]*server[\s]+.+$ 1 /etc/ntp.conf ^server[\s]+[\S]+.*maxpoll[\s]+(\d+) 1 /etc/chrony.conf ^server[\s]+[\S]+.*maxpoll[\s]+(\d+) 1 /etc/ntp.conf ^server[\s]+[\S]+[\s]+(.*) 1 /etc/chrony.conf ^server[\s]+[\S]+[\s]+(.*) 1 /etc/ntp.conf ^([\s]*server[\s]+.+$){2,}$ 1 /etc/xinetd.d/tftp ^[\s]*server_args[\s]+=.*[\s]+\-s[\s]+.+$ 1 / \.shosts / shosts\.equiv$ /root ^\.(r|s)hosts$ /home ^\.(r|s)hosts$ /etc ^s?hosts\.equiv$ /etc/snmp/snmpd.conf ^[\s]*(com2se|rocommunity|rwcommunity) 1 /etc/snmp/snmpd.conf ^[\s]*(com2se|rocommunity|rwcommunity|createUser).*(public|private) 1 /etc/vsftpd/vsftpd.conf ^[\s]*banner_file=/etc/issue[\s]*$ 1 /etc/vsftpd/vsftpd.conf ^[\s]*xferlog_enable[\s]*=[\s]*YES$ 1 /etc/vsftpd/vsftpd.conf 
^[\s]*xferlog_std_format[\s]*=[\s]*NO$ 1 /etc/vsftpd/vsftpd.conf ^[\s]*log_ftp_protocol[\s]*=[\s]*YES$ 1 /etc/dovecot/conf.d/10-ssl.conf ^[\s]*ssl[\s]*=[\s]*(yes|required)[\s]*$ 1 /etc/dovecot/conf.d/10-auth.conf ^[\s]*disable_plaintext_auth[\s]*=[\s]*yes[\s]*$ 1 /etc/sssd/sssd.conf ^[\s]*\[pam](?:[^\n\[]*\n+)+?[\s]*offline_credentials_expiration[\s]*=[\s]*1$ 1 /etc/sssd/sssd.conf ^[\s]*\[sssd]([^\n\[\]]*\n+)+?[\s]*services.*pam.*$ 1 /etc/sssd/sssd.conf ^[\s]*\[nss](?:[^\n\[]*\n+)+?[\s]*memcache_timeout[\s]*=[\s]*(\d+)$ 1 /etc/sssd/sssd.conf ^[\s]*\[ssh](?:[^\n\[]*\n+)+?[\s]*ssh_known_hosts_timeout[\s]*=[\s]*(\d+)$ 1 /etc/sssd/sssd.conf ^[\s]*\[pam](?:[^\n\[]*\n+)+?[\s]*pam_cert_auth[\s]*=[\s]*true$ 1 /etc/sysconfig/authconfig ^USELDAPAUTH=((?i)yes)[ ]*$ 1 /etc/sssd/sssd.conf ^[\s]*\[domain\/[^]]*]([^\n\[\]]*\n+)+?[\s]*ldap_id_use_start_tls[ ]*=[ ]*((?i)true)[ ]*$ 1 /etc/sssd/sssd.conf ^[\s]*\[domain\/[^]]*](?:[^\n[\]]*\n+)+?[\s]*ldap_tls_cacertdir[\s]+=[\s]+([^\s]+)[\s]*$ 1 /etc/sysconfig/authconfig ^[\s]*USELDAPAUTH=yes[\s]*$ 1 /etc/nslcd.conf ^[\s]*tls_cacertdir[\s]+/etc/pki/tls/CA$ 1 /etc/nslcd.conf ^[\s]*tls_cacertfile[\s]+/etc/pki/tls/CA/.*\.(pem|crt)$ 1 /etc/nslcd.conf ^[\s]*ssl[\s]+start_tls[\s]*$ 1 /etc/security/pwquality.conf ^dcredit[\s]*=[\s]*(-?\d+)(?:[\s]|$) 1 /etc/security/pwquality.conf ^difok[\s]*=[\s]*(\d+)(?:[\s]|$) 1 /etc/security/pwquality.conf ^lcredit[\s]*=[\s]*(-?\d+)(?:[\s]|$) 1 /etc/security/pwquality.conf ^maxclassrepeat[\s]*=[\s]*(\d+)(?:[\s]|$) 1 /etc/security/pwquality.conf ^maxrepeat[\s]*=[\s]*(\d+)(?:[\s]|$) 1 /etc/security/pwquality.conf ^minclass[\s]*=[\s]*(\d+)(?:[\s]|$) 1 /etc/security/pwquality.conf ^minlen[\s]*=[\s]*(\d+)(?:[\s]|$) 1 /etc/security/pwquality.conf ^ocredit[\s]*=[\s]*(-?\d+)(?:[\s]|$) 1 /etc/security/pwquality.conf ^ucredit[\s]*=[\s]*(-?\d+)(?:[\s]|$) 1 /boot/efi/EFI/redhat grub.cfg /etc group /etc gshadow /etc passwd /etc shadow /boot/grub2 grub.cfg /boot/efi/EFI/redhat grub.cfg /etc group /etc gshadow /etc 
passwd /etc shadow /boot/grub2 grub.cfg /etc cron.allow /etc group /etc gshadow /etc passwd /etc shadow /boot/grub2 grub.cfg /etc/httpd/conf.modules.d ^.*$ /etc/ssh ^.*_key$ /etc/ssh ^.*.pub$ /etc/modprobe.d ^.*\.conf$ ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.conf ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ 1 /etc/modules-load.d ^.*\.conf$ ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ 1 /run/modules-load.d ^.*\.conf$ ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ 1 /usr/lib/modules-load.d ^.*\.conf$ ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ 1 /run/modprobe.d ^.*\.conf$ ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ 1 /usr/lib/modprobe.d ^.*\.conf$ ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.d ^.*\.conf$ ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.conf ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ 1 /etc/modules-load.d ^.*\.conf$ ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ 1 /run/modules-load.d ^.*\.conf$ ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ 1 /usr/lib/modules-load.d ^.*\.conf$ ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ 1 /run/modprobe.d ^.*\.conf$ ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ 1 /usr/lib/modprobe.d ^.*\.conf$ ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.d ^.*\.conf$ ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.conf ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ 1 /etc/modules-load.d ^.*\.conf$ ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ 1 /run/modules-load.d ^.*\.conf$ ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ 1 /usr/lib/modules-load.d ^.*\.conf$ ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ 1 /run/modprobe.d ^.*\.conf$ ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ 1 /usr/lib/modprobe.d ^.*\.conf$ ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.d ^.*\.conf$ ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.conf ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$ 1 /etc/modules-load.d 
^.*\.conf$ ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$ 1 /run/modules-load.d ^.*\.conf$ ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$ 1 /usr/lib/modules-load.d ^.*\.conf$ ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$ 1 /run/modprobe.d ^.*\.conf$ ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$ 1 /usr/lib/modprobe.d ^.*\.conf$ ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.d ^.*\.conf$ ^\s*install\s+hfs\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.conf ^\s*install\s+hfs\s+(/bin/false|/bin/true)$ 1 /etc/modules-load.d ^.*\.conf$ ^\s*install\s+hfs\s+(/bin/false|/bin/true)$ 1 /run/modules-load.d ^.*\.conf$ ^\s*install\s+hfs\s+(/bin/false|/bin/true)$ 1 /usr/lib/modules-load.d ^.*\.conf$ ^\s*install\s+hfs\s+(/bin/false|/bin/true)$ 1 /run/modprobe.d ^.*\.conf$ ^\s*install\s+hfs\s+(/bin/false|/bin/true)$ 1 /usr/lib/modprobe.d ^.*\.conf$ ^\s*install\s+hfs\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.d ^.*\.conf$ ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.conf ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$ 1 /etc/modules-load.d ^.*\.conf$ ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$ 1 /run/modules-load.d ^.*\.conf$ ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$ 1 /usr/lib/modules-load.d ^.*\.conf$ ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$ 1 /run/modprobe.d ^.*\.conf$ ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$ 1 /usr/lib/modprobe.d ^.*\.conf$ ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.d ^.*\.conf$ ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.conf ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$ 1 /etc/modules-load.d ^.*\.conf$ ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$ 1 /run/modules-load.d ^.*\.conf$ ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$ 1 /usr/lib/modules-load.d ^.*\.conf$ ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$ 1 /run/modprobe.d ^.*\.conf$ ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$ 1 /usr/lib/modprobe.d ^.*\.conf$ ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$ 
1 /etc/modprobe.d ^.*\.conf$ ^\s*install\s+sctp\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.conf ^\s*install\s+sctp\s+(/bin/false|/bin/true)$ 1 /etc/modules-load.d ^.*\.conf$ ^\s*install\s+sctp\s+(/bin/false|/bin/true)$ 1 /run/modules-load.d ^.*\.conf$ ^\s*install\s+sctp\s+(/bin/false|/bin/true)$ 1 /usr/lib/modules-load.d ^.*\.conf$ ^\s*install\s+sctp\s+(/bin/false|/bin/true)$ 1 /run/modprobe.d ^.*\.conf$ ^\s*install\s+sctp\s+(/bin/false|/bin/true)$ 1 /usr/lib/modprobe.d ^.*\.conf$ ^\s*install\s+sctp\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.d ^.*\.conf$ ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.conf ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$ 1 /etc/modules-load.d ^.*\.conf$ ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$ 1 /run/modules-load.d ^.*\.conf$ ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$ 1 /usr/lib/modules-load.d ^.*\.conf$ ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$ 1 /run/modprobe.d ^.*\.conf$ ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$ 1 /usr/lib/modprobe.d ^.*\.conf$ ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.d ^.*\.conf$ ^\s*install\s+udf\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.conf ^\s*install\s+udf\s+(/bin/false|/bin/true)$ 1 /etc/modules-load.d ^.*\.conf$ ^\s*install\s+udf\s+(/bin/false|/bin/true)$ 1 /run/modules-load.d ^.*\.conf$ ^\s*install\s+udf\s+(/bin/false|/bin/true)$ 1 /usr/lib/modules-load.d ^.*\.conf$ ^\s*install\s+udf\s+(/bin/false|/bin/true)$ 1 /run/modprobe.d ^.*\.conf$ ^\s*install\s+udf\s+(/bin/false|/bin/true)$ 1 /usr/lib/modprobe.d ^.*\.conf$ ^\s*install\s+udf\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.d ^.*\.conf$ ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.conf ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ 1 /etc/modules-load.d ^.*\.conf$ ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ 1 /run/modules-load.d ^.*\.conf$ ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ 1 /usr/lib/modules-load.d ^.*\.conf$ 
^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ 1 /run/modprobe.d ^.*\.conf$ ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ 1 /usr/lib/modprobe.d ^.*\.conf$ ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ 1 /dev/shm /dev/shm /dev/shm /home /home /tmp /tmp /tmp /var/tmp /var/tmp /var/tmp abrt acpid aide at audit authconfig-gtk autofs avahi bind bluez certmonger chrony cronie cups cyrus-sasl dbus dconf dhcp docker dovecot esc firewalld gdm gdm httpd iputils irqbalance kernel-tools kexec-tools libcgroup-tools libcgroup libreswan mcstrans mdadm net-snmp nfs-utils ntp ntp ntpdate oddjob openldap-servers opensc openssh-server openssh-server pam_pkcs11 pcsc-lite policycoreutils portreserve postfix prelink psacct qpid-cpp-server quagga quota-nld rhnsd rsh-server rsh rsyslog samba-common samba screen sendmail setroubleshoot smartmontools squid sssd sssd subscription-manager sysstat systemd systemd talk-server talk tcp_wrappers telnet-server telnet tftp-server tftp vsftpd vsftpd xinetd xinetd xorg-x11-server-common ypbind ypserv /home /tmp /var /var/log /var/log/audit /var/tmp SELinux abrt_anon_write abrt_handle_event abrt_upload_watch_anon_write antivirus_can_scan_system antivirus_use_jit auditadm_exec_content authlogin_nsswitch_use_ldap authlogin_radius authlogin_yubikey awstats_purge_apache_log_files boinc_execmem cdrecord_read_content cluster_can_network_connect cluster_manage_all_files cluster_use_execmem cobbler_anon_write cobbler_can_network_connect cobbler_use_cifs cobbler_use_nfs collectd_tcp_network_connect condor_tcp_network_connect conman_can_network container_connect_any cron_can_relabel cron_system_cronjob_use_shares cron_userdomain_transition cups_execmem cvs_read_shadow daemons_dump_core daemons_enable_cluster_mode daemons_use_tcp_wrapper daemons_use_tty dbadm_exec_content dbadm_manage_user_files dbadm_read_user_files deny_execmem deny_ptrace dhcpc_exec_iptables dhcpd_use_ldap domain_fd_use domain_kernel_load_modules entropyd_use_audio 
exim_can_connect_db exim_manage_user_files exim_read_user_files fcron_crond fenced_can_network_connect fenced_can_ssh fips_mode ftpd_anon_write ftpd_connect_all_unreserved ftpd_connect_db ftpd_full_access ftpd_use_cifs ftpd_use_fusefs ftpd_use_nfs ftpd_use_passive_mode git_cgi_enable_homedirs git_cgi_use_cifs git_cgi_use_nfs git_session_bind_all_unreserved_ports git_session_users git_system_enable_homedirs git_system_use_cifs git_system_use_nfs gitosis_can_sendmail glance_api_can_network glance_use_execmem glance_use_fusefs global_ssp gluster_anon_write gluster_export_all_ro gluster_export_all_rw gpg_web_anon_write gssd_read_tmp guest_exec_content haproxy_connect_any httpd_anon_write httpd_builtin_scripting httpd_can_check_spam httpd_can_connect_ftp httpd_can_connect_ldap httpd_can_connect_mythtv httpd_can_connect_zabbix httpd_can_network_connect httpd_can_network_connect_cobbler httpd_can_network_connect_db httpd_can_network_memcache httpd_can_network_relay httpd_can_sendmail httpd_dbus_avahi httpd_dbus_sssd httpd_dontaudit_search_dirs httpd_enable_cgi httpd_enable_ftp_server httpd_enable_homedirs httpd_execmem httpd_graceful_shutdown httpd_manage_ipa httpd_mod_auth_ntlm_winbind httpd_mod_auth_pam httpd_read_user_content httpd_run_ipa httpd_run_preupgrade httpd_run_stickshift httpd_serve_cobbler_files httpd_setrlimit httpd_ssi_exec httpd_sys_script_anon_write httpd_tmp_exec httpd_tty_comm httpd_unified httpd_use_cifs httpd_use_fusefs httpd_use_gpg httpd_use_nfs httpd_use_openstack httpd_use_sasl httpd_verify_dns icecast_use_any_tcp_ports irc_use_any_tcp_ports irssi_use_full_network kdumpgui_run_bootloader kerberos_enabled ksmtuned_use_cifs ksmtuned_use_nfs logadm_exec_content logging_syslogd_can_sendmail logging_syslogd_run_nagios_plugins logging_syslogd_use_tty login_console_enabled logrotate_use_nfs logwatch_can_network_connect_mail lsmd_plugin_connect_any mailman_use_fusefs mcelog_client mcelog_exec_scripts mcelog_foreground mcelog_server 
minidlna_read_generic_user_content mmap_low_allowed mock_enable_homedirs mount_anyfile mozilla_plugin_bind_unreserved_ports mozilla_plugin_can_network_connect mozilla_plugin_use_bluejeans mozilla_plugin_use_gps mozilla_plugin_use_spice mozilla_read_content mpd_enable_homedirs mpd_use_cifs mpd_use_nfs mplayer_execstack mysql_connect_any nagios_run_pnp4nagios nagios_run_sudo named_tcp_bind_http_port named_write_master_zones neutron_can_network nfs_export_all_ro nfs_export_all_rw nfsd_anon_write nis_enabled nscd_use_shm openshift_use_nfs openvpn_can_network_connect openvpn_enable_homedirs openvpn_run_unconfined pcp_bind_all_unreserved_ports pcp_read_generic_logs piranha_lvs_can_network_connect polipo_connect_all_unreserved polipo_session_bind_all_unreserved_ports polipo_session_users polipo_use_cifs polipo_use_nfs polyinstantiation_enabled postfix_local_write_mail_spool postgresql_can_rsync postgresql_selinux_transmit_client_label postgresql_selinux_unconfined_dbadm postgresql_selinux_users_ddl pppd_can_insmod pppd_for_user privoxy_connect_any prosody_bind_http_port puppetagent_manage_all_files puppetmaster_use_db racoon_read_shadow rsync_anon_write rsync_client rsync_export_all_ro rsync_full_access samba_create_home_dirs samba_domain_controller samba_enable_home_dirs samba_export_all_ro samba_export_all_rw samba_load_libgfapi samba_portmapper samba_run_unconfined samba_share_fusefs samba_share_nfs sanlock_use_fusefs sanlock_use_nfs sanlock_use_samba saslauthd_read_shadow secadm_exec_content secure_mode secure_mode_insmod secure_mode_policyload selinuxuser_direct_dri_enabled selinuxuser_execheap selinuxuser_execmod selinuxuser_execstack selinuxuser_mysql_connect_enabled selinuxuser_ping selinuxuser_postgresql_connect_enabled selinuxuser_rw_noexattrfile selinuxuser_share_music selinuxuser_tcp_server selinuxuser_udp_server selinuxuser_use_ssh_chroot sge_domain_can_network_connect sge_use_nfs smartmon_3ware smbd_anon_write spamassassin_can_network spamd_enable_home_dirs 
squid_connect_any squid_use_tproxy ssh_chroot_rw_homedirs ssh_keysign ssh_sysadm_login staff_exec_content staff_use_svirt swift_can_network sysadm_exec_content telepathy_connect_all_ports telepathy_tcp_connect_generic_network_ports tftp_anon_write tftp_home_dir tmpreaper_use_nfs tmpreaper_use_samba tor_bind_all_unreserved_ports tor_can_network_relay unconfined_chrome_sandbox_transition unconfined_login unconfined_mozilla_plugin_transition unprivuser_use_svirt use_ecryptfs_home_dirs use_fusefs_home_dirs use_lpd_server use_nfs_home_dirs use_samba_home_dirs user_exec_content varnishd_connect_any virt_read_qemu_ga_data virt_rw_qemu_ga_data virt_sandbox_use_all_caps virt_sandbox_use_audit virt_sandbox_use_mknod virt_sandbox_use_netlink virt_sandbox_use_sys_admin virt_transition_userdomain virt_use_comm virt_use_execmem virt_use_fusefs virt_use_nfs virt_use_rawip virt_use_samba virt_use_sanlock virt_use_usb virt_use_xserver webadm_manage_user_files webadm_read_user_files wine_mmap_zero_ignore xdm_bind_vnc_tcp_port xdm_exec_bootloader xdm_sysadm_login xdm_write_home xen_use_nfs xend_run_blktap xend_run_qemu xguest_connect_network xguest_exec_content xguest_mount_media xguest_use_bluetooth xserver_clients_write_xshm xserver_execmem xserver_object_manager zabbix_can_network zarafa_setrlimit zebra_write_config zoneminder_anon_write zoneminder_run_sudo multi-user.target multi-user.target abrtd\.(service|socket) ActiveState multi-user.target multi-user.target acpid\.(service|socket) ActiveState multi-user.target multi-user.target atd\.(service|socket) ActiveState multi-user.target multi-user.target auditd\.(socket|service) ActiveState multi-user.target multi-user.target autofs\.(service|socket) ActiveState multi-user.target multi-user.target avahi-daemon\.(service|socket) ActiveState multi-user.target multi-user.target bluetooth\.(service|socket) ActiveState multi-user.target multi-user.target certmonger\.(service|socket) ActiveState multi-user.target multi-user.target 
cgconfig\.(service|socket) ActiveState multi-user.target multi-user.target cgred\.(service|socket) ActiveState multi-user.target multi-user.target chronyd\.(socket|service) ActiveState multi-user.target multi-user.target cpupower\.(service|socket) ActiveState multi-user.target multi-user.target crond\.(socket|service) ActiveState multi-user.target multi-user.target cups\.(service|socket) ActiveState multi-user.target multi-user.target debug-shell\.(service|socket) ActiveState multi-user.target multi-user.target dhcpd\.(service|socket) ActiveState multi-user.target multi-user.target docker\.(socket|service) ActiveState multi-user.target multi-user.target dovecot\.(service|socket) ActiveState multi-user.target multi-user.target firewalld\.(socket|service) ActiveState multi-user.target multi-user.target httpd\.(service|socket) ActiveState multi-user.target multi-user.target irqbalance\.(socket|service) ActiveState multi-user.target multi-user.target kdump\.(service|socket) ActiveState multi-user.target multi-user.target mdmonitor\.(service|socket) ActiveState multi-user.target multi-user.target messagebus\.(service|socket) ActiveState multi-user.target multi-user.target nails\.(socket|service) ActiveState multi-user.target multi-user.target named\.(service|socket) ActiveState multi-user.target multi-user.target netconsole\.(service|socket) ActiveState multi-user.target multi-user.target nfs\.(service|socket) ActiveState multi-user.target multi-user.target nfslock\.(service|socket) ActiveState multi-user.target multi-user.target ntpd\.(service|socket) ActiveState multi-user.target multi-user.target ntpd\.(socket|service) ActiveState multi-user.target multi-user.target ntpdate\.(service|socket) ActiveState multi-user.target multi-user.target oddjobd\.(service|socket) ActiveState multi-user.target multi-user.target pcscd\.(socket|service) ActiveState multi-user.target multi-user.target portreserve\.(service|socket) ActiveState multi-user.target multi-user.target 
postfix\.(socket|service) ActiveState multi-user.target multi-user.target psacct\.(socket|service) ActiveState multi-user.target multi-user.target qpidd\.(service|socket) ActiveState multi-user.target multi-user.target quota_nld\.(service|socket) ActiveState multi-user.target multi-user.target rdisc\.(service|socket) ActiveState multi-user.target multi-user.target rexec\.(service|socket) ActiveState multi-user.target multi-user.target rhnsd\.(service|socket) ActiveState multi-user.target multi-user.target rhsmcertd\.(service|socket) ActiveState multi-user.target multi-user.target rlogin\.(service|socket) ActiveState multi-user.target multi-user.target rpcbind\.(service|socket) ActiveState multi-user.target multi-user.target rpcgssd\.(service|socket) ActiveState multi-user.target multi-user.target rpcidmapd\.(service|socket) ActiveState multi-user.target multi-user.target rpcsvcgssd\.(service|socket) ActiveState multi-user.target multi-user.target rsh\.(service|socket) ActiveState multi-user.target multi-user.target rsyslog\.(socket|service) ActiveState multi-user.target multi-user.target saslauthd\.(service|socket) ActiveState multi-user.target multi-user.target smartd\.(service|socket) ActiveState multi-user.target multi-user.target smb\.(service|socket) ActiveState multi-user.target multi-user.target snmpd\.(service|socket) ActiveState multi-user.target multi-user.target squid\.(service|socket) ActiveState multi-user.target multi-user.target sshd\.(service|socket) ActiveState multi-user.target multi-user.target sshd\.(socket|service) ActiveState multi-user.target multi-user.target sssd\.(service|socket) ActiveState multi-user.target multi-user.target sssd\.(socket|service) ActiveState multi-user.target multi-user.target sysstat\.(service|socket) ActiveState multi-user.target multi-user.target telnet\.(service|socket) ActiveState multi-user.target multi-user.target tftp\.(service|socket) ActiveState multi-user.target multi-user.target vsftpd\.(service|socket) 
ActiveState multi-user.target multi-user.target xinetd\.(service|socket) ActiveState multi-user.target multi-user.target ypbind\.(service|socket) ActiveState multi-user.target multi-user.target zebra\.(service|socket) ActiveState fs.suid_dumpable kernel.dmesg_restrict kernel.kexec_load_disabled kernel.kptr_restrict kernel.randomize_va_space kernel.yama.ptrace_scope net.ipv4.conf.all.accept_redirects net.ipv4.conf.all.accept_source_route net.ipv4.conf.all.log_martians net.ipv4.conf.all.rp_filter net.ipv4.conf.all.secure_redirects net.ipv4.conf.all.send_redirects net.ipv4.conf.default.accept_redirects net.ipv4.conf.default.accept_source_route net.ipv4.conf.default.log_martians net.ipv4.conf.default.rp_filter net.ipv4.conf.default.secure_redirects net.ipv4.conf.default.send_redirects net.ipv4.icmp_echo_ignore_broadcasts net.ipv4.icmp_ignore_bogus_error_responses net.ipv4.ip_forward net.ipv4.tcp_syncookies net.ipv6.conf.all.accept_ra net.ipv6.conf.all.accept_redirects net.ipv6.conf.all.accept_source_route net.ipv6.conf.all.disable_ipv6 net.ipv6.conf.all.forwarding net.ipv6.conf.default.accept_ra net.ipv6.conf.default.accept_redirects net.ipv6.conf.default.accept_source_route /etc/sysctl.conf ^[\s]*fs.suid_dumpable[\s]*=[\s]*0[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*fs.suid_dumpable[\s]*=[\s]*0[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*fs.suid_dumpable[\s]*=[\s]*0[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*fs.suid_dumpable[\s]*=[\s]*0[\s]*$ 1 /etc/sysctl.conf ^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1[\s]*$ 1 /etc/sysctl.conf ^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*1[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*1[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*1[\s]*$ 1 /usr/lib/sysctl.d 
^.*\.conf$ ^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*1[\s]*$ 1 /etc/sysctl.conf ^[\s]*kernel.kptr_restrict[\s]*=[\s]*1[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*kernel.kptr_restrict[\s]*=[\s]*1[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*kernel.kptr_restrict[\s]*=[\s]*1[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*kernel.kptr_restrict[\s]*=[\s]*1[\s]*$ 1 /etc/sysctl.conf ^[\s]*kernel.randomize_va_space[\s]*=[\s]*2[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*kernel.randomize_va_space[\s]*=[\s]*2[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*kernel.randomize_va_space[\s]*=[\s]*2[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*kernel.randomize_va_space[\s]*=[\s]*2[\s]*$ 1 /etc/sysctl.conf ^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*1[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*1[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*1[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*1[\s]*$ 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ 
(?:^|.*\n)[^#]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf ^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$ 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1 
/usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf ^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$ 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ 
(?:^|.*\n)[^#]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf ^[\s]*net.ipv4.ip_forward[\s]*=[\s]*0[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.ip_forward[\s]*=[\s]*0[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.ip_forward[\s]*=[\s]*0[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.ip_forward[\s]*=[\s]*0[\s]*$ 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv4.tcp_syncookies[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.tcp_syncookies[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.tcp_syncookies[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.tcp_syncookies[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1 
/etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv6.conf.all.forwarding[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.all.forwarding[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.all.forwarding[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.all.forwarding[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ 
(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/pam.d/system-auth ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*$ 1 /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1 /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/augenrules.*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/auditd.conf ^[ ]*log_group[ ]+=[ ]+root[ ]*$ 1 /etc/default/grub ^\s*GRUB_DISABLE_RECOVERY=(.*)$ 1 /etc/chrony.conf ^([\s]*server[\s]+.+$){2,}$ 1 /etc/chrony.conf ^[\s]*server[\s]+.+$ 1 /etc/default/grub ^\s*GRUB_CMDLINE_LINUX_DEFAULT=.*$ 1 centos-release centos-release centos-release /etc/debian_version /etc/debian_version ^8.[0-9]+$ 1 fedora-release /etc/system-release-cpe ^cpe:\/o:fedoraproject:fedora:[\d]+$ 1 oraclelinux-release oraclelinux-release oraclelinux-release openSUSE-release openSUSE-release openSUSE-release redhat-release-client redhat-release-workstation redhat-release-server redhat-release-computenode redhat-release-client redhat-release-workstation redhat-release-server redhat-release-computenode redhat-release-virtualization-host /etc/redhat-release ^Red Hat Enterprise Linux release (\d)\.\d+$ 1 redhat-release redhat-release-virtualization-host /etc/redhat-release ^Red Hat Enterprise Linux release (\d)\.\d+$ 1 sl-release sl-release sl-release sled-release sles-release sled-release sles-release /etc/lsb-release /etc/lsb-release ^DISTRIB_ID=Ubuntu$ 1 /etc/lsb-release ^DISTRIB_CODENAME=trusty$ 1 /etc/lsb-release ^DISTRIB_CODENAME=xenial$ 1 /etc/lsb-release ^DISTRIB_CODENAME=bionic$ 1 /etc/wrlinux-release atomic-openshift atomic-openshift-node atomic-openshift-hyperkube rhosp-release rhvm-appliance gdm libuser nss-pam-ldapd pam shadow-utils systemd yum /.dockerenv /.dockerenv /etc/fstab 1 oval:ssg-sshd_required:var:1 oval:ssg-sshd_required:var:1 oval:ssg-sshd_required:var:1 openssh-server openssh-server /etc/sssd/sssd.conf oval:ssg-var_accounts_user_umask_umask_as_number:var:1 oval:ssg-var_removable_partition:var:1 oval:ssg-var_umask_for_daemons_umask_as_number:var:1 ^/etc/audit/rules\.d/.*\.rules$ 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 
^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 
^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/restorecon[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/restorecon[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/semanage[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/semanage[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setfiles[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setfiles[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setsebool[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules 
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setsebool[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/seunshare[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/seunshare[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w\s+\/var\/run\/faillock\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 /etc/audit/audit.rules ^\-w\s+\/var\/run\/faillock\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w\s+\/var\/log\/lastlog\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 
/etc/audit/audit.rules ^\-w\s+\/var\/log\/lastlog\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w\s+\/var\/log\/tallylog\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 /etc/audit/audit.rules ^\-w\s+\/var\/log\/tallylog\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/at[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/at[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chage[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chage[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chsh[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chsh[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/crontab[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/crontab[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ 
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/gpasswd[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/gpasswd[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/mount[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/mount[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgidmap[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgidmap[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgrp[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgrp[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newuidmap[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules 
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newuidmap[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/pam_timestamp_check[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/pam_timestamp_check[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/passwd[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/passwd[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postdrop[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postdrop[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postqueue[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postqueue[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ 
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/pt_chown[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/pt_chown[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/openssh\/ssh-keysign[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/openssh\/ssh-keysign[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/su[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/su[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudo[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudo[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudoedit[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(open)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(open)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(open_by_handle_at)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(open_by_handle_at)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(open_by_handle_at)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(open_by_handle_at)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:[^.]|\.\s)* (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(open_by_handle_at)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(open_by_handle_at)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:[^.]|\.\s)* (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(open_by_handle_at)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(open_by_handle_at)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:[^.]|\.\s)* (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) (?:-F\s+exit=-EACCES) (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) (?:-F\s+exit=-EPERM) (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) (?:-F\s+exit=-EACCES) (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(open)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(open)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:[^.]|\.\s)* (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(open)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(open)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:[^.]|\.\s)* (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(open)(?:|(?:,[\S]+)+))[\s]+ 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(open)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:[^.]|\.\s)* (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) (?:-F\s+exit=-EACCES) (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) (?:-F\s+exit=-EPERM) (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) (?:-F\s+exit=-EACCES) (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(openat)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(openat)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(openat)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(openat)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:[^.]|\.\s)* (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(openat)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(openat)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:[^.]|\.\s)* (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) 
(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(openat)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(openat)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:[^.]|\.\s)* (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) (?:-F\s+exit=-EACCES) (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) (?:-F\s+exit=-EPERM) (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) (?:-F\s+exit=-EACCES) (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(removexattr)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(removexattr)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(rename)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(rename)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(renameat)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(renameat)(?:|(?:,[\S]+)+))[\s]+ 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(setxattr)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(setxattr)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(truncate)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(truncate)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(unlink)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(unlink)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(unlinkat)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(unlinkat)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) /dev/cdrom /dev/dvd /dev/scd0 /dev/sr0 ^[\s]* [\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ ^[\s]* [\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ 
xccdf-create-ocil.xslt from SCAP Security Guide ssg: 0.1.43 2.0 2019-06-12T12:11:03-04:00

Uninstall rsh Package | ocil:ssg-package_rsh_removed_action:testaction:1
Disable rlogin Service | ocil:ssg-service_rlogin_disabled_action:testaction:1
Disable rexec Service | ocil:ssg-service_rexec_disabled_action:testaction:1
Remove Host-Based Authentication Files | ocil:ssg-no_host_based_files_action:testaction:1
Disable rsh Service | ocil:ssg-service_rsh_disabled_action:testaction:1
Remove User Host-Based Authentication Files | ocil:ssg-no_user_host_based_files_action:testaction:1
Uninstall rsh-server Package | ocil:ssg-package_rsh-server_removed_action:testaction:1
Remove Rsh Trust Files | ocil:ssg-no_rsh_trust_files_action:testaction:1
Remove telnet Clients | ocil:ssg-package_telnet_removed_action:testaction:1
Disable telnet Service | ocil:ssg-service_telnet_disabled_action:testaction:1
Uninstall telnet-server Package | ocil:ssg-package_telnet-server_removed_action:testaction:1
Remove NIS Client | ocil:ssg-package_ypbind_removed_action:testaction:1
Disable ypbind Service | ocil:ssg-service_ypbind_disabled_action:testaction:1
Uninstall ypserv Package | ocil:ssg-package_ypserv_removed_action:testaction:1
Disable tftp Service | ocil:ssg-service_tftp_disabled_action:testaction:1
Remove tftp Daemon | ocil:ssg-package_tftp_removed_action:testaction:1
Uninstall tftp-server Package | ocil:ssg-package_tftp-server_removed_action:testaction:1
Ensure tftp Daemon Uses Secure Mode | ocil:ssg-tftpd_uses_secure_mode_action:testaction:1
Install tcp_wrappers Package | ocil:ssg-package_tcp_wrappers_installed_action:testaction:1
Disable xinetd Service | ocil:ssg-service_xinetd_disabled_action:testaction:1
Uninstall xinetd Package | ocil:ssg-package_xinetd_removed_action:testaction:1
Uninstall talk Package | ocil:ssg-package_talk_removed_action:testaction:1
Uninstall talk-server Package | ocil:ssg-package_talk-server_removed_action:testaction:1
Create Warning Banners for All FTP Users | ocil:ssg-ftp_present_banner_action:testaction:1
Enable Logging of All FTP Transactions | ocil:ssg-ftp_log_transactions_action:testaction:1
Disable vsftpd Service | ocil:ssg-service_vsftpd_disabled_action:testaction:1
Uninstall vsftpd Package | ocil:ssg-package_vsftpd_removed_action:testaction:1
Configure SNMP Service to Use Only SNMPv3 or Newer | ocil:ssg-snmpd_use_newer_protocol_action:testaction:1
Ensure Default SNMP Password Is Not Used | ocil:ssg-snmpd_not_default_password_action:testaction:1
Uninstall net-snmp Package | ocil:ssg-package_net-snmp_removed_action:testaction:1
Disable snmpd Service | ocil:ssg-service_snmpd_disabled_action:testaction:1
Verify Group Who Owns /etc/cron.allow file | ocil:ssg-file_groupowner_cron_allow_action:testaction:1
Verify User Who Owns /etc/cron.allow file | ocil:ssg-file_owner_cron_allow_action:testaction:1
Disable anacron Service | ocil:ssg-disable_anacron_action:testaction:1
Enable cron Service | ocil:ssg-service_crond_enabled_action:testaction:1
Disable At Service (atd) | ocil:ssg-service_atd_disabled_action:testaction:1
Enable cron Service | ocil:ssg-service_cron_enabled_action:testaction:1
Disable X Windows Startup By Setting Default Target | ocil:ssg-xwindows_runlevel_target_action:testaction:1
Remove the X Windows Package Group | ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1
Uninstall quagga Package | ocil:ssg-package_quagga_removed_action:testaction:1
Disable Quagga Service | ocil:ssg-service_zebra_disabled_action:testaction:1
Disable named Service | ocil:ssg-service_named_disabled_action:testaction:1
Uninstall bind Package | ocil:ssg-package_bind_removed_action:testaction:1
Uninstall openldap-servers Package | ocil:ssg-package_openldap-servers_removed_action:testaction:1
Enable the LDAP Client For Use in Authconfig | ocil:ssg-enable_ldap_client_action:testaction:1
Configure Certificate Directives for LDAP Use of TLS | ocil:ssg-ldap_client_tls_cacertpath_action:testaction:1
Configure LDAP Client to Use TLS For All Transactions | ocil:ssg-ldap_client_start_tls_action:testaction:1
Disable DHCP Client in ifcfg | ocil:ssg-sysconfig_networking_bootproto_ifcfg_action:testaction:1
Uninstall DHCP Server Package | ocil:ssg-package_dhcp_removed_action:testaction:1
Disable DHCP Service | ocil:ssg-service_dhcpd_disabled_action:testaction:1
Disable Samba | ocil:ssg-service_smb_disabled_action:testaction:1
Uninstall Samba Package | ocil:ssg-package_samba_removed_action:testaction:1
Install the Samba Common Package | ocil:ssg-package_samba-common_installed_action:testaction:1
Require Client SMB Packet Signing, if using smbclient | ocil:ssg-require_smb_client_signing_action:testaction:1
Require Client SMB Packet Signing, if using mount.cifs | ocil:ssg-mount_option_smb_client_signing_action:testaction:1
Disable httpd Service | ocil:ssg-service_httpd_disabled_action:testaction:1
Uninstall httpd Package | ocil:ssg-package_httpd_removed_action:testaction:1
HTTPD Log Files Must Be Owned By Root | ocil:ssg-http_configure_log_file_ownership_action:testaction:1
Set Permissions on the /var/log/httpd/ Directory | ocil:ssg-dir_perms_var_log_httpd_action:testaction:1
Set Permissions on All Configuration Files Inside /etc/httpd/conf.modules.d/ | ocil:ssg-file_permissions_httpd_server_modules_files_action:testaction:1
Set Permissions on the /etc/httpd/conf/ Directory | ocil:ssg-dir_perms_etc_httpd_conf_action:testaction:1
Set Permissions on All Configuration Files Inside /etc/httpd/conf.d/ | ocil:ssg-file_permissions_httpd_server_conf_d_files_action:testaction:1
Set Permissions on All Configuration Files Inside /etc/httpd/conf/ | ocil:ssg-file_permissions_httpd_server_conf_files_action:testaction:1
Ensure Remote Administrative Access Is Encrypted | ocil:ssg-httpd_configure_remote_session_encryption_action:testaction:1
Scan All Uploaded Content for Malicious Software | ocil:ssg-httpd_antivirus_scan_uploads_action:testaction:1
Configure firewall to Allow Access to the Web Server | ocil:ssg-httpd_configure_firewall_action:testaction:1
Enable Transport Layer Security (TLS) Encryption | ocil:ssg-httpd_configure_tls_action:testaction:1
Require Client Certificates | ocil:ssg-httpd_require_client_certs_action:testaction:1
Configure A Valid Server Certificate | ocil:ssg-httpd_configure_valid_server_cert_action:testaction:1
Ignore HTTPD .htaccess Files | ocil:ssg-httpd_ignore_htaccess_files_action:testaction:1
Disable Anonymous FTP Access | ocil:ssg-httpd_disable_anonymous_ftp_access_action:testaction:1
Remove Write Permissions From Filesystem Paths And Server Scripts | ocil:ssg-httpd_configure_script_permissions_action:testaction:1
Web Content Directories Must Not Be Shared Anonymously | ocil:ssg-httpd_anonymous_content_sharing_action:testaction:1
Enable log_config_module For HTTPD Logging | ocil:ssg-httpd_enable_log_config_action:testaction:1
Configure HTTP PERL Scripts To Use TAINT Option | ocil:ssg-httpd_configure_perl_taint_action:testaction:1
Ensure Web Content Located on Separate partition | ocil:ssg-partition_for_web_content_action:testaction:1
Disable Web Content Symbolic Links | ocil:ssg-httpd_disable_content_symlinks_action:testaction:1
Remove .java And .jpp Files | ocil:ssg-httpd_limit_java_files_action:testaction:1
Each Web Content Directory Must Contain An index.html File | ocil:ssg-httpd_configure_documentroot_action:testaction:1
The robots.txt Files Must Not Exist | ocil:ssg-httpd_remove_robots_file_action:testaction:1
Configure A Banner Page For Each Website | ocil:ssg-httpd_configure_banner_page_action:testaction:1
Encrypt All File Uploads | ocil:ssg-httpd_encrypt_file_uploads_action:testaction:1
Enable HTTPD Error Logging | ocil:ssg-httpd_enable_error_logging_action:testaction:1
A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ extension | ocil:ssg-httpd_nipr_accredited_dmz_action:testaction:1
A private web server must be located on a separate controlled access subnet | ocil:ssg-httpd_private_server_on_separate_subnet_action:testaction:1
Configure The Number of Allowed Simultaneous Requests | ocil:ssg-httpd_configure_max_keepalive_requests_action:testaction:1
Public web server resources must not be shared with private assets | ocil:ssg-httpd_public_resources_not_shared_action:testaction:1
The web server password(s) must be entrusted to the SA or Web Manager | ocil:ssg-httpd_entrust_passwords_action:testaction:1
Configure Error Log Format | ocil:ssg-httpd_configure_log_format_action:testaction:1
Backup interactive scripts on the production web server are prohibited | ocil:ssg-httpd_remove_backups_action:testaction:1
MIME types for csh or sh shell programs must be disabled | ocil:ssg-httpd_disable_mime_types_action:testaction:1
Enable HTTPD System Logging | ocil:ssg-httpd_enable_system_logging_action:testaction:1
Enable HTTPD LogLevel | ocil:ssg-httpd_enable_loglevel_action:testaction:1
Installation of a compiler on production web server is prohibited | ocil:ssg-httpd_no_compilers_in_prod_action:testaction:1
Configure SSSD LDAP Backend Client CA Certificate Location | ocil:ssg-sssd_ldap_configure_tls_ca_dir_action:testaction:1
Configure SSSD LDAP Backend to Use TLS For All Transactions | ocil:ssg-sssd_ldap_start_tls_action:testaction:1
Configure SSSD LDAP Backend Client CA Certificate | ocil:ssg-sssd_ldap_configure_tls_ca_action:testaction:1
Configure SSSD's Memory Cache to Expire | ocil:ssg-sssd_memcache_timeout_action:testaction:1
Configure PAM in SSSD Services | ocil:ssg-sssd_enable_pam_services_action:testaction:1
Enable Smartcards in SSSD | ocil:ssg-sssd_enable_smartcards_action:testaction:1
Configure SSSD to Expire Offline Credentials | ocil:ssg-sssd_offline_cred_expiration_action:testaction:1
Install the SSSD Package | ocil:ssg-package_sssd_installed_action:testaction:1
Configure SSSD to Expire SSH Known Hosts | ocil:ssg-sssd_ssh_known_hosts_timeout_action:testaction:1
Enable the SSSD Service | ocil:ssg-service_sssd_enabled_action:testaction:1
Enable systemd_timesyncd Service | ocil:ssg-service_timesyncd_enabled_action:testaction:1
Configure Time Service Maxpoll Interval | ocil:ssg-chronyd_or_ntpd_set_maxpoll_action:testaction:1
Enable the NTP Daemon | ocil:ssg-service_chronyd_or_ntpd_enabled_action:testaction:1
Enable the NTP Daemon | ocil:ssg-service_ntpd_enabled_action:testaction:1
Specify a Remote NTP Server | ocil:ssg-chronyd_or_ntpd_specify_remote_server_action:testaction:1
Specify a Remote NTP Server | ocil:ssg-ntpd_specify_remote_server_action:testaction:1
Enable the NTP Daemon | ocil:ssg-service_ntp_enabled_action:testaction:1
Uninstall Automatic Bug Reporting Tool (abrt) | ocil:ssg-package_abrt_removed_action:testaction:1
Disable Control Group Rules Engine (cgred) | ocil:ssg-service_cgred_disabled_action:testaction:1
Disable D-Bus IPC Service (messagebus) | ocil:ssg-service_messagebus_disabled_action:testaction:1
Disable Advanced Configuration and Power Interface (acpid) | ocil:ssg-service_acpid_disabled_action:testaction:1
Disable Network Router Discovery Daemon (rdisc) | ocil:ssg-service_rdisc_disabled_action:testaction:1
Disable Network Console (netconsole) | ocil:ssg-service_netconsole_disabled_action:testaction:1
Disable Certmonger Service (certmonger) | ocil:ssg-service_certmonger_disabled_action:testaction:1
Disable Quota Netlink (quota_nld) | ocil:ssg-service_quota_nld_disabled_action:testaction:1
Enable Process Accounting (psacct) | ocil:ssg-service_psacct_enabled_action:testaction:1
Disable Red Hat Network Service (rhnsd) | ocil:ssg-service_rhnsd_disabled_action:testaction:1
Install the psacct package | ocil:ssg-package_psacct_installed_action:testaction:1
Disable Software RAID Monitor (mdmonitor) | ocil:ssg-service_mdmonitor_disabled_action:testaction:1
Enable IRQ Balance (irqbalance) | ocil:ssg-service_irqbalance_enabled_action:testaction:1
Disable Odd Job Daemon (oddjobd) | ocil:ssg-service_oddjobd_disabled_action:testaction:1
Disable SMART Disk Monitoring Service (smartd) | ocil:ssg-service_smartd_disabled_action:testaction:1
Disable Apache Qpid (qpidd) | ocil:ssg-service_qpidd_disabled_action:testaction:1
Disable Automatic Bug Reporting Tool (abrtd) | ocil:ssg-service_abrtd_disabled_action:testaction:1
Disable CPU Speed (cpupower) | ocil:ssg-service_cpupower_disabled_action:testaction:1
Disable Cyrus SASL Authentication Daemon (saslauthd) | ocil:ssg-service_saslauthd_disabled_action:testaction:1
Disable Control Group Config (cgconfig) | ocil:ssg-service_cgconfig_disabled_action:testaction:1
Disable ntpdate Service (ntpdate) | ocil:ssg-service_ntpdate_disabled_action:testaction:1
Disable KDump Kernel Crash Analyzer (kdump) | ocil:ssg-service_kdump_disabled_action:testaction:1
Disable Red Hat Subscription Manager Daemon (rhsmcertd) | ocil:ssg-service_rhsmcertd_disabled_action:testaction:1
Disable Portreserve (portreserve) | ocil:ssg-service_portreserve_disabled_action:testaction:1
Disable System Statistics Reset Service (sysstat) | ocil:ssg-service_sysstat_disabled_action:testaction:1
Enable Use of Strict Mode Checking | ocil:ssg-sshd_enable_strictmodes_action:testaction:1
Disable SSH Support for User Known Hosts | ocil:ssg-sshd_disable_user_known_hosts_action:testaction:1
Disable SSH Access via Empty Passwords | ocil:ssg-sshd_disable_empty_passwords_action:testaction:1
Set SSH Client Alive Max Count | ocil:ssg-sshd_set_keepalive_action:testaction:1
Set SSH Idle Timeout Interval | ocil:ssg-sshd_set_idle_timeout_action:testaction:1
Enable SSH Warning Banner | ocil:ssg-sshd_enable_warning_banner_action:testaction:1
Use Only FIPS 140-2 Validated MACs | ocil:ssg-sshd_use_approved_macs_action:testaction:1
Do Not Allow SSH Environment Options | ocil:ssg-sshd_do_not_permit_user_env_action:testaction:1
Disable Kerberos Authentication | ocil:ssg-sshd_disable_kerb_auth_action:testaction:1
Allow Only SSH Protocol 2 | ocil:ssg-sshd_allow_only_protocol2_action:testaction:1
Disable SSH Support for .rhosts Files | ocil:ssg-sshd_disable_rhosts_action:testaction:1
Disable SSH Support for Rhosts RSA Authentication | ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1
Set LogLevel to INFO | ocil:ssg-sshd_set_loglevel_info_action:testaction:1
Enable Encrypted X11 Forwarding | ocil:ssg-sshd_enable_x11_forwarding_action:testaction:1
Use Only FIPS 140-2 Validated Ciphers | ocil:ssg-sshd_use_approved_ciphers_action:testaction:1
Disable Host-Based Authentication | ocil:ssg-disable_host_auth_action:testaction:1
Enable SSH Server firewalld Firewall Exception | ocil:ssg-firewalld_sshd_port_enabled_action:testaction:1
Set SSH authentication attempt limit | ocil:ssg-sshd_set_max_auth_tries_action:testaction:1
Use Only Strong MACs | ocil:ssg-sshd_use_strong_macs_action:testaction:1
Enable Use of Privilege Separation | ocil:ssg-sshd_use_priv_separation_action:testaction:1
Enable SSH Print Last Log | ocil:ssg-sshd_print_last_log_action:testaction:1
Use Only Strong Ciphers | ocil:ssg-sshd_use_strong_ciphers_action:testaction:1
Disable GSSAPI Authentication | ocil:ssg-sshd_disable_gssapi_auth_action:testaction:1
Disable Compression Or Set Compression to delayed | ocil:ssg-sshd_disable_compression_action:testaction:1
Disable SSH Root Login | ocil:ssg-sshd_disable_root_login_action:testaction:1
Install the OpenSSH Server Package | ocil:ssg-package_openssh-server_installed_action:testaction:1
Enable the OpenSSH Service | ocil:ssg-service_sshd_enabled_action:testaction:1
Verify Permissions on SSH Server Public *.pub Key Files | ocil:ssg-file_permissions_sshd_pub_key_action:testaction:1
Verify Permissions on SSH Server Private *_key Key Files | ocil:ssg-file_permissions_sshd_private_key_action:testaction:1
Configure System to Forward All Mail For The Root Account | ocil:ssg-postfix_client_configure_mail_alias_action:testaction:1
Disable Postfix Network Listening | ocil:ssg-postfix_network_listening_disabled_action:testaction:1
Prevent Unrestricted Mail Relaying | ocil:ssg-postfix_prevent_unrestricted_relay_action:testaction:1
Uninstall Sendmail Package | ocil:ssg-package_sendmail_removed_action:testaction:1
Enable Postfix Service | ocil:ssg-service_postfix_enabled_action:testaction:1
Disable Dovecot Service | ocil:ssg-service_dovecot_disabled_action:testaction:1
Uninstall dovecot Package | ocil:ssg-package_dovecot_removed_action:testaction:1
Ensure All-Squashing Disabled On All Exports | ocil:ssg-no_all_squash_exports_action:testaction:1
Use Kerberos Security on All Exports | ocil:ssg-use_kerberos_security_all_exports_action:testaction:1
Ensure Insecure File Locking is Not Allowed | ocil:ssg-no_insecure_locks_exports_action:testaction:1
Mount Remote Filesystems with noexec | ocil:ssg-mount_option_noexec_remote_filesystems_action:testaction:1
Mount Remote Filesystems with Kerberos Security | ocil:ssg-mount_option_krb_sec_remote_filesystems_action:testaction:1
Mount Remote Filesystems with nosuid | ocil:ssg-mount_option_nosuid_remote_filesystems_action:testaction:1
Mount Remote Filesystems with nodev | ocil:ssg-mount_option_nodev_remote_filesystems_action:testaction:1
Specify UID and GID for Anonymous NFS Connections | ocil:ssg-nfs_no_anonymous_action:testaction:1
Disable Network File System (nfs) | ocil:ssg-service_nfs_disabled_action:testaction:1
Disable Secure RPC Server Service (rpcsvcgssd) | ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1
Disable Printer Browsing Entirely if Possible | ocil:ssg-cups_disable_browsing_action:testaction:1
Disable the CUPS Service | ocil:ssg-service_cups_disabled_action:testaction:1
Install the docker Package | ocil:ssg-package_docker_installed_action:testaction:1
Enable the Docker service | ocil:ssg-service_docker_enabled_action:testaction:1
Disable Avahi Server Software | ocil:ssg-service_avahi-daemon_disabled_action:testaction:1
Disable Squid | ocil:ssg-service_squid_disabled_action:testaction:1
Uninstall squid Package | ocil:ssg-package_squid_removed_action:testaction:1
Configure auditd flush priority | ocil:ssg-auditd_data_retention_flush_action:testaction:1
Encrypt Audit Records Sent With audispd Plugin | ocil:ssg-auditd_audispd_encrypt_sent_records_action:testaction:1
Configure audispd Plugin To Send Logs To Remote Server | ocil:ssg-auditd_audispd_configure_remote_server_action:testaction:1
Configure audispd's Plugin network_failure_action On Network Failure | ocil:ssg-auditd_audispd_network_failure_action_action:testaction:1
Configure auditd Disk Full Action when Disk Space Is Full | ocil:ssg-auditd_data_disk_full_action_action:testaction:1
Configure auditd Max Log File Size | ocil:ssg-auditd_data_retention_max_log_file_action:testaction:1
Configure auditd space_left on Low Disk Space | ocil:ssg-auditd_data_retention_space_left_action:testaction:1
Configure auditd mail_acct Action on Low Disk Space | ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1
Configure auditd to use audispd's syslog plugin | ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1
Configure auditd admin_space_left Action on Low Disk Space | ocil:ssg-auditd_data_retention_admin_space_left_action_action:testaction:1
Configure auditd max_log_file_action Upon Reaching Maximum Log Size | ocil:ssg-auditd_data_retention_max_log_file_action_action:testaction:1
Configure auditd space_left Action on Low Disk Space | ocil:ssg-auditd_data_retention_space_left_action_action:testaction:1
Configure auditd Disk Error Action on Disk Error | ocil:ssg-auditd_data_disk_error_action_action:testaction:1
Configure auditd Number of Logs Retained | ocil:ssg-auditd_data_retention_num_logs_action:testaction:1
Configure audispd's Plugin disk_full_action When Disk Is Full | ocil:ssg-auditd_audispd_disk_full_action_action:testaction:1
Ensure auditd Collects Information on Kernel Module Unloading - rmmod | ocil:ssg-audit_rules_kernel_module_loading_rmmod_action:testaction:1
Ensure auditd Collects Information on Kernel Module Loading and Unloading | ocil:ssg-audit_rules_kernel_module_loading_action:testaction:1
Ensure auditd Collects Information on Kernel Module Unloading - delete_module | ocil:ssg-audit_rules_kernel_module_loading_delete_action:testaction:1
Ensure auditd Collects Information on Kernel Module Loading - insmod | ocil:ssg-audit_rules_kernel_module_loading_insmod_action:testaction:1
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module | ocil:ssg-audit_rules_kernel_module_loading_finit_action:testaction:1
Ensure auditd Collects Information on Kernel Module Loading and Unloading - modprobe | ocil:ssg-audit_rules_kernel_module_loading_modprobe_action:testaction:1
Ensure auditd Collects Information on Kernel Module Loading - create_module | ocil:ssg-audit_rules_kernel_module_loading_create_action:testaction:1
Ensure auditd Collects Information on Kernel Module Loading - init_module | ocil:ssg-audit_rules_kernel_module_loading_init_action:testaction:1
Record Attempts to Alter Logon and Logout Events - lastlog | ocil:ssg-audit_rules_login_events_lastlog_action:testaction:1
Record Attempts to Alter Logon and Logout Events - faillock | ocil:ssg-audit_rules_login_events_faillock_action:testaction:1
Record Attempts to Alter Logon and Logout Events - tallylog | ocil:ssg-audit_rules_login_events_tallylog_action:testaction:1
Record Attempts to Alter Time Through stime | ocil:ssg-audit_rules_time_stime_action:testaction:1
Record attempts to alter time through settimeofday | ocil:ssg-audit_rules_time_settimeofday_action:testaction:1
Record Attempts to Alter the localtime File | ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1
Record Attempts to Alter Time Through clock_settime | ocil:ssg-audit_rules_time_clock_settime_action:testaction:1
Record attempts to alter time through adjtimex | ocil:ssg-audit_rules_time_adjtimex_action:testaction:1
Record Events that Modify the System's Discretionary Access Controls - fchown | ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1
Record Events that Modify the System's Discretionary Access Controls - setxattr
ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - chown ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - fchownat ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - lchown ocil:ssg-audit_rules_dac_modification_lchown_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - chmod ocil:ssg-audit_rules_dac_modification_chmod_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - removexattr ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - fchmod ocil:ssg-audit_rules_dac_modification_fchmod_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - lsetxattr ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - fremovexattr ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - lremovexattr ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - fsetxattr ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - fchmodat ocil:ssg-audit_rules_dac_modification_fchmodat_action:testaction:1 Record Any Attempts to Run seunshare ocil:ssg-audit_rules_execution_seunshare_action:testaction:1 Record Any Attempts to Run setfiles ocil:ssg-audit_rules_execution_setfiles_action:testaction:1 Record Any Attempts to Run setsebool ocil:ssg-audit_rules_execution_setsebool_action:testaction:1 Record Any 
Attempts to Run semanage ocil:ssg-audit_rules_execution_semanage_action:testaction:1 Record Any Attempts to Run chcon ocil:ssg-audit_rules_execution_chcon_action:testaction:1 Record Any Attempts to Run restorecon ocil:ssg-audit_rules_execution_restorecon_action:testaction:1 Ensure auditd Collects File Deletion Events by User - rmdir ocil:ssg-audit_rules_file_deletion_events_rmdir_action:testaction:1 Ensure auditd Collects File Deletion Events by User - unlinkat ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1 Ensure auditd Collects File Deletion Events by User ocil:ssg-audit_rules_file_deletion_events_action:testaction:1 Ensure auditd Collects File Deletion Events by User - rename ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1 Ensure auditd Collects File Deletion Events by User - renameat ocil:ssg-audit_rules_file_deletion_events_renameat_action:testaction:1 Ensure auditd Collects File Deletion Events by User - unlink ocil:ssg-audit_rules_file_deletion_events_unlink_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - passwd ocil:ssg-audit_rules_privileged_commands_passwd_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - sudo ocil:ssg-audit_rules_privileged_commands_sudo_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl ocil:ssg-audit_rules_privileged_commands_usernetctl_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - postdrop ocil:ssg-audit_rules_privileged_commands_postdrop_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - chsh ocil:ssg-audit_rules_privileged_commands_chsh_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap ocil:ssg-audit_rules_privileged_commands_newgidmap_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands 
- postqueue ocil:ssg-audit_rules_privileged_commands_postqueue_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - chage ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - userhelper ocil:ssg-audit_rules_privileged_commands_userhelper_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - at ocil:ssg-audit_rules_privileged_commands_at_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - crontab ocil:ssg-audit_rules_privileged_commands_crontab_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - umount ocil:ssg-audit_rules_privileged_commands_umount_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd ocil:ssg-audit_rules_privileged_commands_unix_chkpwd_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown ocil:ssg-audit_rules_privileged_commands_pt_chown_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign ocil:ssg-audit_rules_privileged_commands_ssh_keysign_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit ocil:ssg-audit_rules_privileged_commands_sudoedit_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - mount ocil:ssg-audit_rules_privileged_commands_mount_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap ocil:ssg-audit_rules_privileged_commands_newuidmap_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd 
ocil:ssg-audit_rules_privileged_commands_gpasswd_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands ocil:ssg-audit_rules_privileged_commands_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - su ocil:ssg-audit_rules_privileged_commands_su_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - newgrp ocil:ssg-audit_rules_privileged_commands_newgrp_action:testaction:1 Record Unsuccessul Delete Attempts to Files - renameat ocil:ssg-audit_rules_unsuccessful_file_modification_renameat_action:testaction:1 Record Unauthorized Creation Attempts to Files - open_by_handle_at O_CREAT ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat_action:testaction:1 Record Unauthorized Modification Attempts to Files - open O_TRUNC ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_trunc_write_action:testaction:1 Record Unsuccessul Ownership Changes to Files - fchownat ocil:ssg-audit_rules_unsuccessful_file_modification_fchownat_action:testaction:1 Record Unauthorized Creation Attempts to Files - openat O_CREAT ocil:ssg-audit_rules_unsuccessful_file_modification_openat_o_creat_action:testaction:1 Record Unsuccessul Ownership Changes to Files - lchown ocil:ssg-audit_rules_unsuccessful_file_modification_lchown_action:testaction:1 Record Unsuccessul Permission Changes to Files - fchmodat ocil:ssg-audit_rules_unsuccessful_file_modification_fchmodat_action:testaction:1 Record Unsuccessul Permission Changes to Files - removexattr ocil:ssg-audit_rules_unsuccessful_file_modification_removexattr_action:testaction:1 Record Unsuccessul Ownership Changes to Files - chown ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 Record Unsuccessul Ownership Changes to Files - fchown ocil:ssg-audit_rules_unsuccessful_file_modification_fchown_action:testaction:1 Record Unauthorized Access Attempts to Files (unsuccessful) - truncate 
ocil:ssg-audit_rules_unsuccessful_file_modification_truncate_action:testaction:1 Record Unsuccessul Permission Changes to Files - setxattr ocil:ssg-audit_rules_unsuccessful_file_modification_setxattr_action:testaction:1 Record Unsuccessul Permission Changes to Files - lremovexattr ocil:ssg-audit_rules_unsuccessful_file_modification_lremovexattr_action:testaction:1 Record Unauthorized Access Attempts to Files (unsuccessful) - creat ocil:ssg-audit_rules_unsuccessful_file_modification_creat_action:testaction:1 Record Unauthorized Creation Attempts to Files - open O_CREAT ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_creat_action:testaction:1 Record Unsuccessul Permission Changes to Files - fremovexattr ocil:ssg-audit_rules_unsuccessful_file_modification_fremovexattr_action:testaction:1 Record Unsuccessul Delete Attempts to Files - unlink ocil:ssg-audit_rules_unsuccessful_file_modification_unlink_action:testaction:1 Record Unsuccessul Permission Changes to Files - fsetxattr ocil:ssg-audit_rules_unsuccessful_file_modification_fsetxattr_action:testaction:1 Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly ocil:ssg-audit_rules_unsuccessful_file_modification_openat_rule_order_action:testaction:1 Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly ocil:ssg-audit_rules_unsuccessful_file_modification_open_rule_order_action:testaction:1 Record Unauthorized Access Attempts to Files (unsuccessful) - open ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 Record Unsuccessul Permission Changes to Files - lsetxattr ocil:ssg-audit_rules_unsuccessful_file_modification_lsetxattr_action:testaction:1 Record Unsuccessul Permission Changes to Files - chmod ocil:ssg-audit_rules_unsuccessful_file_modification_chmod_action:testaction:1 Record Unauthorized Access Attempts to Files (unsuccessful) - open_by_handle_at ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_action:testaction:1 
Record Unauthorized Access Attempts to Files (unsuccessful) - ftruncate ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1 Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order_action:testaction:1 Record Unsuccessul Delete Attempts to Files - unlinkat ocil:ssg-audit_rules_unsuccessful_file_modification_unlinkat_action:testaction:1 Record Unauthorized Modification Attempts to Files - openat O_TRUNC ocil:ssg-audit_rules_unsuccessful_file_modification_openat_o_trunc_write_action:testaction:1 Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) ocil:ssg-audit_rules_unsuccessful_file_modification_action:testaction:1 Record Unsuccessul Permission Changes to Files - fchmod ocil:ssg-audit_rules_unsuccessful_file_modification_fchmod_action:testaction:1 Record Unauthorized Modification Attempts to Files - open_by_handle_at O_TRUNC ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write_action:testaction:1 Record Unauthorized Access Attempts to Files (unsuccessful) - openat ocil:ssg-audit_rules_unsuccessful_file_modification_openat_action:testaction:1 Record Unsuccessul Delete Attempts to Files - rename ocil:ssg-audit_rules_unsuccessful_file_modification_rename_action:testaction:1 Ensure auditd Collects System Administrator Actions ocil:ssg-audit_rules_sysadmin_actions_action:testaction:1 Record Events that Modify the System's Network Environment ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1 Record Events that Modify User/Group Information ocil:ssg-audit_rules_usergroup_modification_action:testaction:1 Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd ocil:ssg-audit_rules_etc_passwd_open_by_handle_at_action:testaction:1 Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group 
ocil:ssg-audit_rules_etc_group_open_by_handle_at_action:testaction:1 Record Events that Modify User/Group Information via open syscall - /etc/passwd ocil:ssg-audit_rules_etc_passwd_open_action:testaction:1 System Audit Logs Must Have Mode 0750 or Less Permissive ocil:ssg-directory_permissions_var_log_audit_action:testaction:1 Record Events that Modify User/Group Information via openat syscall - /etc/group ocil:ssg-audit_rules_etc_group_openat_action:testaction:1 Record Events that Modify User/Group Information via open syscall - /etc/group ocil:ssg-audit_rules_etc_group_open_action:testaction:1 Record Events that Modify User/Group Information - /etc/shadow ocil:ssg-audit_rules_usergroup_modification_shadow_action:testaction:1 Record Events that Modify User/Group Information via openat syscall - /etc/passwd ocil:ssg-audit_rules_etc_passwd_openat_action:testaction:1 Record Access Events to Audit Log directory ocil:ssg-directory_access_var_log_audit_action:testaction:1 Ensure auditd Collects Information on Exporting to Media (successful) ocil:ssg-audit_rules_media_export_action:testaction:1 Record Events that Modify User/Group Information - /etc/security/opasswd ocil:ssg-audit_rules_usergroup_modification_opasswd_action:testaction:1 System Audit Logs Must Be Owned By Root ocil:ssg-file_ownership_var_log_audit_action:testaction:1 Record Events that Modify the System's Mandatory Access Controls ocil:ssg-audit_rules_mac_modification_action:testaction:1 Shutdown System When Auditing Failures Occur ocil:ssg-audit_rules_system_shutdown_action:testaction:1 System Audit Logs Must Have Mode 0640 or Less Permissive ocil:ssg-file_permissions_var_log_audit_action:testaction:1 Record Events that Modify User/Group Information - /etc/gshadow ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 Record Events that Modify User/Group Information - /etc/passwd ocil:ssg-audit_rules_usergroup_modification_passwd_action:testaction:1 Record Events that Modify User/Group 
Information - /etc/group ocil:ssg-audit_rules_usergroup_modification_group_action:testaction:1 Extend Audit Backlog Limit for the Audit Daemon ocil:ssg-grub2_audit_backlog_limit_argument_action:testaction:1 Enable Auditing for Processes Which Start Prior to the Audit Daemon ocil:ssg-grub2_audit_argument_action:testaction:1 Enable auditd Service ocil:ssg-service_auditd_enabled_action:testaction:1 Ensure Logs Sent To Remote Host ocil:ssg-rsyslog_remote_loghost_action:testaction:1 Ensure Log Files Are Owned By Appropriate User ocil:ssg-rsyslog_files_ownership_action:testaction:1 Ensure Log Files Are Owned By Appropriate Group ocil:ssg-rsyslog_files_groupownership_action:testaction:1 Ensure cron Is Logging To Rsyslog ocil:ssg-rsyslog_cron_logging_action:testaction:1 Ensure System Log Files Have Correct Permissions ocil:ssg-rsyslog_files_permissions_action:testaction:1 Enable syslog-ng Service ocil:ssg-service_syslogng_enabled_action:testaction:1 Ensure syslog-ng is Installed ocil:ssg-package_syslogng_installed_action:testaction:1 Ensure Logrotate Runs Periodically ocil:ssg-ensure_logrotate_activated_action:testaction:1 Enable rsyslog Service ocil:ssg-service_rsyslog_enabled_action:testaction:1 Ensure rsyslog is Installed ocil:ssg-package_rsyslog_installed_action:testaction:1 Configure Kernel Parameter for Accepting Source-Routed Packets for Interfaces By Default ocil:ssg-sysctl_net_ipv6_conf_default_accept_source_route_action:testaction:1 Configure Kernel Parameter for Accepting IPv6 Source-Routed Packets for All Interfaces ocil:ssg-sysctl_net_ipv6_conf_all_accept_source_route_action:testaction:1 Disable Kernel Parameter for IPv6 Forwarding ocil:ssg-sysctl_net_ipv6_conf_all_forwarding_action:testaction:1 Configure Accepting IPv6 Redirects on All Interfaces ocil:ssg-sysctl_net_ipv6_conf_all_accept_redirects_action:testaction:1 Configure Accepting IPv6 Router Advertisements by Default ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_action:testaction:1 Configure Accepting 
IPv6 Router Advertisements on All Interfaces ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_action:testaction:1 Configure Accepting IPv6 Redirects By Default ocil:ssg-sysctl_net_ipv6_conf_default_accept_redirects_action:testaction:1 Disable IPv6 Networking Support Automatic Loading ocil:ssg-sysctl_net_ipv6_conf_all_disable_ipv6_action:testaction:1 Disable IPv6 Networking Support Automatic Loading ocil:ssg-kernel_module_ipv6_option_disabled_action:testaction:1 Verify Any Configured IPSec Tunnel Connections ocil:ssg-libreswan_approved_tunnels_action:testaction:1 Install libreswan Package ocil:ssg-package_libreswan_installed_action:testaction:1 Verify ip6tables Enabled if Using IPv6 ocil:ssg-service_ip6tables_enabled_action:testaction:1 Verify iptables Enabled ocil:ssg-service_iptables_enabled_action:testaction:1 Set Default ip6tables Policy for Incoming Packets ocil:ssg-set_ip6tables_default_rule_action:testaction:1 Set Default iptables Policy for Forwarded Packets ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 Set Default iptables Policy for Incoming Packets ocil:ssg-set_iptables_default_rule_action:testaction:1 Set Default firewalld Zone for Incoming Packets ocil:ssg-set_firewalld_default_zone_action:testaction:1 Configure the Firewalld Ports ocil:ssg-configure_firewalld_ports_action:testaction:1 Configure firewalld To Rate Limit Connections ocil:ssg-configure_firewalld_rate_limiting_action:testaction:1 Verify firewalld Enabled ocil:ssg-service_firewalld_enabled_action:testaction:1 Install firewalld ocil:ssg-package_firewalld_installed_action:testaction:1 Configure Kernel Parameter for Accepting Source-Routed Packets By Default ocil:ssg-sysctl_net_ipv4_conf_default_accept_source_route_action:testaction:1 Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requests ocil:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_action:testaction:1 Configure Kernel Parameter to Log Martian Packets By Default 
ocil:ssg-sysctl_net_ipv4_conf_default_log_martians_action:testaction:1 Configure Kernel Parameter to Use Reverse Path Filtering by Default ocil:ssg-sysctl_net_ipv4_conf_default_rp_filter_action:testaction:1 Configure Kernel Parameter for Accepting Secure Redirects for All Interfaces ocil:ssg-sysctl_net_ipv4_conf_all_secure_redirects_action:testaction:1 Configure Kernel Parameter to Use TCP Syncookies ocil:ssg-sysctl_net_ipv4_tcp_syncookies_action:testaction:1 Configure Kernel Parameter for Accepting ICMP Redirects for All Interfaces ocil:ssg-sysctl_net_ipv4_conf_all_accept_redirects_action:testaction:1 Configure Kernel Parameter to Log Martian Packets ocil:ssg-sysctl_net_ipv4_conf_all_log_martians_action:testaction:1 Configure Kernel Parameter to Use Reverse Path Filtering for All Interfaces ocil:ssg-sysctl_net_ipv4_conf_all_rp_filter_action:testaction:1 Configure Kernel Parameter to Ignore Bogus ICMP Error Responses ocil:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses_action:testaction:1 Configure Kernel Parameter for Accepting Secure Redirects By Default ocil:ssg-sysctl_net_ipv4_conf_default_secure_redirects_action:testaction:1 Configure Kernel Parameter for Accepting IPv4 Source-Routed Packets for All Interfaces ocil:ssg-sysctl_net_ipv4_conf_all_accept_source_route_action:testaction:1 Configure Kernel Parameter for Accepting ICMP Redirects By Default ocil:ssg-sysctl_net_ipv4_conf_default_accept_redirects_action:testaction:1 Disable Kernel Parameter for IP Forwarding ocil:ssg-sysctl_net_ipv4_ip_forward_action:testaction:1 Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces ocil:ssg-sysctl_net_ipv4_conf_all_send_redirects_action:testaction:1 Disable Kernel Parameter for Sending ICMP Redirects by Default ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_action:testaction:1 Disable DCCP Support ocil:ssg-kernel_module_dccp_disabled_action:testaction:1 Disable RDS Support ocil:ssg-kernel_module_rds_disabled_action:testaction:1 Disable TIPC 
Support ocil:ssg-kernel_module_tipc_disabled_action:testaction:1 Disable SCTP Support ocil:ssg-kernel_module_sctp_disabled_action:testaction:1 Disable Bluetooth Kernel Modules ocil:ssg-kernel_module_bluetooth_disabled_action:testaction:1 Disable Bluetooth Service ocil:ssg-service_bluetooth_disabled_action:testaction:1 Deactivate Wireless Network Interfaces ocil:ssg-wireless_disable_interfaces_action:testaction:1 Ensure System is Not Acting as a Network Sniffer ocil:ssg-network_sniffer_disabled_action:testaction:1 Configure Multiple DNS Servers in /etc/resolv.conf ocil:ssg-network_configure_name_resolution_action:testaction:1 Disable Client Dynamic DNS Updates ocil:ssg-network_disable_ddns_interfaces_action:testaction:1 Set Boot Loader Password in grub2 ocil:ssg-grub2_password_action:testaction:1 Verify /boot/grub2/grub.cfg Permissions ocil:ssg-file_permissions_grub2_cfg_action:testaction:1 Verify /boot/grub2/grub.cfg User Ownership ocil:ssg-file_owner_grub2_cfg_action:testaction:1 Set the UEFI Boot Loader Password ocil:ssg-grub2_uefi_password_action:testaction:1 Boat Loader Is Not Installed On Removeable Media ocil:ssg-grub2_no_removeable_media_action:testaction:1 Verify /boot/efi/EFI/redhat/grub.cfg Group Ownership ocil:ssg-file_groupowner_efi_grub2_cfg_action:testaction:1 Verify /boot/grub2/grub.cfg Group Ownership ocil:ssg-file_groupowner_grub2_cfg_action:testaction:1 UEFI Boat Loader Is Not Installed On Removeable Media ocil:ssg-uefi_no_removeable_media_action:testaction:1 Verify /boot/efi/EFI/redhat/grub.cfg User Ownership ocil:ssg-file_owner_efi_grub2_cfg_action:testaction:1 Verify /boot/efi/EFI/redhat/grub.cfg Permissions ocil:ssg-file_permissions_efi_grub2_cfg_action:testaction:1 Disable the openvpn_can_network_connect SELinux Boolean ocil:ssg-sebool_openvpn_can_network_connect_action:testaction:1 Disable the httpd_use_gpg SELinux Boolean ocil:ssg-sebool_httpd_use_gpg_action:testaction:1 Disable the ssh_sysadm_login SELinux Boolean 
ocil:ssg-sebool_ssh_sysadm_login_action:testaction:1 Disable the httpd_run_stickshift SELinux Boolean ocil:ssg-sebool_httpd_run_stickshift_action:testaction:1 Disable the polipo_connect_all_unreserved SELinux Boolean ocil:ssg-sebool_polipo_connect_all_unreserved_action:testaction:1 Disable the httpd_sys_script_anon_write SELinux Boolean ocil:ssg-sebool_httpd_sys_script_anon_write_action:testaction:1 Disable the pcp_bind_all_unreserved_ports SELinux Boolean ocil:ssg-sebool_pcp_bind_all_unreserved_ports_action:testaction:1 Disable the minidlna_read_generic_user_content SELinux Boolean ocil:ssg-sebool_minidlna_read_generic_user_content_action:testaction:1 Enable the auditadm_exec_content SELinux Boolean ocil:ssg-sebool_auditadm_exec_content_action:testaction:1 Disable the authlogin_radius SELinux Boolean ocil:ssg-sebool_authlogin_radius_action:testaction:1 Disable the logwatch_can_network_connect_mail SELinux Boolean ocil:ssg-sebool_logwatch_can_network_connect_mail_action:testaction:1 Disable the logrotate_use_nfs SELinux Boolean ocil:ssg-sebool_logrotate_use_nfs_action:testaction:1 Disable the git_cgi_use_cifs SELinux Boolean ocil:ssg-sebool_git_cgi_use_cifs_action:testaction:1 Disable the postgresql_can_rsync SELinux Boolean ocil:ssg-sebool_postgresql_can_rsync_action:testaction:1 disable the selinuxuser_execstack SELinux Boolean ocil:ssg-sebool_selinuxuser_execstack_action:testaction:1 Disable the entropyd_use_audio SELinux Boolean ocil:ssg-sebool_entropyd_use_audio_action:testaction:1 Disable the httpd_execmem SELinux Boolean ocil:ssg-sebool_httpd_execmem_action:testaction:1 Enable the mount_anyfile SELinux Boolean ocil:ssg-sebool_mount_anyfile_action:testaction:1 Disable the smartmon_3ware SELinux Boolean ocil:ssg-sebool_smartmon_3ware_action:testaction:1 Disable the git_cgi_enable_homedirs SELinux Boolean ocil:ssg-sebool_git_cgi_enable_homedirs_action:testaction:1 Disable the mailman_use_fusefs SELinux Boolean 
ocil:ssg-sebool_mailman_use_fusefs_action:testaction:1 Disable the httpd_can_check_spam SELinux Boolean ocil:ssg-sebool_httpd_can_check_spam_action:testaction:1 Disable the fenced_can_ssh SELinux Boolean ocil:ssg-sebool_fenced_can_ssh_action:testaction:1 Disable the nagios_run_pnp4nagios SELinux Boolean ocil:ssg-sebool_nagios_run_pnp4nagios_action:testaction:1 Disable the httpd_can_network_connect SELinux Boolean ocil:ssg-sebool_httpd_can_network_connect_action:testaction:1 Disable the mozilla_plugin_can_network_connect SELinux Boolean ocil:ssg-sebool_mozilla_plugin_can_network_connect_action:testaction:1 Disable the git_session_bind_all_unreserved_ports SELinux Boolean ocil:ssg-sebool_git_session_bind_all_unreserved_ports_action:testaction:1 Disable the tmpreaper_use_samba SELinux Boolean ocil:ssg-sebool_tmpreaper_use_samba_action:testaction:1 Disable the selinuxuser_tcp_server SELinux Boolean ocil:ssg-sebool_selinuxuser_tcp_server_action:testaction:1 Disable the httpd_anon_write SELinux Boolean ocil:ssg-sebool_httpd_anon_write_action:testaction:1 Disable the httpd_can_connect_ldap SELinux Boolean ocil:ssg-sebool_httpd_can_connect_ldap_action:testaction:1 Disable the xen_use_nfs SELinux Boolean ocil:ssg-sebool_xen_use_nfs_action:testaction:1 Disable the daemons_use_tcp_wrapper SELinux Boolean ocil:ssg-sebool_daemons_use_tcp_wrapper_action:testaction:1 Disable the ftpd_connect_db SELinux Boolean ocil:ssg-sebool_ftpd_connect_db_action:testaction:1 Disable the ftpd_use_nfs SELinux Boolean ocil:ssg-sebool_ftpd_use_nfs_action:testaction:1 Disable the cron_can_relabel SELinux Boolean ocil:ssg-sebool_cron_can_relabel_action:testaction:1 Disable the openvpn_run_unconfined SELinux Boolean ocil:ssg-sebool_openvpn_run_unconfined_action:testaction:1 Disable the zebra_write_config SELinux Boolean ocil:ssg-sebool_zebra_write_config_action:testaction:1 Disable the virt_rw_qemu_ga_data SELinux Boolean ocil:ssg-sebool_virt_rw_qemu_ga_data_action:testaction:1 Disable the 
condor_tcp_network_connect SELinux Boolean ocil:ssg-sebool_condor_tcp_network_connect_action:testaction:1 Disable the fcron_crond SELinux Boolean ocil:ssg-sebool_fcron_crond_action:testaction:1 Disable the nfsd_anon_write SELinux Boolean ocil:ssg-sebool_nfsd_anon_write_action:testaction:1 Enable the logadm_exec_content SELinux Boolean ocil:ssg-sebool_logadm_exec_content_action:testaction:1 Disable the httpd_dbus_sssd SELinux Boolean ocil:ssg-sebool_httpd_dbus_sssd_action:testaction:1 Disable the httpd_manage_ipa SELinux Boolean ocil:ssg-sebool_httpd_manage_ipa_action:testaction:1 Disable the haproxy_connect_any SELinux Boolean ocil:ssg-sebool_haproxy_connect_any_action:testaction:1 Disable the httpd_setrlimit SELinux Boolean ocil:ssg-sebool_httpd_setrlimit_action:testaction:1 Disable the antivirus_use_jit SELinux Boolean ocil:ssg-sebool_antivirus_use_jit_action:testaction:1 Disable the rsync_full_access SELinux Boolean ocil:ssg-sebool_rsync_full_access_action:testaction:1 Disable the httpd_run_ipa SELinux Boolean ocil:ssg-sebool_httpd_run_ipa_action:testaction:1 Configure the httpd_builtin_scripting SELinux Boolean ocil:ssg-sebool_httpd_builtin_scripting_action:testaction:1 Disable the staff_use_svirt SELinux Boolean ocil:ssg-sebool_staff_use_svirt_action:testaction:1 Enable the user_exec_content SELinux Boolean ocil:ssg-sebool_user_exec_content_action:testaction:1 Disable the samba_run_unconfined SELinux Boolean ocil:ssg-sebool_samba_run_unconfined_action:testaction:1 Disable the mozilla_plugin_use_spice SELinux Boolean ocil:ssg-sebool_mozilla_plugin_use_spice_action:testaction:1 Disable the mpd_use_nfs SELinux Boolean ocil:ssg-sebool_mpd_use_nfs_action:testaction:1 Disable the httpd_read_user_content SELinux Boolean ocil:ssg-sebool_httpd_read_user_content_action:testaction:1 Disable the rsync_client SELinux Boolean ocil:ssg-sebool_rsync_client_action:testaction:1 Disable the dbadm_read_user_files SELinux Boolean 
ocil:ssg-sebool_dbadm_read_user_files_action:testaction:1
Disable the deny_ptrace SELinux Boolean | ocil:ssg-sebool_deny_ptrace_action:testaction:1
Enable the nfs_export_all_rw SELinux Boolean | ocil:ssg-sebool_nfs_export_all_rw_action:testaction:1
Disable the rsync_anon_write SELinux Boolean | ocil:ssg-sebool_rsync_anon_write_action:testaction:1
Disable the httpd_can_network_memcache SELinux Boolean | ocil:ssg-sebool_httpd_can_network_memcache_action:testaction:1
Enable the virt_sandbox_use_audit SELinux Boolean | ocil:ssg-sebool_virt_sandbox_use_audit_action:testaction:1
Disable the mozilla_read_content SELinux Boolean | ocil:ssg-sebool_mozilla_read_content_action:testaction:1
Disable the xserver_object_manager SELinux Boolean | ocil:ssg-sebool_xserver_object_manager_action:testaction:1
Disable the httpd_tty_comm SELinux Boolean | ocil:ssg-sebool_httpd_tty_comm_action:testaction:1
Disable the collectd_tcp_network_connect SELinux Boolean | ocil:ssg-sebool_collectd_tcp_network_connect_action:testaction:1
Disable the xdm_sysadm_login SELinux Boolean | ocil:ssg-sebool_xdm_sysadm_login_action:testaction:1
Disable the pcp_read_generic_logs SELinux Boolean | ocil:ssg-sebool_pcp_read_generic_logs_action:testaction:1
Enable the spamd_enable_home_dirs SELinux Boolean | ocil:ssg-sebool_spamd_enable_home_dirs_action:testaction:1
Disable the xguest_mount_media SELinux Boolean | ocil:ssg-sebool_xguest_mount_media_action:testaction:1
Disable the polipo_session_bind_all_unreserved_ports SELinux Boolean | ocil:ssg-sebool_polipo_session_bind_all_unreserved_ports_action:testaction:1
Disable the container_connect_any SELinux Boolean | ocil:ssg-sebool_container_connect_any_action:testaction:1
Disable the tftp_anon_write SELinux Boolean | ocil:ssg-sebool_tftp_anon_write_action:testaction:1
Disable the git_system_use_nfs SELinux Boolean | ocil:ssg-sebool_git_system_use_nfs_action:testaction:1
Disable the virt_use_usb SELinux Boolean | ocil:ssg-sebool_virt_use_usb_action:testaction:1
Disable the nis_enabled SELinux Boolean | ocil:ssg-sebool_nis_enabled_action:testaction:1
Disable the selinuxuser_mysql_connect_enabled SELinux Boolean | ocil:ssg-sebool_selinuxuser_mysql_connect_enabled_action:testaction:1
Disable the samba_share_fusefs SELinux Boolean | ocil:ssg-sebool_samba_share_fusefs_action:testaction:1
Disable the httpd_enable_ftp_server SELinux Boolean | ocil:ssg-sebool_httpd_enable_ftp_server_action:testaction:1
Disable the pppd_for_user SELinux Boolean | ocil:ssg-sebool_pppd_for_user_action:testaction:1
Disable the virt_sandbox_use_all_caps SELinux Boolean | ocil:ssg-sebool_virt_sandbox_use_all_caps_action:testaction:1
Disable the mozilla_plugin_use_gps SELinux Boolean | ocil:ssg-sebool_mozilla_plugin_use_gps_action:testaction:1
Disable the samba_domain_controller SELinux Boolean | ocil:ssg-sebool_samba_domain_controller_action:testaction:1
Disable the boinc_execmem SELinux Boolean | ocil:ssg-sebool_boinc_execmem_action:testaction:1
Disable the use_fusefs_home_dirs SELinux Boolean | ocil:ssg-sebool_use_fusefs_home_dirs_action:testaction:1
Disable the tmpreaper_use_nfs SELinux Boolean | ocil:ssg-sebool_tmpreaper_use_nfs_action:testaction:1
Disable the sanlock_use_fusefs SELinux Boolean | ocil:ssg-sebool_sanlock_use_fusefs_action:testaction:1
Disable the ssh_keysign SELinux Boolean | ocil:ssg-sebool_ssh_keysign_action:testaction:1
Disable the httpd_tmp_exec SELinux Boolean | ocil:ssg-sebool_httpd_tmp_exec_action:testaction:1
Disable the httpd_use_fusefs SELinux Boolean | ocil:ssg-sebool_httpd_use_fusefs_action:testaction:1
Enable the staff_exec_content SELinux Boolean | ocil:ssg-sebool_staff_exec_content_action:testaction:1
Enable the nscd_use_shm SELinux Boolean | ocil:ssg-sebool_nscd_use_shm_action:testaction:1
Disable the global_ssp SELinux Boolean | ocil:ssg-sebool_global_ssp_action:testaction:1
Disable the virt_use_fusefs SELinux Boolean | ocil:ssg-sebool_virt_use_fusefs_action:testaction:1
Disable the gluster_anon_write SELinux Boolean | ocil:ssg-sebool_gluster_anon_write_action:testaction:1
Disable the wine_mmap_zero_ignore SELinux Boolean | ocil:ssg-sebool_wine_mmap_zero_ignore_action:testaction:1
Disable the fenced_can_network_connect SELinux Boolean | ocil:ssg-sebool_fenced_can_network_connect_action:testaction:1
Disable the zabbix_can_network SELinux Boolean | ocil:ssg-sebool_zabbix_can_network_action:testaction:1
Disable the virt_use_nfs SELinux Boolean | ocil:ssg-sebool_virt_use_nfs_action:testaction:1
Disable the prosody_bind_http_port SELinux Boolean | ocil:ssg-sebool_prosody_bind_http_port_action:testaction:1
Disable the use_samba_home_dirs SELinux Boolean | ocil:ssg-sebool_use_samba_home_dirs_action:testaction:1
Enable the cron_userdomain_transition SELinux Boolean | ocil:ssg-sebool_cron_userdomain_transition_action:testaction:1
Disable the spamassassin_can_network SELinux Boolean | ocil:ssg-sebool_spamassassin_can_network_action:testaction:1
Disable the git_cgi_use_nfs SELinux Boolean | ocil:ssg-sebool_git_cgi_use_nfs_action:testaction:1
Disable the secure_mode_insmod SELinux Boolean | ocil:ssg-sebool_secure_mode_insmod_action:testaction:1
Disable the mysql_connect_any SELinux Boolean | ocil:ssg-sebool_mysql_connect_any_action:testaction:1
Disable the samba_load_libgfapi SELinux Boolean | ocil:ssg-sebool_samba_load_libgfapi_action:testaction:1
Disable the samba_portmapper SELinux Boolean | ocil:ssg-sebool_samba_portmapper_action:testaction:1
Disable the httpd_run_preupgrade SELinux Boolean | ocil:ssg-sebool_httpd_run_preupgrade_action:testaction:1
Disable the virt_use_xserver SELinux Boolean | ocil:ssg-sebool_virt_use_xserver_action:testaction:1
Disable the mplayer_execstack SELinux Boolean | ocil:ssg-sebool_mplayer_execstack_action:testaction:1
Disable the selinuxuser_rw_noexattrfile SELinux Boolean | ocil:ssg-sebool_selinuxuser_rw_noexattrfile_action:testaction:1
Disable the neutron_can_network SELinux Boolean | ocil:ssg-sebool_neutron_can_network_action:testaction:1
Disable the ftpd_full_access SELinux Boolean | ocil:ssg-sebool_ftpd_full_access_action:testaction:1
Disable the ftpd_use_fusefs SELinux Boolean | ocil:ssg-sebool_ftpd_use_fusefs_action:testaction:1
Disable the deny_execmem SELinux Boolean | ocil:ssg-sebool_deny_execmem_action:testaction:1
Disable the ssh_chroot_rw_homedirs SELinux Boolean | ocil:ssg-sebool_ssh_chroot_rw_homedirs_action:testaction:1
Disable the httpd_mod_auth_pam SELinux Boolean | ocil:ssg-sebool_httpd_mod_auth_pam_action:testaction:1
Disable the authlogin_yubikey SELinux Boolean | ocil:ssg-sebool_authlogin_yubikey_action:testaction:1
Disable the virt_use_samba SELinux Boolean | ocil:ssg-sebool_virt_use_samba_action:testaction:1
Disable the httpd_can_connect_ftp SELinux Boolean | ocil:ssg-sebool_httpd_can_connect_ftp_action:testaction:1
Disable the abrt_anon_write SELinux Boolean | ocil:ssg-sebool_abrt_anon_write_action:testaction:1
Disable the named_tcp_bind_http_port SELinux Boolean | ocil:ssg-sebool_named_tcp_bind_http_port_action:testaction:1
Disable the squid_use_tproxy SELinux Boolean | ocil:ssg-sebool_squid_use_tproxy_action:testaction:1
Disable the dhcpd_use_ldap SELinux Boolean | ocil:ssg-sebool_dhcpd_use_ldap_action:testaction:1
Disable the tftp_home_dir SELinux Boolean | ocil:ssg-sebool_tftp_home_dir_action:testaction:1
Disable the awstats_purge_apache_log_files SELinux Boolean | ocil:ssg-sebool_awstats_purge_apache_log_files_action:testaction:1
Disable the samba_share_nfs SELinux Boolean | ocil:ssg-sebool_samba_share_nfs_action:testaction:1
Disable the glance_use_fusefs SELinux Boolean | ocil:ssg-sebool_glance_use_fusefs_action:testaction:1
Disable the sanlock_use_nfs SELinux Boolean | ocil:ssg-sebool_sanlock_use_nfs_action:testaction:1
Configure the gluster_export_all_rw SELinux Boolean | ocil:ssg-sebool_gluster_export_all_rw_action:testaction:1
Disable the mozilla_plugin_bind_unreserved_ports SELinux Boolean | ocil:ssg-sebool_mozilla_plugin_bind_unreserved_ports_action:testaction:1
Enable the logging_syslogd_use_tty SELinux Boolean | ocil:ssg-sebool_logging_syslogd_use_tty_action:testaction:1
Enable the login_console_enabled SELinux Boolean | ocil:ssg-sebool_login_console_enabled_action:testaction:1
Disable the glance_api_can_network SELinux Boolean | ocil:ssg-sebool_glance_api_can_network_action:testaction:1
Disable the abrt_handle_event SELinux Boolean | ocil:ssg-sebool_abrt_handle_event_action:testaction:1
Disable the gluster_export_all_ro SELinux Boolean | ocil:ssg-sebool_gluster_export_all_ro_action:testaction:1
Disable the ksmtuned_use_nfs SELinux Boolean | ocil:ssg-sebool_ksmtuned_use_nfs_action:testaction:1
Disable the puppetagent_manage_all_files SELinux Boolean | ocil:ssg-sebool_puppetagent_manage_all_files_action:testaction:1
Disable the httpd_dontaudit_search_dirs SELinux Boolean | ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1
Disable the smbd_anon_write SELinux Boolean | ocil:ssg-sebool_smbd_anon_write_action:testaction:1
Disable the cron_system_cronjob_use_shares SELinux Boolean | ocil:ssg-sebool_cron_system_cronjob_use_shares_action:testaction:1
Disable the mozilla_plugin_use_bluejeans SELinux Boolean | ocil:ssg-sebool_mozilla_plugin_use_bluejeans_action:testaction:1
Disable the openvpn_enable_homedirs SELinux Boolean | ocil:ssg-sebool_openvpn_enable_homedirs_action:testaction:1
Disable the mcelog_server SELinux Boolean | ocil:ssg-sebool_mcelog_server_action:testaction:1
Enable the mcelog_exec_scripts SELinux Boolean | ocil:ssg-sebool_mcelog_exec_scripts_action:testaction:1
Disable the sge_use_nfs SELinux Boolean | ocil:ssg-sebool_sge_use_nfs_action:testaction:1
Disable the webadm_read_user_files SELinux Boolean | ocil:ssg-sebool_webadm_read_user_files_action:testaction:1
Disable the piranha_lvs_can_network_connect SELinux Boolean | ocil:ssg-sebool_piranha_lvs_can_network_connect_action:testaction:1
Disable the domain_kernel_load_modules SELinux Boolean | ocil:ssg-sebool_domain_kernel_load_modules_action:testaction:1
Disable the exim_manage_user_files SELinux Boolean | ocil:ssg-sebool_exim_manage_user_files_action:testaction:1
Disable the virt_sandbox_use_netlink SELinux Boolean | ocil:ssg-sebool_virt_sandbox_use_netlink_action:testaction:1
Enable the unconfined_chrome_sandbox_transition SELinux Boolean | ocil:ssg-sebool_unconfined_chrome_sandbox_transition_action:testaction:1
Disable the httpd_verify_dns SELinux Boolean | ocil:ssg-sebool_httpd_verify_dns_action:testaction:1
Disable the virt_read_qemu_ga_data SELinux Boolean | ocil:ssg-sebool_virt_read_qemu_ga_data_action:testaction:1
Disable the glance_use_execmem SELinux Boolean | ocil:ssg-sebool_glance_use_execmem_action:testaction:1
Disable the httpd_can_sendmail SELinux Boolean | ocil:ssg-sebool_httpd_can_sendmail_action:testaction:1
Disable the httpd_enable_homedirs SELinux Boolean | ocil:ssg-sebool_httpd_enable_homedirs_action:testaction:1
Disable the cdrecord_read_content SELinux Boolean | ocil:ssg-sebool_cdrecord_read_content_action:testaction:1
Enable the unconfined_login SELinux Boolean | ocil:ssg-sebool_unconfined_login_action:testaction:1
Disable the logging_syslogd_can_sendmail SELinux Boolean | ocil:ssg-sebool_logging_syslogd_can_sendmail_action:testaction:1
Disable the gitosis_can_sendmail SELinux Boolean | ocil:ssg-sebool_gitosis_can_sendmail_action:testaction:1
Disable the httpd_use_sasl SELinux Boolean | ocil:ssg-sebool_httpd_use_sasl_action:testaction:1
Disable the git_system_use_cifs SELinux Boolean | ocil:ssg-sebool_git_system_use_cifs_action:testaction:1
Disable the virt_use_comm SELinux Boolean | ocil:ssg-sebool_virt_use_comm_action:testaction:1
Disable the selinuxuser_postgresql_connect_enabled SELinux Boolean | ocil:ssg-sebool_selinuxuser_postgresql_connect_enabled_action:testaction:1
Disable the dbadm_manage_user_files SELinux Boolean | ocil:ssg-sebool_dbadm_manage_user_files_action:testaction:1
Disable the httpd_can_network_connect_db SELinux Boolean | ocil:ssg-sebool_httpd_can_network_connect_db_action:testaction:1
Configure the httpd_enable_cgi SELinux Boolean | ocil:ssg-sebool_httpd_enable_cgi_action:testaction:1
Enable the antivirus_can_scan_system SELinux Boolean | ocil:ssg-sebool_antivirus_can_scan_system_action:testaction:1
Disable the zarafa_setrlimit SELinux Boolean | ocil:ssg-sebool_zarafa_setrlimit_action:testaction:1
Disable the samba_export_all_ro SELinux Boolean | ocil:ssg-sebool_samba_export_all_ro_action:testaction:1
Disable the zoneminder_anon_write SELinux Boolean | ocil:ssg-sebool_zoneminder_anon_write_action:testaction:1
Disable the daemons_enable_cluster_mode SELinux Boolean | ocil:ssg-sebool_daemons_enable_cluster_mode_action:testaction:1
Disable the httpd_can_connect_mythtv SELinux Boolean | ocil:ssg-sebool_httpd_can_connect_mythtv_action:testaction:1
Disable the squid_connect_any SELinux Boolean | ocil:ssg-sebool_squid_connect_any_action:testaction:1
Disable the varnishd_connect_any SELinux Boolean | ocil:ssg-sebool_varnishd_connect_any_action:testaction:1
Disable the privoxy_connect_any SELinux Boolean | ocil:ssg-sebool_privoxy_connect_any_action:testaction:1
Enable the xend_run_qemu SELinux Boolean | ocil:ssg-sebool_xend_run_qemu_action:testaction:1
Disable the abrt_upload_watch_anon_write SELinux Boolean | ocil:ssg-sebool_abrt_upload_watch_anon_write_action:testaction:1
Disable the openshift_use_nfs SELinux Boolean | ocil:ssg-sebool_openshift_use_nfs_action:testaction:1
Enable the unconfined_mozilla_plugin_transition SELinux Boolean | ocil:ssg-sebool_unconfined_mozilla_plugin_transition_action:testaction:1
Disable the conman_can_network SELinux Boolean | ocil:ssg-sebool_conman_can_network_action:testaction:1
Disable the cobbler_can_network_connect SELinux Boolean | ocil:ssg-sebool_cobbler_can_network_connect_action:testaction:1
Disable the daemons_use_tty SELinux Boolean | ocil:ssg-sebool_daemons_use_tty_action:testaction:1
Disable the zoneminder_run_sudo SELinux Boolean | ocil:ssg-sebool_zoneminder_run_sudo_action:testaction:1
Enable the postgresql_selinux_unconfined_dbadm SELinux Boolean | ocil:ssg-sebool_postgresql_selinux_unconfined_dbadm_action:testaction:1
Disable the samba_export_all_rw SELinux Boolean | ocil:ssg-sebool_samba_export_all_rw_action:testaction:1
Enable the httpd_graceful_shutdown SELinux Boolean | ocil:ssg-sebool_httpd_graceful_shutdown_action:testaction:1
Disable the pppd_can_insmod SELinux Boolean | ocil:ssg-sebool_pppd_can_insmod_action:testaction:1
Disable the webadm_manage_user_files SELinux Boolean | ocil:ssg-sebool_webadm_manage_user_files_action:testaction:1
Disable the secure_mode SELinux Boolean | ocil:ssg-sebool_secure_mode_action:testaction:1
Disable the cluster_use_execmem SELinux Boolean | ocil:ssg-sebool_cluster_use_execmem_action:testaction:1
Disable the httpd_serve_cobbler_files SELinux Boolean | ocil:ssg-sebool_httpd_serve_cobbler_files_action:testaction:1
Disable the irssi_use_full_network SELinux Boolean | ocil:ssg-sebool_irssi_use_full_network_action:testaction:1
Disable the xdm_bind_vnc_tcp_port SELinux Boolean | ocil:ssg-sebool_xdm_bind_vnc_tcp_port_action:testaction:1
Configure the selinuxuser_direct_dri_enabled SELinux Boolean | ocil:ssg-sebool_selinuxuser_direct_dri_enabled_action:testaction:1
Disable the swift_can_network SELinux Boolean | ocil:ssg-sebool_swift_can_network_action:testaction:1
Disable the httpd_can_connect_zabbix SELinux Boolean | ocil:ssg-sebool_httpd_can_connect_zabbix_action:testaction:1
Disable the mcelog_foreground SELinux Boolean | ocil:ssg-sebool_mcelog_foreground_action:testaction:1
Disable the cobbler_use_cifs SELinux Boolean | ocil:ssg-sebool_cobbler_use_cifs_action:testaction:1
Disable the virt_sandbox_use_sys_admin SELinux Boolean | ocil:ssg-sebool_virt_sandbox_use_sys_admin_action:testaction:1
Disable the virt_use_execmem SELinux Boolean | ocil:ssg-sebool_virt_use_execmem_action:testaction:1
Disable the exim_can_connect_db SELinux Boolean | ocil:ssg-sebool_exim_can_connect_db_action:testaction:1
Disable the cluster_manage_all_files SELinux Boolean | ocil:ssg-sebool_cluster_manage_all_files_action:testaction:1
Disable the xserver_execmem SELinux Boolean | ocil:ssg-sebool_xserver_execmem_action:testaction:1
Disable the cobbler_use_nfs SELinux Boolean | ocil:ssg-sebool_cobbler_use_nfs_action:testaction:1
Disable the cups_execmem SELinux Boolean | ocil:ssg-sebool_cups_execmem_action:testaction:1
Disable the puppetmaster_use_db SELinux Boolean | ocil:ssg-sebool_puppetmaster_use_db_action:testaction:1
Disable the xserver_clients_write_xshm SELinux Boolean | ocil:ssg-sebool_xserver_clients_write_xshm_action:testaction:1
Disable the use_ecryptfs_home_dirs SELinux Boolean | ocil:ssg-sebool_use_ecryptfs_home_dirs_action:testaction:1
Enable the dbadm_exec_content SELinux Boolean | ocil:ssg-sebool_dbadm_exec_content_action:testaction:1
Disable the use_nfs_home_dirs SELinux Boolean | ocil:ssg-sebool_use_nfs_home_dirs_action:testaction:1
Disable the tor_can_network_relay SELinux Boolean | ocil:ssg-sebool_tor_can_network_relay_action:testaction:1
Disable the httpd_unified SELinux Boolean | ocil:ssg-sebool_httpd_unified_action:testaction:1
Disable the mock_enable_homedirs SELinux Boolean | ocil:ssg-sebool_mock_enable_homedirs_action:testaction:1
Disable the httpd_can_network_relay SELinux Boolean | ocil:ssg-sebool_httpd_can_network_relay_action:testaction:1
Disable the xguest_exec_content SELinux Boolean | ocil:ssg-sebool_xguest_exec_content_action:testaction:1
Disable the nagios_run_sudo SELinux Boolean | ocil:ssg-sebool_nagios_run_sudo_action:testaction:1
Disable the virt_transition_userdomain SELinux Boolean | ocil:ssg-sebool_virt_transition_userdomain_action:testaction:1
Disable the httpd_ssi_exec SELinux Boolean | ocil:ssg-sebool_httpd_ssi_exec_action:testaction:1
Disable the ksmtuned_use_cifs SELinux Boolean | ocil:ssg-sebool_ksmtuned_use_cifs_action:testaction:1
Disable the mpd_use_cifs SELinux Boolean | ocil:ssg-sebool_mpd_use_cifs_action:testaction:1
Disable the use_lpd_server SELinux Boolean | ocil:ssg-sebool_use_lpd_server_action:testaction:1
Disable the polipo_use_nfs SELinux Boolean | ocil:ssg-sebool_polipo_use_nfs_action:testaction:1
Disable the lsmd_plugin_connect_any SELinux Boolean | ocil:ssg-sebool_lsmd_plugin_connect_any_action:testaction:1
Disable the ftpd_connect_all_unreserved SELinux Boolean | ocil:ssg-sebool_ftpd_connect_all_unreserved_action:testaction:1
Disable the virt_use_rawip SELinux Boolean | ocil:ssg-sebool_virt_use_rawip_action:testaction:1
Disable the gpg_web_anon_write SELinux Boolean | ocil:ssg-sebool_gpg_web_anon_write_action:testaction:1
Disable the telepathy_connect_all_ports SELinux Boolean | ocil:ssg-sebool_telepathy_connect_all_ports_action:testaction:1
Disable the tor_bind_all_unreserved_ports SELinux Boolean | ocil:ssg-sebool_tor_bind_all_unreserved_ports_action:testaction:1
Disable the dhcpc_exec_iptables SELinux Boolean | ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1
Enable the domain_fd_use SELinux Boolean | ocil:ssg-sebool_domain_fd_use_action:testaction:1
Disable the polipo_use_cifs SELinux Boolean | ocil:ssg-sebool_polipo_use_cifs_action:testaction:1
Disable the samba_create_home_dirs SELinux Boolean | ocil:ssg-sebool_samba_create_home_dirs_action:testaction:1
Disable the mmap_low_allowed SELinux Boolean | ocil:ssg-sebool_mmap_low_allowed_action:testaction:1
Disable the selinuxuser_share_music SELinux Boolean | ocil:ssg-sebool_selinuxuser_share_music_action:testaction:1
Disable the ftpd_use_cifs SELinux Boolean | ocil:ssg-sebool_ftpd_use_cifs_action:testaction:1
Enable the xend_run_blktap SELinux Boolean | ocil:ssg-sebool_xend_run_blktap_action:testaction:1
Disable the mcelog_client SELinux Boolean | ocil:ssg-sebool_mcelog_client_action:testaction:1
Disable the cluster_can_network_connect SELinux Boolean | ocil:ssg-sebool_cluster_can_network_connect_action:testaction:1
Enable the selinuxuser_execmod SELinux Boolean | ocil:ssg-sebool_selinuxuser_execmod_action:testaction:1
Disable the httpd_use_nfs SELinux Boolean | ocil:ssg-sebool_httpd_use_nfs_action:testaction:1
Disable the cobbler_anon_write SELinux Boolean | ocil:ssg-sebool_cobbler_anon_write_action:testaction:1
Disable the selinuxuser_udp_server SELinux Boolean | ocil:ssg-sebool_selinuxuser_udp_server_action:testaction:1
Enable the gssd_read_tmp SELinux Boolean | ocil:ssg-sebool_gssd_read_tmp_action:testaction:1
Disable the kdumpgui_run_bootloader SELinux Boolean | ocil:ssg-sebool_kdumpgui_run_bootloader_action:testaction:1
Disable the telepathy_tcp_connect_generic_network_ports SELinux Boolean | ocil:ssg-sebool_telepathy_tcp_connect_generic_network_ports_action:testaction:1
Disable the rsync_export_all_ro SELinux Boolean | ocil:ssg-sebool_rsync_export_all_ro_action:testaction:1
Disable the xguest_connect_network SELinux Boolean | ocil:ssg-sebool_xguest_connect_network_action:testaction:1
Disable the samba_enable_home_dirs SELinux Boolean | ocil:ssg-sebool_samba_enable_home_dirs_action:testaction:1
Disable the virt_use_sanlock SELinux Boolean | ocil:ssg-sebool_virt_use_sanlock_action:testaction:1
Disable the saslauthd_read_shadow SELinux Boolean | ocil:ssg-sebool_saslauthd_read_shadow_action:testaction:1
Disable the xdm_write_home SELinux Boolean | ocil:ssg-sebool_xdm_write_home_action:testaction:1
Disable the named_write_master_zones SELinux Boolean | ocil:ssg-sebool_named_write_master_zones_action:testaction:1
Disable the polipo_session_users SELinux Boolean | ocil:ssg-sebool_polipo_session_users_action:testaction:1
Enable the sysadm_exec_content SELinux Boolean | ocil:ssg-sebool_sysadm_exec_content_action:testaction:1
Disable the xguest_use_bluetooth SELinux Boolean | ocil:ssg-sebool_xguest_use_bluetooth_action:testaction:1
Disable the unprivuser_use_svirt SELinux Boolean | ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1
Enable the kerberos_enabled SELinux Boolean | ocil:ssg-sebool_kerberos_enabled_action:testaction:1
Disable the sge_domain_can_network_connect SELinux Boolean | ocil:ssg-sebool_sge_domain_can_network_connect_action:testaction:1
Disable the sanlock_use_samba SELinux Boolean | ocil:ssg-sebool_sanlock_use_samba_action:testaction:1
Disable the irc_use_any_tcp_ports SELinux Boolean | ocil:ssg-sebool_irc_use_any_tcp_ports_action:testaction:1
Disable the ftpd_anon_write SELinux Boolean | ocil:ssg-sebool_ftpd_anon_write_action:testaction:1
Disable the guest_exec_content SELinux Boolean | ocil:ssg-sebool_guest_exec_content_action:testaction:1
Disable the selinuxuser_execheap SELinux Boolean | ocil:ssg-sebool_selinuxuser_execheap_action:testaction:1
Disable the secure_mode_policyload SELinux Boolean | ocil:ssg-sebool_secure_mode_policyload_action:testaction:1
Disable the httpd_mod_auth_ntlm_winbind SELinux Boolean | ocil:ssg-sebool_httpd_mod_auth_ntlm_winbind_action:testaction:1
Disable the httpd_use_openstack SELinux Boolean | ocil:ssg-sebool_httpd_use_openstack_action:testaction:1
Disable the httpd_use_cifs SELinux Boolean | ocil:ssg-sebool_httpd_use_cifs_action:testaction:1
Enable the postgresql_selinux_users_ddl SELinux Boolean | ocil:ssg-sebool_postgresql_selinux_users_ddl_action:testaction:1
Enable the nfs_export_all_ro SELinux Boolean | ocil:ssg-sebool_nfs_export_all_ro_action:testaction:1
Disable the daemons_dump_core SELinux Boolean | ocil:ssg-sebool_daemons_dump_core_action:testaction:1
Enable the postfix_local_write_mail_spool SELinux Boolean | ocil:ssg-sebool_postfix_local_write_mail_spool_action:testaction:1
Disable the xdm_exec_bootloader SELinux Boolean | ocil:ssg-sebool_xdm_exec_bootloader_action:testaction:1
Disable the httpd_dbus_avahi SELinux Boolean | ocil:ssg-sebool_httpd_dbus_avahi_action:testaction:1
Disable the exim_read_user_files SELinux Boolean | ocil:ssg-sebool_exim_read_user_files_action:testaction:1
Disable the cvs_read_shadow SELinux Boolean | ocil:ssg-sebool_cvs_read_shadow_action:testaction:1
Disable the racoon_read_shadow SELinux Boolean | ocil:ssg-sebool_racoon_read_shadow_action:testaction:1
Disable the git_system_enable_homedirs SELinux Boolean | ocil:ssg-sebool_git_system_enable_homedirs_action:testaction:1
Enable the fips_mode SELinux Boolean | ocil:ssg-sebool_fips_mode_action:testaction:1
Disable the httpd_can_network_connect_cobbler SELinux Boolean | ocil:ssg-sebool_httpd_can_network_connect_cobbler_action:testaction:1
Disable the polyinstantiation_enabled SELinux Boolean | ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1
Disable the icecast_use_any_tcp_ports SELinux Boolean | ocil:ssg-sebool_icecast_use_any_tcp_ports_action:testaction:1
Disable the selinuxuser_use_ssh_chroot SELinux Boolean | ocil:ssg-sebool_selinuxuser_use_ssh_chroot_action:testaction:1
Disable the authlogin_nsswitch_use_ldap SELinux Boolean | ocil:ssg-sebool_authlogin_nsswitch_use_ldap_action:testaction:1
Disable the virt_sandbox_use_mknod SELinux Boolean | ocil:ssg-sebool_virt_sandbox_use_mknod_action:testaction:1
Enable the selinuxuser_ping SELinux Boolean | ocil:ssg-sebool_selinuxuser_ping_action:testaction:1
Disable the logging_syslogd_run_nagios_plugins SELinux Boolean | ocil:ssg-sebool_logging_syslogd_run_nagios_plugins_action:testaction:1
Disable the mpd_enable_homedirs SELinux Boolean | ocil:ssg-sebool_mpd_enable_homedirs_action:testaction:1
Disable the ftpd_use_passive_mode SELinux Boolean | ocil:ssg-sebool_ftpd_use_passive_mode_action:testaction:1
Enable the secadm_exec_content SELinux Boolean | ocil:ssg-sebool_secadm_exec_content_action:testaction:1
Disable the postgresql_selinux_transmit_client_label SELinux Boolean | ocil:ssg-sebool_postgresql_selinux_transmit_client_label_action:testaction:1
Disable the git_session_users SELinux Boolean | ocil:ssg-sebool_git_session_users_action:testaction:1
Ensure SELinux Not Disabled in /etc/default/grub | ocil:ssg-grub2_enable_selinux_action:testaction:1
Configure SELinux Policy | ocil:ssg-selinux_policytype_action:testaction:1
Ensure No Device Files are Unlabeled by SELinux | ocil:ssg-selinux_all_devicefiles_labeled_action:testaction:1
Map System Users To The Appropriate SELinux Role | ocil:ssg-selinux_user_login_roles_action:testaction:1
Ensure SELinux State is Enforcing | ocil:ssg-selinux_state_action:testaction:1
Set Password Minimum Length in login.defs | ocil:ssg-accounts_password_minlen_login_defs_action:testaction:1
Set Password Warning Age | ocil:ssg-accounts_password_warn_age_login_defs_action:testaction:1
Set Password Minimum Age | ocil:ssg-accounts_minimum_age_login_defs_action:testaction:1
Set Password Maximum Age | ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1
Set Existing Passwords Minimum Age | ocil:ssg-accounts_password_set_min_life_existing_action:testaction:1
Set Existing Passwords Maximum Age | ocil:ssg-accounts_password_set_max_life_existing_action:testaction:1
Restrict Serial Port Root Logins | ocil:ssg-restrict_serial_port_logins_action:testaction:1
Root Path Must Be Vendor Default | ocil:ssg-root_path_default_action:testaction:1
Direct root Logins Not Allowed | ocil:ssg-no_direct_root_logins_action:testaction:1
Restrict Web Browser Use for Administrative Accounts | ocil:ssg-no_root_webbrowsing_action:testaction:1
Ensure that System Accounts Are Locked | ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1
Restrict Virtual Console Root Logins | ocil:ssg-securetty_root_login_console_only_action:testaction:1
Ensure that System Accounts Do Not Run a Shell Upon Login | ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1
Verify Only Root Has UID 0 | ocil:ssg-accounts_no_uid_except_zero_action:testaction:1
Use Centralized and Automated Authentication | ocil:ssg-account_use_centralized_automated_auth_action:testaction:1
Ensure All Accounts on the System Have Unique Names | ocil:ssg-account_unique_name_action:testaction:1
Set Account Expiration Following Inactivity | ocil:ssg-account_disable_post_pw_expiration_action:testaction:1
Assign Expiration Date to Temporary Accounts | ocil:ssg-account_temp_expire_date_action:testaction:1
Verify No netrc Files Exist | ocil:ssg-no_netrc_files_action:testaction:1
Prevent Login to Accounts With Empty Password | ocil:ssg-no_empty_passwords_action:testaction:1
Verify All Account Password Hashes are Shadowed | ocil:ssg-accounts_password_all_shadowed_action:testaction:1
All GIDs referenced in /etc/passwd must be defined in /etc/group | ocil:ssg-gid_passwd_group_same_action:testaction:1
Install the screen Package | ocil:ssg-package_screen_installed_action:testaction:1
Install Smart Card Packages For Multifactor Authentication | ocil:ssg-install_smartcard_packages_action:testaction:1
Configure opensc Smart Card Drivers | ocil:ssg-configure_opensc_card_drivers_action:testaction:1
Configure NSS DB To Use opensc | ocil:ssg-configure_opensc_nss_db_action:testaction:1
Configure Smart Card Certificate Status Checking | ocil:ssg-smartcard_configure_cert_checking_action:testaction:1
Force opensc To Use Defined Smart Card Driver | ocil:ssg-force_opensc_card_drivers_action:testaction:1
Install the pcsc-lite package | ocil:ssg-package_pcsc-lite_installed_action:testaction:1
Enable the pcscd Service | ocil:ssg-service_pcscd_enabled_action:testaction:1
Enable Smart Card Login | ocil:ssg-smartcard_auth_action:testaction:1
Install the opensc Package For Multifactor Authentication | ocil:ssg-package_opensc_installed_action:testaction:1
Require Authentication for Single User Mode | ocil:ssg-require_singleuser_auth_action:testaction:1
Disable Ctrl-Alt-Del Burst Action | ocil:ssg-disable_ctrlaltdel_burstaction_action:testaction:1
Verify that Interactive Boot is Disabled | ocil:ssg-grub2_disable_interactive_boot_action:testaction:1
Disable Ctrl-Alt-Del Reboot Activation | ocil:ssg-disable_ctrlaltdel_reboot_action:testaction:1
Disable debug-shell SystemD Service | ocil:ssg-service_debug-shell_disabled_action:testaction:1
Ensure that Root's Path Does Not Include World or Group-Writable Directories | ocil:ssg-accounts_root_path_dirs_no_write_action:testaction:1
Ensure the Default Umask is Set Correctly For Interactive Users | ocil:ssg-accounts_umask_interactive_users_action:testaction:1
Ensure the Default Umask is Set Correctly in login.defs | ocil:ssg-accounts_umask_etc_login_defs_action:testaction:1
Ensure the Default Bash Umask is Set Correctly | ocil:ssg-accounts_umask_etc_bashrc_action:testaction:1
Ensure the Default C Shell Umask is Set Correctly | ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1
Ensure the Default Umask is Set Correctly in /etc/profile | ocil:ssg-accounts_umask_etc_profile_action:testaction:1
Set Interactive Session Timeout | ocil:ssg-accounts_tmout_action:testaction:1
Ensure that User Home Directories are not Group-Writable or World-Readable | ocil:ssg-file_permissions_home_dirs_action:testaction:1
User Initialization Files Must Be Owned By the Primary User | ocil:ssg-accounts_user_dot_user_ownership_action:testaction:1
All Interactive Users Home Directories Must Exist | ocil:ssg-accounts_user_interactive_home_directory_exists_action:testaction:1
User Initialization Files Must Not Run World-Writable Programs | ocil:ssg-accounts_user_dot_no_world_writable_programs_action:testaction:1
Ensure Home Directories are Created for New Users | ocil:ssg-accounts_have_homedir_login_defs_action:testaction:1
Ensure the Logon Failure Delay is Set Correctly in login.defs | ocil:ssg-accounts_logon_fail_delay_action:testaction:1
All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User | ocil:ssg-accounts_users_home_files_groupownership_action:testaction:1
Ensure that Users Path Contains Only Local Directories | ocil:ssg-accounts_user_home_paths_only_action:testaction:1
All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive | ocil:ssg-accounts_users_home_files_permissions_action:testaction:1
Limit the Number of Concurrent Login Sessions Allowed Per User | ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1
All Interactive User Home Directories Must Be Group-Owned By The Primary User | ocil:ssg-file_groupownership_home_directories_action:testaction:1
All Interactive Users Must Have A Home Directory Defined | ocil:ssg-accounts_user_interactive_home_directory_defined_action:testaction:1
Ensure All User Initialization Files Have Mode 0740 Or Less Permissive | ocil:ssg-file_permission_user_init_files_action:testaction:1
All Interactive User Home Directories Must Be Owned By The Primary User | ocil:ssg-file_ownership_home_directories_action:testaction:1
All User Files and Directories In The Home Directory Must Be Owned By The Primary User | ocil:ssg-accounts_users_home_files_ownership_action:testaction:1
User Initialization Files Must Be Group-Owned By The Primary User | ocil:ssg-accounts_user_dot_group_ownership_action:testaction:1
All Interactive User Home Directories Must Have mode 0750 Or Less Permissive | ocil:ssg-file_permissions_home_directories_action:testaction:1
Enable GNOME3 Login Warning Banner | ocil:ssg-dconf_gnome_banner_enabled_action:testaction:1
Set the GNOME3 Login Warning Banner Text | ocil:ssg-dconf_gnome_login_banner_text_action:testaction:1
Enable GUI Warning Banner | ocil:ssg-gconf_gdm_enable_warning_gui_banner_action:testaction:1
Set GUI Warning Banner Text | ocil:ssg-gconf_gdm_set_login_banner_text_action:testaction:1
Modify the System Login Banner | ocil:ssg-banner_etc_issue_action:testaction:1
Set Password Hashing Algorithm in /etc/login.defs | ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1
Set Password Hashing Algorithm in /etc/libuser.conf | ocil:ssg-set_password_hashing_algorithm_libuserconf_action:testaction:1
Set PAM's Password Hashing Algorithm | ocil:ssg-set_password_hashing_algorithm_systemauth_action:testaction:1
Configure the root Account for Failed Password Attempts | ocil:ssg-accounts_passwords_pam_faillock_deny_root_action:testaction:1
Set Lockout Time for Failed Password Attempts | ocil:ssg-accounts_passwords_pam_faillock_unlock_time_action:testaction:1
Limit Password Reuse | ocil:ssg-accounts_password_pam_unix_remember_action:testaction:1
Set Interval For Counting Failed Password Attempts | ocil:ssg-accounts_passwords_pam_faillock_interval_action:testaction:1
Set Deny For Failed Password Attempts | ocil:ssg-accounts_passwords_pam_faillock_deny_action:testaction:1
Set Password Minimum Length | ocil:ssg-accounts_password_pam_minlen_action:testaction:1
Set Password to Maximum of Consecutive Repeating Characters from Same Character Class | ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1
Set Password Maximum Consecutive Repeating Characters | ocil:ssg-accounts_password_pam_maxrepeat_action:testaction:1
Set Password Strength Minimum Digit Characters | ocil:ssg-accounts_password_pam_dcredit_action:testaction:1
Set Password Strength Minimum Different Categories | ocil:ssg-accounts_password_pam_minclass_action:testaction:1
Set Password Strength Minimum Different Characters | ocil:ssg-accounts_password_pam_difok_action:testaction:1
Set Password Strength Minimum Special Characters | ocil:ssg-accounts_password_pam_ocredit_action:testaction:1
Set Password Strength Minimum Lowercase Characters | ocil:ssg-accounts_password_pam_lcredit_action:testaction:1
Set Password Strength Minimum Uppercase Characters | ocil:ssg-accounts_password_pam_ucredit_action:testaction:1
Set Password Retry Prompts Permitted Per-Session | ocil:ssg-accounts_password_pam_retry_action:testaction:1
Set Password Retry Prompts Permitted Per-Session | ocil:ssg-cracklib_accounts_password_pam_retry_action:testaction:1
Set Password Strength Minimum Special Characters | ocil:ssg-cracklib_accounts_password_pam_ocredit_action:testaction:1
Set Password Strength Minimum Digit Characters | ocil:ssg-cracklib_accounts_password_pam_dcredit_action:testaction:1
Set Password Strength Minimum Different Categories | ocil:ssg-cracklib_accounts_password_pam_minclass_action:testaction:1
Set Password Strength Minimum Uppercase Characters | ocil:ssg-cracklib_accounts_password_pam_ucredit_action:testaction:1
Set Password Strength Minimum Lowercase Characters | ocil:ssg-cracklib_accounts_password_pam_lcredit_action:testaction:1
Set Password Minimum Length | ocil:ssg-cracklib_accounts_password_pam_minlen_action:testaction:1
Set Password to Maximum of Three Consecutive Repeating Characters | ocil:ssg-cracklib_accounts_password_pam_maxrepeat_action:testaction:1
Set Password Strength Minimum Different Characters | ocil:ssg-cracklib_accounts_password_pam_difok_action:testaction:1
Set Last Logon/Access Notification | ocil:ssg-display_login_attempts_action:testaction:1
Encrypt Partitions | ocil:ssg-encrypt_partitions_action:testaction:1
Ensure /home Located On Separate Partition | ocil:ssg-partition_for_home_action:testaction:1
Ensure /srv Located On Separate Partition | ocil:ssg-partition_for_srv_action:testaction:1
Ensure /var/tmp Located On Separate Partition | ocil:ssg-partition_for_var_tmp_action:testaction:1
Ensure /tmp Located On Separate Partition | ocil:ssg-partition_for_tmp_action:testaction:1
Ensure /var Located On Separate Partition | ocil:ssg-partition_for_var_action:testaction:1
Ensure /var/log/audit Located On Separate Partition | ocil:ssg-partition_for_var_log_audit_action:testaction:1
Ensure /var/log Located On Separate Partition | ocil:ssg-partition_for_var_log_action:testaction:1
Ensure Users Re-Authenticate for Privilege Escalation - sudo | ocil:ssg-sudo_require_authentication_action:testaction:1
Only the VDSM User Can Use sudo NOPASSWD | ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate | ocil:ssg-sudo_remove_no_authenticate_action:testaction:1
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD | ocil:ssg-sudo_remove_nopasswd_action:testaction:1
The Installed Operating System Is Vendor Supported | ocil:ssg-installed_OS_is_vendor_supported_action:testaction:1
The Installed Operating System Is FIPS 140-2 Certified | ocil:ssg-installed_OS_is_FIPS_certified_action:testaction:1
Install the dracut-fips Package | ocil:ssg-package_dracut-fips_installed_action:testaction:1
Enable FIPS Mode in GRUB2 | ocil:ssg-grub2_enable_fips_mode_action:testaction:1
Install the Policy Auditor (PA) Module | ocil:ssg-install_mcafee_hbss_pa_action:testaction:1
Install the Asset Configuration Compliance Module (ACCM) | ocil:ssg-install_mcafee_hbss_accm_action:testaction:1
Install the Host Intrusion Prevention System (HIPS) Module | ocil:ssg-install_mcafee_hbss_hips_action:testaction:1
Enable nails Service | ocil:ssg-service_nails_enabled_action:testaction:1
Install McAfee Virus Scanning Software | ocil:ssg-install_mcafee_antivirus_action:testaction:1
Virus Scanning Software Definitions Are Updated | ocil:ssg-mcafee_antivirus_definitions_updated_action:testaction:1
Install the McAfee Runtime Libraries and Linux Agent | ocil:ssg-install_mcafee_cma_rt_action:testaction:1
Configure Backups of User Data | ocil:ssg-configure_user_data_backups_action:testaction:1
Install Virus Scanning Software | ocil:ssg-install_antivirus_action:testaction:1
Install Intrusion Detection Software | ocil:ssg-install_hids_action:testaction:1
Verify and Correct File Permissions with RPM | ocil:ssg-rpm_verify_permissions_action:testaction:1
Verify and Correct Ownership with RPM | ocil:ssg-rpm_verify_ownership_action:testaction:1
Verify File Hashes with RPM | ocil:ssg-rpm_verify_hashes_action:testaction:1
Install AIDE | ocil:ssg-package_aide_installed_action:testaction:1
Configure AIDE to Verify Extended Attributes | ocil:ssg-aide_verify_ext_attributes_action:testaction:1
Configure AIDE to Verify Access Control Lists (ACLs) | ocil:ssg-aide_verify_acls_action:testaction:1
Configure AIDE to Use FIPS 140-2 for Validating Hashes | ocil:ssg-aide_use_fips_hashes_action:testaction:1
Configure Notification of Post-AIDE Scan Details | ocil:ssg-aide_scan_notification_action:testaction:1
Configure Periodic Execution of AIDE | ocil:ssg-aide_periodic_cron_checking_action:testaction:1
Build and Test AIDE Database | ocil:ssg-aide_build_database_action:testaction:1
Ensure gpgcheck Enabled for All yum Package Repositories | ocil:ssg-ensure_gpgcheck_never_disabled_action:testaction:1
Ensure Software Patches Installed | ocil:ssg-security_patches_up_to_date_action:testaction:1
Ensure gpgcheck Enabled for Local Packages | ocil:ssg-ensure_gpgcheck_local_packages_action:testaction:1
Ensure Red Hat GPG Key Installed | ocil:ssg-ensure_redhat_gpgkey_installed_action:testaction:1
Ensure gpgcheck Enabled for Repository Metadata | ocil:ssg-ensure_gpgcheck_repo_metadata_action:testaction:1
Ensure yum Removes Previous Package Versions | ocil:ssg-clean_components_post_updating_action:testaction:1
Ensure gpgcheck Enabled In Main yum Configuration | ocil:ssg-ensure_gpgcheck_globally_activated_action:testaction:1
Implement Blank Screensaver | ocil:ssg-gconf_gnome_screensaver_mode_blank_action:testaction:1
Enable Screen Lock Activation After Idle Period | ocil:ssg-gconf_gnome_screensaver_lock_enabled_action:testaction:1
Set GNOME Screen Locking Keybindings | ocil:ssg-gconf_gnome_screen_locking_keybindings_action:testaction:1
Ensure Users Cannot Change GNOME3 Session Idle Settings | ocil:ssg-dconf_gnome_session_idle_user_locks_action:testaction:1
Set GNOME3 Screensaver Lock Delay After Activation Period | ocil:ssg-dconf_gnome_screensaver_lock_delay_action:testaction:1
Disable Full User Name on Splash Shield | ocil:ssg-dconf_gnome_screensaver_user_info_action:testaction:1
Ensure Users Cannot Change GNOME3 Screensaver Settings | ocil:ssg-dconf_gnome_screensaver_user_locks_action:testaction:1
GNOME Desktop Screensaver Mandatory Use | ocil:ssg-gconf_gnome_screensaver_idle_activation_enabled_action:testaction:1
Enable GNOME3 Screensaver Idle Activation | ocil:ssg-dconf_gnome_screensaver_idle_activation_enabled_action:testaction:1
Set GNOME Login Maximum Allowed Inactivity Action | ocil:ssg-gconf_gnome_screensaver_max_idle_action_action:testaction:1
Set GNOME3 Screensaver Inactivity Timeout | ocil:ssg-dconf_gnome_screensaver_idle_delay_action:testaction:1
Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period | ocil:ssg-dconf_gnome_screensaver_lock_locked_action:testaction:1
Set GNOME Login Maximum Allowed Inactivity | ocil:ssg-gconf_gnome_screensaver_max_idle_time_action:testaction:1
Implement Blank Screensaver
ocil:ssg-dconf_gnome_screensaver_mode_blank_action:testaction:1 Set GNOME Login Inactivity Timeout ocil:ssg-gconf_gnome_screensaver_idle_delay_action:testaction:1 Enable GNOME3 Screensaver Lock After Idle Period ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 Ensure Users Cannot Change GNOME3 Screensaver Idle Activation ocil:ssg-dconf_gnome_screensaver_idle_activation_locked_action:testaction:1 Disable GNOME Automounting ocil:ssg-gconf_gnome_disable_automount_action:testaction:1 Disable All GNOME Thumbnailers ocil:ssg-gconf_gnome_disable_thumbnailers_action:testaction:1 Disable All GNOME3 Thumbnailers ocil:ssg-dconf_gnome_disable_thumbnailers_action:testaction:1 Disable GNOME3 Automounting ocil:ssg-dconf_gnome_disable_automount_action:testaction:1 Disable Geolocation in GNOME3 ocil:ssg-dconf_gnome_disable_geolocation_action:testaction:1 Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME ocil:ssg-gconf_gnome_disable_ctrlaltdel_reboot_action:testaction:1 Disable the GNOME Clock Weather Feature ocil:ssg-gconf_gnome_disable_clock_weather_action:testaction:1 Disable the GNOME Clock Temperature Feature ocil:ssg-gconf_gnome_disable_clock_temperature_action:testaction:1 Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_action:testaction:1 Disable Power Settings in GNOME3 ocil:ssg-dconf_gnome_disable_power_settings_action:testaction:1 Disable User Administration in GNOME3 ocil:ssg-dconf_gnome_disable_user_admin_action:testaction:1 Enable the GNOME3 Login Smartcard Authentication ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1 Disable the GNOME3 Login Restart and Shutdown Buttons ocil:ssg-dconf_gnome_disable_restart_shutdown_action:testaction:1 Disable the GNOME Login Restart and Shutdown Buttons ocil:ssg-gconf_gnome_disable_restart_shutdown_action:testaction:1 Disable GDM Automatic Login ocil:ssg-gnome_gdm_disable_automatic_login_action:testaction:1 Set the GNOME3 Login Number of Failures 
ocil:ssg-dconf_gnome_login_retries_action:testaction:1 Disable the GNOME3 Login User List ocil:ssg-dconf_gnome_disable_user_list_action:testaction:1 Disable the User List ocil:ssg-gconf_gdm_disable_user_list_action:testaction:1 Disable GDM Guest Login ocil:ssg-gnome_gdm_disable_guest_login_action:testaction:1 Disable WIFI Network Connection Creation in GNOME ocil:ssg-gconf_gnome_disable_wifi_create_action:testaction:1 Disable WIFI Network Connection Creation in GNOME3 ocil:ssg-dconf_gnome_disable_wifi_create_action:testaction:1 Disable WIFI Network Notification in GNOME3 ocil:ssg-dconf_gnome_disable_wifi_notification_action:testaction:1 Disable WIFI Network Connection Notification in GNOME ocil:ssg-gconf_gnome_disable_wifi_notification_action:testaction:1 Disable WIFI Network Disconnect Notification in GNOME ocil:ssg-gconf_gnome_disable_wifi_disconnect_action:testaction:1 Require Encryption for Remote Access in GNOME3 ocil:ssg-dconf_gnome_remote_access_encryption_action:testaction:1 Require Credential Prompting for Remote Access in GNOME3 ocil:ssg-dconf_gnome_remote_access_credential_prompt_action:testaction:1 Remove the GDM Package Group ocil:ssg-package_gdm_removed_action:testaction:1 Force dconf to use the textfiles instead of a binary DB ocil:ssg-dconf_use_text_backend_action:testaction:1 Make sure that the dconf databases are up-to-date with regards to respective keyfiles ocil:ssg-dconf_db_up_to_date_action:testaction:1 Configure GNOME3 DConf User Profile ocil:ssg-enable_dconf_user_profile_action:testaction:1 Verify Permissions on shadow File ocil:ssg-file_permissions_etc_shadow_action:testaction:1 Verify User Who Owns shadow File ocil:ssg-file_owner_etc_shadow_action:testaction:1 Verify User Who Owns gshadow File ocil:ssg-file_owner_etc_gshadow_action:testaction:1 Verify Permissions on group File ocil:ssg-file_permissions_etc_group_action:testaction:1 Verify Group Who Owns gshadow File ocil:ssg-file_groupowner_etc_gshadow_action:testaction:1 Verify User Who 
Owns passwd File ocil:ssg-file_owner_etc_passwd_action:testaction:1 Verify Group Who Owns shadow File ocil:ssg-file_groupowner_etc_shadow_action:testaction:1 Verify User Who Owns group File ocil:ssg-file_owner_etc_group_action:testaction:1 Verify Group Who Owns group File ocil:ssg-file_groupowner_etc_group_action:testaction:1 Verify Permissions on gshadow File ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 Verify Group Who Owns passwd File ocil:ssg-file_groupowner_etc_passwd_action:testaction:1 Verify Permissions on passwd File ocil:ssg-file_permissions_etc_passwd_action:testaction:1 Verify that System Executables Have Restrictive Permissions ocil:ssg-file_permissions_binary_dirs_action:testaction:1 Verify that Shared Library Files Have Root Ownership ocil:ssg-file_ownership_library_dirs_action:testaction:1 Verify that System Executables Have Root Ownership ocil:ssg-file_ownership_binary_dirs_action:testaction:1 Verify that Shared Library Files Have Restrictive Permissions ocil:ssg-file_permissions_library_dirs_action:testaction:1 Ensure All SGID Executables Are Authorized ocil:ssg-file_permissions_unauthorized_sgid_action:testaction:1 Disallow creating symlinks to a file you not own ocil:ssg-sysctl_fs_protected_symlinks_action:testaction:1 Ensure All World-Writable Directories Are Owned by a System Account ocil:ssg-dir_perms_world_writable_system_owned_action:testaction:1 Ensure All Files Are Owned by a Group ocil:ssg-file_permissions_ungroupowned_action:testaction:1 Ensure All Files Are Owned by a User ocil:ssg-no_files_unowned_by_user_action:testaction:1 Disallow creating symlinks to a file you not own ocil:ssg-sysctl_fs_protected_hardlinks_action:testaction:1 Ensure No World-Writable Files Exist ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1 Verify that All World-Writable Directories Have Sticky Bits Set ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1 Verify that local System.map file (if exists) is 
readable only by root ocil:ssg-file_permissions_systemmap_action:testaction:1 Ensure All SUID Executables Are Authorized ocil:ssg-file_permissions_unauthorized_suid_action:testaction:1 Disable Modprobe Loading of USB Storage Driver ocil:ssg-kernel_module_usb-storage_disabled_action:testaction:1 Disable the Automounter ocil:ssg-service_autofs_disabled_action:testaction:1 Add noexec Option to Removable Media Partitions ocil:ssg-mount_option_noexec_removable_partitions_action:testaction:1 Set Daemon Umask ocil:ssg-umask_for_daemons_action:testaction:1 Enable SLUB/SLAB allocator poisoning ocil:ssg-grub2_slub_debug_argument_action:testaction:1 Enable page allocator poisoning ocil:ssg-grub2_page_poison_argument_action:testaction:1 Disable Core Dumps for SUID programs ocil:ssg-sysctl_fs_suid_dumpable_action:testaction:1 Disable Core Dumps for All Users ocil:ssg-disable_users_coredumps_action:testaction:1 Restrict Exposed Kernel Pointer Addresses Access ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1 Enable ExecShield via sysctl ocil:ssg-sysctl_kernel_exec_shield_action:testaction:1 Enable Randomized Layout of Virtual Address Space ocil:ssg-sysctl_kernel_randomize_va_space_action:testaction:1 Disable kernel image loading ocil:ssg-sysctl_kernel_kexec_load_disabled_action:testaction:1 Disable vsyscalls ocil:ssg-grub2_vsyscall_argument_action:testaction:1 Restrict usage of ptrace to descendant processes ocil:ssg-sysctl_kernel_yama_ptrace_scope_action:testaction:1 Restrict Access to Kernel Message Buffer ocil:ssg-sysctl_kernel_dmesg_restrict_action:testaction:1 PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS 
FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL The rsh package can be removed with the following command: $ sudo yum erase rsh Is it the case that ? To check that the rlogin service is disabled in system boot configuration with xinetd, run the following command: $ chkconfig rlogin --list Output should indicate the rlogin service has either not been installed, or has been disabled, as shown in the example below: $ chkconfig rlogin --list Note: This output shows SysV services only and does not include native systemd services. SysV configuration data might be overridden by native systemd configuration. If you want to list systemd services use 'systemctl list-unit-files'. To see services enabled on particular target use 'systemctl list-dependencies [target]'. rlogin off To check that the rlogin socket is disabled in system boot configuration with systemd, run the following command: $ systemctl is-enabled rlogin Output should indicate the rlogin socket has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ systemctl is-enabled rlogindisabled Run the following command to verify rlogin is not active (i.e. 
not running) through current runtime configuration: systemctl is-active rlogin If the socket is not running the command will return the following output: inactive Is it the case that service and/or socket are running? To check that the rexec service is disabled in system boot configuration with xinetd, run the following command: $ chkconfig rexec --list Output should indicate the rexec service has either not been installed, or has been disabled, as shown in the example below: $ chkconfig rexec --list Note: This output shows SysV services only and does not include native systemd services. SysV configuration data might be overridden by native systemd configuration. If you want to list systemd services use 'systemctl list-unit-files'. To see services enabled on particular target use 'systemctl list-dependencies [target]'. rexec off To check that the rexec socket is disabled in system boot configuration with systemd, run the following command: $ systemctl is-enabled rexec Output should indicate the rexec socket has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ systemctl is-enabled rexecdisabled Run the following command to verify rexec is not active (i.e. not running) through current runtime configuration: systemctl is-active rexec If the socket is not running the command will return the following output: inactive Is it the case that service and/or socket are running? To verify that there are no shosts.equiv files on the system, run the following command: $ find / -name shosts.equiv No output should be returned. Is it the case that these files exist? To check that the rsh service is disabled in system boot configuration with xinetd, run the following command: $ chkconfig rsh --list Output should indicate the rsh service has either not been installed, or has been disabled, as shown in the example below: $ chkconfig rsh --list Note: This output shows SysV services only and does not include native systemd services. 
SysV configuration data might be overridden by native systemd configuration. If you want to list systemd services use 'systemctl list-unit-files'. To see services enabled on particular target use 'systemctl list-dependencies [target]'. rsh off To check that the rsh socket is disabled in system boot configuration with systemd, run the following command: $ systemctl is-enabled rsh Output should indicate the rsh socket has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ systemctl is-enabled rshdisabled Run the following command to verify rsh is not active (i.e. not running) through current runtime configuration: systemctl is-active rsh If the socket is not running the command will return the following output: inactive Is it the case that service and/or socket are running? To verify that there are no /etc/shosts.equiv files on the system, run the following command: $ sudo find / -name '*.shosts' No output should be returned. Is it the case that these files exist? Run the following command to determine if the rsh-server package is installed: $ rpm -q rsh-server Is it the case that the package is installed? The existence of the file /etc/hosts.equiv or a file named .rhosts inside a user home directory indicates the presence of an Rsh trust relationship. Is it the case that these files exist? The telnet package can be removed with the following command: $ sudo yum erase telnet Is it the case that ? To check that the telnet service is disabled in system boot configuration with xinetd, run the following command: $ chkconfig telnet --list Output should indicate the telnet service has either not been installed, or has been disabled, as shown in the example below: $ chkconfig telnet --list Note: This output shows SysV services only and does not include native systemd services. SysV configuration data might be overridden by native systemd configuration. If you want to list systemd services use 'systemctl list-unit-files'. 
To see services enabled on particular target use 'systemctl list-dependencies [target]'. telnet off To check that the telnet socket is disabled in system boot configuration with systemd, run the following command: $ systemctl is-enabled telnet Output should indicate the telnet socket has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ systemctl is-enabled telnetdisabled Run the following command to verify telnet is not active (i.e. not running) through current runtime configuration: systemctl is-active telnet If the socket is not running the command will return the following output: inactive Is it the case that service and/or socket are running? Run the following command to determine if the telnet-server package is installed: $ rpm -q telnet-server Is it the case that the package is installed? The ypbind package can be removed with the following command: $ sudo yum erase ypbind Is it the case that ? To check that the ypbind service is disabled in system boot configuration, run the following command: $ systemctl is-enabled ypbind Output should indicate the ypbind service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ systemctl is-enabled ypbinddisabled Run the following command to verify ypbind is not active (i.e. not running) through current runtime configuration: $ systemctl is-active ypbind If the service is not running the command will return the following output: inactive Is it the case that ? Run the following command to determine if the ypserv package is installed: $ rpm -q ypserv Is it the case that the package is installed? 
To check that the tftp service is disabled in system boot configuration, run the following command: $ systemctl is-enabled tftp Output should indicate the tftp service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ systemctl is-enabled tftpdisabled Run the following command to verify tftp is not active (i.e. not running) through current runtime configuration: $ systemctl is-active tftp If the service is not running the command will return the following output: inactive Is it the case that ? The tftp package can be removed with the following command: $ sudo yum erase tftp Is it the case that ? Run the following command to determine if the tftp-server package is installed: $ rpm -q tftp-server Is it the case that the package is installed? If TFTP is not installed, this is not applicable. To determine if TFTP is installed, run the following command: $ rpm -qa | grep tftp Verify tftp is configured by with the -s option by running the following command: grep "server_args" /etc/xinetd.d/tftp The output should indicate the server_args variable is configured with the -s flag, matching the example below: $ grep "server_args" /etc/xinetd.d/tftp server_args = -s /var/lib/tftpboot Is it the case that this flag is missing? Run the following command to determine if the tcp_wrappers package is installed: $ rpm -q tcp_wrappers Is it the case that the package is not installed? If network services are using the xinetd service, this is not applicable. To check that the xinetd service is disabled in system boot configuration, run the following command: $ systemctl is-enabled xinetd Output should indicate the xinetd service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ systemctl is-enabled xinetddisabled Run the following command to verify xinetd is not active (i.e. 
not running) through current runtime configuration: $ systemctl is-active xinetd If the service is not running the command will return the following output: inactive Is it the case that ? Run the following command to determine if the xinetd package is installed: $ rpm -q xinetd Is it the case that the package is installed? Run the following command to determine if the talk package is installed: $ rpm -q talk Is it the case that the package is installed? Run the following command to determine if the talk-server package is installed: $ rpm -q talk-server Is it the case that the package is installed? If FTP services are not installed, this is not applicable. To verify this configuration, run the following command: grep "banner_file" /etc/vsftpd/vsftpd.conf The output should show the value of banner_file is set to /etc/issue, an example of which is shown below: $ sudo grep "banner_file" /etc/vsftpd/vsftpd.conf banner_file=/etc/issue Is it the case that it does not? Find if logging is applied to the FTP daemon. Procedures: If vsftpd is started by xinetd the following command will indicate the xinetd.d startup file: $ grep vsftpd /etc/xinetd.d/* $ grep server_args vsftpd xinetd.d startup file This will indicate the vsftpd config file used when starting through xinetd. If the server_args line is missing or does not include the vsftpd configuration file, then the default config file (/etc/vsftpd/vsftpd.conf) is used. $ sudo grep xferlog_enable vsftpd config file Is it the case that xferlog_enable is missing, or is not set to yes? To check that the vsftpd service is disabled in system boot configuration, run the following command: $ systemctl is-enabled vsftpd Output should indicate the vsftpd service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ systemctl is-enabled vsftpddisabled Run the following command to verify vsftpd is not active (i.e. 
not running) through current runtime configuration: $ systemctl is-active vsftpd If the service is not running the command will return the following output: inactive Is it the case that ? Run the following command to determine if the vsftpd package is installed: $ rpm -q vsftpd Is it the case that the package is installed? To ensure only SNMPv3 or newer is used, run the following command: $ sudo grep 'rocommunity\|rwcommunity\|com2sec' /etc/snmp/snmpd.conf | grep -v "^#" There should be no output. Is it the case that there is output? To ensure the default password is not set, run the following command: $ sudo grep -v "^#" /etc/snmp/snmpd.conf| grep -E 'public|private' There should be no output. Is it the case that the default SNMP passwords public and private have not been changed or removed? Run the following command to determine if the net-snmp package is installed: $ rpm -q net-snmp Is it the case that the package is installed? To check that the snmpd service is disabled in system boot configuration, run the following command: $ systemctl is-enabled snmpd Output should indicate the snmpd service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ systemctl is-enabled snmpddisabled Run the following command to verify snmpd is not active (i.e. not running) through current runtime configuration: $ systemctl is-active snmpd If the service is not running the command will return the following output: inactive Is it the case that ? To check the group ownership of /etc/cron.allow, run the command: $ ls -lL /etc/cron.allow If properly configured, the output should indicate the following group-owner. root Is it the case that /etc/cron.allow has group owner root? To check the ownership of /etc/cron.allow, run the command: $ ls -lL /etc/cron.allow If properly configured, the output should indicate the following owner: root Is it the case that /etc/cron.allow has owner root? 
Run the following command to determine if the cronie-anacron package is installed:
$ rpm -q cronie-anacron
Is it the case that the package is installed?

Run the following command to determine the current status of the crond service:
$ systemctl is-active crond
If the service is running, it should return the following:
active
Is it the case that ?

To check that the atd service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled atd
Output should indicate the atd service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled atd
disabled
Run the following command to verify atd is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active atd
If the service is not running the command will return the following output:
inactive
Is it the case that ?

Run the following command to determine the current status of the cron service:
$ systemctl is-active cron
If the service is running, it should return the following:
active
Is it the case that ?

To verify the default target is multi-user, run the following command:
$ systemctl get-default
The output should show the following:
multi-user.target
Is it the case that the X windows display server is running and/or has not been disabled?

To ensure the X Windows package group is removed, run the following command:
$ rpm -qi xorg-x11-server-common
The output should be:
package xorg-x11-server-common is not installed
Is it the case that the X Windows package group or xorg-x11-server-common has not been removed?

Run the following command to determine if the quagga package is installed:
$ rpm -q quagga
Is it the case that the package is installed?
To check that the zebra service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled zebra
Output should indicate the zebra service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled zebra
disabled
Run the following command to verify zebra is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active zebra
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the named service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled named
Output should indicate the named service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled named
disabled
Run the following command to verify named is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active named
If the service is not running the command will return the following output:
inactive
Is it the case that ?

Run the following command to determine if the bind package is installed:
$ rpm -q bind
Is it the case that the package is installed?

To verify the openldap-servers package is not installed, run the following command:
$ rpm -q openldap-servers
The output should show the following:
package openldap-servers is not installed
Is it the case that it does not?

To determine if LDAP is being used for authentication, use the following command:
$ sudo grep -i useldapauth /etc/sysconfig/authconfig
The output should return:
USELDAPAUTH=yes
Is it the case that USELDAPAUTH=yes is not configured correctly in /etc/sysconfig/authconfig?

To ensure TLS is configured with trust certificates, run the following command:
$ grep cert /etc/nslcd.conf
Is it the case that LDAP is not in use, the line is commented out, or not configured correctly?
To ensure LDAP is configured to use TLS for all transactions, run the following command:
$ grep start_tls /etc/pam_ldap.conf
The result should contain:
ssl start_tls
Is it the case that LDAP is not in use, the line is commented out, or not configured correctly?

To verify that DHCP is not being used, examine the following file for each interface:
# /etc/sysconfig/network-scripts/ifcfg-interface
Look for the following:
BOOTPROTO=none
and the following, substituting the appropriate values based on your site's addressing scheme:
NETMASK=255.255.255.0
IPADDR=192.168.1.2
GATEWAY=192.168.1.1
Is it the case that it does not?

Run the following command to determine if the dhcp package is installed:
$ rpm -q dhcp
Is it the case that the package is installed?

To check that the dhcpd service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled dhcpd
Output should indicate the dhcpd service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled dhcpd
disabled
Run the following command to verify dhcpd is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active dhcpd
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the smb service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled smb
Output should indicate the smb service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled smb
disabled
Run the following command to verify smb is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active smb
If the service is not running the command will return the following output:
inactive
Is it the case that ?

Run the following command to determine if the samba package is installed:
$ rpm -q samba
Is it the case that the package is installed?
Run the following command to determine if the samba-common package is installed:
$ rpm -q samba-common
Is it the case that the package is not installed?

To verify that Samba clients running smbclient must use packet signing, run the following command:
$ grep signing /etc/samba/smb.conf
The output should show:
client signing = mandatory
Is it the case that it is not?

To verify that Samba clients using mount.cifs must use packet signing, run the following command:
$ grep sec /etc/fstab
The output should show either krb5i or ntlmv2i in use.
Is it the case that it does not?

To check that the httpd service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled httpd
Output should indicate the httpd service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled httpd
disabled
Run the following command to verify httpd is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active httpd
If the service is not running the command will return the following output:
inactive
Is it the case that ?

Run the following command to determine if the httpd package is installed:
$ rpm -q httpd
Is it the case that the package is installed?

To properly set the owner of /var/log/httpd, run the command:
$ sudo chown root /var/log/httpd
To properly set the owner of /var/log/httpd/*, run the command:
$ sudo chown root /var/log/httpd/*
Is it the case that ?

Run the following command to check the mode of the httpd log directory:
$ ls -l /var/log/ | grep httpd
Log directory must be mode 0700 or less permissive.
Is it the case that it is more permissive?

To check the permissions of /etc/http/conf.modules.d/*, run the command:
$ ls -l /etc/http/conf.modules.d/*
If properly configured, the output should indicate the following permissions:
-rw-r-----
Is it the case that /etc/http/conf.modules.d/* has unix mode -rw-r-----?
To check the permissions of /etc/http/conf, run the command:
$ ls -l /etc/http/conf
If properly configured, the output should indicate the following permissions:
-rwxr-x---
Is it the case that ?

To check the permissions of /etc/http/conf.d/*, run the command:
$ ls -l /etc/http/conf.d/*
If properly configured, the output should indicate the following permissions:
-rw-r-----
Is it the case that /etc/http/conf.d/* has unix mode -rw-r-----?

To check the permissions of /etc/http/conf/*, run the command:
$ ls -l /etc/http/conf/*
If properly configured, the output should indicate the following permissions:
-rw-r-----
Is it the case that /etc/http/conf/* has unix mode -rw-r-----?

Run the following command to determine the current status of the sshd service:
$ systemctl is-active sshd
If the service is running, it should return the following:
active
Is it the case that ?

Remote web authors should not be able to upload files to the Document Root directory structure without virus checking and checking for malicious or mobile code.
Is it the case that it is not?

Review the web site to determine if HTTP and HTTPS are used in accordance with well known ports (e.g., 80 and 443) or those ports and services as registered and approved for use by the DoD PPSM. To configure firewalld to allow access, run the following command(s):
firewall-cmd --permanent --add-service=http
To configure firewalld to allow access, run the following command(s):
firewall-cmd --permanent --add-service=https
Is it the case that it is not?

To verify that TLS is configured properly in /etc/httpd/conf.modules.d/ssl.conf, run the following command:
$ grep -i "sslengine\|sslprotocol" /etc/httpd/conf.d/ssl.conf
The output should return the following:
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
Is it the case that it is not?
To verify if SSLVerifyClient is configured correctly in /etc/httpd/conf/httpd.conf, run the following command:
$ grep -i sslverifyclient /etc/httpd/conf/httpd.conf
The command should return the following:
SSLVerifyClient require
Is it the case that it is not?

Open a browser window and browse to the appropriate site. Before entry to the site, you should be presented with the server's PKI credentials. Review these credentials for authenticity. For DoD, find an entry which cites:
Issuer: CN = DOD CLASS 3 CA-3, OU = PKI, OU = DoD, O = U.S. Government, C = US
Is it the case that it is not?

To preclude access to the server's root directory, ensure the following directive is in the httpd.conf file. This entry will also stop users from setting up .htaccess files which can override security features configured in /etc/httpd/conf/httpd.conf.
AllowOverride none
Is it the case that it is not?

Locate the directories containing the CGI scripts. These directories should be language-specific (e.g., PERL, ASP, JS, JSP, etc.). Examine the file permissions on the directories using the following command:
ls -l directories
Anonymous FTP users must not have access to these directories.
Is it the case that it is not?

Verify that the files and directories of each instance of Alias, ScriptAlias, and ScriptAliasMatch that exist have the correct file and directory permissions applied.
Is it the case that it is not?

To verify that web content directories are not shared anonymously over remote filesystems such as nfs and smb, inspect each instance of DocumentRoot and ServerRoot and verify that no entry in /etc/fstab exists and no remote filesystem process is running for any instance.
$ ps -ef | grep "nfs\|smb"
Is it the case that it is not?

To verify that the log_config_module exists in /etc/httpd/conf/httpd.conf, run the following command:
$ grep log_config_module /etc/httpd/conf/httpd.conf
The output should return:
<IfModule log_config_module>
Is it the case that it is not?
To verify if mod_perl is installed, run the following command:
$ rpm -qa | grep mod_perl
If the mod_perl module is installed, verify that PerlSwitches -T is enabled in /etc/httpd/conf.d/perl.conf by running the following command:
$ grep -i "PerlSwitches -T" /etc/httpd/conf.d/perl.conf
The output should return, uncommented:
PerlSwitches -T
Is it the case that it is not?

To verify that each web content directory exists on a separate partition, run the following command:
$ grep `grep -i documentroot /etc/httpd/conf/httpd.conf | awk -F'"' '{print $2}'` /etc/fstab
Each of the DocumentRoot entries should have a corresponding entry in /etc/fstab.
Is it the case that it is not?

Inspect each <Directory> instance and verify that either FollowSymLinks does not exist, or Options SymLinksIfOwnerMatchDisable is configured properly.
Is it the case that it is not?

To verify that no .java and .jpp files exist, run the following command (the patterns are quoted so the shell does not expand them before find sees them):
find / -name "*.java" -o -name "*.jpp"
The output should not return any .java or .jpp files.
Is it the case that it is not?

To verify that each web content directory has an index.html file, run the following command:
$ sudo find `grep -i documentroot /etc/httpd/conf/httpd.conf | awk -F'"' '{print $2}'` -name index.html
The output should return an index.html file for every DocumentRoot that is set.
Is it the case that it is not?

Inspect all instances of DocumentRoot and Alias. No robots.txt file should exist.
Is it the case that it is not?

The document, DoDI 8500.01, establishes the policy on the use of DoD information systems. It requires the use of a standard Notice and Consent Banner and standard text to be included in user agreements. The banner should be set to the following:
Is it the case that it does not display the required banner?

Determine if there is a process for the uploading of files to the web site. This process should include the requirement for the use of a secure encrypted logon and secure encrypted connection.
If the remote users are uploading files without utilizing approved encryption methods, this is a finding.
Is it the case that it is not?

To verify if ErrorLog is configured correctly in /etc/httpd/conf/httpd.conf, run the following command:
$ grep -i errorlog /etc/httpd/conf/httpd.conf
The output should return the following:
ErrorLog "logs/error_log"
Is it the case that it is not?

Interview the SA or web administrator to see where the public web server is logically located in the data center. Review the site network diagram to see how the web server is connected to the LAN. Visually check the web server hardware connections to see if they conform to the site network diagram.
Is it the case that the web server is not isolated in an accredited DoD DMZ Extension?

Verify the site's network diagram and visually check the web server to ensure that the private web server is located on a separate controlled access subnet and is not part of the public DMZ that houses the public web servers. In addition, the private web server needs to be isolated via a controlled access mechanism from the local general population LAN.
Is it the case that the private web server is not on a separate controlled access subnet?

To verify if MaxKeepAliveRequests is configured correctly in /etc/httpd/conf/httpd.conf, run the following command:
$ grep -i maxkeepaliverequests /etc/httpd/conf/httpd.conf
The command should return the following:
MaxKeepAliveRequests 100
Is it the case that it is not?

Configure the public web server to not have a trusted relationship with any system resources that are not also accessible to the public. Web content is not to be shared via Microsoft shares or NFS mounts. Determine whether the public web server has a two-way trust relationship with any private asset located within the network. Private web server resources (e.g. drives, folders, printers, etc.) will not be directly mapped to or shared with public web servers.
Is it the case that sharing is selected for any web folder, this is a finding. If private resources (e.g. drives, partitions, folders/directories, printers, etc.) are shared with the public web server?

The reviewer should make a note of the name of the account being used for the web service. This information may be needed later in the SRR. There may also be other server services running related to the web server in support of a particular web application; these passwords must be entrusted to the SA or Web Manager as well. Query the SA or Web Manager to determine if they have the web service password(s). NOTE: For installations that run as a service, or without a password, the SA or Web Manager having an Admin account on the system would meet the intent of this check.
Is it the case that the web server password(s) are not entrusted to the SA or Web Manager?

To verify if LogFormat is configured correctly in /etc/httpd/conf/httpd.conf, run the following command:
$ grep -i logformat /etc/httpd/conf/httpd.conf
The output should contain the following:
LogFormat "a %A %h %H %l %m %s %t %u %U \"%{Referer}i\" \"%{User-Agent}i\"" combined
Is it the case that it is not?

Ensure that CGI backup scripts are not left on the production web server. This check is limited to CGI/interactive content and not static HTML. Search for backup copies of CGI scripts on the web server or ask the Web Administrator if they keep backup copies of CGI scripts on the web server. Common backup file extensions are: *.bak, *.old, *.temp, *.tmp, *.backup, *.??0. This would also apply to .jsp files. On Red Hat Enterprise Linux, run the following commands to find backup scripts (each pattern is a separate find invocation, with the -name test spelled out):
find / -name "*.bak" -print
find / -name "*.*" -print
find / -name "*.old" -print
Is it the case that if files with these extensions have no relationship with web activity, such as a backup batch file for an operating system utility, and they are not accessible by the web application, this is not a finding.
If files with these extensions are found in either the document directory or the home directory of the web server, this is a finding. If files with these extensions are stored in a repository (not in the document root) as backups for the web server?

Enter the following commands:
grep Action /etc/httpd/conf/httpd.conf
grep AddHandler /etc/httpd/conf/httpd.conf
Is it the case that either of these exist and they configure csh, or any other shell, as a viewer for documents?

To verify if CustomLog is configured correctly in /etc/httpd/conf/httpd.conf, run the following command:
$ grep -i customlog /etc/httpd/conf/httpd.conf
The output should return the following:
CustomLog "logs/access_log" combined
Is it the case that it is not?

To verify if LogLevel is configured correctly in /etc/httpd/conf/httpd.conf, run the following command:
$ grep -i loglevel /etc/httpd/conf/httpd.conf
The command should return the following:
LogLevel warn
Is it the case that it is not?

Query the SA and the Web Manager to determine if a compiler is present on the server.
Is it the case that the web server is part of an application suite and a compiler is needed for installation, patching, and upgrading of the suite, or if the compiler is embedded and can't be removed without breaking the suite, document the installation of the compiler with the ISSO/ISSM and verify that the compiler is restricted to administrative users only. If documented and restricted to administrative users, this is not a finding. If an undocumented compiler is present, and available to non-administrative users?

To verify the operating system implements cryptography to protect the integrity of remote LDAP access sessions, run the following command:
$ sudo grep ldap_tls_cacertdir /etc/sssd/sssd.conf
The output should return the following with a correctly configured CA cert path:
ldap_tls_cacertdir /path/to/tls/cacert
Is it the case that the TLS CA cert is not configured?
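The httpd.conf checks above (SSLEngine, SSLProtocol, SSLVerifyClient, AllowOverride, ErrorLog, CustomLog, LogLevel, MaxKeepAliveRequests, FollowSymLinks) are all expressed as `grep -i` over the configuration file. A plain grep also matches commented-out directives, so a file that carries a correct but disabled `# SSLProtocol` line beside a weak live one looks compliant. The checker below is an added example written for this page; it is not SCAP Security Guide code. It drops comments and container tags before comparing directive values, and the sample configuration it runs on is constructed for the demonstration.

```python
"""Comment-aware checks of Apache httpd directives (added example, not SSG code)."""
import shlex

# Constructed sample: the first SSLProtocol line is a comment that `grep -i`
# would still report, the live SSLProtocol line is missing -TLSv1 -TLSv1.1,
# and a <Directory> block enables FollowSymLinks.
SAMPLE_HTTPD_CONF = """\
# SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLVerifyClient require
LogLevel warn
MaxKeepAliveRequests 100
ErrorLog "logs/error_log"
CustomLog "logs/access_log" combined
<Directory />
    AllowOverride none
    Options FollowSymLinks
</Directory>
"""

# Values the checks on this page expect (directive names lower-cased, since
# httpd treats directive names case-insensitively).
EXPECTED = {
    "sslengine": ["on"],
    "sslprotocol": ["all", "-SSLv2", "-SSLv3", "-TLSv1", "-TLSv1.1"],
    "sslverifyclient": ["require"],
    "allowoverride": ["none"],
    "loglevel": ["warn"],
    "maxkeepaliverequests": ["100"],
    "errorlog": ["logs/error_log"],
    "customlog": ["logs/access_log", "combined"],
}


def naive_grep(text, needle):
    """What `grep -i needle` reports: every line containing it, comments included."""
    return [l for l in text.splitlines() if needle.lower() in l.lower()]


def parse_directives(text):
    """Yield (name, [args]) for each uncommented directive.

    Container tags (<Directory>, </Directory>, ...) are skipped; quoted
    arguments such as "logs/error_log" are unquoted by shlex.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = shlex.split(line)
        yield parts[0].lower(), parts[1:]


def check_httpd_conf(text):
    """Return {directive: 'pass' | 'fail' | 'missing'} for the directives in
    EXPECTED, plus 'followsymlinks', which fails if any Options line enables it.

    Every occurrence of a directive must match (AllowOverride appears once per
    <Directory> block, and one permissive block is enough to be a finding).
    """
    found = {}
    follow_symlinks = False
    for name, args in parse_directives(text):
        if name in EXPECTED:
            found.setdefault(name, []).append([a.lower() for a in args])
        if name == "options" and any(a.lower() == "followsymlinks" for a in args):
            follow_symlinks = True

    results = {}
    for name, want in EXPECTED.items():
        want = [w.lower() for w in want]
        if name not in found:
            results[name] = "missing"
        else:
            results[name] = "pass" if all(a == want for a in found[name]) else "fail"
    results["followsymlinks"] = "fail" if follow_symlinks else "pass"
    return results


if __name__ == "__main__":
    print("grep -i sslprotocol matches:", naive_grep(SAMPLE_HTTPD_CONF, "sslprotocol"))
    for directive, verdict in sorted(check_httpd_conf(SAMPLE_HTTPD_CONF).items()):
        print(f"{directive:22s} {verdict}")
```

On the sample, `naive_grep` returns both SSLProtocol lines, while `check_httpd_conf` reports `sslprotocol` as `fail` and `followsymlinks` as `fail`; the other directives pass. For a real audit, read the file given to each check above (ssl.conf or httpd.conf) into `text`, and remember that directives pulled in by `Include` lines live in other files and need the same treatment.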
If the system is not using TLS, set the ldap_id_use_start_tls option in /etc/sssd/sssd.conf to True.
Is it the case that the 'ldap_id_use_start_tls' option is not set to 'True'?

To verify the operating system implements cryptography to protect the integrity of remote LDAP access sessions, run the following command:
$ sudo grep ldap_tls_cacert /etc/sssd/sssd.conf
The output should return the following with a correctly configured CA cert path:
ldap_tls_cacert /path/to/tls/ca.cert
Is it the case that the TLS CA cert is not configured?

To verify that SSSD's in-memory cache expires after a day, run the following command:
$ sudo grep memcache_timeout /etc/sssd/sssd.conf
If configured properly, output should be
memcache_timeout = .
Is it the case that it does not exist or is not configured properly?

To verify that SSSD is configured for PAM services, run the following command:
$ sudo grep services /etc/sssd/sssd.conf
If configured properly, output should be similar to
services = pam
Is it the case that it does not exist or 'pam' is not added to the 'services' option under the 'sssd' section?

To verify that smart cards are enabled in SSSD, run the following command:
$ sudo grep pam_cert_auth /etc/sssd/sssd.conf
If configured properly, output should be
pam_cert_auth = true
Is it the case that smart cards are not enabled in SSSD?

To verify that SSSD expires offline credentials, run the following command:
$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf
If configured properly, output should be
offline_credentials_expiration = 1
Is it the case that it does not exist or is not configured properly?

Run the following command to determine if the sssd package is installed:
$ rpm -q sssd
Is it the case that the package is not installed?
To verify that SSSD expires known SSH host keys, run the following command:
$ sudo grep ssh_known_hosts_timeout /etc/sssd/sssd.conf
If configured properly, output should be
ssh_known_hosts_timeout =
Is it the case that it does not exist or is not configured properly?

Run the following command to determine the current status of the sssd service:
$ systemctl is-active sssd
If the service is running, it should return the following:
active
Is it the case that the service is not enabled?

Run the following command to determine the current status of the systemd_timesyncd service:
$ systemctl is-active systemd_timesyncd
If the service is running, it should return the following:
active
Is it the case that ?

To verify that maxpoll has been set properly, perform the following:
$ sudo grep maxpoll /etc/ntp.conf /etc/chrony.conf
The output should return maxpoll .
Is it the case that it does not exist or maxpoll has not been set to the expected value?

Run the following command to determine the current status of the chronyd service:
$ systemctl is-active chronyd
If the service is running, it should return the following:
active
Run the following command to determine the current status of the ntpd service:
$ systemctl is-active ntpd
If the service is running, it should return the following:
active
Is it the case that ?

Run the following command to determine the current status of the ntpd service:
$ systemctl is-active ntpd
If the service is running, it should return the following:
active
Is it the case that ?

To verify that a remote NTP service is configured for time synchronization, open the following file:
/etc/chrony.conf in the case the system in question is configured to use chronyd as the NTP daemon (default setting)
/etc/ntp.conf in the case the system in question is configured to use ntpd as the NTP daemon
In the file, there should be a section similar to the following:
server ntpserver
Is it the case that this is not the case?
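The sssd.conf checks above (ldap_id_use_start_tls, ldap_tls_cacert/ldap_tls_cacertdir, memcache_timeout, services = pam, pam_cert_auth, offline_credentials_expiration, ssh_known_hosts_timeout) are each phrased as a `grep` over the whole file, but sssd.conf is an INI file and the options only count in their own section: `pam` must appear in `services` under `[sssd]`, the LDAP TLS options belong to a `[domain/...]` section, and a matching word in a comment or another section is not compliance. The following is an added example, not SCAP Security Guide code, that evaluates those checks section by section with the standard-library `configparser`. The sample configuration is constructed; the upper bound on `memcache_timeout` is taken from the page's wording that the cache should expire "after a day", and the exact expected value, which the page does not state, is left as a parameter.

```python
"""Section-aware checks of /etc/sssd/sssd.conf (added example, not SSG code)."""
import configparser

# Constructed sample sssd.conf. The commented "services" line in the domain
# section is exactly what `grep services /etc/sssd/sssd.conf` would also match.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = example.test

[domain/example.test]
id_provider = ldap
ldap_uri = ldaps://ldap.example.test
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
# services = nss   (stray comment; a plain grep reports it)

[pam]
pam_cert_auth = true
offline_credentials_expiration = 1

[ssh]
ssh_known_hosts_timeout = 180
"""

ONE_DAY_SECONDS = 86400  # "expires after a day" on this page


def load_sssd(text):
    """Parse sssd.conf text; interpolation is off because values may contain '%'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_sssd(text, memcache_timeout_max=ONE_DAY_SECONDS):
    """Return {check_name: bool} for the SSSD checks on this page.

    Each option is read from the section SSSD actually consults, so matches
    in comments or in unrelated sections do not count.
    """
    cp = load_sssd(text)
    results = {}

    # [sssd] services must list pam (the page's "services = pam" check).
    services = [s.strip().lower() for s in cp.get("sssd", "services", fallback="").split(",") if s.strip()]
    results["pam_service"] = "pam" in services

    # [pam] smart card auth and offline credential expiry.
    results["pam_cert_auth"] = cp.getboolean("pam", "pam_cert_auth", fallback=False)
    results["offline_credentials_expiration"] = cp.getint("pam", "offline_credentials_expiration", fallback=0) == 1

    # [nss] in-memory cache timeout: present, positive, and at most a day.
    mt = cp.get("nss", "memcache_timeout", fallback=None)
    results["memcache_timeout"] = mt is not None and mt.isdigit() and 0 < int(mt) <= memcache_timeout_max

    # [ssh] known-hosts cache timeout must be set (the page elides the value).
    results["ssh_known_hosts_timeout"] = cp.has_option("ssh", "ssh_known_hosts_timeout")

    # Every [domain/...] section must use TLS and name a CA cert or cert dir.
    domains = [s for s in cp.sections() if s.startswith("domain/")]
    results["ldap_tls"] = bool(domains) and all(
        cp.getboolean(d, "ldap_id_use_start_tls", fallback=False)
        and (cp.has_option(d, "ldap_tls_cacert") or cp.has_option(d, "ldap_tls_cacertdir"))
        for d in domains
    )
    return results


if __name__ == "__main__":
    for name, ok in check_sssd(SAMPLE_SSSD_CONF).items():
        print(f"{name:32s} {'pass' if ok else 'FAIL'}")
```

On the sample everything passes except `memcache_timeout`, which is absent from the `[nss]` section and therefore reported as a failure even though the file is otherwise well formed. Note that `ldap_id_use_start_tls` only matters for `ldap://` URIs; an `ldaps://` URI is already TLS, so a stricter checker would accept either.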
To verify that a remote NTP service is configured for time synchronization, open the following file:
/etc/ntp.conf
In the file, there should be a section similar to the following:
server ntpserver
Is it the case that this is not the case?

Run the following command to determine the current status of the ntp service:
$ systemctl is-active ntp
If the service is running, it should return the following:
active
Is it the case that ?

Run the following command to determine if the abrt package is installed:
$ rpm -q abrt
Is it the case that the package is installed?

To check that the cgred service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled cgred
Output should indicate the cgred service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled cgred
disabled
Run the following command to verify cgred is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active cgred
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the messagebus service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled messagebus
Output should indicate the messagebus service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled messagebus
disabled
Run the following command to verify messagebus is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active messagebus
If the service is not running the command will return the following output:
inactive
Is it the case that ?
To check that the acpid service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled acpid
Output should indicate the acpid service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled acpid
disabled
Run the following command to verify acpid is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active acpid
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the rdisc service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled rdisc
Output should indicate the rdisc service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled rdisc
disabled
Run the following command to verify rdisc is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active rdisc
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the netconsole service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled netconsole
Output should indicate the netconsole service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled netconsole
disabled
Run the following command to verify netconsole is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active netconsole
If the service is not running the command will return the following output:
inactive
Is it the case that ?
To check that the certmonger service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled certmonger
Output should indicate the certmonger service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled certmonger
disabled
Run the following command to verify certmonger is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active certmonger
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the quota_nld service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled quota_nld
Output should indicate the quota_nld service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled quota_nld
disabled
Run the following command to verify quota_nld is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active quota_nld
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the psacct service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled psacct
Output should indicate the psacct service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled psacct
disabled
Run the following command to verify psacct is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active psacct
If the service is not running the command will return the following output:
inactive
Is it the case that ?
To check that the rhnsd service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled rhnsd
Output should indicate the rhnsd service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled rhnsd
disabled
Run the following command to verify rhnsd is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active rhnsd
If the service is not running the command will return the following output:
inactive
Is it the case that ?

Run the following command to determine if the psacct package is installed:
$ rpm -q psacct
Is it the case that the package is not installed?

To check that the mdmonitor service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled mdmonitor
Output should indicate the mdmonitor service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled mdmonitor
disabled
Run the following command to verify mdmonitor is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active mdmonitor
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the irqbalance service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled irqbalance
Output should indicate the irqbalance service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled irqbalance
disabled
Run the following command to verify irqbalance is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active irqbalance
If the service is not running the command will return the following output:
inactive
Is it the case that ?
To check that the oddjobd service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled oddjobd
Output should indicate the oddjobd service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled oddjobd
disabled
Run the following command to verify oddjobd is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active oddjobd
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the smartd service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled smartd
Output should indicate the smartd service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled smartd
disabled
Run the following command to verify smartd is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active smartd
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the qpidd service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled qpidd
Output should indicate the qpidd service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled qpidd
disabled
Run the following command to verify qpidd is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active qpidd
If the service is not running the command will return the following output:
inactive
Is it the case that ?
To check that the abrtd service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled abrtd
Output should indicate the abrtd service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled abrtd
disabled
Run the following command to verify abrtd is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active abrtd
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the cpupower service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled cpupower
Output should indicate the cpupower service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled cpupower
disabled
Run the following command to verify cpupower is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active cpupower
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the saslauthd service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled saslauthd
Output should indicate the saslauthd service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled saslauthd
disabled
Run the following command to verify saslauthd is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active saslauthd
If the service is not running the command will return the following output:
inactive
Is it the case that ?
To check that the cgconfig service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled cgconfig
Output should indicate the cgconfig service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled cgconfig
disabled
Run the following command to verify cgconfig is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active cgconfig
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the ntpdate service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled ntpdate
Output should indicate the ntpdate service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled ntpdate
disabled
Run the following command to verify ntpdate is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active ntpdate
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the kdump service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled kdump
Output should indicate the kdump service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled kdump
disabled
Run the following command to verify kdump is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active kdump
If the service is not running the command will return the following output:
inactive
Is it the case that ?
To check that the rhsmcertd service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled rhsmcertd
Output should indicate the rhsmcertd service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled rhsmcertd
disabled
Run the following command to verify rhsmcertd is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active rhsmcertd
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the portreserve service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled portreserve
Output should indicate the portreserve service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled portreserve
disabled
Run the following command to verify portreserve is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active portreserve
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the sysstat service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled sysstat
Output should indicate the sysstat service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled sysstat
disabled
Run the following command to verify sysstat is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active sysstat
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check if StrictModes is enabled or set correctly, run the following command:
$ sudo grep StrictModes /etc/ssh/sshd_config
If configured properly, output should be yes
Is it the case that it is commented out or is not enabled?
To determine how the SSH daemon's IgnoreUserKnownHosts option is set, run the following command:
$ sudo grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config
If a line indicating yes is returned, then the required value is set.
Is it the case that the required value is not set?

To determine how the SSH daemon's PermitEmptyPasswords option is set, run the following command:
$ sudo grep -i PermitEmptyPasswords /etc/ssh/sshd_config
If no line, a commented line, or a line indicating the value no is returned, then the required value is set.
Is it the case that the required value is not set?

To ensure the SSH idle timeout will occur when the ClientAliveInterval is set, run the following command:
$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config
If properly configured, output should be:
ClientAliveCountMax
Is it the case that it is commented out or not configured properly?

Run the following command to see what the timeout interval is:
$ sudo grep ClientAliveInterval /etc/ssh/sshd_config
If properly configured, the output should be:
ClientAliveInterval
Is it the case that it is commented out or not configured properly?

To determine how the SSH daemon's Banner option is set, run the following command:
$ sudo grep -i Banner /etc/ssh/sshd_config
If a line indicating /etc/issue is returned, then the required value is set.
Is it the case that the required value is not set?

Only FIPS-approved MACs should be used. To verify that only FIPS-approved MACs are in use, run the following command:
$ sudo grep -i macs /etc/ssh/sshd_config
The output should contain only those MACs which are FIPS-approved. Any use of other ciphers or algorithms will result in the module entering the non-FIPS mode of operation.
Is it the case that the MACs option is commented out or not using FIPS-approved hash algorithms?
To ensure users are not able to present environment options to the SSH daemon, run the following command:
$ sudo grep PermitUserEnvironment /etc/ssh/sshd_config
If properly configured, output should be:
PermitUserEnvironment no
Is it the case that PermitUserEnvironment is not disabled?

To check if KerberosAuthentication is disabled or set correctly, run the following command:
$ sudo grep KerberosAuthentication /etc/ssh/sshd_config
If configured properly, output should be no
Is it the case that it is commented out or is not disabled?

To check which SSH protocol version is allowed, check the version of openssh-server with the following command:
$ rpm -qi openssh-server | grep Version
Versions equal to or higher than 7.4 only allow Protocol 2. If the version is lower than 7.4, run the following command to check the configuration:
$ sudo grep Protocol /etc/ssh/sshd_config
If configured properly, output should be Protocol 2
Is it the case that it is commented out or is not set correctly to Protocol 2?

To determine how the SSH daemon's IgnoreRhosts option is set, run the following command:
$ sudo grep -i IgnoreRhosts /etc/ssh/sshd_config
If no line, a commented line, or a line indicating the value yes is returned, then the required value is set.
Is it the case that the required value is not set?

To check which SSH protocol version is allowed, check the version of openssh-server with the following command:
$ rpm -qi openssh-server | grep Version
Versions equal to or higher than 7.4 have deprecated the RhostsRSAAuthentication option. If the version is lower than 7.4, run the following command to determine how the SSH daemon's RhostsRSAAuthentication option is set:
$ sudo grep -i RhostsRSAAuthentication /etc/ssh/sshd_config
If no line, a commented line, or a line indicating the value no is returned, then the required value is set.
Is it the case that the required value is not set?
To check if LogLevel is enabled or set correctly, run the following command:
$ sudo grep "^LogLevel" /etc/ssh/sshd_config
If configured properly, output should be LogLevel INFO
Is it the case that it is commented out or is not enabled?

To determine how the SSH daemon's X11Forwarding option is set, run the following command:
$ sudo grep -i X11Forwarding /etc/ssh/sshd_config
If a line indicating yes is returned, then the required value is set.
Is it the case that the required value is not set?

Only FIPS ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command:
$ sudo grep Ciphers /etc/ssh/sshd_config
The output should contain only those ciphers which are FIPS-approved.
Is it the case that FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved?

To determine how the SSH daemon's HostbasedAuthentication option is set, run the following command:
$ sudo grep -i HostbasedAuthentication /etc/ssh/sshd_config
If no line, a commented line, or a line indicating the value no is returned, then the required value is set.
Is it the case that the required value is not set?

To determine if firewalld is configured to allow access to ssh on port 22/tcp, run the following command(s):
firewall-cmd --list-ports
firewall-cmd --list-services
If firewalld is configured to allow access through the firewall, something similar to the following will be output:
If it is a service: ssh
If it is a port: 22/tcp
Is it the case that ?

To ensure the MaxAuthTries parameter is set, run the following command:
$ sudo grep MaxAuthTries /etc/ssh/sshd_config
If properly configured, output should be:
MaxAuthTries tries
Is it the case that it is commented out or not configured properly?

Only strong MACs should be used.
To verify that only strong MACs are in use, run the following command:
$ sudo grep -i macs /etc/ssh/sshd_config
The output should contain only those MACs which are strong, namely, the following hash functions:
hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
Is it the case that the MACs option is commented out or not using strong hash algorithms?

To check if UsePrivilegeSeparation is enabled or set correctly, run the following command:
$ sudo grep UsePrivilegeSeparation /etc/ssh/sshd_config
If configured properly, output should be sandbox
Is it the case that it is commented out or is not enabled?

To check if PrintLastLog is enabled or set correctly, run the following command:
$ sudo grep PrintLastLog /etc/ssh/sshd_config
If configured properly, output should be yes
Is it the case that it is commented out or is not enabled?

Only strong ciphers should be used. To verify that only strong ciphers are in use, run the following command:
$ sudo grep Ciphers /etc/ssh/sshd_config
The output should contain only those ciphers which are considered strong, namely:
chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
Is it the case that ciphers are not configured or not using strong ciphers?

To check if GSSAPIAuthentication is disabled or set correctly, run the following command:
$ sudo grep GSSAPIAuthentication /etc/ssh/sshd_config
If configured properly, output should be no
Is it the case that it is commented out or is not disabled?

To check if compression is enabled or set correctly, run the following command:
$ sudo grep Compression /etc/ssh/sshd_config
If configured properly, output should be no or delayed.
Is it the case that it is commented out, or is not set to no or delayed?
To determine how the SSH daemon's PermitRootLogin option is set, run the following command:
$ sudo grep -i PermitRootLogin /etc/ssh/sshd_config
If a line indicating no is returned, then the required value is set.
Is it the case that the required value is not set?

Run the following command to determine if the openssh-server package is installed:
$ rpm -q openssh-server
Is it the case that the package is not installed?

Run the following command to determine the current status of the sshd service:
$ systemctl is-active sshd
If the service is running, it should return the following:
active
Is it the case that ?

To check the permissions of /etc/ssh/*.pub, run the command:
$ ls -l /etc/ssh/*.pub
If properly configured, the output should indicate the following permissions:
-rw-r--r--
Is it the case that /etc/ssh/*.pub has unix mode -rw-r--r--?

To check the permissions of /etc/ssh/*_key, run the command:
$ ls -l /etc/ssh/*_key
If properly configured, the output should indicate the following permissions:
-rw-r-----
Is it the case that /etc/ssh/*_key has unix mode -rw-r-----?

Find the list of alias maps used by the Postfix mail server:
$ sudo postconf alias_maps
Query the Postfix alias maps for an alias for the root user:
$ sudo postmap -q root hash:/etc/aliases
The output should return an alias.
Is it the case that it is not?

Run the following command to ensure postfix accepts mail messages from only the local system:
$ grep inet_interfaces /etc/postfix/main.cf
If properly configured, the output should show only localhost.
Is it the case that it does not?

To verify the system is configured to prevent unrestricted mail relaying, run the following command:
$ sudo postconf -n smtpd_client_restrictions
The output should return:
smtpd_client_restrictions = permit_mynetworks,reject
Is it the case that it is not?

Run the following command to determine if the sendmail package is installed:
$ rpm -q sendmail
Is it the case that the package is installed?
Run the following command to determine the current status of the postfix service:
$ systemctl is-active postfix
If the service is running, it should return the following:
active
Is it the case that the system is not a cross domain solution and the service is not enabled?

To check that the dovecot service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled dovecot
Output should indicate the dovecot service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled dovecot
disabled
Run the following command to verify dovecot is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active dovecot
If the service is not running the command will return the following output:
inactive
Is it the case that ?

Run the following command to determine if the dovecot package is installed:
$ rpm -q dovecot
Is it the case that the package is installed?

To verify all squashing has been disabled, run the following command:
$ grep all_squash /etc/exports
Is it the case that there is output?

To verify the sec option is configured for all NFS mounts, run the following command:
$ grep "sec=" /etc/exports
All configured NFS exports should show the sec=krb5:krb5i:krb5p setting in parentheses. This is not applicable if NFS is not implemented.
Is it the case that the setting is not configured, has the 'sys' option added, or does not have all Kerberos options added?

To verify insecure file locking has been disabled, run the following command:
$ grep insecure_locks /etc/exports
Is it the case that there is output?

To verify the noexec option is configured for all NFS mounts, run the following command:
$ mount | grep nfs
All NFS mounts should show the noexec setting in parentheses. This is not applicable if NFS is not implemented.
Is it the case that the setting does not show?
To verify the sec option is configured for all NFS mounts, run the following command:
$ mount | grep "sec="
All NFS mounts should show the sec=krb5:krb5i:krb5p setting in parentheses. This is not applicable if NFS is not implemented.
Is it the case that the setting is not configured, has the 'sys' option added, or does not have all Kerberos options added?

To verify the nosuid option is configured for all NFS mounts, run the following command:
$ mount | grep nfs
All NFS mounts should show the nosuid setting in parentheses. This is not applicable if NFS is not implemented.
Is it the case that the setting does not show?

To verify the nodev option is configured for all NFS mounts, run the following command:
$ mount | grep nfs
All NFS mounts should show the nodev setting in parentheses. This is not applicable if NFS is not implemented.
Is it the case that the setting does not show?

Inspect the mounts configured in /etc/exports. Each mount should specify a value greater than UID_MAX and GID_MAX as defined in /etc/login.defs.
Is it the case that anonuid or anongid are not set to a value greater than UID_MAX (for anonuid) and GID_MAX (for anongid)?

To check that the nfs service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled nfs
Output should indicate the nfs service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled nfs
disabled
Run the following command to verify nfs is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active nfs
If the service is not running the command will return the following output:
inactive
Is it the case that it does not?
To check that the rpcsvcgssd service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled rpcsvcgssd
Output should indicate the rpcsvcgssd service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled rpcsvcgssd
disabled
Run the following command to verify rpcsvcgssd is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active rpcsvcgssd
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To verify that CUPS printer browsing is disabled, run the following command:
$ sudo grep "Browsing\|BrowseAllow" /etc/cups/cupsd.conf
The output should return the following:
Browsing Off
BrowseAllow none
Is it the case that printer browsing is not disabled?

To check that the cups service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled cups
Output should indicate the cups service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled cups
disabled
Run the following command to verify cups is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active cups
If the service is not running the command will return the following output:
inactive
Is it the case that ?

Run the following command to determine if the docker package is installed:
$ rpm -q docker
Is it the case that the package is not installed?

Run the following command to determine the current status of the docker service:
$ systemctl is-active docker
If the service is running, it should return the following:
active
Is it the case that ?
To check that the avahi-daemon service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled avahi-daemon
Output should indicate the avahi-daemon service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled avahi-daemon
disabled
Run the following command to verify avahi-daemon is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active avahi-daemon
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the squid service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled squid
Output should indicate the squid service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled squid
disabled
Run the following command to verify squid is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active squid
If the service is not running the command will return the following output:
inactive
Is it the case that ?

Run the following command to determine if the squid package is installed:
$ rpm -q squid
Is it the case that the package is installed?

Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to synchronize audit event data with the log files on the disk:
$ sudo grep flush /etc/audit/auditd.conf
flush = DATA
Acceptable values are DATA, and SYNC. The setting is case-insensitive.
Is it the case that auditd is not configured to synchronously write audit event data to disk?
To verify the audispd plugin encrypts audit records off-loaded onto a different system or media from the system being audited, run the following command:
$ sudo grep -i enable_krb5 /etc/audisp/audisp-remote.conf
The output should return the following:
enable_krb5 = yes
Is it the case that audispd is not encrypting audit records when sent over the network?

To verify the audispd plugin off-loads audit records onto a different system or media from the system being audited, run the following command:
$ sudo grep -i remote_server /etc/audisp/audisp-remote.conf
The output should return something similar to the following, where REMOTE_SYSTEM is an IP address or hostname:
remote_server = REMOTE_SYSTEM
Is it the case that audispd is not sending logs to a remote system?

Inspect /etc/audisp/audisp-remote.conf and locate the following line to determine if the system is configured to either send to syslog, switch to single user mode, or halt when there is a network failure with audispd:
grep -i network_failure_action /etc/audisp/audisp-remote.conf
The output should return something similar to:
network_failure_action = single
Acceptable values also include syslog and halt.
Is it the case that the system is not configured to switch to single user mode for corrective action?

Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to either log to syslog, switch to single-user mode, execute a script, or halt when the disk is out of space:
disk_full_action single
Is it the case that the system is not configured to switch to single-user mode for corrective action?

Inspect /etc/audit/auditd.conf and locate the following line to determine how much data the system will retain in each audit log file:
$ sudo grep max_log_file /etc/audit/auditd.conf
max_log_file = 6
Is it the case that the system audit data threshold has not been properly configured?
Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured correctly:
space_left SIZE_in_MB
Is it the case that the system is not configured with a specific size in MB to notify administrators of an issue?

Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to send email to an account when it needs to notify an administrator:
action_mail_acct = root
Is it the case that auditd is not configured to send emails per identified actions?

To verify the audispd's syslog plugin is active, run the following command:
$ sudo grep active /etc/audisp/plugins.d/syslog.conf
If the plugin is active, the output will show yes.
Is it the case that it is not activated?

Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to either suspend, switch to single user mode, or halt when disk space has run low:
admin_space_left_action single
Is it the case that the system is not configured to switch to single user mode for corrective action?

Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to rotate logs when they reach their maximum size:
$ sudo grep max_log_file_action /etc/audit/auditd.conf
max_log_file_action rotate
Is it the case that the system has not been properly configured to rotate audit logs?

Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to email the administrator when disk space is starting to run low:
$ sudo grep space_left_action /etc/audit/auditd.conf
space_left_action
Acceptable values are email, suspend, single, and halt.
Is it the case that the system is not configured to send an email to the system administrator when disk space is starting to run low?
Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to either log to syslog, switch to single-user mode, execute a script, or halt when the disk errors:
disk_error_action single
Is it the case that the system is not configured to switch to single-user mode for corrective action?

Inspect /etc/audit/auditd.conf and locate the following line to determine how many logs the system is configured to retain after rotation:
$ sudo grep num_logs /etc/audit/auditd.conf
num_logs = 5
Is it the case that the system log file retention has not been properly configured?

Inspect /etc/audisp/audisp-remote.conf and locate the following line to determine if the system is configured to either send to syslog, switch to single user mode, or halt when the disk is full:
grep -i disk_full_action /etc/audisp/audisp-remote.conf
The output should return something similar to:
disk_full_action = single
Acceptable values also include syslog and halt.
Is it the case that the system is not configured to switch to single user mode for corrective action?

To verify that auditing is configured for system administrator actions, run the following command:
$ sudo auditctl -l | grep "watch=/usr/sbin/rmmod\|-w /usr/sbin/rmmod"
Is it the case that there is no output?

To determine if the system is configured to audit calls to the init_module system call, run the following command:
$ sudo grep "init_module" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
To determine if the system is configured to audit calls to the delete_module system call, run the following command:
$ sudo grep "delete_module" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?
To determine if the system is configured to audit calls to the delete_module system call, run the following command:
$ sudo grep "delete_module" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To verify that auditing is configured for system administrator actions, run the following command:
$ sudo auditctl -l | grep "watch=/usr/sbin/insmod\|-w /usr/sbin/insmod"
Is it the case that there is no output?

To determine if the system is configured to audit calls to the finit_module system call, run the following command:
$ sudo grep "finit_module" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To verify that auditing is configured for system administrator actions, run the following command:
$ sudo auditctl -l | grep "watch=/usr/sbin/modprobe\|-w /usr/sbin/modprobe"
Is it the case that there is no output?

To determine if the system is configured to audit calls to the create_module system call, run the following command:
$ sudo grep "create_module" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit calls to the init_module system call, run the following command:
$ sudo grep "init_module" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To verify that auditing is configured for system administrator actions, run the following command:
$ sudo auditctl -l | grep "watch=/var/log/lastlog\|-w /var/log/lastlog"
Is it the case that there is no output?
To verify that auditing is configured for system administrator actions, run the following command:
$ sudo auditctl -l | grep "watch=/var/run/faillock\|-w /var/run/faillock"
Is it the case that there is no output?

To verify that auditing is configured for system administrator actions, run the following command:
$ sudo auditctl -l | grep "watch=/var/log/tallylog\|-w /var/log/tallylog"
Is it the case that there is no output?

If the system is not configured to audit time changes, this is a finding. If the system is 64-bit only, this is not applicable.
To determine if the system is configured to audit calls to the stime system call, run the following command:
$ sudo grep "stime" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit calls to the settimeofday system call, run the following command:
$ sudo grep "settimeofday" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit attempts to alter time via the /etc/localtime file, run the following command:
$ sudo auditctl -l | grep "watch=/etc/localtime"
If the system is configured to audit this activity, it will return a line.
Is it the case that the system is not configured to audit time changes?

To determine if the system is configured to audit calls to the clock_settime system call, run the following command:
$ sudo grep "clock_settime" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit calls to the adjtimex system call, run the following command:
$ sudo grep "adjtimex" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit calls to the fchown system call, run the following command:
$ sudo grep "fchown" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit calls to the setxattr system call, run the following command:
$ sudo grep "setxattr" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit calls to the chown system call, run the following command:
$ sudo grep "chown" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit calls to the fchownat system call, run the following command:
$ sudo grep "fchownat" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit calls to the lchown system call, run the following command:
$ sudo grep "lchown" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit calls to the chmod system call, run the following command:
$ sudo grep "chmod" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit calls to the removexattr system call, run the following command:
$ sudo grep "removexattr" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit calls to the fchmod system call, run the following command:
$ sudo grep "fchmod" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit calls to the lsetxattr system call, run the following command:
$ sudo grep "lsetxattr" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit calls to the fremovexattr system call, run the following command:
$ sudo grep "fremovexattr" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit calls to the lremovexattr system call, run the following command:
$ sudo grep "lremovexattr" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit calls to the fsetxattr system call, run the following command:
$ sudo grep "fsetxattr" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit calls to the fchmodat system call, run the following command:
$ sudo grep "fchmodat" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?
To verify that execution of each of the following privileged SELinux commands is being audited, run the following command once for each, substituting the command's path for COMMAND: /usr/sbin/seunshare, /usr/sbin/setfiles, /usr/sbin/setsebool, /usr/sbin/semanage, /usr/bin/chcon and /usr/sbin/restorecon.
$ sudo grep "path=COMMAND" /etc/audit/audit.rules /etc/audit/rules.d/*
The output should return something similar to:
-a always,exit -F path=COMMAND -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
Is it the case that no such line is returned?
To determine if the system is configured to audit calls to the rmdir, unlinkat, unlink and rename system calls, run the following command once for each, substituting the system call name for SYSCALL:
$ sudo grep "SYSCALL" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?
To determine if the system is configured to audit calls to the renameat, rename and unlink system calls, run the following command once for each, substituting the system call name for SYSCALL:
$ sudo grep "SYSCALL" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?
To verify that auditing of privileged command use is configured for passwd, sudo and usernetctl, run the following command once for each, substituting the program name for PROGRAM:
$ sudo grep PROGRAM /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules. Note that the pattern sudo also matches sudoedit and the watch rules for /etc/sudoers; confirm that the line returned is the -F path= rule for the program itself. Is it the case that no relevant line is returned?
To verify that auditing of privileged command use is configured for postdrop, chsh, newgidmap, postqueue, chage, userhelper, at, pam_timestamp_check, crontab, umount, unix_chkpwd, pt_chown, ssh-keysign, sudoedit, mount, newuidmap, gpasswd, su and newgrp, run the following command once for each, substituting the program name for PROGRAM:
$ sudo grep PROGRAM /etc/audit/audit.rules /etc/audit/rules.d/*
For at, use a word-boundary pattern so that the match is not satisfied by every rule containing the letters "at":
$ sudo grep '\bat\b' /etc/audit/audit.rules /etc/audit/rules.d/*
Each command should return a relevant line in the audit rules. Short names such as su and mount also match sudo, sudoedit, umount and the sudoers watch rules, so confirm that the line returned is the -F path= rule for the program itself. Is it the case that no relevant line is returned?
To verify that auditing of privileged command use is configured, run the following command for each local partition PART to find relevant setuid / setgid programs:
$ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null
Run the following command to verify entries in the audit rules for all programs found with the previous command (rules kept in /etc/audit/rules.d are merged into audit.rules by augenrules, so check both locations):
$ sudo grep path /etc/audit/audit.rules /etc/audit/rules.d/*
It should be the case that all relevant setuid / setgid programs have a line in the audit rules. Is it the case that any of them do not?
To determine if the system is configured to audit calls to the renameat system call, run the following command:
$ sudo grep "renameat" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?
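The setuid/setgid check above leaves the comparison between the find output and the audit rules to the reader, and the per-program greps match more than they should (sudo matches sudoedit and the sudoers watches, mount matches umount). The following shell script is an added example, not part of the SCAP Security Guide: it extracts the paths of the rules that actually audit execution (-F perm=x, or -w PATH -p x) and reports the programs read from standard input that have none. The rules file and the program list it runs on are constructed here; on a real host feed it the output of the find above and pass /etc/audit/audit.rules together with /etc/audit/rules.d/*.rules.

```shell
#!/bin/sh
# Added example (not part of the SCAP Security Guide): report privileged
# programs that have no execution audit rule. Sample rules are constructed.

# audited_exec_paths RULES_FILE...
# Prints the path of every active rule that audits execution, written either as
# "-a always,exit ... -F path=P ... -F perm=x" or as "-w P -p x".
# Comment lines are skipped, so a commented-out rule does not count as coverage.
audited_exec_paths() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            always = 0; execperm = 0; path = ""; wpath = ""; wexec = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-a" && ($(i+1) == "always,exit" || $(i+1) == "exit,always")) always = 1
                if ($i == "-F" && $(i+1) == "perm=x") execperm = 1
                if ($i == "-F" && substr($(i+1), 1, 5) == "path=") path = substr($(i+1), 6)
                if ($i == "-w") wpath = $(i+1)
                if ($i == "-p" && index($(i+1), "x") > 0) wexec = 1
            }
            if (always && execperm && path != "") print path
            else if (wpath != "" && wexec) print wpath
        }' "$@"
}

# unaudited_programs RULES_FILE...   (program paths on stdin, one per line)
# Prints each program from stdin that has no execution audit rule. Paths are
# compared whole, so a rule for sudoedit does not satisfy a check for sudo.
unaudited_programs() {
    local covered prog
    covered=$(audited_exec_paths "$@")
    while IFS= read -r prog; do
        [ -n "$prog" ] || continue
        printf '%s\n' "$covered" | grep -qxF -- "$prog" || printf '%s\n' "$prog"
    done
}

# list_privileged_programs PART -> the find from the check above, for piping
list_privileged_programs() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# write_sample_exec_rules FILE -> constructed rules, not taken from a real host
write_sample_exec_rules() {
    cat > "$1" <<'EOF'
#-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-w /usr/bin/mount -p x -k privileged
-w /usr/bin/umount -p wa -k privileged
EOF
}

# Demo on the constructed data. On a real host run instead:
#   list_privileged_programs / | unaudited_programs /etc/audit/audit.rules /etc/audit/rules.d/*.rules
demo=$(mktemp)
write_sample_exec_rules "$demo"
printf '%s\n' /usr/bin/passwd /usr/bin/sudo /usr/bin/sudoedit /usr/bin/chage \
              /usr/bin/mount /usr/bin/umount | unaudited_programs "$demo"
rm -f "$demo"
```

The demo lists sudoedit, chage (its rule is commented out) and umount (watched for writes only, not execution) as unaudited; passwd, sudo and mount are covered.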
To determine if the system is configured to audit calls to the open_by_handle_at, open, fchownat, openat, lchown, fchmodat and removexattr system calls, run the following command once for each, substituting the system call name for SYSCALL:
$ sudo grep "SYSCALL" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Because grep matches substrings, "open" is also satisfied by rules for openat and open_by_handle_at, and a commented-out rule matches too; confirm that the line returned is an active rule whose -S list names the system call itself, for both the b32 and b64 architectures. Is it the case that no line is returned?
To determine if the system is configured to audit calls to the chown, fchown, truncate, setxattr, lremovexattr, creat and open system calls, run the following command once for each, substituting the system call name for SYSCALL:
$ sudo grep "SYSCALL" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?
To determine if the system is configured to audit calls to the fremovexattr, unlink, fsetxattr, openat, open and lsetxattr system calls, run the following command once for each, substituting the system call name for SYSCALL:
$ sudo grep "SYSCALL" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?
To determine if the system is configured to audit calls to the chmod, open_by_handle_at, ftruncate, unlinkat and openat system calls, run the following command once for each, substituting the system call name for SYSCALL:
$ sudo grep "SYSCALL" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?
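The system call checks above rely on grep matching a substring, so "open" is satisfied by a rule for openat, by a commented-out rule, or by a rule for only one of the two architectures that the EACCES/EPERM check below requires. The following shell script is an added example, not part of the SCAP Security Guide: it parses each -a always,exit rule, splits the -S list and matches the system call name whole for the requested arch. The rules file it runs on is constructed; on a real host pass /etc/audit/audit.rules or the relevant file under /etc/audit/rules.d.

```shell
#!/bin/sh
# Added example (not part of the SCAP Security Guide): check whether a system
# call is covered by an audit rule for a given architecture. Sample rules are
# constructed and do not come from a real host.

# audit_syscall_covered RULES_FILE SYSCALL ARCH
# Exit 0 if an active "-a always,exit -F arch=ARCH ... -S ..." rule names
# SYSCALL, written either as "-S a,b,c" or as repeated "-S" options. Each list
# entry is compared whole, so "open" does not match "openat".
audit_syscall_covered() {
    awk -v sc="$2" -v want="arch=$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            always = 0; archok = 0; hit = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-a" && ($(i+1) == "always,exit" || $(i+1) == "exit,always")) always = 1
                if ($i == "-F" && $(i+1) == want) archok = 1
                if ($i == "-S") {
                    n = split($(i+1), names, ",")
                    for (j = 1; j <= n; j++) if (names[j] == sc) hit = 1
                }
            }
            if (always && archok && hit) { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# audit_missing_syscalls RULES_FILE ARCH SYSCALL... -> prints the uncovered ones
audit_missing_syscalls() {
    local rules arch sc
    rules="$1"; arch="$2"; shift 2
    for sc in "$@"; do
        audit_syscall_covered "$rules" "$sc" "$arch" || printf '%s\n' "$sc"
    done
}

# write_sample_syscall_rules FILE -> constructed rules, not from a real host
write_sample_syscall_rules() {
    cat > "$1" <<'EOF'
# a commented-out rule must not count as coverage:
#-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
EOF
}

# Demo: the EACCES/EPERM check requires both 32-bit and 64-bit rules, so the
# report is produced per architecture.
demo=$(mktemp)
write_sample_syscall_rules "$demo"
for arch in b32 b64; do
    printf 'arch=%s not audited: %s\n' "$arch" \
        "$(audit_missing_syscalls "$demo" "$arch" chmod fchmod fchmodat chown open openat open_by_handle_at | tr '\n' ' ')"
done
rm -f "$demo"
```

On the constructed rules the b64 report lists chown (only a commented-out rule) and open (only openat and open_by_handle_at are named), while the b32 report also lists fchmodat, openat and open_by_handle_at because no 32-bit rule covers them.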
To verify that the audit system collects unauthorized file accesses, run the following commands:
$ sudo grep EACCES /etc/audit/audit.rules
$ sudo grep EPERM /etc/audit/audit.rules
Is it the case that 32-bit and 64-bit system calls to creat, open, openat, open_by_handle_at, truncate, and ftruncate are not audited during EACCES and EPERM?
To determine if the system is configured to audit calls to the fchmod, open_by_handle_at, openat and rename system calls, run the following command once for each, substituting the system call name for SYSCALL:
$ sudo grep "SYSCALL" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?
To verify that auditing is configured for system administrator actions, run the following command:
$ sudo auditctl -l | grep "watch=/etc/sudoers\|watch=/etc/sudoers.d\|-w /etc/sudoers\|-w /etc/sudoers.d"
Is it the case that there is no output?
To determine if the system is configured to audit changes to its network configuration, run the following command:
auditctl -l | egrep '(/etc/issue|/etc/issue.net|/etc/hosts|/etc/sysconfig/network)'
If the system is configured to watch for network configuration changes, a line should be returned for each file specified (and perm=wa should be indicated for each). Is it the case that the system is not configured to audit changes of the network configuration?
To determine if the system is configured to audit account changes, run the following command:
auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'
If the system is configured to watch for account changes, lines should be returned for each file specified (and with perm=wa for each). Is it the case that the system is not configured to audit account changes?
To determine if the system is configured to audit calls to the open_by_handle_at and open system calls, run the following command once for each, substituting the system call name for SYSCALL:
$ sudo grep "SYSCALL" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?
Run the following command to check the mode of the system audit logs:
$ sudo ls -ld /var/log/audit
Audit log directories must be mode 0700 or less permissive. Is it the case that any are more permissive?
To determine if the system is configured to audit calls to the openat and open system calls, run the following command once for each, substituting the system call name for SYSCALL:
$ sudo grep "SYSCALL" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?
To determine if the system is configured to audit account changes to /etc/shadow, run the following command:
auditctl -l | egrep '(/etc/shadow)'
If the system is configured to watch for account changes, a line should be returned for the file (and with perm=wa). Is it the case that the system is not configured to audit account changes?
To determine if the system is configured to audit accesses to the /var/log/audit directory, run the following command:
$ sudo grep "dir=/var/log/audit" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?
To verify that auditing is configured for all media exportation events, run the following command:
$ sudo auditctl -l | grep syscall | grep mount
Is it the case that there is no output?
To determine if the system is configured to audit account changes to /etc/security/opasswd, run the following command:
auditctl -l | egrep '(/etc/security/opasswd)'
If the system is configured to watch for account changes, a line should be returned for the file (and with perm=wa).
Is it the case that the system is not configured to audit account changes? The owner of /var/log/audit and of the files in it should be root. To properly set the owner of /var/log/audit, run the command:
$ sudo chown root /var/log/audit
To properly set the owner of /var/log/audit/*, run the command:
$ sudo chown root /var/log/audit/*
Is it the case that the owner is not root?
To determine if the system is configured to audit changes to its SELinux configuration files, run the following command:
$ sudo auditctl -l | grep "dir=/etc/selinux"
If the system is configured to watch for changes to its SELinux configuration, a line should be returned (including perm=wa indicating permissions that are watched). Is it the case that the system is not configured to audit attempts to change the MAC policy?
To verify that the system will shutdown when auditd fails, run the following command:
$ sudo grep "\-f 2" /etc/audit/audit.rules
The output should contain:
-f 2
Note that failure mode 2 makes the kernel panic when the audit subsystem cannot record an event, so the system halts rather than continuing unaudited. Is it the case that the system is not configured to shutdown on auditd failures?
Run the following command to check the mode of the system audit logs:
$ sudo ls -l /var/log/audit
Audit logs must be mode 0640 or less permissive. Is it the case that any are more permissive?
To determine if the system is configured to audit account changes to /etc/gshadow, run the following command:
auditctl -l | egrep '(/etc/gshadow)'
If the system is configured to watch for account changes, a line should be returned for the file (and with perm=wa). Is it the case that the system is not configured to audit account changes?
To determine if the system is configured to audit account changes to /etc/passwd, run the following command:
auditctl -l | egrep '(/etc/passwd)'
If the system is configured to watch for account changes, a line should be returned for the file (and with perm=wa). Is it the case that the system is not configured to audit account changes?
To determine if the system is configured to audit account changes to /etc/group, run the following command:
auditctl -l | egrep '(/etc/group)'
If the system is configured to watch for account changes, a line should be returned for the file (and with perm=wa). Is it the case that the system is not configured to audit account changes?
Inspect the default GRUB 2 command line for the Linux operating system in /etc/default/grub. If it includes audit_backlog_limit=8192, the kernel audit backlog is sized to hold the events generated before auditd starts (a limit of 1 would queue a single event and lose the rest). To ensure audit_backlog_limit=8192 is configured on all installed kernels, the following command may be used:
$ sudo /sbin/grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
Is it the case that the audit backlog limit is not configured?
Inspect the default GRUB 2 command line for the Linux operating system in /etc/default/grub. If it includes audit=1, then auditing is enabled at boot time. To ensure audit=1 is configured on all installed kernels, the following command may be used:
$ sudo /sbin/grubby --update-kernel=ALL --args="audit=1"
Is it the case that auditing is not enabled at boot time?
Run the following command to determine the current status of the auditd service:
$ systemctl is-active auditd
If the service is running, it should return the following: active
Is it the case that the service is not active?
To ensure logs are sent to a remote host, examine the file /etc/rsyslog.conf. If using UDP, a line similar to the following should be present:
*.* @loghost.example.com
If using TCP, a line similar to the following should be present:
*.* @@loghost.example.com
If using RELP, a line similar to the following should be present:
*.* :omrelp:loghost.example.com
A configuration written in rsyslog's RainerScript syntax expresses the same forwarding as, for example, action(type="omfwd" target="loghost.example.com" port="514" protocol="tcp"); check for that form as well before concluding that no remote destination is configured. Is it the case that none of these are present?
The owner of all log files written by rsyslog should be . These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. To see the owner of a given log file, run the following command:
$ ls -l LOGFILE
Is it the case that the owner is not correct?
The group-owner of all log files written by rsyslog should be . These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. To see the group-owner of a given log file, run the following command:
$ ls -l LOGFILE
Is it the case that the group-owner is not correct?
To verify that cron is logging to rsyslog, run the following command:
grep -rni "cron\.\*" /etc/rsyslog.*
The output should return something similar to:
cron.* /var/log/cron
Is it the case that cron is not logging to rsyslog?
The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. To see the permissions of a given log file, run the following command:
$ ls -l LOGFILE
The permissions should be 600, or more restrictive. Is it the case that the permissions are not correct?
Run the following command to determine the current status of the syslog-ng service:
$ systemctl is-active syslog-ng
If the service is running, it should return the following: active
Is it the case that the service is not active?
Run the following command to determine if the syslog-ng-core package is installed:
$ rpm -q syslog-ng-core
Is it the case that the package is not installed?
To determine the status and frequency of logrotate, run the following command:
$ sudo grep logrotate /var/log/cron*
If logrotate is configured properly, output should include references to /etc/cron.daily. Is it the case that logrotate is not configured to run daily?
Run the following command to determine the current status of the rsyslog service:
$ systemctl is-active rsyslog
If the service is running, it should return the following: active
Is it the case that the service is not active?
Run the following command to determine if the rsyslog package is installed: $ rpm -q rsyslog Is it the case that the package is not installed? The status of the net.ipv6.conf.default.accept_source_route kernel parameter can be queried by running the following command: $ sysctl net.ipv6.conf.default.accept_source_route The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r net.ipv6.conf.default.accept_source_route /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? The status of the net.ipv6.conf.all.accept_source_route kernel parameter can be queried by running the following command: $ sysctl net.ipv6.conf.all.accept_source_route The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r net.ipv6.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? The status of the net.ipv6.conf.all.forwarding kernel parameter can be queried by running the following command: $ sysctl net.ipv6.conf.all.forwarding The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. 
You can verify this by running the following command: $ grep -r net.ipv6.conf.all.forwarding /etc/sysctl.conf /etc/sysctl.d The ability to forward packets is only appropriate for routers. Is it the case that ? The status of the net.ipv6.conf.all.accept_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv6.conf.all.accept_redirects The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r net.ipv6.conf.all.accept_redirects /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? The status of the net.ipv6.conf.default.accept_ra kernel parameter can be queried by running the following command: $ sysctl net.ipv6.conf.default.accept_ra The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r net.ipv6.conf.default.accept_ra /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? The status of the net.ipv6.conf.all.accept_ra kernel parameter can be queried by running the following command: $ sysctl net.ipv6.conf.all.accept_ra The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. 
You can verify this by running the following command:
    $ grep -r net.ipv6.conf.all.accept_ra /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?

The status of the net.ipv6.conf.default.accept_redirects kernel parameter can be queried by running the following command:
    $ sysctl net.ipv6.conf.default.accept_redirects
The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command:
    $ grep -r net.ipv6.conf.default.accept_redirects /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?

If the system uses IPv6, this is not applicable. If the system is configured to prevent the use of IPv6 on network interfaces, it will contain a line of the form:
    net.ipv6.conf.all.disable_ipv6 = 1
Such lines may be inside any file in the /etc/sysctl.d directory. This permits insertion of the IPv6 kernel module (which other parts of the system expect to be present), but otherwise keeps all network interfaces from using IPv6. Run the following command to search for such lines in all files in /etc/sysctl.d:
    $ grep -r ipv6 /etc/sysctl.d
Is it the case that the ipv6 support is disabled on network interfaces?

If the system uses IPv6, this is not applicable. If the system is configured to disable the ipv6 kernel module, it will contain a line of the form:
    options ipv6 disable=1
Such lines may be inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. This permits insertion of the IPv6 kernel module (which other parts of the system expect to be present), but otherwise keeps it inactive.
Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
    $ grep -r ipv6 /etc/modprobe.conf /etc/modprobe.d
Is it the case that the ipv6 kernel module is not disabled?

To check for configured IPsec connections (conn), perform the following:
    $ grep -rni conn /etc/ipsec.conf /etc/ipsec.d/
Verify any returned results for organizational approval.
Is it the case that the IPSec tunnels are not approved?

Run the following command to determine if the libreswan package is installed:
    $ rpm -q libreswan
Is it the case that the package is not installed?

If IPv6 is disabled, this is not applicable. Run the following command to determine the current status of the ip6tables service:
    $ systemctl is-active ip6tables
If the service is running, it should return the following:
    active
Is it the case that ?

Run the following command to determine the current status of the iptables service:
    $ systemctl is-active iptables
If the service is running, it should return the following:
    active
Is it the case that ?

If IPv6 is disabled, this is not applicable. Inspect the file /etc/sysconfig/ip6tables to determine the default policy for the INPUT chain. It should be set to DROP:
    $ sudo grep ":INPUT" /etc/sysconfig/ip6tables
Is it the case that the default policy for the INPUT chain is not set to DROP?

Run the following command to ensure the default FORWARD policy is DROP:
    $ sudo grep ":FORWARD" /etc/sysconfig/iptables
The output should be similar to the following:
    :FORWARD DROP [0:0]
Is it the case that the default policy for the FORWARD chain is not set to DROP?

Inspect the file /etc/sysconfig/iptables to determine the default policy for the INPUT chain. It should be set to DROP:
    $ sudo grep ":INPUT" /etc/sysconfig/iptables
Is it the case that the default policy for the INPUT chain is not set to DROP?
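The grep checks above look at the `:INPUT` and `:FORWARD` policy lines of /etc/sysconfig/iptables by eye. The following is an added example, not code from the SCAP Security Guide, that parses the iptables-save format those files use (`*table`, `:CHAIN POLICY [packets:bytes]`, `-A` rules, `COMMIT`) and reports whether each required built-in chain of the filter table has a DROP policy. The file content is constructed for the example; a real run would read /etc/sysconfig/iptables or /etc/sysconfig/ip6tables.

```python
"""Audit default chain policies in an iptables-save style file such as
/etc/sysconfig/iptables (added example; not part of SCAP Security Guide)."""
import re

# Policy line: ":INPUT DROP [0:0]". User-defined chains carry "-" as policy.
POLICY_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|REJECT|-)\s+\[(\d+):(\d+)\]$")


def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [rule lines]}}."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                 # "*filter", "*nat", ...
            current = line[1:]
            tables[current] = {"policies": {}, "rules": []}
        elif line == "COMMIT":                   # end of the current table
            current = None
        elif current is None:
            continue                             # text outside any table block
        elif line.startswith(":"):
            m = POLICY_RE.match(line)
            if m:
                tables[current]["policies"][m.group(1)] = m.group(2)
        elif line.startswith("-A"):
            tables[current]["rules"].append(line)
    return tables


def audit_filter_policies(text, required=("INPUT", "FORWARD")):
    """Return {chain: (policy_or_None, ok)}; ok only when the policy is DROP.
    A chain that is missing altogether is reported as (None, False) so that a
    truncated or hand-edited file fails rather than silently passing."""
    filt = parse_iptables_save(text).get("filter", {"policies": {}})
    policies = filt["policies"]
    return {c: (policies.get(c), policies.get(c) == "DROP") for c in required}


def load_and_audit(path="/etc/sysconfig/iptables"):
    """Convenience wrapper for a real host (not exercised by the sample)."""
    with open(path) as fh:
        return audit_filter_policies(fh.read())


# Constructed sample file: INPUT is locked down but FORWARD was left at ACCEPT.
SAMPLE_IPTABLES = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12:960]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for chain, (policy, ok) in audit_filter_policies(SAMPLE_IPTABLES).items():
        print("%-8s policy=%-6s %s" % (chain, policy, "ok" if ok else "FINDING"))
```

The same parser applies unchanged to /etc/sysconfig/ip6tables, since ip6tables-save writes the same format.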
Inspect the file /etc/firewalld/firewalld.conf to determine the default zone for the firewalld. It should be set to DefaultZone=drop:
    $ sudo grep DefaultZone /etc/firewalld/firewalld.conf
Is it the case that the default zone is not set to DROP?

Inspect the list of enabled firewall ports and verify they are configured correctly by running the following command:
    $ sudo firewall-cmd --list-all
Is it the case that the default rules are not configured?

To verify the operating system protects against or limits the effects of DoS attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces, run the following command:
    $ sudo firewall-cmd --permanent --direct --get-rules ipv4 filter INPUT_direct
The output should return:
    0 -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
Is it the case that firewalld is not rate limiting connections?

Run the following command to determine the current status of the firewalld service:
    $ systemctl is-active firewalld
If the service is running, it should return the following:
    active
Is it the case that ?

Run the following command to determine if the firewalld package is installed:
    $ rpm -q firewalld
Is it the case that the package is not installed?

The status of the net.ipv4.conf.default.accept_source_route kernel parameter can be queried by running the following command:
    $ sysctl net.ipv4.conf.default.accept_source_route
The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command:
    $ grep -r net.ipv4.conf.default.accept_source_route /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?
The status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter can be queried by running the following command:
    $ sysctl net.ipv4.icmp_echo_ignore_broadcasts
The output of the command should indicate a value of 1. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command:
    $ grep -r net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?

The status of the net.ipv4.conf.default.log_martians kernel parameter can be queried by running the following command:
    $ sysctl net.ipv4.conf.default.log_martians
The output of the command should indicate a value of 1. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command:
    $ grep -r net.ipv4.conf.default.log_martians /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?

The status of the net.ipv4.conf.default.rp_filter kernel parameter can be queried by running the following command:
    $ sysctl net.ipv4.conf.default.rp_filter
The output of the command should indicate a value of 1. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command:
    $ grep -r net.ipv4.conf.default.rp_filter /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?
The status of the net.ipv4.conf.all.secure_redirects kernel parameter can be queried by running the following command:
    $ sysctl net.ipv4.conf.all.secure_redirects
The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command:
    $ grep -r net.ipv4.conf.all.secure_redirects /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?

The status of the net.ipv4.tcp_syncookies kernel parameter can be queried by running the following command:
    $ sysctl net.ipv4.tcp_syncookies
The output of the command should indicate a value of 1. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command:
    $ grep -r net.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?

The status of the net.ipv4.conf.all.accept_redirects kernel parameter can be queried by running the following command:
    $ sysctl net.ipv4.conf.all.accept_redirects
The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command:
    $ grep -r net.ipv4.conf.all.accept_redirects /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?
The status of the net.ipv4.conf.all.log_martians kernel parameter can be queried by running the following command:
    $ sysctl net.ipv4.conf.all.log_martians
The output of the command should indicate a value of 1. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command:
    $ grep -r net.ipv4.conf.all.log_martians /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?

The status of the net.ipv4.conf.all.rp_filter kernel parameter can be queried by running the following command:
    $ sysctl net.ipv4.conf.all.rp_filter
The output of the command should indicate a value of 1. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command:
    $ grep -r net.ipv4.conf.all.rp_filter /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?

The status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter can be queried by running the following command:
    $ sysctl net.ipv4.icmp_ignore_bogus_error_responses
The output of the command should indicate a value of 1. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command:
    $ grep -r net.ipv4.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?
The status of the net.ipv4.conf.default.secure_redirects kernel parameter can be queried by running the following command:
    $ sysctl net.ipv4.conf.default.secure_redirects
The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command:
    $ grep -r net.ipv4.conf.default.secure_redirects /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?

The status of the net.ipv4.conf.all.accept_source_route kernel parameter can be queried by running the following command:
    $ sysctl net.ipv4.conf.all.accept_source_route
The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command:
    $ grep -r net.ipv4.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?

The status of the net.ipv4.conf.default.accept_redirects kernel parameter can be queried by running the following command:
    $ sysctl net.ipv4.conf.default.accept_redirects
The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command:
    $ grep -r net.ipv4.conf.default.accept_redirects /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?
The status of the net.ipv4.ip_forward kernel parameter can be queried by running the following command:
    $ sysctl net.ipv4.ip_forward
The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command:
    $ grep -r net.ipv4.ip_forward /etc/sysctl.conf /etc/sysctl.d
The ability to forward packets is only appropriate for routers.
Is it the case that ?

The status of the net.ipv4.conf.all.send_redirects kernel parameter can be queried by running the following command:
    $ sysctl net.ipv4.conf.all.send_redirects
The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command:
    $ grep -r net.ipv4.conf.all.send_redirects /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?

The status of the net.ipv4.conf.default.send_redirects kernel parameter can be queried by running the following command:
    $ sysctl net.ipv4.conf.default.send_redirects
The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command:
    $ grep -r net.ipv4.conf.default.send_redirects /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?
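Every kernel-parameter check above has the same two halves: the live value from sysctl, and the persisted value in /etc/sysctl.d and the deprecated /etc/sysctl.conf. A grep -r only shows that some file mentions the key; it does not say which assignment wins when several files set it. The following is an added example, not SCAP Security Guide code, that resolves the persisted value the way sysctl --system applies these two locations on RHEL 7 (files in /etc/sysctl.d in name order, then /etc/sysctl.conf last, later assignments overriding earlier ones; other directories such as /usr/lib/sysctl.d are left out here, which is a simplification). It then reports a parameter as compliant only when both the live and the persisted value match. The file contents are constructed for the example; runtime_value() is only called when the script is run on a real host.

```python
"""Audit a kernel parameter at runtime and in persistent sysctl configuration
(added example; not part of SCAP Security Guide)."""
import re
import subprocess

# "key = value"; sysctl also accepts keys written with "/" instead of ".".
LINE_RE = re.compile(r"^([A-Za-z0-9_./-]+)\s*=\s*(.*?)$")


def parse_sysctl_text(text):
    """Return the ordered (key, value) assignments found in one file."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # comments and blank lines
            continue
        m = LINE_RE.match(line)
        if m:
            pairs.append((m.group(1).replace("/", "."), m.group(2).strip()))
    return pairs


def effective_persisted_value(files, key):
    """files: dict path -> text. Return (value, path) of the assignment that
    sysctl --system would apply last, or (None, None) if the key is unset.
    Order assumed here: /etc/sysctl.d/* sorted by name, then /etc/sysctl.conf."""
    order = sorted(p for p in files if p.startswith("/etc/sysctl.d/"))
    order += [p for p in files if p == "/etc/sysctl.conf"]
    value, where = None, None
    for path in order:
        for k, v in parse_sysctl_text(files[path]):
            if k == key:
                value, where = v, path       # last assignment wins
    return value, where


def runtime_value(key):
    """Live kernel value, as `sysctl -n <key>` prints it (real hosts only)."""
    return subprocess.check_output(["sysctl", "-n", key]).decode().strip()


def audit_parameter(key, expected, files, runtime):
    """Return a finding dict. Compliant only when the live AND the persisted
    value equal `expected`; a correct live value with no persistent setting is
    still a finding because it will not survive a reboot."""
    persisted, where = effective_persisted_value(files, key)
    runtime_ok = str(runtime) == str(expected)
    persisted_ok = persisted == str(expected)
    return {
        "key": key, "expected": str(expected),
        "runtime": runtime, "runtime_ok": runtime_ok,
        "persisted": persisted, "persisted_in": where, "persisted_ok": persisted_ok,
        "compliant": runtime_ok and persisted_ok,
    }


# Constructed sample configuration (not from a real host): a hardening drop-in
# disables IPv4 forwarding, but the deprecated /etc/sysctl.conf re-enables it
# and is applied last, so the persisted value is the wrong one.
SAMPLE_FILES = {
    "/etc/sysctl.d/99-hardening.conf": "net.ipv4.ip_forward = 0\n"
                                       "net.ipv4.conf.all.rp_filter = 1\n",
    "/etc/sysctl.d/10-defaults.conf": "# vendor defaults\nnet.ipv4.tcp_syncookies = 1\n",
    "/etc/sysctl.conf": "net.ipv4.ip_forward = 1\n",
}

if __name__ == "__main__":
    for key, expected in (("net.ipv4.ip_forward", 0), ("net.ipv4.tcp_syncookies", 1)):
        print(audit_parameter(key, expected, SAMPLE_FILES, runtime_value(key)))
```

On a real host, replace SAMPLE_FILES with the contents of the actual files; the interesting case the sample exercises is a runtime value that looks right while the persisted configuration would reset it at the next boot.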
If the system is configured to prevent the loading of the dccp kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
    $ grep -r dccp /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned?

If the system is configured to prevent the loading of the rds kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
    $ grep -r rds /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned?

If the system is configured to prevent the loading of the tipc kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
    $ grep -r tipc /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned?

If the system is configured to prevent the loading of the sctp kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event.
Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
    $ grep -r sctp /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned?

If the system is configured to prevent the loading of the bluetooth kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
    $ grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned?

To check that the bluetooth service is disabled in system boot configuration, run the following command:
    $ systemctl is-enabled bluetooth
Output should indicate the bluetooth service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
    $ systemctl is-enabled bluetooth
    disabled
Run the following command to verify bluetooth is not active (i.e. not running) through current runtime configuration:
    $ systemctl is-active bluetooth
If the service is not running the command will return the following output:
    inactive
Is it the case that ?

Verify that there are no wireless interfaces configured on the system with the following command:
    $ sudo nmcli device
The output should contain the following:
    wifi disconnected
Is it the case that it is not?

Promiscuous mode of an interface can be disabled with the following command:
    $ sudo ip link set dev device_name promisc off
Is it the case that any network device is in promiscuous mode?

To verify that DNS servers have been configured properly, perform the following:
    $ sudo grep nameserver /etc/resolv.conf
The output should return more than one nameserver entry.
Is it the case that it does not exist or is not properly configured or less than 2 'nameserver' entries exist?
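The module checks above (dccp, rds, tipc, sctp, bluetooth, and the earlier `options ipv6 disable=1` check) all rely on a grep that matches any line mentioning the module name, including a commented-out directive or a plain blacklist entry. The following is an added example, not SCAP Security Guide code, that reads the modprobe configuration files and answers the narrower question the checks actually ask: is there an `install <module> <no-op>` line that stops the module from loading, and for ipv6, is there an `options ipv6 disable=1` line. A `blacklist` line only stops alias-based autoloading and is recorded but not counted as disabling, and module names are canonicalised because modprobe treats `-` and `_` as equivalent. The file contents are constructed for the example.

```python
"""Check whether module loading is prevented by modprobe configuration
(added example; not part of SCAP Security Guide)."""
import re

# `install <module> <command>`: modprobe runs <command> instead of loading the
# module; a no-op such as /bin/true is the usual way to disable a module.
INSTALL_RE = re.compile(r"^install\s+(\S+)\s+(.+)$")
# `blacklist <module>` only blocks alias-based autoloading; an explicit
# `modprobe <module>` still loads it, so it does not count as disabling.
BLACKLIST_RE = re.compile(r"^blacklist\s+(\S+)$")
# `options <module> <opts>`: used by the ipv6 check as `options ipv6 disable=1`.
OPTIONS_RE = re.compile(r"^options\s+(\S+)\s+(.+)$")

NO_OP_COMMANDS = {"/bin/true", "/bin/false", "/usr/bin/true", "/usr/bin/false"}


def canon(name):
    """modprobe treats '-' and '_' in module names as the same character."""
    return name.replace("-", "_")


def scan_modprobe_config(files):
    """files: dict path -> text (here constructed; on a host, read every file
    in /etc/modprobe.d plus /etc/modprobe.conf). Returns
    {module: {"install": [(path, cmd)], "blacklist": [path], "options": [(path, opts)]}}."""
    found = {}
    for path in sorted(files):
        for raw in files[path].splitlines():
            line = raw.split("#", 1)[0].strip()  # drops commented-out directives too
            if not line:
                continue
            for kind, rx in (("install", INSTALL_RE), ("blacklist", BLACKLIST_RE),
                             ("options", OPTIONS_RE)):
                m = rx.match(line)
                if not m:
                    continue
                entry = found.setdefault(canon(m.group(1)),
                                         {"install": [], "blacklist": [], "options": []})
                entry[kind].append(path if kind == "blacklist" else (path, m.group(2).strip()))
                break
    return found


def module_load_prevented(files, module):
    """True only if an `install <module> <no-op command>` directive exists."""
    entry = scan_modprobe_config(files).get(canon(module))
    if not entry:
        return False
    return any(cmd.split()[0] in NO_OP_COMMANDS for _, cmd in entry["install"])


def ipv6_module_deactivated(files):
    """True if some file carries `options ipv6 disable=1` (module loads, stays inactive)."""
    entry = scan_modprobe_config(files).get("ipv6")
    if not entry:
        return False
    return any("disable=1" in opts.split() for _, opts in entry["options"])


def audit_modules(files, modules):
    return {m: module_load_prevented(files, m) for m in modules}


# Constructed sample: dccp and bluetooth are disabled properly, sctp is only
# blacklisted, the rds directive is commented out, and tipc is not mentioned.
SAMPLE_FILES = {
    "/etc/modprobe.d/dccp.conf": "install dccp /bin/true\n",
    "/etc/modprobe.d/blacklist.conf": "blacklist sctp\n",
    "/etc/modprobe.d/rds.conf": "# install rds /bin/true\n",
    "/etc/modprobe.d/bluetooth.conf": "install bluetooth /bin/false\n",
    "/etc/modprobe.d/ipv6.conf": "options ipv6 disable=1\n",
}

if __name__ == "__main__":
    print(audit_modules(SAMPLE_FILES, ["dccp", "rds", "tipc", "sctp", "bluetooth"]))
    print("ipv6 deactivated:", ipv6_module_deactivated(SAMPLE_FILES))
```

Note that a plain `grep -r sctp` would return the blacklist line and a `grep -r rds` would return the commented-out line, so both of those modules would look disabled to the grep-based check while this parser reports them as not disabled.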
To verify that clients cannot automatically update DNS records, perform the following:
    $ grep -i dhcp_hostname /etc/sysconfig/network-scripts/ifcfg-*
    $ grep -rni "send host-name" /etc/dhclient.conf /etc/dhcp
The output should return no results.
Is it the case that client Dynamic DNS updates are not disabled?

To verify the boot loader superuser account has been set, run the following command:
    $ sudo grep -A1 "superusers\|password" /etc/grub2.cfg
The output should show the following:
    set superusers="superusers-account"
    export superusers
    password_pbkdf2 superusers-account ${GRUB2_PASSWORD}
To verify the boot loader superuser account password has been set, and the password encrypted, run the following command:
    $ sudo cat /boot/grub2/user.cfg
The output should be similar to:
    GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
    2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
    916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
    0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828
Is it the case that it does not?

To check the permissions of /boot/grub2/grub.cfg, run the command:
    $ sudo ls -lL /boot/grub2/grub.cfg
If properly configured, the output should indicate the following permissions:
    -rw-------
Is it the case that it does not?

To check the ownership of /boot/grub2/grub.cfg, run the command:
    $ ls -lL /boot/grub2/grub.cfg
If properly configured, the output should indicate the following owner:
    root
Is it the case that /boot/grub2/grub.cfg has owner root?
To verify the boot loader superuser account has been set, run the following command:
    $ sudo grep -A1 "superusers\|password" /etc/grub2-efi.cfg
The output should show the following:
    set superusers="superusers-account"
    export superusers
    password_pbkdf2 superusers-account ${GRUB2_PASSWORD}
To verify the boot loader superuser account password has been set, and the password encrypted, run the following command:
    $ sudo cat /boot/efi/EFI/redhat/user.cfg
The output should be similar to:
    GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
    2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
    916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
    0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828
Is it the case that it does not?

To verify the system is not configured to use a boot loader on removable media, run the following command:
    $ sudo grep "set root='hd0" /boot/grub2/grub.cfg
The output should return something similar to:
    set root='hd0,msdos1'
usb0, cd, fd0, etc. are some examples of removable media which should not exist in the line:
    set root='hd0,msdos1'
Is it the case that it is not?

To check the group ownership of /boot/efi/EFI/redhat/grub.cfg, run the command:
    $ ls -lL /boot/efi/EFI/redhat/grub.cfg
If properly configured, the output should indicate the following group-owner:
    root
Is it the case that /boot/efi/EFI/redhat/grub.cfg has group owner root?

To check the group ownership of /boot/grub2/grub.cfg, run the command:
    $ ls -lL /boot/grub2/grub.cfg
If properly configured, the output should indicate the following group-owner:
    root
Is it the case that /boot/grub2/grub.cfg has group owner root?

To verify the system is not configured to use a boot loader on removable media, run the following command:
    $ sudo grep "set root='hd0" /boot/efi/EFI/redhat/grub.cfg
The output should return something similar to:
    set root='hd0,msdos1'
usb0, cd, fd0, etc.
are some examples of removable media which should not exist in the line:
    set root='hd0,msdos1'
Is it the case that it is not?

To check the ownership of /boot/efi/EFI/redhat/grub.cfg, run the command:
    $ ls -lL /boot/efi/EFI/redhat/grub.cfg
If properly configured, the output should indicate the following owner:
    root
Is it the case that /boot/efi/EFI/redhat/grub.cfg has owner root?

To check the permissions of /boot/efi/EFI/redhat/grub.cfg, run the command:
    $ sudo ls -lL /boot/efi/EFI/redhat/grub.cfg
If properly configured, the output should indicate the following permissions:
    -rwx------
Is it the case that it does not?

Run the following command to determine if the openvpn_can_network_connect SELinux boolean is disabled:
    $ getsebool openvpn_can_network_connect
If properly configured, the output should show the following:
    openvpn_can_network_connect --> off
Is it the case that openvpn_can_network_connect is not disabled?

Run the following command to determine if the httpd_use_gpg SELinux boolean is disabled:
    $ getsebool httpd_use_gpg
If properly configured, the output should show the following:
    httpd_use_gpg --> off
Is it the case that httpd_use_gpg is not disabled?

Run the following command to determine if the ssh_sysadm_login SELinux boolean is disabled:
    $ getsebool ssh_sysadm_login
If properly configured, the output should show the following:
    ssh_sysadm_login --> off
Is it the case that ssh_sysadm_login is not disabled?

Run the following command to determine if the httpd_run_stickshift SELinux boolean is disabled:
    $ getsebool httpd_run_stickshift
If properly configured, the output should show the following:
    httpd_run_stickshift --> off
Is it the case that httpd_run_stickshift is not disabled?
Run the following command to determine if the polipo_connect_all_unreserved SELinux boolean is disabled:
    $ getsebool polipo_connect_all_unreserved
If properly configured, the output should show the following:
    polipo_connect_all_unreserved --> off
Is it the case that polipo_connect_all_unreserved is not disabled?

Run the following command to determine if the httpd_sys_script_anon_write SELinux boolean is disabled:
    $ getsebool httpd_sys_script_anon_write
If properly configured, the output should show the following:
    httpd_sys_script_anon_write --> off
Is it the case that httpd_sys_script_anon_write is not disabled?

Run the following command to determine if the pcp_bind_all_unreserved_ports SELinux boolean is disabled:
    $ getsebool pcp_bind_all_unreserved_ports
If properly configured, the output should show the following:
    pcp_bind_all_unreserved_ports --> off
Is it the case that pcp_bind_all_unreserved_ports is not disabled?

Run the following command to determine if the minidlna_read_generic_user_content SELinux boolean is disabled:
    $ getsebool minidlna_read_generic_user_content
If properly configured, the output should show the following:
    minidlna_read_generic_user_content --> off
Is it the case that minidlna_read_generic_user_content is not disabled?

Run the following command to determine if the auditadm_exec_content SELinux boolean is enabled:
    $ getsebool auditadm_exec_content
If properly configured, the output should show the following:
    auditadm_exec_content --> on
Is it the case that auditadm_exec_content is not enabled?

Run the following command to determine if the authlogin_radius SELinux boolean is disabled:
    $ getsebool authlogin_radius
If properly configured, the output should show the following:
    authlogin_radius --> off
Is it the case that authlogin_radius is not disabled?
Run the following command to determine if the logwatch_can_network_connect_mail SELinux boolean is disabled:
    $ getsebool logwatch_can_network_connect_mail
If properly configured, the output should show the following:
    logwatch_can_network_connect_mail --> off
Is it the case that logwatch_can_network_connect_mail is not disabled?

Run the following command to determine if the logrotate_use_nfs SELinux boolean is disabled:
    $ getsebool logrotate_use_nfs
If properly configured, the output should show the following:
    logrotate_use_nfs --> off
Is it the case that logrotate_use_nfs is not disabled?

Run the following command to determine if the git_cgi_use_cifs SELinux boolean is disabled:
    $ getsebool git_cgi_use_cifs
If properly configured, the output should show the following:
    git_cgi_use_cifs --> off
Is it the case that git_cgi_use_cifs is not disabled?

Run the following command to determine if the postgresql_can_rsync SELinux boolean is disabled:
    $ getsebool postgresql_can_rsync
If properly configured, the output should show the following:
    postgresql_can_rsync --> off
Is it the case that postgresql_can_rsync is not disabled?

Run the following command to determine if the selinuxuser_execstack SELinux boolean is disabled:
    $ getsebool selinuxuser_execstack
If properly configured, the output should show the following:
    selinuxuser_execstack --> off
Is it the case that selinuxuser_execstack is not disabled?

Run the following command to determine if the entropyd_use_audio SELinux boolean is disabled:
    $ getsebool entropyd_use_audio
If properly configured, the output should show the following:
    entropyd_use_audio --> off
Is it the case that entropyd_use_audio is not disabled?

Run the following command to determine if the httpd_execmem SELinux boolean is disabled:
    $ getsebool httpd_execmem
If properly configured, the output should show the following:
    httpd_execmem --> off
Is it the case that httpd_execmem is not disabled?
Run the following command to determine if the mount_anyfile SELinux boolean is enabled:
    $ getsebool mount_anyfile
If properly configured, the output should show the following:
    mount_anyfile --> on
Is it the case that mount_anyfile is not enabled?

Run the following command to determine if the smartmon_3ware SELinux boolean is disabled:
    $ getsebool smartmon_3ware
If properly configured, the output should show the following:
    smartmon_3ware --> off
Is it the case that smartmon_3ware is not disabled?

Run the following command to determine if the git_cgi_enable_homedirs SELinux boolean is disabled:
    $ getsebool git_cgi_enable_homedirs
If properly configured, the output should show the following:
    git_cgi_enable_homedirs --> off
Is it the case that git_cgi_enable_homedirs is not disabled?

Run the following command to determine if the mailman_use_fusefs SELinux boolean is disabled:
    $ getsebool mailman_use_fusefs
If properly configured, the output should show the following:
    mailman_use_fusefs --> off
Is it the case that mailman_use_fusefs is not disabled?

Run the following command to determine if the httpd_can_check_spam SELinux boolean is disabled:
    $ getsebool httpd_can_check_spam
If properly configured, the output should show the following:
    httpd_can_check_spam --> off
Is it the case that httpd_can_check_spam is not disabled?

Run the following command to determine if the fenced_can_ssh SELinux boolean is disabled:
    $ getsebool fenced_can_ssh
If properly configured, the output should show the following:
    fenced_can_ssh --> off
Is it the case that fenced_can_ssh is not disabled?

Run the following command to determine if the nagios_run_pnp4nagios SELinux boolean is disabled:
    $ getsebool nagios_run_pnp4nagios
If properly configured, the output should show the following:
    nagios_run_pnp4nagios --> off
Is it the case that nagios_run_pnp4nagios is not disabled?
Run the following command to determine if the httpd_can_network_connect SELinux boolean is disabled:
    $ getsebool httpd_can_network_connect
If properly configured, the output should show the following:
    httpd_can_network_connect --> off
Is it the case that httpd_can_network_connect is not disabled?

Run the following command to determine if the mozilla_plugin_can_network_connect SELinux boolean is disabled:
    $ getsebool mozilla_plugin_can_network_connect
If properly configured, the output should show the following:
    mozilla_plugin_can_network_connect --> off
Is it the case that mozilla_plugin_can_network_connect is not disabled?

Run the following command to determine if the git_session_bind_all_unreserved_ports SELinux boolean is disabled:
    $ getsebool git_session_bind_all_unreserved_ports
If properly configured, the output should show the following:
    git_session_bind_all_unreserved_ports --> off
Is it the case that git_session_bind_all_unreserved_ports is not disabled?

Run the following command to determine if the tmpreaper_use_samba SELinux boolean is disabled:
    $ getsebool tmpreaper_use_samba
If properly configured, the output should show the following:
    tmpreaper_use_samba --> off
Is it the case that tmpreaper_use_samba is not disabled?

Run the following command to determine if the selinuxuser_tcp_server SELinux boolean is disabled:
    $ getsebool selinuxuser_tcp_server
If properly configured, the output should show the following:
    selinuxuser_tcp_server --> off
Is it the case that selinuxuser_tcp_server is not disabled?

Run the following command to determine if the httpd_anon_write SELinux boolean is disabled:
    $ getsebool httpd_anon_write
If properly configured, the output should show the following:
    httpd_anon_write --> off
Is it the case that httpd_anon_write is not disabled?
Run the following command to determine if the httpd_can_connect_ldap SELinux boolean is disabled:
    $ getsebool httpd_can_connect_ldap
If properly configured, the output should show the following:
    httpd_can_connect_ldap --> off
Is it the case that httpd_can_connect_ldap is not disabled?

Run the following command to determine if the xen_use_nfs SELinux boolean is disabled:
    $ getsebool xen_use_nfs
If properly configured, the output should show the following:
    xen_use_nfs --> off
Is it the case that xen_use_nfs is not disabled?

Run the following command to determine if the daemons_use_tcp_wrapper SELinux boolean is disabled:
    $ getsebool daemons_use_tcp_wrapper
If properly configured, the output should show the following:
    daemons_use_tcp_wrapper --> off
Is it the case that daemons_use_tcp_wrapper is not disabled?

Run the following command to determine if the ftpd_connect_db SELinux boolean is disabled:
    $ getsebool ftpd_connect_db
If properly configured, the output should show the following:
    ftpd_connect_db --> off
Is it the case that ftpd_connect_db is not disabled?

Run the following command to determine if the ftpd_use_nfs SELinux boolean is disabled:
    $ getsebool ftpd_use_nfs
If properly configured, the output should show the following:
    ftpd_use_nfs --> off
Is it the case that ftpd_use_nfs is not disabled?

Run the following command to determine if the cron_can_relabel SELinux boolean is disabled:
    $ getsebool cron_can_relabel
If properly configured, the output should show the following:
    cron_can_relabel --> off
Is it the case that cron_can_relabel is not disabled?

Run the following command to determine if the openvpn_run_unconfined SELinux boolean is disabled:
    $ getsebool openvpn_run_unconfined
If properly configured, the output should show the following:
    openvpn_run_unconfined --> off
Is it the case that openvpn_run_unconfined is not disabled?
Run the following command to determine if the zebra_write_config SELinux boolean is disabled:
    $ getsebool zebra_write_config
If properly configured, the output should show the following:
    zebra_write_config --> off
Is it the case that zebra_write_config is not disabled?

Run the following command to determine if the virt_rw_qemu_ga_data SELinux boolean is disabled:
    $ getsebool virt_rw_qemu_ga_data
If properly configured, the output should show the following:
    virt_rw_qemu_ga_data --> off
Is it the case that virt_rw_qemu_ga_data is not disabled?

Run the following command to determine if the condor_tcp_network_connect SELinux boolean is disabled:
    $ getsebool condor_tcp_network_connect
If properly configured, the output should show the following:
    condor_tcp_network_connect --> off
Is it the case that condor_tcp_network_connect is not disabled?

Run the following command to determine if the fcron_crond SELinux boolean is disabled:
    $ getsebool fcron_crond
If properly configured, the output should show the following:
    fcron_crond --> off
Is it the case that fcron_crond is not disabled?

Run the following command to determine if the nfsd_anon_write SELinux boolean is disabled:
    $ getsebool nfsd_anon_write
If properly configured, the output should show the following:
    nfsd_anon_write --> off
Is it the case that nfsd_anon_write is not disabled?

Run the following command to determine if the logadm_exec_content SELinux boolean is enabled:
    $ getsebool logadm_exec_content
If properly configured, the output should show the following:
    logadm_exec_content --> on
Is it the case that logadm_exec_content is not enabled?

Run the following command to determine if the httpd_dbus_sssd SELinux boolean is disabled:
    $ getsebool httpd_dbus_sssd
If properly configured, the output should show the following:
    httpd_dbus_sssd --> off
Is it the case that httpd_dbus_sssd is not disabled?
Run the following command to determine if the httpd_manage_ipa SELinux boolean is disabled:
    $ getsebool httpd_manage_ipa
If properly configured, the output should show the following:
    httpd_manage_ipa --> off
Is it the case that httpd_manage_ipa is not disabled?

Run the following command to determine if the haproxy_connect_any SELinux boolean is disabled:
    $ getsebool haproxy_connect_any
If properly configured, the output should show the following:
    haproxy_connect_any --> off
Is it the case that haproxy_connect_any is not disabled?

Run the following command to determine if the httpd_setrlimit SELinux boolean is disabled:
    $ getsebool httpd_setrlimit
If properly configured, the output should show the following:
    httpd_setrlimit --> off
Is it the case that httpd_setrlimit is not disabled?

Run the following command to determine if the antivirus_use_jit SELinux boolean is disabled:
    $ getsebool antivirus_use_jit
If properly configured, the output should show the following:
    antivirus_use_jit --> off
Is it the case that antivirus_use_jit is not disabled?

Run the following command to determine if the rsync_full_access SELinux boolean is disabled:
    $ getsebool rsync_full_access
If properly configured, the output should show the following:
    rsync_full_access --> off
Is it the case that rsync_full_access is not disabled?

Run the following command to determine if the httpd_run_ipa SELinux boolean is disabled:
    $ getsebool httpd_run_ipa
If properly configured, the output should show the following:
    httpd_run_ipa --> off
Is it the case that httpd_run_ipa is not disabled?

Run the following command to determine if the httpd_builtin_scripting SELinux boolean is disabled:
    $ getsebool httpd_builtin_scripting
If properly configured, the output should show the following:
    httpd_builtin_scripting --> off
Is it the case that httpd_builtin_scripting is not disabled?
Run the following command to determine if the staff_use_svirt SELinux boolean is disabled:
    $ getsebool staff_use_svirt
If properly configured, the output should show the following:
    staff_use_svirt --> off
Is it the case that staff_use_svirt is not disabled?

Run the following command to determine if the user_exec_content SELinux boolean is enabled:
    $ getsebool user_exec_content
If properly configured, the output should show the following:
    user_exec_content --> on
Is it the case that user_exec_content is not enabled?

Run the following command to determine if the samba_run_unconfined SELinux boolean is disabled:
    $ getsebool samba_run_unconfined
If properly configured, the output should show the following:
    samba_run_unconfined --> off
Is it the case that samba_run_unconfined is not disabled?

Run the following command to determine if the mozilla_plugin_use_spice SELinux boolean is disabled:
    $ getsebool mozilla_plugin_use_spice
If properly configured, the output should show the following:
    mozilla_plugin_use_spice --> off
Is it the case that mozilla_plugin_use_spice is not disabled?

Run the following command to determine if the mpd_use_nfs SELinux boolean is disabled:
    $ getsebool mpd_use_nfs
If properly configured, the output should show the following:
    mpd_use_nfs --> off
Is it the case that mpd_use_nfs is not disabled?

Run the following command to determine if the httpd_read_user_content SELinux boolean is disabled:
    $ getsebool httpd_read_user_content
If properly configured, the output should show the following:
    httpd_read_user_content --> off
Is it the case that httpd_read_user_content is not disabled?

Run the following command to determine if the rsync_client SELinux boolean is disabled:
    $ getsebool rsync_client
If properly configured, the output should show the following:
    rsync_client --> off
Is it the case that rsync_client is not disabled?
Run the following command to determine if the dbadm_read_user_files SELinux boolean is disabled:
    $ getsebool dbadm_read_user_files
If properly configured, the output should show the following:
    dbadm_read_user_files --> off
Is it the case that dbadm_read_user_files is not disabled?

Run the following command to determine if the deny_ptrace SELinux boolean is disabled:
    $ getsebool deny_ptrace
If properly configured, the output should show the following:
    deny_ptrace --> off
Is it the case that deny_ptrace is not disabled?

Run the following command to determine if the nfs_export_all_rw SELinux boolean is enabled:
    $ getsebool nfs_export_all_rw
If properly configured, the output should show the following:
    nfs_export_all_rw --> on
Is it the case that nfs_export_all_rw is not enabled?

Run the following command to determine if the rsync_anon_write SELinux boolean is disabled:
    $ getsebool rsync_anon_write
If properly configured, the output should show the following:
    rsync_anon_write --> off
Is it the case that rsync_anon_write is not disabled?

Run the following command to determine if the httpd_can_network_memcache SELinux boolean is disabled:
    $ getsebool httpd_can_network_memcache
If properly configured, the output should show the following:
    httpd_can_network_memcache --> off
Is it the case that httpd_can_network_memcache is not disabled?

Run the following command to determine if the virt_sandbox_use_audit SELinux boolean is enabled:
    $ getsebool virt_sandbox_use_audit
If properly configured, the output should show the following:
    virt_sandbox_use_audit --> on
Is it the case that virt_sandbox_use_audit is not enabled?

Run the following command to determine if the mozilla_read_content SELinux boolean is disabled:
    $ getsebool mozilla_read_content
If properly configured, the output should show the following:
    mozilla_read_content --> off
Is it the case that mozilla_read_content is not disabled?
Run the following command to determine if the xserver_object_manager SELinux boolean is disabled:
    $ getsebool xserver_object_manager
If properly configured, the output should show the following:
    xserver_object_manager --> off
Is it the case that xserver_object_manager is not disabled?

Run the following command to determine if the httpd_tty_comm SELinux boolean is disabled:
    $ getsebool httpd_tty_comm
If properly configured, the output should show the following:
    httpd_tty_comm --> off
Is it the case that httpd_tty_comm is not disabled?

Run the following command to determine if the collectd_tcp_network_connect SELinux boolean is disabled:
    $ getsebool collectd_tcp_network_connect
If properly configured, the output should show the following:
    collectd_tcp_network_connect --> off
Is it the case that collectd_tcp_network_connect is not disabled?

Run the following command to determine if the xdm_sysadm_login SELinux boolean is disabled:
    $ getsebool xdm_sysadm_login
If properly configured, the output should show the following:
    xdm_sysadm_login --> off
Is it the case that xdm_sysadm_login is not disabled?

Run the following command to determine if the pcp_read_generic_logs SELinux boolean is disabled:
    $ getsebool pcp_read_generic_logs
If properly configured, the output should show the following:
    pcp_read_generic_logs --> off
Is it the case that pcp_read_generic_logs is not disabled?

Run the following command to determine if the spamd_enable_home_dirs SELinux boolean is enabled:
    $ getsebool spamd_enable_home_dirs
If properly configured, the output should show the following:
    spamd_enable_home_dirs --> on
Is it the case that spamd_enable_home_dirs is not enabled?

Run the following command to determine if the xguest_mount_media SELinux boolean is disabled:
    $ getsebool xguest_mount_media
If properly configured, the output should show the following:
    xguest_mount_media --> off
Is it the case that xguest_mount_media is not disabled?
Run the following command to determine if the polipo_session_bind_all_unreserved_ports SELinux boolean is disabled:
    $ getsebool polipo_session_bind_all_unreserved_ports
If properly configured, the output should show the following:
    polipo_session_bind_all_unreserved_ports --> off
Is it the case that polipo_session_bind_all_unreserved_ports is not disabled?

Run the following command to determine if the container_connect_any SELinux boolean is disabled:
    $ getsebool container_connect_any
If properly configured, the output should show the following:
    container_connect_any --> off
Is it the case that container_connect_any is not disabled?

Run the following command to determine if the tftp_anon_write SELinux boolean is disabled:
    $ getsebool tftp_anon_write
If properly configured, the output should show the following:
    tftp_anon_write --> off
Is it the case that tftp_anon_write is not disabled?

Run the following command to determine if the git_system_use_nfs SELinux boolean is disabled:
    $ getsebool git_system_use_nfs
If properly configured, the output should show the following:
    git_system_use_nfs --> off
Is it the case that git_system_use_nfs is not disabled?

Run the following command to determine if the virt_use_usb SELinux boolean is disabled:
    $ getsebool virt_use_usb
If properly configured, the output should show the following:
    virt_use_usb --> off
Is it the case that virt_use_usb is not disabled?

Run the following command to determine if the nis_enabled SELinux boolean is disabled:
    $ getsebool nis_enabled
If properly configured, the output should show the following:
    nis_enabled --> off
Is it the case that nis_enabled is not disabled?

Run the following command to determine if the selinuxuser_mysql_connect_enabled SELinux boolean is disabled:
    $ getsebool selinuxuser_mysql_connect_enabled
If properly configured, the output should show the following:
    selinuxuser_mysql_connect_enabled --> off
Is it the case that selinuxuser_mysql_connect_enabled is not disabled?
Run the following command to determine if the samba_share_fusefs SELinux boolean is disabled:
    $ getsebool samba_share_fusefs
If properly configured, the output should show the following:
    samba_share_fusefs --> off
Is it the case that samba_share_fusefs is not disabled?

Run the following command to determine if the httpd_enable_ftp_server SELinux boolean is disabled:
    $ getsebool httpd_enable_ftp_server
If properly configured, the output should show the following:
    httpd_enable_ftp_server --> off
Is it the case that httpd_enable_ftp_server is not disabled?

Run the following command to determine if the pppd_for_user SELinux boolean is disabled:
    $ getsebool pppd_for_user
If properly configured, the output should show the following:
    pppd_for_user --> off
Is it the case that pppd_for_user is not disabled?

Run the following command to determine if the virt_sandbox_use_all_caps SELinux boolean is disabled:
    $ getsebool virt_sandbox_use_all_caps
If properly configured, the output should show the following:
    virt_sandbox_use_all_caps --> off
Is it the case that virt_sandbox_use_all_caps is not disabled?

Run the following command to determine if the mozilla_plugin_use_gps SELinux boolean is disabled:
    $ getsebool mozilla_plugin_use_gps
If properly configured, the output should show the following:
    mozilla_plugin_use_gps --> off
Is it the case that mozilla_plugin_use_gps is not disabled?

Run the following command to determine if the samba_domain_controller SELinux boolean is disabled:
    $ getsebool samba_domain_controller
If properly configured, the output should show the following:
    samba_domain_controller --> off
Is it the case that samba_domain_controller is not disabled?

Run the following command to determine if the boinc_execmem SELinux boolean is disabled:
    $ getsebool boinc_execmem
If properly configured, the output should show the following:
    boinc_execmem --> off
Is it the case that boinc_execmem is not disabled?
Run the following command to determine if the use_fusefs_home_dirs SELinux boolean is disabled:
    $ getsebool use_fusefs_home_dirs
If properly configured, the output should show the following:
    use_fusefs_home_dirs --> off
Is it the case that use_fusefs_home_dirs is not disabled?

Run the following command to determine if the tmpreaper_use_nfs SELinux boolean is disabled:
    $ getsebool tmpreaper_use_nfs
If properly configured, the output should show the following:
    tmpreaper_use_nfs --> off
Is it the case that tmpreaper_use_nfs is not disabled?

Run the following command to determine if the sanlock_use_fusefs SELinux boolean is disabled:
    $ getsebool sanlock_use_fusefs
If properly configured, the output should show the following:
    sanlock_use_fusefs --> off
Is it the case that sanlock_use_fusefs is not disabled?

Run the following command to determine if the ssh_keysign SELinux boolean is disabled:
    $ getsebool ssh_keysign
If properly configured, the output should show the following:
    ssh_keysign --> off
Is it the case that ssh_keysign is not disabled?

Run the following command to determine if the httpd_tmp_exec SELinux boolean is disabled:
    $ getsebool httpd_tmp_exec
If properly configured, the output should show the following:
    httpd_tmp_exec --> off
Is it the case that httpd_tmp_exec is not disabled?

Run the following command to determine if the httpd_use_fusefs SELinux boolean is disabled:
    $ getsebool httpd_use_fusefs
If properly configured, the output should show the following:
    httpd_use_fusefs --> off
Is it the case that httpd_use_fusefs is not disabled?

Run the following command to determine if the staff_exec_content SELinux boolean is enabled:
    $ getsebool staff_exec_content
If properly configured, the output should show the following:
    staff_exec_content --> on
Is it the case that staff_exec_content is not enabled?
Run the following command to determine if the nscd_use_shm SELinux boolean is enabled:
    $ getsebool nscd_use_shm
If properly configured, the output should show the following:
    nscd_use_shm --> on
Is it the case that nscd_use_shm is not enabled?

Run the following command to determine if the global_ssp SELinux boolean is disabled:
    $ getsebool global_ssp
If properly configured, the output should show the following:
    global_ssp --> off
Is it the case that global_ssp is not disabled?

Run the following command to determine if the virt_use_fusefs SELinux boolean is disabled:
    $ getsebool virt_use_fusefs
If properly configured, the output should show the following:
    virt_use_fusefs --> off
Is it the case that virt_use_fusefs is not disabled?

Run the following command to determine if the gluster_anon_write SELinux boolean is disabled:
    $ getsebool gluster_anon_write
If properly configured, the output should show the following:
    gluster_anon_write --> off
Is it the case that gluster_anon_write is not disabled?

Run the following command to determine if the wine_mmap_zero_ignore SELinux boolean is disabled:
    $ getsebool wine_mmap_zero_ignore
If properly configured, the output should show the following:
    wine_mmap_zero_ignore --> off
Is it the case that wine_mmap_zero_ignore is not disabled?

Run the following command to determine if the fenced_can_network_connect SELinux boolean is disabled:
    $ getsebool fenced_can_network_connect
If properly configured, the output should show the following:
    fenced_can_network_connect --> off
Is it the case that fenced_can_network_connect is not disabled?

Run the following command to determine if the zabbix_can_network SELinux boolean is disabled:
    $ getsebool zabbix_can_network
If properly configured, the output should show the following:
    zabbix_can_network --> off
Is it the case that zabbix_can_network is not disabled?
Run the following command to determine if the virt_use_nfs SELinux boolean is disabled:
    $ getsebool virt_use_nfs
If properly configured, the output should show the following:
    virt_use_nfs --> off
Is it the case that virt_use_nfs is not disabled?

Run the following command to determine if the prosody_bind_http_port SELinux boolean is disabled:
    $ getsebool prosody_bind_http_port
If properly configured, the output should show the following:
    prosody_bind_http_port --> off
Is it the case that prosody_bind_http_port is not disabled?

Run the following command to determine if the use_samba_home_dirs SELinux boolean is disabled:
    $ getsebool use_samba_home_dirs
If properly configured, the output should show the following:
    use_samba_home_dirs --> off
Is it the case that use_samba_home_dirs is not disabled?

Run the following command to determine if the cron_userdomain_transition SELinux boolean is enabled:
    $ getsebool cron_userdomain_transition
If properly configured, the output should show the following:
    cron_userdomain_transition --> on
Is it the case that cron_userdomain_transition is not enabled?

Run the following command to determine if the spamassassin_can_network SELinux boolean is disabled:
    $ getsebool spamassassin_can_network
If properly configured, the output should show the following:
    spamassassin_can_network --> off
Is it the case that spamassassin_can_network is not disabled?

Run the following command to determine if the git_cgi_use_nfs SELinux boolean is disabled:
    $ getsebool git_cgi_use_nfs
If properly configured, the output should show the following:
    git_cgi_use_nfs --> off
Is it the case that git_cgi_use_nfs is not disabled?

Run the following command to determine if the secure_mode_insmod SELinux boolean is disabled:
    $ getsebool secure_mode_insmod
If properly configured, the output should show the following:
    secure_mode_insmod --> off
Is it the case that secure_mode_insmod is not disabled?
Run the following command to determine if the mysql_connect_any SELinux boolean is disabled:
    $ getsebool mysql_connect_any
If properly configured, the output should show the following:
    mysql_connect_any --> off
Is it the case that mysql_connect_any is not disabled?

Run the following command to determine if the samba_load_libgfapi SELinux boolean is disabled:
    $ getsebool samba_load_libgfapi
If properly configured, the output should show the following:
    samba_load_libgfapi --> off
Is it the case that samba_load_libgfapi is not disabled?

Run the following command to determine if the samba_portmapper SELinux boolean is disabled:
    $ getsebool samba_portmapper
If properly configured, the output should show the following:
    samba_portmapper --> off
Is it the case that samba_portmapper is not disabled?

Run the following command to determine if the httpd_run_preupgrade SELinux boolean is disabled:
    $ getsebool httpd_run_preupgrade
If properly configured, the output should show the following:
    httpd_run_preupgrade --> off
Is it the case that httpd_run_preupgrade is not disabled?

Run the following command to determine if the virt_use_xserver SELinux boolean is disabled:
    $ getsebool virt_use_xserver
If properly configured, the output should show the following:
    virt_use_xserver --> off
Is it the case that virt_use_xserver is not disabled?

Run the following command to determine if the mplayer_execstack SELinux boolean is disabled:
    $ getsebool mplayer_execstack
If properly configured, the output should show the following:
    mplayer_execstack --> off
Is it the case that mplayer_execstack is not disabled?

Run the following command to determine if the selinuxuser_rw_noexattrfile SELinux boolean is disabled:
    $ getsebool selinuxuser_rw_noexattrfile
If properly configured, the output should show the following:
    selinuxuser_rw_noexattrfile --> off
Is it the case that selinuxuser_rw_noexattrfile is not disabled?
Run the following command to determine if the neutron_can_network SELinux boolean is disabled:
    $ getsebool neutron_can_network
If properly configured, the output should show the following:
    neutron_can_network --> off
Is it the case that neutron_can_network is not disabled?

Run the following command to determine if the ftpd_full_access SELinux boolean is disabled:
    $ getsebool ftpd_full_access
If properly configured, the output should show the following:
    ftpd_full_access --> off
Is it the case that ftpd_full_access is not disabled?

Run the following command to determine if the ftpd_use_fusefs SELinux boolean is disabled:
    $ getsebool ftpd_use_fusefs
If properly configured, the output should show the following:
    ftpd_use_fusefs --> off
Is it the case that ftpd_use_fusefs is not disabled?

Run the following command to determine if the deny_execmem SELinux boolean is disabled:
    $ getsebool deny_execmem
If properly configured, the output should show the following:
    deny_execmem --> off
Is it the case that deny_execmem is not disabled?

Run the following command to determine if the ssh_chroot_rw_homedirs SELinux boolean is disabled:
    $ getsebool ssh_chroot_rw_homedirs
If properly configured, the output should show the following:
    ssh_chroot_rw_homedirs --> off
Is it the case that ssh_chroot_rw_homedirs is not disabled?

Run the following command to determine if the httpd_mod_auth_pam SELinux boolean is disabled:
    $ getsebool httpd_mod_auth_pam
If properly configured, the output should show the following:
    httpd_mod_auth_pam --> off
Is it the case that httpd_mod_auth_pam is not disabled?

Run the following command to determine if the authlogin_yubikey SELinux boolean is disabled:
    $ getsebool authlogin_yubikey
If properly configured, the output should show the following:
    authlogin_yubikey --> off
Is it the case that authlogin_yubikey is not disabled?
Run the following command to determine if the virt_use_samba SELinux boolean is disabled:
    $ getsebool virt_use_samba
If properly configured, the output should show the following:
    virt_use_samba --> off
Is it the case that virt_use_samba is not disabled?

Run the following command to determine if the httpd_can_connect_ftp SELinux boolean is disabled:
    $ getsebool httpd_can_connect_ftp
If properly configured, the output should show the following:
    httpd_can_connect_ftp --> off
Is it the case that httpd_can_connect_ftp is not disabled?

Run the following command to determine if the abrt_anon_write SELinux boolean is disabled:
    $ getsebool abrt_anon_write
If properly configured, the output should show the following:
    abrt_anon_write --> off
Is it the case that abrt_anon_write is not disabled?

Run the following command to determine if the named_tcp_bind_http_port SELinux boolean is disabled:
    $ getsebool named_tcp_bind_http_port
If properly configured, the output should show the following:
    named_tcp_bind_http_port --> off
Is it the case that named_tcp_bind_http_port is not disabled?

Run the following command to determine if the squid_use_tproxy SELinux boolean is disabled:
    $ getsebool squid_use_tproxy
If properly configured, the output should show the following:
    squid_use_tproxy --> off
Is it the case that squid_use_tproxy is not disabled?

Run the following command to determine if the dhcpd_use_ldap SELinux boolean is disabled:
    $ getsebool dhcpd_use_ldap
If properly configured, the output should show the following:
    dhcpd_use_ldap --> off
Is it the case that dhcpd_use_ldap is not disabled?

Run the following command to determine if the tftp_home_dir SELinux boolean is disabled:
    $ getsebool tftp_home_dir
If properly configured, the output should show the following:
    tftp_home_dir --> off
Is it the case that tftp_home_dir is not disabled?
Run the following command to determine if the awstats_purge_apache_log_files SELinux boolean is disabled:
    $ getsebool awstats_purge_apache_log_files
If properly configured, the output should show the following:
    awstats_purge_apache_log_files --> off
Is it the case that awstats_purge_apache_log_files is not disabled?

Run the following command to determine if the samba_share_nfs SELinux boolean is disabled:
    $ getsebool samba_share_nfs
If properly configured, the output should show the following:
    samba_share_nfs --> off
Is it the case that samba_share_nfs is not disabled?

Run the following command to determine if the glance_use_fusefs SELinux boolean is disabled:
    $ getsebool glance_use_fusefs
If properly configured, the output should show the following:
    glance_use_fusefs --> off
Is it the case that glance_use_fusefs is not disabled?

Run the following command to determine if the sanlock_use_nfs SELinux boolean is disabled:
    $ getsebool sanlock_use_nfs
If properly configured, the output should show the following:
    sanlock_use_nfs --> off
Is it the case that sanlock_use_nfs is not disabled?

Run the following command to determine if the gluster_export_all_rw SELinux boolean is disabled:
    $ getsebool gluster_export_all_rw
If properly configured, the output should show the following:
    gluster_export_all_rw --> off
Is it the case that gluster_export_all_rw is not disabled?

Run the following command to determine if the mozilla_plugin_bind_unreserved_ports SELinux boolean is disabled:
    $ getsebool mozilla_plugin_bind_unreserved_ports
If properly configured, the output should show the following:
    mozilla_plugin_bind_unreserved_ports --> off
Is it the case that mozilla_plugin_bind_unreserved_ports is not disabled?
Run the following command to determine if the logging_syslogd_use_tty SELinux boolean is enabled:
    $ getsebool logging_syslogd_use_tty
If properly configured, the output should show the following:
    logging_syslogd_use_tty --> on
Is it the case that logging_syslogd_use_tty is not enabled?

Run the following command to determine if the login_console_enabled SELinux boolean is enabled:
    $ getsebool login_console_enabled
If properly configured, the output should show the following:
    login_console_enabled --> on
Is it the case that login_console_enabled is not enabled?

Run the following command to determine if the glance_api_can_network SELinux boolean is disabled:
    $ getsebool glance_api_can_network
If properly configured, the output should show the following:
    glance_api_can_network --> off
Is it the case that glance_api_can_network is not disabled?

Run the following command to determine if the abrt_handle_event SELinux boolean is disabled:
    $ getsebool abrt_handle_event
If properly configured, the output should show the following:
    abrt_handle_event --> off
Is it the case that abrt_handle_event is not disabled?

Run the following command to determine if the gluster_export_all_ro SELinux boolean is disabled:
    $ getsebool gluster_export_all_ro
If properly configured, the output should show the following:
    gluster_export_all_ro --> off
Is it the case that gluster_export_all_ro is not disabled?

Run the following command to determine if the ksmtuned_use_nfs SELinux boolean is disabled:
    $ getsebool ksmtuned_use_nfs
If properly configured, the output should show the following:
    ksmtuned_use_nfs --> off
Is it the case that ksmtuned_use_nfs is not disabled?

Run the following command to determine if the puppetagent_manage_all_files SELinux boolean is disabled:
    $ getsebool puppetagent_manage_all_files
If properly configured, the output should show the following:
    puppetagent_manage_all_files --> off
Is it the case that puppetagent_manage_all_files is not disabled?
Run the following command to determine if the httpd_dontaudit_search_dirs SELinux boolean is disabled:
    $ getsebool httpd_dontaudit_search_dirs
If properly configured, the output should show the following:
    httpd_dontaudit_search_dirs --> off
Is it the case that httpd_dontaudit_search_dirs is not disabled?

Run the following command to determine if the smbd_anon_write SELinux boolean is disabled:
    $ getsebool smbd_anon_write
If properly configured, the output should show the following:
    smbd_anon_write --> off
Is it the case that smbd_anon_write is not disabled?

Run the following command to determine if the cron_system_cronjob_use_shares SELinux boolean is disabled:
    $ getsebool cron_system_cronjob_use_shares
If properly configured, the output should show the following:
    cron_system_cronjob_use_shares --> off
Is it the case that cron_system_cronjob_use_shares is not disabled?

Run the following command to determine if the mozilla_plugin_use_bluejeans SELinux boolean is disabled:
    $ getsebool mozilla_plugin_use_bluejeans
If properly configured, the output should show the following:
    mozilla_plugin_use_bluejeans --> off
Is it the case that mozilla_plugin_use_bluejeans is not disabled?

Run the following command to determine if the openvpn_enable_homedirs SELinux boolean is disabled:
    $ getsebool openvpn_enable_homedirs
If properly configured, the output should show the following:
    openvpn_enable_homedirs --> off
Is it the case that openvpn_enable_homedirs is not disabled?

Run the following command to determine if the mcelog_server SELinux boolean is disabled:
    $ getsebool mcelog_server
If properly configured, the output should show the following:
    mcelog_server --> off
Is it the case that mcelog_server is not disabled?
Run the following command to determine if the mcelog_exec_scripts SELinux boolean is enabled:
    $ getsebool mcelog_exec_scripts
If properly configured, the output should show the following:
    mcelog_exec_scripts --> on
Is it the case that mcelog_exec_scripts is not enabled?

Run the following command to determine if the sge_use_nfs SELinux boolean is disabled:
    $ getsebool sge_use_nfs
If properly configured, the output should show the following:
    sge_use_nfs --> off
Is it the case that sge_use_nfs is not disabled?

Run the following command to determine if the webadm_read_user_files SELinux boolean is disabled:
    $ getsebool webadm_read_user_files
If properly configured, the output should show the following:
    webadm_read_user_files --> off
Is it the case that webadm_read_user_files is not disabled?

Run the following command to determine if the piranha_lvs_can_network_connect SELinux boolean is disabled:
    $ getsebool piranha_lvs_can_network_connect
If properly configured, the output should show the following:
    piranha_lvs_can_network_connect --> off
Is it the case that piranha_lvs_can_network_connect is not disabled?

Run the following command to determine if the domain_kernel_load_modules SELinux boolean is disabled:
    $ getsebool domain_kernel_load_modules
If properly configured, the output should show the following:
    domain_kernel_load_modules --> off
Is it the case that domain_kernel_load_modules is not disabled?

Run the following command to determine if the exim_manage_user_files SELinux boolean is disabled:
    $ getsebool exim_manage_user_files
If properly configured, the output should show the following:
    exim_manage_user_files --> off
Is it the case that exim_manage_user_files is not disabled?
Run the following command to determine if the virt_sandbox_use_netlink SELinux boolean is disabled:
    $ getsebool virt_sandbox_use_netlink
If properly configured, the output should show the following:
    virt_sandbox_use_netlink --> off
Is it the case that virt_sandbox_use_netlink is not disabled?

Run the following command to determine if the unconfined_chrome_sandbox_transition SELinux boolean is enabled:
    $ getsebool unconfined_chrome_sandbox_transition
If properly configured, the output should show the following:
    unconfined_chrome_sandbox_transition --> on
Is it the case that unconfined_chrome_sandbox_transition is not enabled?

Run the following command to determine if the httpd_verify_dns SELinux boolean is disabled:
    $ getsebool httpd_verify_dns
If properly configured, the output should show the following:
    httpd_verify_dns --> off
Is it the case that httpd_verify_dns is not disabled?

Run the following command to determine if the virt_read_qemu_ga_data SELinux boolean is disabled:
    $ getsebool virt_read_qemu_ga_data
If properly configured, the output should show the following:
    virt_read_qemu_ga_data --> off
Is it the case that virt_read_qemu_ga_data is not disabled?

Run the following command to determine if the glance_use_execmem SELinux boolean is disabled:
    $ getsebool glance_use_execmem
If properly configured, the output should show the following:
    glance_use_execmem --> off
Is it the case that glance_use_execmem is not disabled?

Run the following command to determine if the httpd_can_sendmail SELinux boolean is disabled:
    $ getsebool httpd_can_sendmail
If properly configured, the output should show the following:
    httpd_can_sendmail --> off
Is it the case that httpd_can_sendmail is not disabled?
Run the following command to determine if the httpd_enable_homedirs SELinux boolean is disabled: $ getsebool httpd_enable_homedirs If properly configured, the output should show the following: httpd_enable_homedirs --> off Is it the case that httpd_enable_homedirs is not disabled?
Run the following command to determine if the cdrecord_read_content SELinux boolean is disabled: $ getsebool cdrecord_read_content If properly configured, the output should show the following: cdrecord_read_content --> off Is it the case that cdrecord_read_content is not disabled?
Run the following command to determine if the unconfined_login SELinux boolean is enabled: $ getsebool unconfined_login If properly configured, the output should show the following: unconfined_login --> on Is it the case that unconfined_login is not enabled?
Run the following command to determine if the logging_syslogd_can_sendmail SELinux boolean is disabled: $ getsebool logging_syslogd_can_sendmail If properly configured, the output should show the following: logging_syslogd_can_sendmail --> off Is it the case that logging_syslogd_can_sendmail is not disabled?
Run the following command to determine if the gitosis_can_sendmail SELinux boolean is disabled: $ getsebool gitosis_can_sendmail If properly configured, the output should show the following: gitosis_can_sendmail --> off Is it the case that gitosis_can_sendmail is not disabled?
Run the following command to determine if the httpd_use_sasl SELinux boolean is disabled: $ getsebool httpd_use_sasl If properly configured, the output should show the following: httpd_use_sasl --> off Is it the case that httpd_use_sasl is not disabled?
Run the following command to determine if the git_system_use_cifs SELinux boolean is disabled: $ getsebool git_system_use_cifs If properly configured, the output should show the following: git_system_use_cifs --> off Is it the case that git_system_use_cifs is not disabled?
Run the following command to determine if the virt_use_comm SELinux boolean is disabled: $ getsebool virt_use_comm If properly configured, the output should show the following: virt_use_comm --> off Is it the case that virt_use_comm is not disabled?
Run the following command to determine if the selinuxuser_postgresql_connect_enabled SELinux boolean is disabled: $ getsebool selinuxuser_postgresql_connect_enabled If properly configured, the output should show the following: selinuxuser_postgresql_connect_enabled --> off Is it the case that selinuxuser_postgresql_connect_enabled is not disabled?
Run the following command to determine if the dbadm_manage_user_files SELinux boolean is disabled: $ getsebool dbadm_manage_user_files If properly configured, the output should show the following: dbadm_manage_user_files --> off Is it the case that dbadm_manage_user_files is not disabled?
Run the following command to determine if the httpd_can_network_connect_db SELinux boolean is disabled: $ getsebool httpd_can_network_connect_db If properly configured, the output should show the following: httpd_can_network_connect_db --> off Is it the case that httpd_can_network_connect_db is not disabled?
Run the following command to determine if the httpd_enable_cgi SELinux boolean is disabled: $ getsebool httpd_enable_cgi If properly configured, the output should show the following: httpd_enable_cgi --> off Is it the case that httpd_enable_cgi is not disabled?
Run the following command to determine if the antivirus_can_scan_system SELinux boolean is enabled: $ getsebool antivirus_can_scan_system If properly configured, the output should show the following: antivirus_can_scan_system --> on Is it the case that antivirus_can_scan_system is not enabled?
Run the following command to determine if the zarafa_setrlimit SELinux boolean is disabled: $ getsebool zarafa_setrlimit If properly configured, the output should show the following: zarafa_setrlimit --> off Is it the case that zarafa_setrlimit is not disabled?
Run the following command to determine if the samba_export_all_ro SELinux boolean is disabled: $ getsebool samba_export_all_ro If properly configured, the output should show the following: samba_export_all_ro --> off Is it the case that samba_export_all_ro is not disabled?
Run the following command to determine if the zoneminder_anon_write SELinux boolean is disabled: $ getsebool zoneminder_anon_write If properly configured, the output should show the following: zoneminder_anon_write --> off Is it the case that zoneminder_anon_write is not disabled?
Run the following command to determine if the daemons_enable_cluster_mode SELinux boolean is disabled: $ getsebool daemons_enable_cluster_mode If properly configured, the output should show the following: daemons_enable_cluster_mode --> off Is it the case that daemons_enable_cluster_mode is not disabled?
Run the following command to determine if the httpd_can_connect_mythtv SELinux boolean is disabled: $ getsebool httpd_can_connect_mythtv If properly configured, the output should show the following: httpd_can_connect_mythtv --> off Is it the case that httpd_can_connect_mythtv is not disabled?
Run the following command to determine if the squid_connect_any SELinux boolean is disabled: $ getsebool squid_connect_any If properly configured, the output should show the following: squid_connect_any --> off Is it the case that squid_connect_any is not disabled?
Run the following command to determine if the varnishd_connect_any SELinux boolean is disabled: $ getsebool varnishd_connect_any If properly configured, the output should show the following: varnishd_connect_any --> off Is it the case that varnishd_connect_any is not disabled?
Run the following command to determine if the privoxy_connect_any SELinux boolean is disabled: $ getsebool privoxy_connect_any If properly configured, the output should show the following: privoxy_connect_any --> off Is it the case that privoxy_connect_any is not disabled?
Run the following command to determine if the xend_run_qemu SELinux boolean is enabled: $ getsebool xend_run_qemu If properly configured, the output should show the following: xend_run_qemu --> on Is it the case that xend_run_qemu is not enabled?
Run the following command to determine if the abrt_upload_watch_anon_write SELinux boolean is disabled: $ getsebool abrt_upload_watch_anon_write If properly configured, the output should show the following: abrt_upload_watch_anon_write --> off Is it the case that abrt_upload_watch_anon_write is not disabled?
Run the following command to determine if the openshift_use_nfs SELinux boolean is disabled: $ getsebool openshift_use_nfs If properly configured, the output should show the following: openshift_use_nfs --> off Is it the case that openshift_use_nfs is not disabled?
Run the following command to determine if the unconfined_mozilla_plugin_transition SELinux boolean is enabled: $ getsebool unconfined_mozilla_plugin_transition If properly configured, the output should show the following: unconfined_mozilla_plugin_transition --> on Is it the case that unconfined_mozilla_plugin_transition is not enabled?
Run the following command to determine if the conman_can_network SELinux boolean is disabled: $ getsebool conman_can_network If properly configured, the output should show the following: conman_can_network --> off Is it the case that conman_can_network is not disabled?
Run the following command to determine if the cobbler_can_network_connect SELinux boolean is disabled: $ getsebool cobbler_can_network_connect If properly configured, the output should show the following: cobbler_can_network_connect --> off Is it the case that cobbler_can_network_connect is not disabled?
Run the following command to determine if the daemons_use_tty SELinux boolean is disabled: $ getsebool daemons_use_tty If properly configured, the output should show the following: daemons_use_tty --> off Is it the case that daemons_use_tty is not disabled?
Run the following command to determine if the zoneminder_run_sudo SELinux boolean is disabled: $ getsebool zoneminder_run_sudo If properly configured, the output should show the following: zoneminder_run_sudo --> off Is it the case that zoneminder_run_sudo is not disabled?
Run the following command to determine if the postgresql_selinux_unconfined_dbadm SELinux boolean is enabled: $ getsebool postgresql_selinux_unconfined_dbadm If properly configured, the output should show the following: postgresql_selinux_unconfined_dbadm --> on Is it the case that postgresql_selinux_unconfined_dbadm is not enabled?
Run the following command to determine if the samba_export_all_rw SELinux boolean is disabled: $ getsebool samba_export_all_rw If properly configured, the output should show the following: samba_export_all_rw --> off Is it the case that samba_export_all_rw is not disabled?
Run the following command to determine if the httpd_graceful_shutdown SELinux boolean is enabled: $ getsebool httpd_graceful_shutdown If properly configured, the output should show the following: httpd_graceful_shutdown --> on Is it the case that httpd_graceful_shutdown is not enabled?
Run the following command to determine if the pppd_can_insmod SELinux boolean is disabled: $ getsebool pppd_can_insmod If properly configured, the output should show the following: pppd_can_insmod --> off Is it the case that pppd_can_insmod is not disabled?
Run the following command to determine if the webadm_manage_user_files SELinux boolean is disabled: $ getsebool webadm_manage_user_files If properly configured, the output should show the following: webadm_manage_user_files --> off Is it the case that webadm_manage_user_files is not disabled?
Run the following command to determine if the secure_mode SELinux boolean is disabled: $ getsebool secure_mode If properly configured, the output should show the following: secure_mode --> off Is it the case that secure_mode is not disabled?
Run the following command to determine if the cluster_use_execmem SELinux boolean is disabled: $ getsebool cluster_use_execmem If properly configured, the output should show the following: cluster_use_execmem --> off Is it the case that cluster_use_execmem is not disabled?
Run the following command to determine if the httpd_serve_cobbler_files SELinux boolean is disabled: $ getsebool httpd_serve_cobbler_files If properly configured, the output should show the following: httpd_serve_cobbler_files --> off Is it the case that httpd_serve_cobbler_files is not disabled?
Run the following command to determine if the irssi_use_full_network SELinux boolean is disabled: $ getsebool irssi_use_full_network If properly configured, the output should show the following: irssi_use_full_network --> off Is it the case that irssi_use_full_network is not disabled?
Run the following command to determine if the xdm_bind_vnc_tcp_port SELinux boolean is disabled: $ getsebool xdm_bind_vnc_tcp_port If properly configured, the output should show the following: xdm_bind_vnc_tcp_port --> off Is it the case that xdm_bind_vnc_tcp_port is not disabled?
Run the following command to determine if the selinuxuser_direct_dri_enabled SELinux boolean is disabled: $ getsebool selinuxuser_direct_dri_enabled If properly configured, the output should show the following: selinuxuser_direct_dri_enabled --> off Is it the case that selinuxuser_direct_dri_enabled is not disabled?
Run the following command to determine if the swift_can_network SELinux boolean is disabled: $ getsebool swift_can_network If properly configured, the output should show the following: swift_can_network --> off Is it the case that swift_can_network is not disabled?
Run the following command to determine if the httpd_can_connect_zabbix SELinux boolean is disabled: $ getsebool httpd_can_connect_zabbix If properly configured, the output should show the following: httpd_can_connect_zabbix --> off Is it the case that httpd_can_connect_zabbix is not disabled?
Run the following command to determine if the mcelog_foreground SELinux boolean is disabled: $ getsebool mcelog_foreground If properly configured, the output should show the following: mcelog_foreground --> off Is it the case that mcelog_foreground is not disabled?
Run the following command to determine if the cobbler_use_cifs SELinux boolean is disabled: $ getsebool cobbler_use_cifs If properly configured, the output should show the following: cobbler_use_cifs --> off Is it the case that cobbler_use_cifs is not disabled?
Run the following command to determine if the virt_sandbox_use_sys_admin SELinux boolean is disabled: $ getsebool virt_sandbox_use_sys_admin If properly configured, the output should show the following: virt_sandbox_use_sys_admin --> off Is it the case that virt_sandbox_use_sys_admin is not disabled?
Run the following command to determine if the virt_use_execmem SELinux boolean is disabled: $ getsebool virt_use_execmem If properly configured, the output should show the following: virt_use_execmem --> off Is it the case that virt_use_execmem is not disabled?
Run the following command to determine if the exim_can_connect_db SELinux boolean is disabled: $ getsebool exim_can_connect_db If properly configured, the output should show the following: exim_can_connect_db --> off Is it the case that exim_can_connect_db is not disabled?
Run the following command to determine if the cluster_manage_all_files SELinux boolean is disabled: $ getsebool cluster_manage_all_files If properly configured, the output should show the following: cluster_manage_all_files --> off Is it the case that cluster_manage_all_files is not disabled?
Run the following command to determine if the xserver_execmem SELinux boolean is disabled: $ getsebool xserver_execmem If properly configured, the output should show the following: xserver_execmem --> off Is it the case that xserver_execmem is not disabled?
Run the following command to determine if the cobbler_use_nfs SELinux boolean is disabled: $ getsebool cobbler_use_nfs If properly configured, the output should show the following: cobbler_use_nfs --> off Is it the case that cobbler_use_nfs is not disabled?
Run the following command to determine if the cups_execmem SELinux boolean is disabled: $ getsebool cups_execmem If properly configured, the output should show the following: cups_execmem --> off Is it the case that cups_execmem is not disabled?
Run the following command to determine if the puppetmaster_use_db SELinux boolean is disabled: $ getsebool puppetmaster_use_db If properly configured, the output should show the following: puppetmaster_use_db --> off Is it the case that puppetmaster_use_db is not disabled?
Run the following command to determine if the xserver_clients_write_xshm SELinux boolean is disabled: $ getsebool xserver_clients_write_xshm If properly configured, the output should show the following: xserver_clients_write_xshm --> off Is it the case that xserver_clients_write_xshm is not disabled?
Run the following command to determine if the use_ecryptfs_home_dirs SELinux boolean is disabled: $ getsebool use_ecryptfs_home_dirs If properly configured, the output should show the following: use_ecryptfs_home_dirs --> off Is it the case that use_ecryptfs_home_dirs is not disabled?
Run the following command to determine if the dbadm_exec_content SELinux boolean is enabled: $ getsebool dbadm_exec_content If properly configured, the output should show the following: dbadm_exec_content --> on Is it the case that dbadm_exec_content is not enabled?
Run the following command to determine if the use_nfs_home_dirs SELinux boolean is disabled: $ getsebool use_nfs_home_dirs If properly configured, the output should show the following: use_nfs_home_dirs --> off Is it the case that use_nfs_home_dirs is not disabled?
Run the following command to determine if the tor_can_network_relay SELinux boolean is disabled: $ getsebool tor_can_network_relay If properly configured, the output should show the following: tor_can_network_relay --> off Is it the case that tor_can_network_relay is not disabled?
Run the following command to determine if the httpd_unified SELinux boolean is disabled: $ getsebool httpd_unified If properly configured, the output should show the following: httpd_unified --> off Is it the case that httpd_unified is not disabled?
Run the following command to determine if the mock_enable_homedirs SELinux boolean is disabled: $ getsebool mock_enable_homedirs If properly configured, the output should show the following: mock_enable_homedirs --> off Is it the case that mock_enable_homedirs is not disabled?
Run the following command to determine if the httpd_can_network_relay SELinux boolean is disabled: $ getsebool httpd_can_network_relay If properly configured, the output should show the following: httpd_can_network_relay --> off Is it the case that httpd_can_network_relay is not disabled?
Run the following command to determine if the xguest_exec_content SELinux boolean is disabled: $ getsebool xguest_exec_content If properly configured, the output should show the following: xguest_exec_content --> off Is it the case that xguest_exec_content is not disabled?
Run the following command to determine if the nagios_run_sudo SELinux boolean is disabled: $ getsebool nagios_run_sudo If properly configured, the output should show the following: nagios_run_sudo --> off Is it the case that nagios_run_sudo is not disabled?
Run the following command to determine if the virt_transition_userdomain SELinux boolean is disabled: $ getsebool virt_transition_userdomain If properly configured, the output should show the following: virt_transition_userdomain --> off Is it the case that virt_transition_userdomain is not disabled?
Run the following command to determine if the httpd_ssi_exec SELinux boolean is disabled: $ getsebool httpd_ssi_exec If properly configured, the output should show the following: httpd_ssi_exec --> off Is it the case that httpd_ssi_exec is not disabled?
Run the following command to determine if the ksmtuned_use_cifs SELinux boolean is disabled: $ getsebool ksmtuned_use_cifs If properly configured, the output should show the following: ksmtuned_use_cifs --> off Is it the case that ksmtuned_use_cifs is not disabled?
Run the following command to determine if the mpd_use_cifs SELinux boolean is disabled: $ getsebool mpd_use_cifs If properly configured, the output should show the following: mpd_use_cifs --> off Is it the case that mpd_use_cifs is not disabled?
Run the following command to determine if the use_lpd_server SELinux boolean is disabled: $ getsebool use_lpd_server If properly configured, the output should show the following: use_lpd_server --> off Is it the case that use_lpd_server is not disabled?
Run the following command to determine if the polipo_use_nfs SELinux boolean is disabled: $ getsebool polipo_use_nfs If properly configured, the output should show the following: polipo_use_nfs --> off Is it the case that polipo_use_nfs is not disabled?
Run the following command to determine if the lsmd_plugin_connect_any SELinux boolean is disabled: $ getsebool lsmd_plugin_connect_any If properly configured, the output should show the following: lsmd_plugin_connect_any --> off Is it the case that lsmd_plugin_connect_any is not disabled?
Run the following command to determine if the ftpd_connect_all_unreserved SELinux boolean is disabled: $ getsebool ftpd_connect_all_unreserved If properly configured, the output should show the following: ftpd_connect_all_unreserved --> off Is it the case that ftpd_connect_all_unreserved is not disabled?
Run the following command to determine if the virt_use_rawip SELinux boolean is disabled: $ getsebool virt_use_rawip If properly configured, the output should show the following: virt_use_rawip --> off Is it the case that virt_use_rawip is not disabled?
Run the following command to determine if the gpg_web_anon_write SELinux boolean is disabled: $ getsebool gpg_web_anon_write If properly configured, the output should show the following: gpg_web_anon_write --> off Is it the case that gpg_web_anon_write is not disabled?
Run the following command to determine if the telepathy_connect_all_ports SELinux boolean is disabled: $ getsebool telepathy_connect_all_ports If properly configured, the output should show the following: telepathy_connect_all_ports --> off Is it the case that telepathy_connect_all_ports is not disabled?
Run the following command to determine if the tor_bind_all_unreserved_ports SELinux boolean is disabled: $ getsebool tor_bind_all_unreserved_ports If properly configured, the output should show the following: tor_bind_all_unreserved_ports --> off Is it the case that tor_bind_all_unreserved_ports is not disabled?
Run the following command to determine if the dhcpc_exec_iptables SELinux boolean is disabled: $ getsebool dhcpc_exec_iptables If properly configured, the output should show the following: dhcpc_exec_iptables --> off Is it the case that dhcpc_exec_iptables is not disabled?
Run the following command to determine if the domain_fd_use SELinux boolean is enabled: $ getsebool domain_fd_use If properly configured, the output should show the following: domain_fd_use --> on Is it the case that domain_fd_use is not enabled?
Run the following command to determine if the polipo_use_cifs SELinux boolean is disabled: $ getsebool polipo_use_cifs If properly configured, the output should show the following: polipo_use_cifs --> off Is it the case that polipo_use_cifs is not disabled?
Run the following command to determine if the samba_create_home_dirs SELinux boolean is disabled: $ getsebool samba_create_home_dirs If properly configured, the output should show the following: samba_create_home_dirs --> off Is it the case that samba_create_home_dirs is not disabled?
Run the following command to determine if the mmap_low_allowed SELinux boolean is disabled: $ getsebool mmap_low_allowed If properly configured, the output should show the following: mmap_low_allowed --> off Is it the case that mmap_low_allowed is not disabled?
Run the following command to determine if the selinuxuser_share_music SELinux boolean is disabled: $ getsebool selinuxuser_share_music If properly configured, the output should show the following: selinuxuser_share_music --> off Is it the case that selinuxuser_share_music is not disabled?
Run the following command to determine if the ftpd_use_cifs SELinux boolean is disabled: $ getsebool ftpd_use_cifs If properly configured, the output should show the following: ftpd_use_cifs --> off Is it the case that ftpd_use_cifs is not disabled?
Run the following command to determine if the xend_run_blktap SELinux boolean is enabled: $ getsebool xend_run_blktap If properly configured, the output should show the following: xend_run_blktap --> on Is it the case that xend_run_blktap is not enabled?
Run the following command to determine if the mcelog_client SELinux boolean is disabled: $ getsebool mcelog_client If properly configured, the output should show the following: mcelog_client --> off Is it the case that mcelog_client is not disabled?
Run the following command to determine if the cluster_can_network_connect SELinux boolean is disabled: $ getsebool cluster_can_network_connect If properly configured, the output should show the following: cluster_can_network_connect --> off Is it the case that cluster_can_network_connect is not disabled?
Run the following command to determine if the selinuxuser_execmod SELinux boolean is enabled: $ getsebool selinuxuser_execmod If properly configured, the output should show the following: selinuxuser_execmod --> on Is it the case that selinuxuser_execmod is not enabled?
Run the following command to determine if the httpd_use_nfs SELinux boolean is disabled: $ getsebool httpd_use_nfs If properly configured, the output should show the following: httpd_use_nfs --> off Is it the case that httpd_use_nfs is not disabled?
Run the following command to determine if the cobbler_anon_write SELinux boolean is disabled: $ getsebool cobbler_anon_write If properly configured, the output should show the following: cobbler_anon_write --> off Is it the case that cobbler_anon_write is not disabled?
Run the following command to determine if the selinuxuser_udp_server SELinux boolean is disabled: $ getsebool selinuxuser_udp_server If properly configured, the output should show the following: selinuxuser_udp_server --> off Is it the case that selinuxuser_udp_server is not disabled?
Run the following command to determine if the gssd_read_tmp SELinux boolean is enabled: $ getsebool gssd_read_tmp If properly configured, the output should show the following: gssd_read_tmp --> on Is it the case that gssd_read_tmp is not enabled?
Run the following command to determine if the kdumpgui_run_bootloader SELinux boolean is disabled: $ getsebool kdumpgui_run_bootloader If properly configured, the output should show the following: kdumpgui_run_bootloader --> off Is it the case that kdumpgui_run_bootloader is not disabled?
Run the following command to determine if the telepathy_tcp_connect_generic_network_ports SELinux boolean is disabled: $ getsebool telepathy_tcp_connect_generic_network_ports If properly configured, the output should show the following: telepathy_tcp_connect_generic_network_ports --> off Is it the case that telepathy_tcp_connect_generic_network_ports is not disabled?
Run the following command to determine if the rsync_export_all_ro SELinux boolean is disabled: $ getsebool rsync_export_all_ro If properly configured, the output should show the following: rsync_export_all_ro --> off Is it the case that rsync_export_all_ro is not disabled?
Run the following command to determine if the xguest_connect_network SELinux boolean is disabled: $ getsebool xguest_connect_network If properly configured, the output should show the following: xguest_connect_network --> off Is it the case that xguest_connect_network is not disabled?
Run the following command to determine if the samba_enable_home_dirs SELinux boolean is disabled: $ getsebool samba_enable_home_dirs If properly configured, the output should show the following: samba_enable_home_dirs --> off Is it the case that samba_enable_home_dirs is not disabled?
Run the following command to determine if the virt_use_sanlock SELinux boolean is disabled: $ getsebool virt_use_sanlock If properly configured, the output should show the following: virt_use_sanlock --> off Is it the case that virt_use_sanlock is not disabled?
Run the following command to determine if the saslauthd_read_shadow SELinux boolean is disabled: $ getsebool saslauthd_read_shadow If properly configured, the output should show the following: saslauthd_read_shadow --> off Is it the case that saslauthd_read_shadow is not disabled?
Run the following command to determine if the xdm_write_home SELinux boolean is disabled: $ getsebool xdm_write_home If properly configured, the output should show the following: xdm_write_home --> off Is it the case that xdm_write_home is not disabled?
Run the following command to determine if the named_write_master_zones SELinux boolean is disabled: $ getsebool named_write_master_zones If properly configured, the output should show the following: named_write_master_zones --> off Is it the case that named_write_master_zones is not disabled?
Run the following command to determine if the polipo_session_users SELinux boolean is disabled: $ getsebool polipo_session_users If properly configured, the output should show the following: polipo_session_users --> off Is it the case that polipo_session_users is not disabled?
Run the following command to determine if the sysadm_exec_content SELinux boolean is enabled: $ getsebool sysadm_exec_content If properly configured, the output should show the following: sysadm_exec_content --> on Is it the case that sysadm_exec_content is not enabled?
Run the following command to determine if the xguest_use_bluetooth SELinux boolean is disabled: $ getsebool xguest_use_bluetooth If properly configured, the output should show the following: xguest_use_bluetooth --> off Is it the case that xguest_use_bluetooth is not disabled?
Run the following command to determine if the unprivuser_use_svirt SELinux boolean is disabled: $ getsebool unprivuser_use_svirt If properly configured, the output should show the following: unprivuser_use_svirt --> off Is it the case that unprivuser_use_svirt is not disabled?
Run the following command to determine if the kerberos_enabled SELinux boolean is enabled: $ getsebool kerberos_enabled If properly configured, the output should show the following: kerberos_enabled --> on Is it the case that kerberos_enabled is not enabled?
Run the following command to determine if the sge_domain_can_network_connect SELinux boolean is disabled: $ getsebool sge_domain_can_network_connect If properly configured, the output should show the following: sge_domain_can_network_connect --> off Is it the case that sge_domain_can_network_connect is not disabled?
Run the following command to determine if the sanlock_use_samba SELinux boolean is disabled: $ getsebool sanlock_use_samba If properly configured, the output should show the following: sanlock_use_samba --> off Is it the case that sanlock_use_samba is not disabled?
Run the following command to determine if the irc_use_any_tcp_ports SELinux boolean is disabled: $ getsebool irc_use_any_tcp_ports If properly configured, the output should show the following: irc_use_any_tcp_ports --> off Is it the case that irc_use_any_tcp_ports is not disabled?
Run the following command to determine if the ftpd_anon_write SELinux boolean is disabled: $ getsebool ftpd_anon_write If properly configured, the output should show the following: ftpd_anon_write --> off Is it the case that ftpd_anon_write is not disabled?
Run the following command to determine if the guest_exec_content SELinux boolean is disabled: $ getsebool guest_exec_content If properly configured, the output should show the following: guest_exec_content --> off Is it the case that guest_exec_content is not disabled?
Run the following command to determine if the selinuxuser_execheap SELinux boolean is disabled: $ getsebool selinuxuser_execheap If properly configured, the output should show the following: selinuxuser_execheap --> off Is it the case that selinuxuser_execheap is not disabled?
Run the following command to determine if the secure_mode_policyload SELinux boolean is disabled: $ getsebool secure_mode_policyload If properly configured, the output should show the following: secure_mode_policyload --> off Is it the case that secure_mode_policyload is not disabled?
Run the following command to determine if the httpd_mod_auth_ntlm_winbind SELinux boolean is disabled: $ getsebool httpd_mod_auth_ntlm_winbind If properly configured, the output should show the following: httpd_mod_auth_ntlm_winbind --> off Is it the case that httpd_mod_auth_ntlm_winbind is not disabled?
Run the following command to determine if the httpd_use_openstack SELinux boolean is disabled: $ getsebool httpd_use_openstack If properly configured, the output should show the following: httpd_use_openstack --> off Is it the case that httpd_use_openstack is not disabled?
Run the following command to determine if the httpd_use_cifs SELinux boolean is disabled: $ getsebool httpd_use_cifs If properly configured, the output should show the following: httpd_use_cifs --> off Is it the case that httpd_use_cifs is not disabled?
Run the following command to determine if the postgresql_selinux_users_ddl SELinux boolean is enabled: $ getsebool postgresql_selinux_users_ddl If properly configured, the output should show the following: postgresql_selinux_users_ddl --> on Is it the case that postgresql_selinux_users_ddl is not enabled?
Run the following command to determine if the nfs_export_all_ro SELinux boolean is enabled: $ getsebool nfs_export_all_ro If properly configured, the output should show the following: nfs_export_all_ro --> on Is it the case that nfs_export_all_ro is not enabled?
Run the following command to determine if the daemons_dump_core SELinux boolean is disabled:
$ getsebool daemons_dump_core
If properly configured, the output should show the following:
daemons_dump_core --> off
Is it the case that daemons_dump_core is not disabled?

Run the following command to determine if the postfix_local_write_mail_spool SELinux boolean is enabled:
$ getsebool postfix_local_write_mail_spool
If properly configured, the output should show the following:
postfix_local_write_mail_spool --> on
Is it the case that postfix_local_write_mail_spool is not enabled?

Run the following command to determine if the xdm_exec_bootloader SELinux boolean is disabled:
$ getsebool xdm_exec_bootloader
If properly configured, the output should show the following:
xdm_exec_bootloader --> off
Is it the case that xdm_exec_bootloader is not disabled?

Run the following command to determine if the httpd_dbus_avahi SELinux boolean is disabled:
$ getsebool httpd_dbus_avahi
If properly configured, the output should show the following:
httpd_dbus_avahi --> off
Is it the case that httpd_dbus_avahi is not disabled?

Run the following command to determine if the exim_read_user_files SELinux boolean is disabled:
$ getsebool exim_read_user_files
If properly configured, the output should show the following:
exim_read_user_files --> off
Is it the case that exim_read_user_files is not disabled?

Run the following command to determine if the cvs_read_shadow SELinux boolean is disabled:
$ getsebool cvs_read_shadow
If properly configured, the output should show the following:
cvs_read_shadow --> off
Is it the case that cvs_read_shadow is not disabled?

Run the following command to determine if the racoon_read_shadow SELinux boolean is disabled:
$ getsebool racoon_read_shadow
If properly configured, the output should show the following:
racoon_read_shadow --> off
Is it the case that racoon_read_shadow is not disabled?
Run the following command to determine if the git_system_enable_homedirs SELinux boolean is disabled:
$ getsebool git_system_enable_homedirs
If properly configured, the output should show the following:
git_system_enable_homedirs --> off
Is it the case that git_system_enable_homedirs is not disabled?

Run the following command to determine if the fips_mode SELinux boolean is enabled:
$ getsebool fips_mode
If properly configured, the output should show the following:
fips_mode --> on
Is it the case that fips_mode is not enabled?

Run the following command to determine if the httpd_can_network_connect_cobbler SELinux boolean is disabled:
$ getsebool httpd_can_network_connect_cobbler
If properly configured, the output should show the following:
httpd_can_network_connect_cobbler --> off
Is it the case that httpd_can_network_connect_cobbler is not disabled?

Run the following command to determine if the polyinstantiation_enabled SELinux boolean is disabled:
$ getsebool polyinstantiation_enabled
If properly configured, the output should show the following:
polyinstantiation_enabled --> off
Is it the case that polyinstantiation_enabled is not disabled?

Run the following command to determine if the icecast_use_any_tcp_ports SELinux boolean is disabled:
$ getsebool icecast_use_any_tcp_ports
If properly configured, the output should show the following:
icecast_use_any_tcp_ports --> off
Is it the case that icecast_use_any_tcp_ports is not disabled?

Run the following command to determine if the selinuxuser_use_ssh_chroot SELinux boolean is disabled:
$ getsebool selinuxuser_use_ssh_chroot
If properly configured, the output should show the following:
selinuxuser_use_ssh_chroot --> off
Is it the case that selinuxuser_use_ssh_chroot is not disabled?
Run the following command to determine if the authlogin_nsswitch_use_ldap SELinux boolean is disabled:
$ getsebool authlogin_nsswitch_use_ldap
If properly configured, the output should show the following:
authlogin_nsswitch_use_ldap --> off
Is it the case that authlogin_nsswitch_use_ldap is not disabled?

Run the following command to determine if the virt_sandbox_use_mknod SELinux boolean is disabled:
$ getsebool virt_sandbox_use_mknod
If properly configured, the output should show the following:
virt_sandbox_use_mknod --> off
Is it the case that virt_sandbox_use_mknod is not disabled?

Run the following command to determine if the selinuxuser_ping SELinux boolean is enabled:
$ getsebool selinuxuser_ping
If properly configured, the output should show the following:
selinuxuser_ping --> on
Is it the case that selinuxuser_ping is not enabled?

Run the following command to determine if the logging_syslogd_run_nagios_plugins SELinux boolean is disabled:
$ getsebool logging_syslogd_run_nagios_plugins
If properly configured, the output should show the following:
logging_syslogd_run_nagios_plugins --> off
Is it the case that logging_syslogd_run_nagios_plugins is not disabled?

Run the following command to determine if the mpd_enable_homedirs SELinux boolean is disabled:
$ getsebool mpd_enable_homedirs
If properly configured, the output should show the following:
mpd_enable_homedirs --> off
Is it the case that mpd_enable_homedirs is not disabled?

Run the following command to determine if the ftpd_use_passive_mode SELinux boolean is disabled:
$ getsebool ftpd_use_passive_mode
If properly configured, the output should show the following:
ftpd_use_passive_mode --> off
Is it the case that ftpd_use_passive_mode is not disabled?
Run the following command to determine if the secadm_exec_content SELinux boolean is enabled:
$ getsebool secadm_exec_content
If properly configured, the output should show the following:
secadm_exec_content --> on
Is it the case that secadm_exec_content is not enabled?

Run the following command to determine if the postgresql_selinux_transmit_client_label SELinux boolean is disabled:
$ getsebool postgresql_selinux_transmit_client_label
If properly configured, the output should show the following:
postgresql_selinux_transmit_client_label --> off
Is it the case that postgresql_selinux_transmit_client_label is not disabled?

Run the following command to determine if the git_session_users SELinux boolean is disabled:
$ getsebool git_session_users
If properly configured, the output should show the following:
git_session_users --> off
Is it the case that git_session_users is not disabled?

Inspect /etc/default/grub for any instances of selinux=0 in the kernel boot arguments. Presence of selinux=0 indicates that SELinux is disabled at boot time.
Is it the case that SELinux is disabled at boot time?

Check the file /etc/selinux/config and ensure the following line appears:
SELINUXTYPE=
Is it the case that it does not?

To check for unlabeled device files, run the following command:
$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
It should produce no output in a well-configured system.
Is it the case that there is output?

To verify the operating system prevents non-privileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures, run the following command:
$ sudo semanage login -l
All administrators must be mapped to the sysadm_u or staff_u users with the appropriate domains (sysadm_t and staff_t). All authorized non-administrative users must be mapped to the user_u role or the appropriate domain (user_t).
Is it the case that non-admin users are not confined correctly?

Check the file /etc/selinux/config and ensure the following line appears:
SELINUX=
Is it the case that SELINUX is not set to enforcing?

To check the minimum password length, run the command:
$ grep PASS_MIN_LEN /etc/login.defs
The DoD requirement is 15.
Is it the case that it is not set to the required value?

To check the password warning age, run the command:
$ grep PASS_WARN_AGE /etc/login.defs
The DoD requirement is 7.
Is it the case that it is not set to the required value?

To check the minimum password age, run the command:
$ grep PASS_MIN_DAYS /etc/login.defs
Is it the case that it is not equal to or greater than the required value?

To check the maximum password age, run the command:
$ grep PASS_MAX_DAYS /etc/login.defs
The DoD and FISMA requirement is 60. A value of 180 days is sufficient for many environments.
Is it the case that PASS_MAX_DAYS is not set equal to or greater than the required value?

Check whether the minimum time period between password changes for each user account is one day or greater by running the following command for each user:
$ sudo chage -l USER | grep Minimum
The output for each user should return something similar to the following:
Minimum number of days between password change\t\t: 1
Is it the case that existing passwords are not configured correctly?

Check whether the maximum time period for existing passwords is restricted to 60 days by running the following command for each user:
$ sudo chage -l USER | grep Maximum
The output for each user should return something similar to the following:
Maximum number of days between password change\t\t: 60
Is it the case that existing passwords are not configured correctly?

To check for serial port entries which permit root login, run the following command:
$ sudo grep ^ttyS/[0-9] /etc/securetty
If any output is returned, then root login over serial ports is permitted.
Is it the case that root login over serial ports is permitted?

To view the root user's PATH, run the following command:
$ sudo env | grep PATH
If correctly configured, the PATH must: use vendor default settings, have no empty entries, and have no entries beginning with a character other than a slash (/).
Is it the case that any of these conditions are not met?

To ensure root may not directly login to the system over physical consoles, run the following command:
cat /etc/securetty
If any output is returned, this is a finding.
Is it the case that the /etc/securetty file is not empty?

Check the root home directory for a .mozilla directory. If one exists, ensure browsing is limited to local service administration.
Is it the case that this is not the case?

To obtain a listing of all users and the contents of their shadow password field, run the command:
$ sudo awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1 ":" $2}' /etc/shadow
Identify the system accounts from this listing. These will primarily be the accounts with UID numbers less than UID_MIN, other than root. The value of the UID_MIN directive is set in the /etc/login.defs configuration file. In the default configuration, UID_MIN is set to 500.
Is it the case that it is not?

To check for virtual console entries which permit root login, run the following command:
$ sudo grep ^vc/[0-9] /etc/securetty
If any output is returned, then root login over virtual console devices is permitted.
Is it the case that root login over virtual console devices is permitted?

To obtain a listing of all users, their UIDs, and their shells, run the command:
$ awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd
Identify the system accounts from this listing. These will primarily be the accounts with UID numbers less than UID_MIN, other than root. The value of the UID_MIN directive is set in the /etc/login.defs configuration file. In the default configuration, UID_MIN is set to 1000.
Is it the case that any system account (other than root) has a login shell?
To list all password file entries for accounts with UID 0, run the following command:
$ awk -F: '($3 == "0") {print}' /etc/passwd
This should print only one line, for the user root. If there is a finding, change the UID of the failing (non-root) user. If the account is associated with system commands or applications, the UID should be changed to one greater than 0 but less than 1000. Otherwise assign a UID greater than 1000 that has not already been assigned.
Is it the case that any account other than root has a UID of 0?

Verify that the system is integrated with a centralized authentication mechanism such as Active Directory, Kerberos, Directory Server, etc. that has automated account mechanisms in place.
Is it the case that the system is not using a centralized authentication mechanism, or it is not automated?

Run the following command to check for duplicate account names:
$ sudo pwck -qr
If there are no duplicate names, no line will be returned.
Is it the case that a line is returned?

To verify the INACTIVE setting, run the following command:
$ grep "INACTIVE" /etc/default/useradd
The output should indicate the INACTIVE configuration option is set to an appropriate integer as shown in the example below:
$ grep "INACTIVE" /etc/default/useradd
INACTIVE=
Is it the case that the value of INACTIVE is greater than the expected value?

For every temporary and emergency account, run the following command to obtain its account aging and expiration information:
$ sudo chage -l USER
Verify each of these accounts has an expiration date set as documented.
Is it the case that any temporary or emergency accounts have no expiration date set or do not expire within a documented time frame?

To check the system for the existence of any .netrc files, run the following command:
$ sudo find /home -xdev -name .netrc
Is it the case that any .netrc files exist?
To verify that null passwords cannot be used, run the following command:
$ grep nullok /etc/pam.d/system-auth
If this produces any output, it may be possible to log into accounts with empty passwords. Remove any instances of the nullok option to prevent logins with empty passwords.
Is it the case that NULL passwords can be used?

To check that no password hashes are stored in /etc/passwd, run the following command:
awk '!/\S:x|\*/ {print}' /etc/passwd
If it produces any output, then a password hash is stored in /etc/passwd.
Is it the case that any stored hashes are found in /etc/passwd?

To ensure all GIDs referenced in /etc/passwd are defined in /etc/group, run the following command:
$ sudo pwck -qr
There should be no output.
Is it the case that GIDs referenced in /etc/passwd are returned as not defined in /etc/group?

Run the following command to determine if the screen package is installed:
$ rpm -q screen
Is it the case that the package is not installed?

To verify the operating system has the packages required for multifactor authentication installed, run the following command:
$ sudo yum list installed esc pam_pkcs11 authconfig-gtk
Is it the case that smartcard software is not installed?

To verify that is configured as the smart card driver, run the following command, changing ARCH for the architecture of your operating system:
$ grep card_drivers /etc/opensc-ARCH
The output should return something similar to:
card_drivers = ;
Is it the case that the smart card driver is not configured correctly?

To verify that opensc is configured in the NSS database, run the following command:
$ pkcs11-switch
The output should return opensc
Is it the case that opensc is not in use by the NSS database?
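The passwd and shadow checks above (UID 0 accounts, system accounts with a login shell, hashes in /etc/passwd, unlocked system-account passwords, nullok, duplicate names) are quick to run by hand but tedious to repeat across many hosts. The following is an added Python example, not SSG code, that applies the same rules to constructed sample files; the set of non-login shells (NOLOGIN_SHELLS), the function names and the sample accounts are assumptions made for the example.

```python
"""Audit /etc/passwd and /etc/shadow content for the account checks above.

Added example, not SSG code: UID 0 accounts other than root, system accounts
(UID below UID_MIN) with a login shell, hashes stored in /etc/passwd, unlocked
system-account passwords, empty password fields (what nullok would accept) and
duplicate account names. Inputs are constructed sample files, not a real host.
"""
from collections import Counter, namedtuple
from typing import Dict, List

# Assumption: shells that do not grant an interactive login.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

PasswdEntry = namedtuple("PasswdEntry", "name passwd uid gid gecos home shell")


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd(5) lines; lines without exactly seven fields are skipped."""
    entries = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) == 7:
            entries.append(PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return entries

def parse_shadow(text: str) -> Dict[str, str]:
    """Map each account to its shadow(5) password field (nine fields per line)."""
    rows = (line.split(":") for line in text.splitlines())
    return {f[0]: f[1] for f in rows if len(f) == 9}

def is_locked(pw_field: str) -> bool:
    """A field starting with '!' or '*' cannot match any password (the awk filter above)."""
    return pw_field.startswith(("!", "*"))

def uid_zero_accounts(entries: List[PasswdEntry]) -> List[str]:
    return sorted(e.name for e in entries if e.uid == 0 and e.name != "root")

def system_accounts_with_shell(entries: List[PasswdEntry], uid_min: int = 1000) -> List[str]:
    """Non-root accounts below UID_MIN whose shell allows an interactive login."""
    return sorted(e.name for e in entries
                  if e.name != "root" and e.uid < uid_min and e.shell not in NOLOGIN_SHELLS)

def hashes_in_passwd(entries: List[PasswdEntry]) -> List[str]:
    """Accounts whose passwd field is neither the shadow marker 'x' nor a locked field."""
    return sorted(e.name for e in entries if e.passwd != "x" and not is_locked(e.passwd))

def unlocked_system_passwords(entries, shadow: Dict[str, str], uid_min: int = 1000) -> List[str]:
    """System accounts (non-root, UID below UID_MIN) whose shadow field is not locked."""
    return sorted(e.name for e in entries
                  if e.name != "root" and e.uid < uid_min
                  and e.name in shadow and not is_locked(shadow[e.name]))

def empty_passwords(shadow: Dict[str, str]) -> List[str]:
    """Accounts with an empty shadow password field; only nullok makes these usable."""
    return sorted(name for name, field in shadow.items() if field == "")

def duplicate_names(entries: List[PasswdEntry]) -> List[str]:
    return sorted(name for name, n in Counter(e.name for e in entries).items() if n > 1)

def audit(passwd_text: str, shadow_text: str, uid_min: int = 1000) -> Dict[str, List[str]]:
    entries = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    return {
        "uid_zero_not_root": uid_zero_accounts(entries),
        "system_accounts_with_login_shell": system_accounts_with_shell(entries, uid_min),
        "hashes_in_passwd": hashes_in_passwd(entries),
        "unlocked_system_passwords": unlocked_system_passwords(entries, shadow, uid_min),
        "empty_passwords": empty_passwords(shadow),
        "duplicate_names": duplicate_names(entries),
    }


# Constructed sample files; the seeded findings are toor, backup, legacy and bob.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
backup:x:200:200:backup job:/var/backup:/bin/bash
toor:x:0:0:second uid 0:/root:/bin/bash
legacy:$6$salt$CONSTRUCTEDHASH:510:510::/home/legacy:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
bob:x:1002:1002::/home/bob2:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$r$CONSTRUCTEDHASH:18000:1:60:7:::
bin:*:17000:0:99999:7:::
backup:$6$b$CONSTRUCTEDHASH:17500:0:99999:7:::
toor:!!:17500:0:99999:7:::
legacy:!!:17500:0:99999:7:::
alice:$6$a$CONSTRUCTEDHASH:18000:1:60:7:::
bob::18000:0:99999:7:::
"""

if __name__ == "__main__":
    for check, names in audit(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{check}: {', '.join(names) or 'none'}")
```

The uid_min argument mirrors the UID_MIN value taken from /etc/login.defs, so the same audit can be run with 500 or 1000 as the page's two checks require.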
To verify the operating system implements certificate status checking for PKI authentication, run the following command:
$ sudo grep -i cert_policy /etc/pam_pkcs11/pam_pkcs11.conf
The output should return multiple lines similar to the following:
cert_policy = ca, ocsp_on, signature;
cert_policy = ca, ocsp_on, signature;
cert_policy = ca, ocsp_on, signature;
Is it the case that ocsp_on is not configured?

Run the following command to determine if the pcsc-lite package is installed:
$ rpm -q pcsc-lite
Is it the case that the package is not installed?

Run the following command to determine the current status of the pcscd service:
$ systemctl is-active pcscd
If the service is running, it should return the following:
active
Is it the case that the pcscd service is not enabled?

Interview the SA to determine if all accounts not exempted by policy are using CAC authentication. For DoD systems, the following systems and accounts are exempt from using smart card (CAC) authentication:
- SIPRNET systems
- Standalone systems
- Application accounts
- Temporary employee accounts, such as students or interns, who cannot easily receive a CAC or PIV
- Operational tactical locations that are not collocated with RAPIDS workstations to issue CAC or ALT
- Test systems, such as those with an Interim Approval to Test (IATT) and use a separate VPN, firewall, or security measure preventing access to network and system components from outside the protection boundary documented in the IATT.
Is it the case that non-exempt accounts are not using CAC authentication?

Run the following command to determine if the opensc package is installed:
$ rpm -q opensc
Is it the case that the package is not installed?
To check if authentication is required for single-user mode, run the following command:
$ grep sulogin /usr/lib/systemd/system/rescue.service
The output should be similar to the following, and the line must begin with ExecStart and /sbin/sulogin.
ExecStart=-/sbin/sulogin
Is it the case that the output is different?

To ensure the system is configured to ignore the Ctrl-Alt-Del setting, enter the following command:
$ sudo grep -i ctrlaltdelburstaction /etc/systemd/system.conf
The output should return:
CtrlAltDelBurstAction=none
Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed more than 7 times in 2 seconds?

Inspect /etc/default/grub for any instances of systemd.confirm_spawn=(1|yes|true|on) in the kernel boot arguments. Presence of systemd.confirm_spawn=(1|yes|true|on) indicates that interactive boot is enabled at boot time.
Is it the case that interactive boot is enabled at boot time?

To ensure the system is configured to mask the Ctrl-Alt-Del sequence, enter the following command:
$ sudo ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
or
$ sudo systemctl mask ctrl-alt-del.target
Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed?

To check that the debug-shell service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled debug-shell
Output should indicate the debug-shell service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled debug-shell
disabled
Run the following command to verify debug-shell is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active debug-shell
If the service is not running the command will return the following output:
inactive
Is it the case that ?
To ensure write permissions are disabled for group and other for each element in root's path, run the following command:
# ls -ld DIR
Is it the case that group or other write permissions exist?

To verify the UMASK setting is not configured for interactive users, run the following command:
$ sudo grep -ri "UMASK" /home
There should be no output.
Is it the case that the above command returns no output, or if the umask is configured incorrectly?

Verify the UMASK setting is configured correctly in the /etc/login.defs file by running the following command:
# grep -i "UMASK" /etc/login.defs
All output must show the value of umask set as shown below:
# grep -i "UMASK" /etc/login.defs
umask
Is it the case that the above command returns no output, or if the umask is configured incorrectly?

Verify the umask setting is configured correctly in the /etc/bashrc file by running the following command:
# grep "umask" /etc/bashrc
All output must show the value of umask set as shown below:
# grep "umask" /etc/bashrc
umask
umask
Is it the case that the above command returns no output, or if the umask is configured incorrectly?

Verify the umask setting is configured correctly in the /etc/csh.cshrc file by running the following command:
# grep "umask" /etc/csh.cshrc
All output must show the value of umask set as shown below:
# grep "umask" /etc/csh.cshrc
umask
Is it the case that the above command returns no output, or if the umask is configured incorrectly?

Verify the umask setting is configured correctly in the /etc/profile file by running the following command:
# grep "umask" /etc/profile
All output must show the value of umask set as shown below:
# grep "umask" /etc/profile
umask
Is it the case that the above command returns no output, or if the umask is configured incorrectly?
Run the following command to ensure the TMOUT value is configured for all users on the system:
$ sudo grep TMOUT /etc/profile
The output should return the following:
TMOUT=
Is it the case that the value of TMOUT is not less than or equal to the expected setting?

To ensure the user home directory is not group-writable or world-readable, run the following:
# ls -ld /home/USER
Is it the case that the user home directory is group-writable or world-readable?

To verify all local initialization files for interactive users are owned by the primary user, run the following command:
$ sudo ls -al /home/USER/.*
The user initialization files should be owned by USER.
Is it the case that they are not?

To verify the assigned home directory of all interactive users on the system exists, run the following command:
$ sudo pwck -r
The output should not return any interactive users.
Is it the case that a user's home directory does not exist?

To verify that local initialization files do not execute world-writable programs, execute the following command:
$ sudo find /home -name ".[^.]*" -perm -002 -type f -exec ls -ld {} \;
There should be no output.
Is it the case that files are executing world-writable programs?

Check if the system is configured to create home directories for local interactive users with the following command:
$ sudo grep -i create_home /etc/login.defs
Is it the case that the value of CREATE_HOME is not set to yes, is missing, or the line is commented out?

Verify the FAIL_DELAY setting is configured correctly in the /etc/login.defs file by running the following command:
$ sudo grep -i "FAIL_DELAY" /etc/login.defs
All output must show the value of FAIL_DELAY set as shown below:
$ sudo grep -i "FAIL_DELAY" /etc/login.defs
fail_delay
Is it the case that the above command returns no output, or FAIL_DELAY is configured less than the expected value?
To verify all files and directories in an interactive user's home directory are group-owned by a group the user is a member of, run the following command:
$ sudo ls -lLR /home/USER
Is it the case that the group ownership is incorrect?

To verify that the executable search path statements in all interactive user initialization files do not reference a working directory other than the user's home directory, run the following command:
$ sudo grep -r PATH /home/
Inspect the output for any PATH that references directories outside the home directory.
Is it the case that paths contain more than local home directories?

To verify all files and directories contained in an interactive user's home directory, excluding local initialization files, have a mode of 0750, run the following command:
$ sudo ls -lLR /home/USER
Is it the case that home directory files or folders have incorrect permissions?

Run the following command to ensure the maxlogins value is configured for all users on the system:
# grep "maxlogins" /etc/security/limits.conf
You should receive output similar to the following:
*\t\thard\tmaxlogins\t
Is it the case that maxlogins is not equal to or less than the expected value?

To verify the assigned home directory of all interactive users is group-owned by that user's primary GID, run the following command:
$ sudo ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)
Is it the case that the group ownership is incorrect?

To verify interactive users on the system have a home directory assigned, run the following command:
$ sudo awk -F":" '{print $1 ":" $6}' /etc/passwd
Inspect the output and verify that all interactive users have a home directory defined.
Is it the case that a user's home directory is not defined?

To verify that all user initialization files have a mode of 0740 or less permissive, run the following command:
$ sudo find /home -type f -name '\.*' \( -perm -0002 -o -perm -0020 \)
There should be no output.
Is it the case that they are not 0740 or more permissive?

To verify the home directory ownership, run the following command:
$ sudo ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)
Is it the case that the user ownership is incorrect?

To verify all files and directories in an interactive user's home directory are owned by the user, run the following command:
$ sudo ls -lLR /home/USER
Is it the case that the user ownership is incorrect?

To verify the local initialization files of all local interactive users are group-owned by the appropriate user, inspect the primary group of the respective users in /etc/passwd and verify all initialization files under the respective user's home directory. Check the group owner of all local interactive users' initialization files.
Is it the case that they are not?

To verify that all interactive user home directories have a mode of 0750 or less permissive, run the following command:
$ sudo ls -l /home
Inspect the output for any directories with incorrect permissions.
Is it the case that they are more permissive?

To ensure a login warning banner is enabled, run the following:
$ grep banner-message-enable /etc/dconf/db/gdm.d/*
If properly configured, the output should be true.
To ensure a login warning banner is locked and cannot be changed by a user, run the following:
$ grep banner-message-enable /etc/dconf/db/gdm.d/locks/*
If properly configured, the output should be /org/gnome/login-screen/banner-message-enable.
Is it the case that it is not?

To ensure the login warning banner text is properly set, run the following:
$ grep banner-message-text /etc/dconf/db/gdm.d/*
If properly configured, the proper banner text will appear.
To ensure the login warning banner text is locked and cannot be changed by a user, run the following:
$ grep banner-message-text /etc/dconf/db/gdm.d/locks/*
If properly configured, the output should be /org/gnome/login-screen/banner-message-text.
Is it the case that it does not?
To ensure a login warning banner is enabled, run the following:
$ gconftool-2 -g /apps/gdm/simple-greeter/banner_message_enable
Search for the banner_message_enable schema. If properly configured, the default value should be true.
Is it the case that it is not?

To ensure the login warning banner text is properly set, run the following:
$ gconftool-2 -g /apps/gdm/simple-greeter/banner_message_text
If properly configured, the proper banner text will appear within this schema.
Is it the case that it does not?

To check if the system login banner is compliant, run the following command:
$ cat /etc/issue
Is it the case that it does not display the required banner?

Inspect /etc/login.defs and ensure the following line appears:
ENCRYPT_METHOD SHA512
Is it the case that it does not?

Inspect /etc/libuser.conf and ensure the following line appears in the [default] section:
crypt_style = sha512
Is it the case that it does not?

Inspect the password section of /etc/pam.d/system-auth and ensure that the pam_unix.so module includes the argument sha512:
$ grep sha512 /etc/pam.d/system-auth
Is it the case that it does not?

To ensure that even the root account is locked after a defined number of failed password attempts, run the following command:
$ grep even_deny_root /etc/pam.d/system-auth
The output should show even_deny_root.
Is it the case that that is not the case?

To ensure the failed password attempt policy is configured correctly, run the following command:
$ grep pam_faillock /etc/pam.d/system-auth
The output should show unlock_time=<some-large-number> or never.
Is it the case that unlock_time is less than the expected value?

To verify the password reuse setting is compliant, run the following command:
$ grep remember /etc/pam.d/system-auth
The output should show the following at the end of the line:
remember=
Is it the case that the value of remember is not set equal to or greater than the expected setting?
To ensure the failed password attempt policy is configured correctly, run the following command:
$ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
For each file, the output should show fail_interval=<interval-in-seconds> where interval-in-seconds is or greater. If the fail_interval parameter is not set, the default setting of 900 seconds is acceptable.
Is it the case that fail_interval is less than the required value?

To ensure the failed password attempt policy is configured correctly, run the following command:
$ grep pam_faillock /etc/pam.d/system-auth
The output should show deny=.
Is it the case that that is not the case?

To check how many characters are required in a password, run the following command:
$ grep minlen /etc/security/pwquality.conf
Your output should contain minlen =
Is it the case that minlen is not found, or not equal to or greater than the required value?

To check the value for maximum consecutive repeating characters, run the following command:
$ grep maxclassrepeat /etc/security/pwquality.conf
For DoD systems, the output should show maxclassrepeat=4.
Is it the case that that is not the case?

To check the maximum value for consecutive repeating characters, run the following command:
$ grep maxrepeat /etc/security/pwquality.conf
Look for the value of the maxrepeat parameter. The DoD requirement is 3, which would appear as maxrepeat=3.
Is it the case that maxrepeat is not found or not greater than or equal to the required value?

To check how many digits are required in a password, run the following command:
$ grep dcredit /etc/security/pwquality.conf
The dcredit parameter (as a negative number) will indicate how many digits are required. The DoD requires at least one digit in a password. This would appear as dcredit = -1.
Is it the case that dcredit is not found or not equal to or less than the required value?
To check how many categories of characters must be used in password during a password change, run the following command: $ grep minclass /etc/security/pwquality.conf The minclass parameter will indicate how many character classes must be used. If the requirement was for the password to contain characters from three different categories, then this would appear as minclass = 3. Is it the case that minclass is not found or not set equal to or greater than the required value? To check how many characters must differ during a password change, run the following command: $ grep difok /etc/security/pwquality.conf The difok parameter will indicate how many characters must differ. Is it the case that difok is not found or not equal to or greater than the required value? To check how many special characters are required in a password, run the following command: $ grep ocredit /etc/security/pwquality.conf The ocredit parameter (as a negative number) will indicate how many special characters are required. The DoD and FISMA require at least one special character in a password. This would appear as ocredit = -1. Is it the case that ocredit is not found or not equal to or less than the required value? To check how many lowercase characters are required in a password, run the following command: $ grep lcredit /etc/security/pwquality.conf The lcredit parameter (as a negative number) will indicate how many special characters are required. The DoD and FISMA require at least one lowercase character in a password. This would appear as lcredit = -1. Is it the case that lcredit is not found or not less than or equal to the required value? To check how many uppercase characters are required in a password, run the following command: $ grep ucredit /etc/security/pwquality.conf The ucredit parameter (as a negative number) will indicate how many uppercase characters are required. The DoD and FISMA require at least one uppercase character in a password. This would appear as ucredit = -1. 
Is it the case that ucredit is not found or not set less than or equal to the required value? To check how many retry attempts are permitted on a per-session basis, run the following command: $ grep pam_pwquality /etc/pam.d/system-auth The retry parameter will indicate how many attempts are permitted. The DoD required value is less than or equal to 3. This would appear as retry=3, or a lower value. Is it the case that it is not the required value? To check how many retry attempts are permitted on a per-session basis, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth The retry parameter will indicate how many attempts are permitted. The DoD required value is less than or equal to 3. This would appear as retry=3, or a lower value. Is it the case that it is not the required value? To check how many special characters are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth The ocredit parameter (as a negative number) will indicate how many special characters are required. The DoD and FISMA require at least one special character in a password. This would appear as ocredit=-1. Is it the case that ocredit is not found or not set to the required value? To check how many digits are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth The dcredit parameter (as a negative number) will indicate how many digits are required. The DoD requires at least one digit in a password. This would appear as dcredit=-1. Is it the case that dcredit is not found or not set to the required value? To check how many categories of characters must be used in password during a password change, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth The minclass parameter will indicate how many character classes must be used. If the requirement was for the password to contain characters from three different categories, then this would appear as minclass=3. 
Is it the case that minclass is not found or not set to the required value? To check how many uppercase characters are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth The ucredit parameter (as a negative number) will indicate how many uppercase characters are required. The DoD and FISMA require at least one uppercase character in a password. This would appear as ucredit=-1. Is it the case that ucredit is not found or not set to the required value? To check how many lowercase characters are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth The lcredit parameter (as a negative number) will indicate how many special characters are required. The DoD and FISMA require at least one lowercase character in a password. This would appear as lcredit=-1. Is it the case that lcredit is not found or not set to the required value? To check how many characters are required in a password, run the following command: $ grep cracklib /etc/pam.d/system-auth Your output should contain minlen= Is it the case that minlen is not found or not set to the required value (or higher)? To check the maximum value for consecutive repeating characters, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth Look for the value of the maxrepeat parameter. The DoD requirement is 3. Is it the case that maxrepeat is not found or not set to the required value? To check how many characters must differ during a password change, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth The difok parameter will indicate how many characters must differ. The DoD requires four characters differ during a password change. This would appear as difok=4. Is it the case that difok is not found or not set to the required value? 
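The pwquality checks above grep for one parameter at a time and leave the comparison to the reader. The following script is an added example, not code from the SCAP Security Guide: it reads a pwquality.conf once, honours the last non-comment assignment, treats unset parameters as failures, and flags maxrepeat/maxclassrepeat values of 0, which disable those checks rather than tighten them. The thresholds and the two sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the SCAP Security Guide: audit a pwquality.conf
# against the thresholds quoted in the checks above. The thresholds are
# assumptions for illustration; adjust them to the profile being audited.
PWQ_MINLEN=15          # assumed minimum length
PWQ_MINCLASS=3         # character classes, the page's example value
PWQ_DIFOK=4            # characters that must differ on change (DoD value quoted above)
PWQ_MAXREPEAT=3        # max consecutive repeats (DoD value quoted above)
PWQ_MAXCLASSREPEAT=4   # max consecutive repeats of one class (DoD value quoted above)

# pwq_get FILE KEY: print the effective value of KEY (last non-comment
# "key = value" line wins, surrounding whitespace dropped); empty if unset.
pwq_get() {
    awk -v k="$2" -F= '
        $1 !~ /^[ \t]*#/ && NF >= 2 {
            gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2)
            if ($1 == k) v = $2
        }
        END { print v }' "$1"
}

# pwq_is_int VALUE: succeed only for a plain (possibly negative) integer.
pwq_is_int() {
    case "$1" in
        ''|-|*[!0-9-]*|?*-*) return 1 ;;
    esac
    return 0
}

# check_pwquality FILE: print one FAIL line per problem; the return value is
# the number of failures (0 = compliant). Unset keys fail, because pwquality's
# built-in defaults (minlen=8, all credits 0) are weaker than the thresholds.
check_pwquality() {
    f="$1"; fails=0
    for spec in "minlen -ge $PWQ_MINLEN" "minclass -ge $PWQ_MINCLASS" \
                "difok -ge $PWQ_DIFOK" "dcredit -le -1" "ucredit -le -1" \
                "lcredit -le -1" "ocredit -le -1"; do
        set -- $spec                      # $1=key $2=test operator $3=bound
        v=$(pwq_get "$f" "$1")
        if ! pwq_is_int "$v" || ! [ "$v" "$2" "$3" ]; then
            echo "FAIL: $1 is '${v:-unset}', expected $2 $3"
            fails=$((fails + 1))
        fi
    done
    # maxrepeat/maxclassrepeat = 0 disables the check entirely, so require 1..N.
    for spec in "maxrepeat $PWQ_MAXREPEAT" "maxclassrepeat $PWQ_MAXCLASSREPEAT"; do
        set -- $spec
        v=$(pwq_get "$f" "$1")
        if ! pwq_is_int "$v" || [ "$v" -lt 1 ] || [ "$v" -gt "$2" ]; then
            echo "FAIL: $1 is '${v:-unset}', expected 1..$2"
            fails=$((fails + 1))
        fi
    done
    return $fails
}

# Constructed sample configurations (not real system files).
pwq_write_samples() {
    PWQ_GOOD=$(mktemp); PWQ_BAD=$(mktemp)
    cat > "$PWQ_GOOD" <<'EOF'
# constructed compliant sample
minlen = 15
minclass = 4
difok = 8
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
maxrepeat = 3
maxclassrepeat = 4
EOF
    cat > "$PWQ_BAD" <<'EOF'
# constructed weak sample: commented-out, too small and disabled values
# minlen = 15
minlen = 8
dcredit = 0
ucredit = -1
lcredit = -1
ocredit = -1
maxrepeat = 0
EOF
}

pwq_write_samples
check_pwquality "$PWQ_GOOD" && echo "good sample: compliant"
check_pwquality "$PWQ_BAD" || echo "weak sample: $? finding(s)"
rm -f "$PWQ_GOOD" "$PWQ_BAD"
```

Run it against the real file with check_pwquality /etc/security/pwquality.conf; the weak sample above yields six findings (minlen, minclass, difok, dcredit, maxrepeat, maxclassrepeat).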
To ensure that last logon/access notification is configured correctly, run the following command:
$ grep pam_lastlog.so /etc/pam.d/postlogin
The output should show showfailed.
Is it the case that that is not the case?

Check the system partitions to determine if they are encrypted with the following command:
blkid
Output will be similar to:
/dev/sda1: UUID="ab12c3de-4f56-789a-8f33-3850cc8ce3a2" TYPE="crypto_LUKS"
/dev/sda2: UUID="bc98d7ef-6g54-321h-1d24-9870de2ge1a2" TYPE="crypto_LUKS"
Pseudo-file systems, such as /proc, /sys, and tmpfs, are not required to use disk encryption and are not a finding.
Is it the case that partitions do not have a type of crypto_LUKS?

Run the following command to determine if /home is on its own partition or logical volume:
$ mount | grep "on /home"
If /home has its own partition or volume group, a line will be returned.
Is it the case that no line is returned?

Run the following command to determine if /srv is on its own partition or logical volume:
$ mount | grep "on /srv"
If /srv has its own partition or volume group, a line will be returned.
Is it the case that no line is returned?

Run the following command to determine if /var/tmp is on its own partition or logical volume:
$ mount | grep "on /var/tmp"
If /var/tmp has its own partition or volume group, a line will be returned.
Is it the case that no line is returned?

Run the following command to determine if /tmp is on its own partition or logical volume:
$ mount | grep "on /tmp"
If /tmp has its own partition or volume group, a line will be returned.
Is it the case that no line is returned?

Run the following command to determine if /var is on its own partition or logical volume:
$ mount | grep "on /var"
If /var has its own partition or volume group, a line will be returned.
Is it the case that no line is returned?

Run the following command to determine if /var/log/audit is on its own partition or logical volume:
$ mount | grep "on /var/log/audit"
If /var/log/audit has its own partition or volume group, a line will be returned.
Is it the case that no line is returned?

Run the following command to determine if /var/log is on its own partition or logical volume:
$ mount | grep "on /var/log"
If /var/log has its own partition or volume group, a line will be returned.
Is it the case that no line is returned?

To determine if NOPASSWD or !authenticate have been configured for sudo, run the following command:
$ sudo grep -ri "nopasswd\|\!authenticate" /etc/sudoers /etc/sudoers.d/
The command should return no output.
Is it the case that nopasswd and/or !authenticate is enabled in sudo?

To determine if NOPASSWD has been configured for the vdsm user for sudo, run the following command:
$ sudo grep -ri nopasswd /etc/sudoers.d/
The command should return output only for the vdsm user.
Is it the case that nopasswd is set for any users beyond vdsm?

To determine if !authenticate has not been configured for sudo, run the following command:
$ sudo grep -r \!authenticate /etc/sudoers /etc/sudoers.d/
The command should return no output.
Is it the case that !authenticate is enabled in sudo?

To determine if NOPASSWD has been configured for sudo, run the following command:
$ sudo grep -ri nopasswd /etc/sudoers /etc/sudoers.d/
The command should return no output.
Is it the case that nopasswd is enabled in sudo?

To verify that the installed operating system is supported, run the following command:
$ grep -i "red hat" /etc/redhat-release
The output should contain something similar to:
Red Hat Enterprise Linux 7
Is it the case that the installed operating system is not supported?
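The grep -ri commands in the sudo checks above also match commented-out lines, and the vdsm check cannot express "NOPASSWD only for this user" on its own. The script below is an added example, not code from the SCAP Security Guide: it strips comments and takes an explicit exception list; the sudoers files it scans are constructed samples.

```shell
#!/bin/sh
# Added example, not from the SCAP Security Guide. Lists sudo rules that skip
# authentication (NOPASSWD tag or !authenticate Defaults) after dropping
# comments, with an explicit exception list for user specs that are allowed
# (the vdsm user from the check above).
# Caveat: a '#' inside a rule (e.g. a numeric uid "#1000") is treated as a comment.
# find_passwordless_sudo EXCEPT FILE...
#   EXCEPT: comma-separated user specs allowed to skip authentication ("" = none)
#   Prints FILE:LINE: rule for every finding; returns 1 if any, else 0.
find_passwordless_sudo() {
    except="$1"; shift
    awk -v except="$except" '
        BEGIN { n = split(except, e, ","); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        {
            line = $0; sub(/#.*/, "", line)                 # drop comments
            if (line !~ /NOPASSWD|!authenticate/) next
            split(line, f)                                  # whitespace fields
            who = f[1]                                      # user spec or "Defaults[:user]"
            if (who ~ /^Defaults:/) who = substr(who, 10)
            if (who in ok) next                             # explicitly allowed
            print FILENAME ":" FNR ": " line; found++
        }
        END { exit found > 0 }' "$@"
}

# Constructed sample sudoers tree (not real system files).
sudo_write_samples() {
    SUDO_DIR=$(mktemp -d); mkdir "$SUDO_DIR/sudoers.d"
    cat > "$SUDO_DIR/sudoers" <<'EOF'
## constructed sample sudoers
Defaults    !visiblepw
# Defaults  !authenticate   (commented out: must not be reported)
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       NOPASSWD: ALL
EOF
    printf 'vdsm    ALL=(ALL)       NOPASSWD: ALL\n' > "$SUDO_DIR/sudoers.d/vdsm"
    printf 'Defaults:deploy !authenticate\n' > "$SUDO_DIR/sudoers.d/deploy"
}

sudo_write_samples
# With only vdsm excepted this reports the %wheel rule and Defaults:deploy.
find_passwordless_sudo vdsm "$SUDO_DIR/sudoers" "$SUDO_DIR"/sudoers.d/* || echo "findings present"
rm -rf "$SUDO_DIR"
```

On a real system the call is find_passwordless_sudo vdsm /etc/sudoers /etc/sudoers.d/* (as root, since the files are mode 0440).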
To verify that the installed operating system is supported or certified, run the following command:
$ grep -i "red hat" /etc/redhat-release
The output should contain something similar to:
Red Hat Enterprise Linux 7
Is it the case that the installed operating system is not FIPS 140-2 certified?

Run the following command to determine if the dracut-fips package is installed:
$ rpm -q dracut-fips
Is it the case that the package is not installed?

To verify that FIPS is enabled properly in grub, run the following command:
$ grep fips /etc/default/grub
The output should contain fips=1
Is it the case that FIPS is not configured or enabled in grub?

To verify that HBSS PA is installed, run the following command(s):
$ sudo ls /opt/McAfee/auditengine/bin/auditmanager
Is it the case that the HBSS PA module is not installed?

To verify that HBSS ACCM is installed, run the following command(s):
$ sudo ls /opt/McAfee/accm/bin/accm
Is it the case that the HBSS ACCM module is not installed?

To verify that McAfee HIPS is installed, run the following command(s):
$ rpm -q MFEhiplsm
Is it the case that the HBSS HIPS module is not installed?

Run the following command to determine the current status of the nails service:
$ systemctl is-active nails
If the service is running, it should return the following:
active
Is it the case that ?

To verify that McAfee VirusScan Enterprise for Linux is installed and running, run the following command(s):
$ sudo systemctl status nails
$ rpm -q McAfeeVSEForLinux
Is it the case that virus scanning software is not installed or running?

To check on the age of McAfee virus definition files, run the following command:
$ sudo ls -la /opt/NAI/LinuxShield/engine/dat/avvscan.dat /opt/NAI/LinuxShield/engine/dat/avvnames.dat /opt/NAI/LinuxShield/engine/dat/avvclean.dat
Is it the case that signatures are out of date?

To verify that McAfee Runtime Libraries (MFErt) and Linux Agent (MFEcma) are installed, run the following command(s):
$ rpm -q MFEcma
$ rpm -q MFErt
Is it the case that the HBSS HIPS module is not installed?

Verify that the system backs up user data.
Is it the case that it is not?

Inspect the system for a cron job or system service which executes a virus scanning tool regularly. To verify the McAfee VSEL system service is operational, run the following command:
$ sudo /sbin/service nails status
To check on the age of uvscan virus definition files, run the following command:
$ sudo ls -la /opt/NAI/LinuxShield/engine/dat/avvscan.dat /opt/NAI/LinuxShield/engine/dat/avvnames.dat /opt/NAI/LinuxShield/engine/dat/avvclean.dat
Is it the case that virus scanning software does not run continuously, or at least daily, or has signatures that are out of date?

Inspect the system to determine if intrusion detection software has been installed. Verify this intrusion detection software is active.
Is it the case that no host-based intrusion detection tools are installed?

The following command will list which files on the system have permissions different from what is expected by the RPM database:
$ rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }'
Is it the case that there is output?

The following command will list which files on the system have ownership different from what is expected by the RPM database:
$ rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }'
Is it the case that there is output?

The following command will list which files on the system have file hashes different from what is expected by the RPM database:
$ rpm -Va | awk '$1 ~ /..5/ && $2 != "c"'
Is it the case that there is output?

Run the following command to determine if the aide package is installed:
$ rpm -q aide
Is it the case that the package is not installed?

To determine that AIDE is verifying extended file attributes, run the following command:
$ grep xattrs /etc/aide.conf
Verify that the xattrs option is added to the correct ruleset.
Is it the case that the xattrs option is missing or not added to the correct ruleset?

To determine that AIDE is verifying ACLs, run the following command:
$ grep acl /etc/aide.conf
Verify that the acl option is added to the correct ruleset.
Is it the case that the acl option is missing or not added to the correct ruleset?

To determine that AIDE is configured for FIPS 140-2 file hashing, run the following command:
$ grep sha512 /etc/aide.conf
Verify that the sha512 option is added to the correct ruleset.
Is it the case that the sha512 option is missing or not added to the correct ruleset?

To determine that periodic AIDE execution has been scheduled, run the following command:
$ grep aide /etc/crontab
The output should return something similar to the following:
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
Is it the case that AIDE has not been configured or has not been configured to notify personnel of scan details?

To determine that periodic AIDE execution has been scheduled, run the following command:
$ grep aide /etc/crontab
The output should return something similar to the following:
05 4 * * * root /usr/sbin/aide --check
NOTE: The usage of special cron times, such as @daily or @weekly, is acceptable.
Is it the case that there is no output?

To find the location of the AIDE database file, run the following command:
$ sudo ls -l DBDIR/database_file_name
Is it the case that there is no database file?

To determine whether yum has been configured to disable gpgcheck for any repos, inspect all files in /etc/yum.repos.d and ensure the following does not appear in any sections:
gpgcheck=0
A value of 0 indicates that gpgcheck has been disabled for that repo.
Is it the case that GPG checking is disabled?

If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server which provides updates, invoking the following command will indicate if updates are available:
$ sudo yum check-update
If the system is not configured to update from one of these sources, run the following command to list when each package was last updated:
$ rpm -qa --last
Compare this to Red Hat Security Advisories (RHSA) listed at https://access.redhat.com/security/updates/active/ to determine if the system is missing applicable updates.
Is it the case that updates are not installed?

To verify that localpkg_gpgcheck is configured properly, run the following command:
$ grep localpkg_gpgcheck /etc/yum.conf
The output should return something similar to:
localpkg_gpgcheck=1
Is it the case that gpgcheck is not enabled or configured correctly to verify local packages?

To ensure that the GPG key is installed, run:
$ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey
The command should return the string below:
gpg(Red Hat, Inc. (release key 2) <security@redhat.com>)
Is it the case that the Red Hat GPG Key is not installed?

To verify that repo_gpgcheck is configured properly, run the following command:
$ grep repo_gpgcheck /etc/yum.conf
The output should return something similar to:
repo_gpgcheck=1
Is it the case that gpgcheck is not enabled or configured correctly to verify repository metadata?

To verify that clean_requirements_on_remove is configured properly, run the following command:
$ grep clean_requirements_on_remove /etc/yum.conf
The output should return something similar to:
clean_requirements_on_remove=1
Is it the case that clean_requirements_on_remove is not enabled or configured correctly?

To determine whether yum is configured to use gpgcheck, inspect /etc/yum.conf and ensure the following appears in the [main] section:
gpgcheck=1
A value of 1 indicates that gpgcheck is enabled. Absence of a gpgcheck line or a setting of 0 indicates that it is disabled.
Is it the case that GPG checking is not enabled?

To ensure the screensaver is configured to be blank, run the following command:
$ gconftool-2 -g /apps/gnome-screensaver/mode
If properly configured, the output should be blank-only
Is it the case that it is not?

To check the status of the idle screen lock activation, run the following command:
$ gconftool-2 -g /apps/gnome-screensaver/lock_enabled
If properly configured, the output should be true.
Is it the case that it is not?

To check the screensaver locking keybindings, run the following command:
$ gconftool-2 -g /apps/gnome_settings_daemon/keybindings/screensaver
If properly configured, the output should be <Control><Alt>l.
Is it the case that GNOME screensaver locking keybindings are configured and cannot be changed?

To ensure that users cannot change session idle and lock settings, run the following:
$ grep 'idle-delay' /etc/dconf/db/local.d/locks/*
If properly configured, the output should return:
/org/gnome/desktop/session/idle-delay
Is it the case that GNOME3 session settings are not locked or configured properly?

To check that the screen locks immediately when activated, run the following command:
$ gsettings get org.gnome.desktop.screensaver lock-delay
If properly configured, the output should be 'uint32 '.
To ensure that users cannot change how long until the screensaver locks, run the following:
$ grep lock-delay /etc/dconf/db/local.d/locks/*
If properly configured, the output for lock-delay should be /org/gnome/desktop/screensaver/lock-delay
Is it the case that the screensaver lock delay is missing, or is set to a value greater than 5?

To ensure the splash screen is configured not to show the user name, run the following command:
$ gsettings get org.gnome.desktop.screensaver show-full-name-in-top-bar
If properly configured, the output should be false.
To ensure that users cannot enable the user name on the lock screen, run the following:
$ grep show-full-name-in-top-bar /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/screensaver/show-full-name-in-top-bar
Is it the case that it is not set or configured properly?

To ensure that users cannot change session idle and lock settings, run the following:
$ grep 'lock-delay' /etc/dconf/db/local.d/locks/*
If properly configured, the output should return:
/org/gnome/desktop/screensaver/lock-delay
Is it the case that GNOME3 session settings are not locked or configured properly?

To check the screensaver mandatory use status, run the following command:
$ gconftool-2 -g /apps/gnome-screensaver/idle_activation_enabled
If properly configured, the output should be true.
Is it the case that it is not?

To check the screensaver mandatory use status, run the following command:
$ gsettings get org.gnome.desktop.screensaver idle-activation-enabled
If properly configured, the output should be true.
To ensure that users cannot disable the screensaver idle inactivity setting, run the following:
$ grep idle-activation-enabled /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/screensaver/idle-activation-enabled
Is it the case that idle_activation_enabled is not enabled or configured?

To check the current idle time-out value, run the following command:
$ gconftool-2 -g /desktop/gnome/session/max_idle_action
If properly configured, the output should be forced-logout.
Is it the case that it is not?

To check the current idle time-out value, run the following command:
$ gsettings get org.gnome.desktop.session idle-delay
If properly configured, the output should be 'uint32 '.
To ensure that users cannot change the screensaver inactivity timeout setting, run the following:
$ grep idle-delay /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/session/idle-delay
Is it the case that idle-delay is not equal to or less than the expected value?

To ensure that users cannot change how long until the screensaver locks, run the following:
$ grep lock-enabled /etc/dconf/db/local.d/locks/*
If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled
Is it the case that screensaver locking is not locked?

To check the current idle time-out value, run the following command:
$ gconftool-2 -g /desktop/gnome/session/max_idle_time
If properly configured, the output should be .
Is it the case that it is not?

To ensure the screensaver is configured to be blank, run the following command:
$ gsettings get org.gnome.desktop.screensaver picture-uri
If properly configured, the output should be ''.
To ensure that users cannot set the screensaver background, run the following:
$ grep picture-uri /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/screensaver/picture-uri
Is it the case that it is not set or configured properly?

To check the current idle time-out value, run the following command:
$ gconftool-2 -g /desktop/gnome/session/idle_delay
If properly configured, the output should be .
Is it the case that it is not?

To check the status of the idle screen lock activation, run the following command:
$ gsettings get org.gnome.desktop.screensaver lock-enabled
If properly configured, the output should be true.
To ensure that users cannot change how long until the screensaver locks, run the following:
$ grep lock-enabled /etc/dconf/db/local.d/locks/*
If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled
Is it the case that screensaver locking is not enabled and/or has not been set or configured correctly?

To ensure that users cannot disable the screensaver idle inactivity setting, run the following:
$ grep idle-activation-enabled /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/screensaver/idle-activation-enabled
Is it the case that idle_activation_enabled is not locked?

These settings can be verified by running the following:
$ gconftool-2 -g /apps/nautilus/preferences/media_automount
The output should return false.
$ gconftool-2 -g /apps/nautilus/preferences/media_autorun_never
The output should return true.
Is it the case that GNOME automounting is not disabled?

These settings can be verified by running the following:
$ gconftool-2 -g /desktop/gnome/thumbnailers/disable_all
The output should return true.
Is it the case that GNOME thumbnailers are not disabled?

These settings can be verified by running the following:
$ gsettings get org.gnome.desktop.thumbnailers disable-all
If properly configured, the output should be true.
To ensure that users cannot re-enable thumbnailers, run the following:
$ grep disable-all /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/thumbnailers/disable-all
Is it the case that GNOME thumbnailers are not disabled?

These settings can be verified by running the following:
$ gsettings get org.gnome.desktop.media-handling automount
$ gsettings get org.gnome.desktop.media-handling automount-open
$ gsettings get org.gnome.desktop.media-handling autorun-never
If properly configured, the output for automount should be false.
If properly configured, the output for automount-open should be false. If properly configured, the output for autorun-never should be true.
To ensure that users cannot enable automount and autorun in GNOME3, run the following:
$ grep 'automount\|autorun' /etc/dconf/db/local.d/locks/*
If properly configured, the output for automount should be /org/gnome/desktop/media-handling/automount
If properly configured, the output for automount-open should be /org/gnome/desktop/media-handling/automount-open
If properly configured, the output for autorun-never should be /org/gnome/desktop/media-handling/autorun-never
Is it the case that GNOME automounting is not disabled?

To ensure that system location tracking is not active, run the following command:
$ gsettings get org.gnome.system.location enabled
$ gsettings get org.gnome.clocks geolocation
If properly configured, the output should be false.
To ensure that users cannot enable system location tracking, run the following:
$ grep location /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/system/location/enabled and /org/gnome/clocks/geolocation.
Is it the case that geolocation is enabled and not disabled?

To ensure the system is configured to ignore the Ctrl-Alt-Del sequence, run the following command:
$ gconftool-2 -g /apps/gnome_settings_daemon/keybindings/power
The output should return nothing.
Is it the case that GNOME is configured to reboot when Ctrl-Alt-Del is pressed?

To check that the clock applet does not show weather information, run the following command:
$ gconftool-2 -g /apps/panel/applets/clock/prefs/show_weather
If properly configured, the output should be false.
Is it the case that it is not?

To check that the clock applet does not show temperature information, run the following command:
$ gconftool-2 -g /apps/panel/applets/clock/prefs/show_temperature
If properly configured, the output should be false.
Is it the case that it is not?

To ensure the system is configured to ignore the Ctrl-Alt-Del sequence, run the following command:
$ gsettings get org.gnome.settings-daemon.plugins.media-keys logout
If properly configured, the output should be ''.
To ensure that users cannot enable the Ctrl-Alt-Del sequence, run the following:
$ grep logout /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/settings-daemon/plugins/media-keys/logout
Is it the case that GNOME3 is configured to reboot when Ctrl-Alt-Del is pressed?

To ensure that the GUI power settings are not active, run the following command:
$ gsettings get org.gnome.settings-daemon.plugins.power active
If properly configured, the output should be false.
To ensure that users cannot enable the power settings, run the following:
$ grep power /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/settings-daemon/plugins/power/active
Is it the case that power settings are enabled and are not disabled?

To ensure the GUI does not allow user administration capabilities to all users, run the following command:
$ gsettings get org.gnome.desktop.lockdown user-administration-disabled
If properly configured, the output should be true.
To ensure that users cannot enable user administration, run the following:
$ grep user-administration /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/lockdown/user-administration-disabled
Is it the case that user administration is not configured or disabled?

To ensure smart card authentication on the login screen is enabled, run the following command:
$ grep enable-smartcard-authentication /etc/dconf/db/gdm.d/*
The output should be true.
To ensure that users cannot disable smart card authentication on the login screen, run the following:
$ grep enable-smartcard-authentication /etc/dconf/db/gdm.d/locks/*
If properly configured, the output should be /org/gnome/login-screen/enable-smartcard-authentication
Is it the case that enable-smartcard-authentication has not been configured or is disabled?

To ensure disable and restart on the login screen are disabled, run the following command:
$ grep disable-restart-buttons /etc/dconf/db/gdm.d/*
The output should be true.
To ensure that users cannot enable disable and restart on the login screen, run the following:
$ grep disable-restart-buttons /etc/dconf/db/gdm.d/locks/*
If properly configured, the output should be /org/gnome/login-screen/disable-restart-buttons
Is it the case that disable-restart-buttons has not been configured or is not disabled?

To ensure disable and restart on the login screen are disabled, run the following command:
$ gconftool-2 -g /apps/gdm/simple-greeter/disable_restart_buttons
The output should be true.
Is it the case that disable-restart-buttons has not been configured or is not disabled?

To verify that automatic logins are disabled, run the following command:
$ grep -Pzoi "^\[daemon]\\nautomaticlogin.*" /etc/gdm/custom.conf
The output should show the following:
[daemon]
AutomaticLoginEnable=false
Is it the case that GDM allows users to automatically login?

To ensure the login screen resets after a specified number of failures, run the following command:
$ grep allowed-failures /etc/dconf/db/gdm.d/*
The output should be 3 or less.
To ensure that users cannot change or configure the resets after a specified number of failures on the login screen, run the following:
$ grep allowed-failures /etc/dconf/db/gdm.d/locks/*
If properly configured, the output should be /org/gnome/login-screen/allowed-failures
Is it the case that allowed-failures is not equal to or less than the expected value?

To ensure the user list is disabled, run the following command:
$ grep disable-user-list /etc/dconf/db/gdm.d/*
The output should be true.
To ensure that users cannot enable displaying the user list, run the following:
$ grep disable-user-list /etc/dconf/db/gdm.d/locks/*
If properly configured, the output should be /org/gnome/login-screen/disable-user-list
Is it the case that disable-user-list has not been configured or is not disabled?

To ensure the user list is disabled, run the following command:
$ gconftool-2 -g /apps/gdm/simple-greeter/disable_user_list
The output should be true.
Is it the case that it is not?

To verify that timed logins are disabled, run the following command:
$ grep -Pzoi "^\[daemon]\\ntimedlogin.*" /etc/gdm/custom.conf
The output should show the following:
[daemon]
TimedLoginEnable=false
Is it the case that GDM allows a guest to login without credentials?

To ensure that WIFI connections cannot be created, run the following command:
$ gconftool-2 -g /apps/nm-applet/disable-wifi-create
The output should return true.
Is it the case that WIFI connections can be created through GNOME?

To ensure that WIFI connections cannot be created, run the following command:
$ gsettings get org.gnome.nm-applet disable-wifi-create
If properly configured, the output should be true.
To ensure that users cannot enable WIFI connection creation, run the following:
$ grep wifi-create /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/nm-applet/disable-wifi-create
Is it the case that WIFI connections can be created through GNOME?

To ensure that wireless network notification is disabled, run the following command:
$ gsettings get org.gnome.nm-applet suppress-wireless-networks-available
If properly configured, the output should be true.
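The grep -Pzoi commands for AutomaticLoginEnable and TimedLoginEnable above only match when the key is on the line directly under [daemon]; a compliant custom.conf with another key in between is reported as a finding. The following is an added example, not code from the SCAP Security Guide or GDM: a section-aware reader for /etc/gdm/custom.conf that serves both checks; the two sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the SCAP Security Guide. Section-aware reader for
# GDM's key-file style custom.conf: skips comment lines and only considers
# keys inside the [daemon] section, like GDM's own parser.
# gdm_daemon_value FILE KEY: print KEY's value from the [daemon] section
# (last occurrence wins, exact-case key like GKeyFile), empty if absent.
gdm_daemon_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }                          # comment line
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*/, "", s); sect = s; next }
        sect == "daemon" && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v) }
        }
        END { print v }' "$1"
}

# gdm_logins_disabled FILE: succeed only when both AutomaticLoginEnable and
# TimedLoginEnable are explicitly "false" in [daemon]. GDM defaults both to
# false when unset, but the checks above want the setting stated explicitly.
gdm_logins_disabled() {
    [ "$(gdm_daemon_value "$1" AutomaticLoginEnable)" = false ] &&
    [ "$(gdm_daemon_value "$1" TimedLoginEnable)" = false ]
}

# Constructed sample files (not real /etc/gdm/custom.conf contents).
gdm_write_samples() {
    GDM_GOOD=$(mktemp); GDM_BAD=$(mktemp)
    cat > "$GDM_GOOD" <<'EOF'
# GDM configuration storage (constructed compliant sample)
[daemon]
WaylandEnable=false
AutomaticLoginEnable=false
TimedLoginEnable=false

[security]
EOF
    cat > "$GDM_BAD" <<'EOF'
# constructed non-compliant sample
[daemon]
# AutomaticLoginEnable=false
WaylandEnable=false
AutomaticLoginEnable = true
AutomaticLogin=kiosk
[security]
TimedLoginEnable=false
EOF
}

gdm_write_samples
gdm_logins_disabled "$GDM_GOOD" && echo "good sample: automatic and timed login disabled"
gdm_logins_disabled "$GDM_BAD" || echo "bad sample: finding"
rm -f "$GDM_GOOD" "$GDM_BAD"
```

Note that the page's grep would miss the compliant sample (WaylandEnable sits between [daemon] and the key) and would not see that TimedLoginEnable in the bad sample lives under [security], where GDM ignores it.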
To ensure that users cannot enable wireless notification, run the following: $ grep wireless-networks-available /etc/dconf/db/local.d/locks/* If properly configured, the output should be /org/gnome/nm-applet/suppress-wireless-networks-available Is it the case that wireless network notification is enabled and not disabled? To ensure that wireless network notification is disabled, run the following command: $ gconftool-2 -g /apps/nm-applet/disable-connected-notifications The output should return true. Is it the case that wireless connecting network notification is enabled and not disabled? To ensure that wireless network notification is disabled, run the following command: $ gconftool-2 -g /apps/nm-applet/disable-disconnected-notifications The output should return true. Is it the case that wireless disconnecting network notification is enabled and not disabled? To ensure that remote access connections are encrypted, run the following command: $ gsettings get org.gnome.Vino require-encrpytion If properly configured, the output should be true. To ensure that users cannot disable encrypted remote connections, run the following: $ grep require-encryption /etc/dconf/db/local.d/locks/* If properly configured, the output should be /org/gnome/Vino/require-encryption Is it the case that remote access connections are not encrypted? To ensure that remote access requires credentials, run the following command: $ gsettings get org.gnome.Vino authentication-methods If properly configured, the output should be false. To ensure that users cannot disable credentials for remote access, run the following: $ grep authentication-methods /etc/dconf/db/local.d/locks/* If properly configured, the output should be /org/gnome/Vino/authentication-methods Is it the case that wireless network notification is enabled and not disabled? 
To ensure the gdm package group is removed, run the following command: $ rpm -qi gdm The output should be: package gdm is not installed Is it the case that gdm has not been removed? To verify that the DConf uses text files as data backend, put the line service-db:keyfile/user at the top of the file /etc/dconf/profile/user Is it the case that DConf uses the binary database as data backend? In order to be sure that the databases are up-to-date, run the dconf update command as the administrator. Is it the case that The system-wide dconf databases are up-to-date with regards to respective keyfiles? To verify that the DConf User profile is configured correctly, run the following command: $ cat /etc/dconf/profile/user The output should show the following: user-db:user system-db:local system-db:site system-db:distro Is it the case that DConf User profile does not exist or is not configured correctly? To check the permissions of /etc/shadow, run the command: $ ls -l /etc/shadow If properly configured, the output should indicate the following permissions: -rw-r----- Is it the case that /etc/shadow has unix mode ----------? To check the ownership of /etc/shadow, run the command: $ ls -lL /etc/shadow If properly configured, the output should indicate the following owner: root Is it the case that /etc/shadow has owner root? To check the ownership of /etc/gshadow, run the command: $ ls -lL /etc/gshadow If properly configured, the output should indicate the following owner: root Is it the case that /etc/gshadow has owner root? To check the permissions of /etc/passwd, run the command: $ ls -l /etc/passwd If properly configured, the output should indicate the following permissions: -rw-r--r-- Is it the case that /etc/group has unix mode -rw-r--r--? To check the group ownership of /etc/gshadow, run the command: $ ls -lL /etc/gshadow If properly configured, the output should indicate the following group-owner. root Is it the case that /etc/gshadow has group owner root? 
To check the ownership of /etc/passwd, run the command:
$ ls -lL /etc/passwd
If properly configured, the output should indicate the following owner: root
Is it the case that /etc/passwd has owner root?

To check the group ownership of /etc/shadow, run the command:
$ ls -lL /etc/shadow
If properly configured, the output should indicate the following group-owner: root
Is it the case that /etc/shadow has group owner root?

To check the ownership of /etc/group, run the command:
$ ls -lL /etc/group
If properly configured, the output should indicate the following owner: root
Is it the case that /etc/group has owner root?

To check the group ownership of /etc/group, run the command:
$ ls -lL /etc/group
If properly configured, the output should indicate the following group-owner: root
Is it the case that /etc/group has group owner root?

To check the permissions of /etc/gshadow, run the command:
$ ls -l /etc/gshadow
If properly configured, the output should indicate the following permissions: ----------
Is it the case that /etc/gshadow has unix mode ----------?

To check the group ownership of /etc/passwd, run the command:
$ ls -lL /etc/passwd
If properly configured, the output should indicate the following group-owner: root
Is it the case that /etc/passwd has group owner root?

To check the permissions of /etc/passwd, run the command:
$ ls -l /etc/passwd
If properly configured, the output should indicate the following permissions: -rw-r--r--
Is it the case that /etc/passwd has unix mode -rw-r--r--?

System executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
To find system executables that are group-writable or world-writable, run the following command for each directory DIR which contains system executables:
$ sudo find -L DIR -perm /022 -type f
Is it the case that any system executables are found to be group or world writable?
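The ownership and permission checks above compare `ls -l` output by eye. The script below is an added example (not SCAP Security Guide code) that performs the same checks with exact octal modes, and it goes one step further than this page's `ls` checks by also locating world-writable directories that lack the sticky bit, a check that appears later in this guide. It assumes GNU stat and GNU find, which RHEL 7 ships; the function names, the sample directory layout and the audit list are this example's own.

```shell
#!/bin/sh
# Added example (not SSG code): audit mode/owner/group of security-critical
# files and find world-writable directories that lack the sticky bit.
# Assumes GNU stat and GNU find (present on RHEL 7).

# Normalise an octal mode string ("640", "0640", "4755") to four digits so
# that "640" and "0640" compare equal.
norm_mode() {
    printf '%04o' "$((0$1))"
}

# check_file FILE MODE OWNER GROUP
# Returns 0 when FILE has exactly the given octal mode, owner and group.
check_file() {
    file="$1"; want_mode=$(norm_mode "$2"); want_owner="$3"; want_group="$4"
    if [ ! -e "$file" ]; then
        printf 'FAIL %s: does not exist\n' "$file"
        return 1
    fi
    # %a = octal mode, %U = owner name, %G = group name (GNU stat)
    set -- $(stat -c '%a %U %G' "$file")
    have_mode=$(norm_mode "$1"); have_owner="$2"; have_group="$3"
    if [ "$have_mode" = "$want_mode" ] && [ "$have_owner" = "$want_owner" ] \
       && [ "$have_group" = "$want_group" ]; then
        printf 'PASS %s %s %s:%s\n' "$file" "$have_mode" "$have_owner" "$have_group"
        return 0
    fi
    printf 'FAIL %s: have %s %s:%s, want %s %s:%s\n' "$file" \
        "$have_mode" "$have_owner" "$have_group" "$want_mode" "$want_owner" "$want_group"
    return 1
}

# Print world-writable directories under ROOT (same filesystem only) that
# lack the sticky bit. "-perm -MODE" means "all of these bits are set", so
# "-perm -0002" matches any world-writable directory and "! -perm -1000"
# drops the ones that already carry the sticky bit.
ww_dirs_without_sticky() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000
}

# Audit the account database files with the RHEL 7 defaults: /etc/shadow and
# /etc/gshadow ship with mode 0000, /etc/passwd and /etc/group with 0644.
audit_account_files() {
    rc=0
    check_file /etc/passwd  0644 root root || rc=1
    check_file /etc/group   0644 root root || rc=1
    check_file /etc/shadow  0000 root root || rc=1
    check_file /etc/gshadow 0000 root root || rc=1
    return $rc
}

audit_account_files
echo "account file audit exit status: $?"
```

Run `ww_dirs_without_sticky PART` as root once per local partition; it prints only the directories that need `chmod +t`, whereas an exact-match `-perm 002` test would match nothing but a directory whose whole mode is 0002.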
Shared libraries are stored in the following directories:
/lib
/lib64
/usr/lib
/usr/lib64
For each of these directories, run the following command to find files not owned by root:
$ sudo find -L $DIR ! -user root -exec chown root {} \;
Note that the -exec clause changes the ownership of each file as it is found; omit it to only list the files.
Is it the case that any of these files are not owned by root?

System executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
To find system executables that are not owned by root, run the following command for each directory DIR which contains system executables:
$ sudo find DIR/ \! -user root
Is it the case that any system executables are found to not be owned by root?

Shared libraries are stored in the following directories:
/lib
/lib64
/usr/lib
/usr/lib64
To find shared libraries that are group-writable or world-writable, run the following command for each directory DIR which contains shared libraries:
$ sudo find -L DIR -perm /022 -type f
Is it the case that any of these files are group-writable or world-writable?

To find world-writable files, run the following command:
$ sudo find / -xdev -type f -perm -002
Is it the case that there is output?

The status of the fs.protected_symlinks kernel parameter can be queried by running the following command:
$ sysctl fs.protected_symlinks
The output of the command should indicate a value of 1. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command:
$ grep -r fs.protected_symlinks /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?

The following command will discover and print world-writable directories that are not owned by a system account, given the assumption that only system accounts have a uid lower than 500.
Run it once for each local partition PART:
$ sudo find PART -xdev -type d -perm -0002 -uid +499 -print
Is it the case that there is output?

The following command will discover and print any files on local partitions which do not belong to a valid group.
$ sudo find / -xdev -fstype local -nogroup
Either remove all files and directories from the system that do not have a valid group, or assign a valid group with the chgrp command:
$ sudo chgrp group file
Is it the case that there is output?

The following command will discover and print any files on local partitions which do not belong to a valid user.
$ sudo find / -xdev -fstype local -nouser
Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on the system with the chown command:
$ sudo chown user file
Is it the case that files exist that are not owned by a valid user?

The status of the fs.protected_hardlinks kernel parameter can be queried by running the following command:
$ sysctl fs.protected_hardlinks
The output of the command should indicate a value of 1. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command:
$ grep -r fs.protected_hardlinks /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?

To find world-writable files, run the following command:
$ sudo find / -xdev -type f -perm -002
Is it the case that there is output?

To find world-writable directories that lack the sticky bit, run the following command (the leading dash in -perm -0002 and -perm -1000 tests for the given bits being set, rather than for an exact mode):
$ sudo find / -xdev -type d -perm -0002 ! -perm -1000
Is it the case that any world-writable directories are missing the sticky bit?
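The fs.protected_symlinks and fs.protected_hardlinks checks above, like the fs.suid_dumpable, kernel.kptr_restrict, kernel.randomize_va_space, kernel.kexec_load_disabled, kernel.yama.ptrace_scope and kernel.dmesg_restrict checks that follow, all end with a `grep -r` over /etc/sysctl.conf and /etc/sysctl.d. A grep shows every mention of the key but not which one wins. The script below is an added example (not SCAP Security Guide code) that resolves the persisted value the way systemd-sysctl does (files in lexical order, last assignment wins, with /etc/sysctl.conf applied last on RHEL 7 via its 99-sysctl.conf symlink) and compares it with the value the guide expects. The function names and the constructed sample files are this example's own.

```shell
#!/bin/sh
# Added example (not SSG code): resolve the value that sysctl config files
# persist for a kernel parameter and compare it with the expected value.
# Files are applied in the order given; the last assignment wins, matching
# how systemd-sysctl processes /etc/sysctl.d/*.conf (lexical order, with
# /etc/sysctl.conf last on RHEL 7 because it is linked as 99-sysctl.conf).

# persisted_sysctl KEY FILE...  -> prints the last value assigned to KEY
persisted_sysctl() {
    key="$1"; shift
    value=""
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(awk -v k="$key" '
            /^[ \t]*[#;]/ { next }                 # comment line
            index($0, "=") == 0 { next }           # not an assignment
            {
                name = substr($0, 1, index($0, "=") - 1)
                val  = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/^[ \t]+|[ \t]+$/, "", val)
                sub(/^-/, "", name)                # leading "-" = ignore errors
                gsub("/", ".", name)               # sysctl also accepts a/b/c keys
                if (name == k) last = val
            }
            END { if (last != "") print last }' "$f")
        [ -n "$v" ] && value="$v"
    done
    printf '%s\n' "$value"
}

# runtime_sysctl KEY -> the value the running kernel currently has
# (empty when sysctl is not available, e.g. in a build container)
runtime_sysctl() {
    sysctl -n "$1" 2>/dev/null
}

# check_sysctl KEY EXPECTED FILE...  -> 0 if the persisted value matches
check_sysctl() {
    key="$1"; expected="$2"; shift 2
    actual=$(persisted_sysctl "$key" "$@")
    if [ "$actual" = "$expected" ]; then
        printf 'PASS %s = %s\n' "$key" "$actual"
        return 0
    fi
    printf 'FAIL %s: expected %s, persisted value "%s"\n' "$key" "$expected" "$actual"
    return 1
}

# Constructed sample layout, used only for the demonstration below.
make_sample_sysctl_dir() {
    d=$(mktemp -d)
    cat > "$d/10-hardening.conf" <<'EOF'
# constructed sample: hardened settings
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
kernel.kptr_restrict = 1
kernel.randomize_va_space = 2
EOF
    cat > "$d/50-app.conf" <<'EOF'
; constructed sample: a later file silently weakens kptr_restrict
kernel/kptr_restrict = 0
EOF
    printf '%s\n' "$d"
}

# Run the guide's sysctl expectations against a directory of *.conf files.
audit_sysctl_dir() {
    dir="$1"; rc=0
    for spec in fs.protected_symlinks=1 fs.protected_hardlinks=1 fs.suid_dumpable=0 \
                kernel.kptr_restrict=1 kernel.randomize_va_space=2 kernel.dmesg_restrict=1; do
        check_sysctl "${spec%%=*}" "${spec#*=}" "$dir"/*.conf || rc=1
    done
    return $rc
}

sample=$(make_sample_sysctl_dir)
audit_sysctl_dir "$sample"
echo "persisted sysctl audit exit status: $?"
rm -rf "$sample"
```

On a real host, call `audit_sysctl_dir /etc/sysctl.d` and compare each key with `runtime_sysctl KEY`: a key that is absent from every file reports an empty persisted value, which is exactly the case where a correct runtime value will not survive a reboot.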
To check the permissions of /boot/System.map-*, run the command:
$ ls -l /boot/System.map-*
If properly configured, the output should indicate the following permissions: -rw-------
Is it the case that ?

To find world-writable files, run the following command:
$ sudo find / -xdev -type f -perm -002
Is it the case that only authorized files appear in the output of the find command?

If the system is configured to prevent the loading of the usb-storage kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned?

To check that the autofs service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled autofs
Output should indicate the autofs service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled autofs
disabled
Run the following command to verify autofs is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active autofs
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To verify that binaries cannot be directly executed from removable media, run the following command:
$ grep -v noexec /etc/fstab
The resulting output will show partitions which do not have the noexec flag. Verify that none of the partitions in the output are removable media.
Is it the case that removable media partitions are present?

To check the value of the umask, run the following command:
$ grep umask /etc/init.d/functions
The output should show .
Is it the case that it does not?
Inspect the default GRUB 2 command line for the Linux operating system in /etc/default/grub. If it includes slub_debug=P, then SLUB/SLAB poisoning is enabled at boot time. To ensure slub_debug=P is configured on all installed kernels, the following command may be used:
$ sudo /sbin/grubby --update-kernel=ALL --args="slub_debug=P"
Is it the case that SLUB/SLAB poisoning is not enabled?

Inspect the default GRUB 2 command line for the Linux operating system in /etc/default/grub. If it includes page_poison=1, then page poisoning is enabled at boot time. To ensure page_poison=1 is configured on all installed kernels, the following command may be used:
$ sudo /sbin/grubby --update-kernel=ALL --args="page_poison=1"
Is it the case that page allocator poisoning is not enabled?

The status of the fs.suid_dumpable kernel parameter can be queried by running the following command:
$ sysctl fs.suid_dumpable
The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command:
$ grep -r fs.suid_dumpable /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?

To verify that core dumps are disabled for all users, run the following command:
$ grep core /etc/security/limits.conf
The output should be:
* hard core 0
Is it the case that it is not?

The status of the kernel.kptr_restrict kernel parameter can be queried by running the following command:
$ sysctl kernel.kptr_restrict
The output of the command should indicate a value of 1. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf.
You can verify this by running the following command:
$ grep -r kernel.kptr_restrict /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?

To verify ExecShield is enabled on 64-bit Red Hat Enterprise Linux 7 systems, run the following command:
$ dmesg | grep '[NX|DX]*protection'
The output should not contain 'disabled by kernel command line option'.
To verify that ExecShield has not been disabled in the kernel configuration, run the following command:
$ sudo grep noexec /boot/grub2/grub.cfg
The output should not return noexec=off.
For 32-bit Red Hat Enterprise Linux 7 systems, run the following command:
$ sysctl kernel.exec-shield
The output should be:
To set the runtime status of the kernel.exec-shield kernel parameter, run the following command:
$ sudo sysctl -w kernel.exec-shield=1
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:
kernel.exec-shield = 1
Is it the case that ExecShield is not supported by the hardware, is not enabled, or has been disabled by the kernel configuration?

The status of the kernel.randomize_va_space kernel parameter can be queried by running the following command:
$ sysctl kernel.randomize_va_space
The output of the command should indicate a value of 2. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command:
$ grep -r kernel.randomize_va_space /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?

The status of the kernel.kexec_load_disabled kernel parameter can be queried by running the following command:
$ sysctl kernel.kexec_load_disabled
The output of the command should indicate a value of 1.
If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command:
$ grep -r kernel.kexec_load_disabled /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?

Inspect the default GRUB 2 command line for the Linux operating system in /etc/default/grub. If it includes vsyscall=none, then virtual syscalls are not enabled at boot time. To ensure vsyscall=none is configured on all installed kernels, the following command may be used:
$ sudo /sbin/grubby --update-kernel=ALL --args="vsyscall=none"
Is it the case that vsyscalls are enabled?

The status of the kernel.yama.ptrace_scope kernel parameter can be queried by running the following command:
$ sysctl kernel.yama.ptrace_scope
The output of the command should indicate a value of 1. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command:
$ grep -r kernel.yama.ptrace_scope /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?

The status of the kernel.dmesg_restrict kernel parameter can be queried by running the following command:
$ sysctl kernel.dmesg_restrict
The output of the command should indicate a value of 1. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf.
You can verify this by running the following command:
$ grep -r kernel.dmesg_restrict /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?

Guide to the Secure Configuration of Red Hat Enterprise Linux 7 (draft)

This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 7. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is available in the scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and make no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

The SCAP Security Guide Project
https://www.open-scap.org/security-policies/scap-security-guide

Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.

Version 0.1.43

Publisher: SCAP Security Guide Project

Contributors: Frank J Cameron (CAM1244) <cameron@ctc.com> 0x66656c6978 <0x66656c6978@users.noreply.github.com> Gabe Alford <redhatrises@gmail.com> Firas AlShafei <firas.alshafei@us.abb.com> Christopher Anderson <cba@fedoraproject.org> angystardust <angystardust@users.noreply.github.com> Chuck Atkins <chuck.atkins@kitware.com> Ryan Ballanger <root@rballang-admin-2.fastenal.com> Alex Baranowski <alex@euro-linux.com> Molly Jo Bault <Molly.Jo.Bault@ballardtech.com> Gabriel Becker <ggasparb@redhat.com> Alexander Bergmann <abergmann@suse.com> Jose Luis BG <bgjoseluis@gmail.com> Joseph Bisch <joseph.bisch@gmail.com> Jeffrey Blank <blank@eclipse.ncsc.mil> Olivier Bonhomme <ptitoliv@ptitoliv.net> Ted Brunell <tbrunell@redhat.com> Blake Burkhart <blake.burkhart@us.af.mil> Patrick Callahan <pmc@patrickcallahan.com> Nick Carboni <ncarboni@redhat.com> James Cassell <james.cassell@ll.mit.edu> Frank Caviggia <fcaviggi@ra.iad.redhat.com> Eric Christensen <echriste@redhat.com> Caleb Cooper <coopercd@ornl.gov> Deric Crago <deric.crago@gmail.com> Maura Dailey <maura@eclipse.ncsc.mil> Klaas Demter <demter@atix.de> dhanushkar-wso2 <dhanushkar@wso2.com> Andrew DiPrinzio <andrew.diprinzio@jhuapl.edu> Jean-Baptiste Donnette <jean-baptiste.donnette@epita.fr> drax <applezip@gmail.com> Greg Elin
<gregelin@gitmachines.com> Leah Fisher <lfisher047@gmail.com> Alijohn Ghassemlouei <alijohn.ghassemlouei@sapns2.com> Andrew Gilmore <agilmore2@gmail.com> Joshua Glemza <jglemza@nasa.gov> Loren Gordon <lorengordon@users.noreply.github.com> Patrik Greco <sikevux@sikevux.se> Steve Grubb <sgrubb@redhat.com> Marek Haicman <mhaicman@redhat.com> Rebekah Hayes <rhayes@corp.rivierautilities.com> Trey Henefield <thenefield@gmail.com> Henning Henkel <henning.henkel@helvetia.ch> hex2a <hex2a@users.noreply.github.com> John Hooks <jhooks@starscream.pa.jhbcomputers.com> Robin Price II <robin@redhat.com> Jeremiah Jahn <jeremiah@goodinassociates.com> Stephan Joerrens <Stephan.Joerrens@fiduciagad.de> Kai Kang <kai.kang@windriver.com> Charles Kernstock <charles.kernstock@ultra-ats.com> Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com> Peter 'Pessoft' Kolínek <github@pessoft.com> Luke Kordell <luke.t.kordell@lmco.com> kspargur <kspargur@kspargur.csb> Amit Kumar <amitkuma@redhat.com> Fen Labalme <fen@civicactions.com> Ian Lee <lee1001@llnl.gov> Jarrett Lee <jarrettl@umd.edu> Jan Lieskovsky <jlieskov@redhat.com> Lee Kinser <lee.kinser@gmail.com> Šimon Lukašík <slukasik@redhat.com> Milan Lysonek <mlysonek@redhat.com> Fredrik Lysén <fredrik@pipemore.se> Matus Marhefka <mmarhefk@redhat.com> Jamie Lorwey Martin <jlmartin@redhat.com> Michael McConachie <michael@redhat.com> Khary Mendez <kharyam@gmail.com> Rodney Mercer <rmercer@harris.com> Matt Micene <nzwulfin@gmail.com> Brian Millett <bmillett@gmail.com> Mixer9 <35545791+Mixer9@users.noreply.github.com> mmosel <mmosel@kde.example.com> Zbynek Moravec <zmoravec@redhat.com> Kazuo Moriwaka <moriwaka@users.noreply.github.com> Michael Moseley <michael@eclipse.ncsc.mil> Joe Nall <joe@nall.com> Neiloy <neiloy@redhat.com> Axel Nennker <axel@nennker.de> Michele Newman <mnewman@redhat.com> Sean O'Keeffe <seanokeeffe797@gmail.com> Ilya Okomin <ilya.okomin@oracle.com> Kaustubh Padegaonkar <theTuxRacer@gmail.com> Michael Palmiotto <mpalmiotto@tresys.com> 
Max R.D. Parmer <maxp@trystero.is> pcactr <paul.c.arnold4.ctr@mail.mil> Kenneth Peeples <kennethwpeeples@gmail.com> Nathan Peters <Nathaniel.Peters@ca.com> Frank Lin PIAT <fpiat@klabs.be> Stefan Pietsch <mail.ipv4v6+gh@gmail.com> Martin Preisler <mpreisle@redhat.com> Wesley Ceraso Prudencio <wcerasop@redhat.com> Raphael Sanchez Prudencio <rsprudencio@redhat.com> T.O. Radzy Radzykewycz <radzy@windriver.com> Kenyon Ralph <kenyon@kenyonralph.com> Rick Renshaw <Richard_Renshaw@xtoenergy.com> Chris Reynolds <c.reynolds82@gmail.com> Pat Riehecky <riehecky@fnal.gov> rlucente-se-jboss <rlucente@redhat.com> Joshua Roys <roysjosh@gmail.com> rrenshaw <bofh69@yahoo.com> Chris Ruffalo <chris.ruffalo@gmail.com> Ray Shaw (Cont ARL/CISD) rvshaw <rvshaw@esme.arl.army.mil> Willy Santos <wsantos@redhat.com> Gautam Satish <gautams@hpe.com> Watson Sato <wsato@redhat.com> Satoru SATOH <satoru.satoh@gmail.com> Alexander Scheel <ascheel@redhat.com> Spencer Shimko <sshimko@tresys.com> Thomas Sjögren <konstruktoid@users.noreply.github.com> Francisco Slavin <fslavin@tresys.com> David Smith <dsmith@eclipse.ncsc.mil> Kevin Spargur <kspargur@redhat.com> Kenneth Stailey <kstailey.lists@gmail.com> Leland Steinke <leland.j.steinke.ctr@mail.mil> Brian Stinson <brian@bstinson.com> Philippe Thierry <phil@reseau-libre.net> Paul Tittle <ptittle@cmf.nrl.navy.mil> tomas.hudik <tomas.hudik@embedit.cz> Jeb Trayer <jeb.d.trayer@uscg.mil> Matěj Týč <matyc@redhat.com> VadimDor <29509093+VadimDor@users.noreply.github.com> Shawn Wells <shawn@redhat.com> Daniel E. 
White <linuxdan@users.noreply.github.com> Roy Williams <roywilli@roywilli.redhat.com> Rob Wilmoth <rwilmoth@redhat.com> Lucas Yamanishi <lucas.yamanishi@onyxpoint.com> Xirui Yang <xirui.yang@oracle.com> Kevin Zimmerman <kevin.zimmerman@kitware.com> Jan Černý <jcerny@redhat.com> Michal Šrubař <msrubar@redhat.com>

https://github.com/OpenSCAP/scap-security-guide/releases/latest

DISA STIG for Red Hat Enterprise Linux 7

This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux V1R4. In addition to being applicable to RHEL7, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based off RHEL7, such as:
- Red Hat Enterprise Linux Server
- Red Hat Enterprise Linux Workstation and Desktop
- Red Hat Enterprise Linux for HPC
- Red Hat Storage

United States Government Configuration Baseline

This compliance profile reflects the core set of security related configuration settings for deployment of Red Hat Enterprise Linux 7.x into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat. This baseline implements configuration requirements from the following sources:
- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
- NIST Controlled Unclassified Information (NIST 800-171)
- NIST 800-53 control selections for MODERATE impact systems (NIST 800-53)
- U.S. Government Configuration Baseline (USGCB)
- NIAP Protection Profile for General Purpose Operating Systems v4.0 (OSPP v4.0)
- DISA Operating System Security Requirements Guide (OS SRG)
For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen.
Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package. This profile reflects U.S. Government consensus content and is developed through the OpenSCAP/SCAP Security Guide initiative, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors OpenSCAP/SCAP Security Guide content as minor divergences, such as bugfixes, work through the consensus and release processes.

Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)

This profile contains the minimum security relevant configuration settings recommended by Red Hat, Inc for Red Hat Enterprise Linux 7 instances deployed by Red Hat Certified Cloud Providers.

VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)

This compliance profile reflects the core set of security related configuration settings for deployment of Red Hat Enterprise Linux Hypervisor (RHELH) 7.x into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat. This baseline implements configuration requirements from the following sources:
- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
- NIST 800-53 control selections for MODERATE impact systems (NIST 800-53)
- U.S. Government Configuration Baseline (USGCB)
- NIAP Protection Profile for Virtualization v1.0 (VPP v1.0)
For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package. This profile reflects U.S.
Government consensus content and is developed through the ComplianceAsCode project, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work through the consensus and release processes.

Health Insurance Portability and Accountability Act (HIPAA)

The HIPAA Security Rule establishes U.S. national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. This profile configures Red Hat Enterprise Linux 7 to the HIPAA Security Rule identified for securing of electronic protected health information.

Remediation functions used by the SCAP Security Guide Project

XCCDF form of the various remediation functions as used by remediation scripts from the SCAP Security Guide Project.

Services

The best protection against vulnerable software is running less software. This section describes how to review the software which Red Hat Enterprise Linux 7 installs on a system and disable software which is not needed. It then enumerates the software packages installed on a default Red Hat Enterprise Linux 7 system and provides guidance about which ones can be safely disabled. Red Hat Enterprise Linux 7 provides a convenient minimal install option that essentially installs the bare necessities for a functional system. When building Red Hat Enterprise Linux 7 systems, it is highly recommended to select the minimal packages and then build up the system from there.
Obsolete Services

This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or severely limiting the service has been the best available guidance for some time. As a result of this, many of these services are not installed as part of Red Hat Enterprise Linux 7 by default. Organizations which are running these services should switch to more secure equivalents as soon as possible. If it remains absolutely necessary to run one of these services for legacy reasons, care should be taken to restrict the service as much as possible, for instance by configuring host firewall software such as firewalld to restrict access to the vulnerable service to only those remote hosts which have a known need to use it.

Rlogin, Rsh, and Rexec

The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.

Uninstall rsh Package

The rsh package contains the client commands for the rsh services.

References: 2.3.2 3.1.13 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) A.8.2.3 A.13.1.1 A.13.2.1 A.13.2.3 A.14.1.2 A.14.1.3

These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh, rcp, and rlogin.
Identifiers: CCE-27274-0

Anaconda kickstart remediation:

    package --remove=rsh

Ansible remediation:

    - name: Ensure rsh is removed
      package:
        name: rsh
        state: absent
      tags:
        - package_rsh_removed
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-27274-0
        - NIST-800-171-3.1.13

Puppet remediation:

    include remove_rsh
    class remove_rsh {
      package { 'rsh':
        ensure => 'purged',
      }
    }

Disable rlogin Service

The rlogin service, which is available with the rsh-server package and runs as a service through xinetd or separately as a systemd socket, should be disabled. If using xinetd, set disable to yes in /etc/xinetd.d/rlogin. The rlogin socket can be disabled with the following command:
$ sudo systemctl disable rlogin.socket

References: 2.2.17 1 11 12 14 15 16 3 5 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.06 DSS06.10 3.1.13 3.4.7 CCI-001436 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.18.1.4 A.6.2.1 A.6.2.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 AC-17(8) CM-7 IA-5(1)(c) PR.AC-1 PR.AC-3 PR.AC-6 PR.AC-7 PR.IP-1 PR.PT-3 PR.PT-4

The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
Identifiers: CCE-27336-7

Shell remediation:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'rlogin.service'
    "$SYSTEMCTL_EXEC" disable 'rlogin.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rlogin.socket\>' && "$SYSTEMCTL_EXEC" disable 'rlogin.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'rlogin.service'

Ansible remediation:

    - name: Disable service rlogin
      service:
        name: rlogin
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
        - service_rlogin_disabled
        - high_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-27336-7
        - NIST-800-53-AC-17(8)
        - NIST-800-53-CM-7
        - NIST-800-53-IA-5(1)(c)
        - NIST-800-171-3.1.13
        - NIST-800-171-3.4.7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service rlogin if applicable
      service:
        name: rlogin.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
        - service_rlogin_disabled
        - high_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-27336-7
        - NIST-800-53-AC-17(8)
        - NIST-800-53-CM-7
        - NIST-800-53-IA-5(1)(c)
        - NIST-800-171-3.1.13
        - NIST-800-171-3.4.7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable rexec Service

The rexec service, which is available with the rsh-server package and runs as a service through xinetd or separately as a systemd socket, should be disabled. If using xinetd, set disable to yes in /etc/xinetd.d/rexec.
The rexec socket can be disabled with the following command:
$ sudo systemctl disable rexec.socket

References: 2.2.17 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 3.1.13 3.4.7 CCI-000068 CCI-001436 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4

The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.

Identifiers: CCE-27408-4

Shell remediation:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'rexec.service'
    "$SYSTEMCTL_EXEC" disable 'rexec.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rexec.socket\>' && "$SYSTEMCTL_EXEC" disable 'rexec.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'rexec.service'

Ansible remediation:

    - name: Disable service rexec
      service:
        name: rexec
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
        - service_rexec_disabled
        - high_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-27408-4
        - NIST-800-53-AC-17(8)
        - NIST-800-53-CM-7
        - NIST-800-171-3.1.13
        - NIST-800-171-3.4.7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service rexec if applicable
      service:
        name: rexec.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
        - service_rexec_disabled
        - high_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-27408-4
        - NIST-800-53-AC-17(8)
        - NIST-800-53-CM-7
        - NIST-800-171-3.1.13
        - NIST-800-171-3.4.7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Remove Host-Based Authentication Files

The shosts.equiv file lists remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location:
$ sudo rm /[path]/[to]/[file]/shosts.equiv

References: CCI-000366 SRG-OS-000480-GPOS-00227 RHEL-07-040550 SV-86903r2_rule

The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or the use of two-factor authentication.
Identifier: CCE-80513-5

Remediation Shell script:
```bash
# Identify local mounts
MOUNT_LIST=$(df | grep "^/dev" | awk '{ print $6 }')

# Find file on each listed mount point
for cur_mount in ${MOUNT_LIST}
do
  find ${cur_mount} -xdev -type f -name "shosts.equiv" -exec rm -f {} \;
done
```

Rule: Disable rsh Service

Description:
The rsh service, which is available with the rsh-server package and runs as a service through xinetd or separately as a systemd socket, should be disabled. If using xinetd, set disable to yes in /etc/xinetd.d/rsh. The rsh socket can be disabled with the following command:

    $ sudo systemctl disable rsh.socket

References: 2.2.17 1 11 12 14 15 16 3 5 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.06 DSS06.10 3.1.13 3.4.7 CCI-000068 CCI-001436 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.18.1.4 A.6.2.1 A.6.2.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 AC-17(8) CM-7 IA-5(1)(c) PR.AC-1 PR.AC-3 PR.AC-6 PR.AC-7 PR.IP-1 PR.PT-3 PR.PT-4

Rationale:
The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
Identifier: CCE-27337-5

Remediation Shell script:
```bash
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'rsh.service'
"$SYSTEMCTL_EXEC" disable 'rsh.service'
# Disable socket activation if we have a unit file for it
"$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rsh.socket\>' && "$SYSTEMCTL_EXEC" disable 'rsh.socket'
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'rsh.service'
```

Remediation Ansible snippet:
```yaml
- name: Disable service rsh
  service:
    name: rsh
    enabled: "no"
    state: "stopped"
  register: service_result
  failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
  tags:
    - service_rsh_disabled
    - high_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-27337-5
    - NIST-800-53-AC-17(8)
    - NIST-800-53-CM-7
    - NIST-800-53-IA-5(1)(c)
    - NIST-800-171-3.1.13
    - NIST-800-171-3.4.7
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Disable socket of service rsh if applicable
  service:
    name: rsh.socket
    enabled: "no"
    state: "stopped"
  register: socket_result
  failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
  tags:
    - service_rsh_disabled
    - high_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-27337-5
    - NIST-800-53-AC-17(8)
    - NIST-800-53-CM-7
    - NIST-800-53-IA-5(1)(c)
    - NIST-800-171-3.1.13
    - NIST-800-171-3.4.7
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Rule: Remove User Host-Based Authentication Files

Description:
The ~/.shosts files (in each user's home directory) list remote hosts and users that are trusted by the local system.
To remove these files, run the following command to delete them from any location:

    $ sudo rm ~/.shosts

References: CCI-000366 SRG-OS-000480-GPOS-00227 RHEL-07-040540 SV-86901r2_rule

Rationale:
The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.

Identifier: CCE-80514-3

Remediation Shell script:
```bash
# Identify local mounts
MOUNT_LIST=$(df | grep "^/dev" | awk '{ print $6 }')

# Find file on each listed mount point
for cur_mount in ${MOUNT_LIST}
do
  find ${cur_mount} -xdev -type f -name ".shosts" -exec rm -f {} \;
done
```

Rule: Uninstall rsh-server Package

Description:
The rsh-server package can be removed with the following command:

    $ sudo yum erase rsh-server

References: RHEL-07-020000 SV-86591r2_rule 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 CCI-000381 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7(a) PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000095-GPOS-00049

Rationale:
The rsh-server service provides an unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication.
If a privileged user were to login using this service, the privileged user password could be compromised. The rsh-server package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation.

Identifier: CCE-27342-5

Remediation Shell script:
```bash
package_remove rsh-server
```

Remediation Ansible snippet:
```yaml
- name: Ensure rsh-server is removed
  package:
    name: rsh-server
    state: absent
  tags:
    - package_rsh-server_removed
    - high_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-27342-5
    - NIST-800-53-AC-17(8)
    - NIST-800-53-CM-7(a)
    - DISA-STIG-RHEL-07-020000
```

Remediation Puppet snippet:
```puppet
include remove_rsh-server
class remove_rsh-server {
  package { 'rsh-server':
    ensure => 'purged',
  }
}
```

Remediation Anaconda snippet:
```
package --remove=rsh-server
```

Rule: Remove Rsh Trust Files

Description:
The files /etc/hosts.equiv and ~/.rhosts (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To remove these files, run the following command to delete them from any location:

    $ sudo rm /etc/hosts.equiv
    $ rm ~/.rhosts

References: 6.2.14 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 CCI-001436 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4

Rationale:
Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.
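The remediations for the trust-file rules above (shosts.equiv, ~/.shosts, /etc/hosts.equiv, ~/.rhosts) delete what they find, so a defender normally wants a read-only audit first. The shell snippet below is an added example and not SCAP Security Guide code: it lists every trust file under a root directory, taking home directories from a passwd file rather than assuming they all live under /home, and contrasts that with a /home-only scan of the kind the rhosts remediation performs. The sample tree, passwd entries and file contents are constructed for the demonstration; on a live host the arguments would be / and /etc/passwd, and /etc/ssh/shosts.equiv is the path sshd(8) consults for system-wide host-based trust.

```shell
#!/bin/sh
# Added example (not SSG code): read-only audit of r-services and SSH
# host-based trust files. ROOT is prefixed to every path so the check can run
# against a constructed tree; PASSWD is the passwd file home directories are
# read from.

# List every trust file present under ROOT, one path per line.
audit_trust_files() {
    root=$1
    passwd=$2
    # System-wide files consulted by rshd (hosts.equiv) and sshd (shosts.equiv).
    for f in etc/hosts.equiv etc/ssh/shosts.equiv; do
        [ -f "$root/$f" ] && echo "$root/$f"
    done
    # Per-user files: homes come from passwd (field 6), not from /home, so
    # service accounts homed elsewhere are covered too.
    awk -F: '$6 != "" { print $6 }' "$passwd" | while read -r home; do
        for f in .rhosts .shosts; do
            [ -f "$root$home/$f" ] && echo "$root$home/$f"
        done
    done
    return 0
}

# Number of trust files found by the passwd-driven audit.
count_trust_files() {
    audit_trust_files "$1" "$2" | wc -l | tr -d ' '
}

# Number found by a /home-only scan for .rhosts, the shape of the remediation
# above; homes outside /home and .shosts files are invisible to it.
count_home_only_scan() {
    find "$1/home" -maxdepth 2 -type f -name .rhosts 2>/dev/null | wc -l | tr -d ' '
}

# Constructed sample tree: two accounts, one of them homed outside /home.
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/etc/ssh" "$SAMPLE_ROOT/home/alice" "$SAMPLE_ROOT/srv/backup"
cat > "$SAMPLE_ROOT/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
backup:x:1001:1001::/srv/backup:/bin/sh
EOF
echo "trusted-host alice" > "$SAMPLE_ROOT/home/alice/.rhosts"
echo "trusted-host"       > "$SAMPLE_ROOT/srv/backup/.shosts"
echo "trusted-host"       > "$SAMPLE_ROOT/etc/hosts.equiv"

echo "passwd-driven audit found $(count_trust_files "$SAMPLE_ROOT" "$SAMPLE_ROOT/etc/passwd") file(s):"
audit_trust_files "$SAMPLE_ROOT" "$SAMPLE_ROOT/etc/passwd"
echo "/home-only scan found $(count_home_only_scan "$SAMPLE_ROOT") file(s)"
# Remove the sample tree with: rm -rf "$SAMPLE_ROOT"
```

On the constructed tree the passwd-driven audit reports three files while the /home-only scan reports one, which is the gap worth closing before running a deleting remediation: an account whose home is under /srv keeps its .shosts file, and SSH host-based trust stays in place.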
Identifier: CCE-27406-8

Remediation Shell script:
```bash
find /home -maxdepth 2 -type f -name .rhosts -exec rm -f '{}' \;
if [ -f /etc/hosts.equiv ]; then
  /bin/rm -f /etc/hosts.equiv
fi
```

Remediation Ansible snippet:
```yaml
- block:
    - name: "Detect shosts.equiv Files on the System"
      find:
        paths: /
        recurse: yes
        patterns: shosts.equiv
      check_mode: no
      register: shosts_equiv_locations
    - name: "Remove Rsh Trust Files"
      file:
        path: "{{ item.path }}"
        state: absent
      with_items: "{{ shosts_equiv_locations.files }}"
      when: shosts_equiv_locations and True
  tags:
    - no_rsh_trust_files
    - high_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27406-8
    - NIST-800-53-AC-17(8)
    - NIST-800-53-CM-7
```

Group: Telnet

The telnet protocol does not provide confidentiality or integrity for information transmitted on the network. This includes authentication information such as passwords. Organizations which use telnet should be actively working to migrate to a more secure protocol.

Rule: Remove telnet Clients

Description:
The telnet client allows users to start connections to other systems via the telnet protocol.

References: 2.3.4 3.1.13 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) A.8.2.3 A.13.1.1 A.13.2.1 A.13.2.3 A.14.1.2 A.14.1.3

Rationale:
The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in Red Hat Enterprise Linux 7.

Identifier: CCE-27305-2

Remediation Shell script:
```bash
package_remove telnet
```

Remediation Ansible snippet:
```yaml
- name: Ensure telnet is removed
  package:
    name: telnet
    state: absent
  tags:
    - package_telnet_removed
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-27305-2
    - NIST-800-171-3.1.13
```

Remediation Puppet snippet:
```puppet
include remove_telnet
class remove_telnet {
  package { 'telnet':
    ensure => 'purged',
  }
}
```

Remediation Anaconda snippet:
```
package --remove=telnet
```

Rule: Disable telnet Service

Description:
The telnet service configuration file /etc/xinetd.d/telnet is not created automatically.
If it was created manually, check the /etc/xinetd.d/telnet file and ensure that disable = no is changed to read disable = yes as follows below:

```
# description: The telnet server serves telnet sessions; it uses \\
#       unencrypted username/password pairs for authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = yes
}
```

If the /etc/xinetd.d/telnet file does not exist, make sure that the activation of the telnet service on system boot is disabled via the following command. The telnet socket can be disabled with:

    $ sudo systemctl disable telnet.socket

References: 2.2.18 1 11 12 14 15 16 3 5 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.06 DSS06.10 3.1.13 3.4.7 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.18.1.4 A.6.2.1 A.6.2.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 AC-17(8) CM-7 IA-5(1)(c) PR.AC-1 PR.AC-3 PR.AC-6 PR.AC-7 PR.IP-1 PR.PT-3 PR.PT-4

Rationale:
The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks.
Identifier: CCE-27401-9

Remediation Shell script:
```bash
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'telnet.service'
"$SYSTEMCTL_EXEC" disable 'telnet.service'
# Disable socket activation if we have a unit file for it
"$SYSTEMCTL_EXEC" list-unit-files | grep -q '^telnet.socket\>' && "$SYSTEMCTL_EXEC" disable 'telnet.socket'
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'telnet.service'
```

Remediation Ansible snippet:
```yaml
- name: Disable service telnet
  service:
    name: telnet
    enabled: "no"
    state: "stopped"
  register: service_result
  failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
  tags:
    - service_telnet_disabled
    - high_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-27401-9
    - NIST-800-53-AC-17(8)
    - NIST-800-53-CM-7
    - NIST-800-53-IA-5(1)(c)
    - NIST-800-171-3.1.13
    - NIST-800-171-3.4.7
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Disable socket of service telnet if applicable
  service:
    name: telnet.socket
    enabled: "no"
    state: "stopped"
  register: socket_result
  failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
  tags:
    - service_telnet_disabled
    - high_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-27401-9
    - NIST-800-53-AC-17(8)
    - NIST-800-53-CM-7
    - NIST-800-53-IA-5(1)(c)
    - NIST-800-171-3.1.13
    - NIST-800-171-3.4.7
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Rule: Uninstall telnet-server Package

Description:
The telnet-server package can be removed with the following command:

    $ sudo yum erase telnet-server

References: RHEL-07-021710 SV-86701r2_rule 2.1.1 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03
References (continued): DSS05.05 DSS06.06 CCI-000381 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7(a) PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000095-GPOS-00049

Rationale:
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore may remain unsecure. They increase the risk to the platform by providing additional attack vectors. The telnet service provides an unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using this service, the privileged user password could be compromised. Removing the telnet-server package decreases the risk of the telnet service's accidental (or intentional) activation.
Identifier: CCE-27165-0

Remediation Shell script:
```bash
package_remove telnet-server
```

Remediation Ansible snippet:
```yaml
- name: Ensure telnet-server is removed
  package:
    name: telnet-server
    state: absent
  tags:
    - package_telnet-server_removed
    - high_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-27165-0
    - NIST-800-53-AC-17(8)
    - NIST-800-53-CM-7(a)
    - DISA-STIG-RHEL-07-021710
```

Remediation Puppet snippet:
```puppet
include remove_telnet-server
class remove_telnet-server {
  package { 'telnet-server':
    ensure => 'purged',
  }
}
```

Remediation Anaconda snippet:
```
package --remove=telnet-server
```

Group: NIS

The Network Information Service (NIS), also known as 'Yellow Pages' (YP), and its successor NIS+ have been made obsolete by Kerberos, LDAP, and other modern centralized authentication services. NIS should not be used because it suffers from security problems inherent in its design, such as inadequate protection of important authentication information.

Rule: Remove NIS Client

Description:
The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client (ypbind) was used to bind a system to an NIS server and receive the distributed configuration files.

References: 2.3.1 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii)

Rationale:
The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed.

Identifier: CCE-27396-1

Remediation Shell script:
```bash
package_remove ypbind
```

Remediation Ansible snippet:
```yaml
- name: Ensure ypbind is removed
  package:
    name: ypbind
    state: absent
  tags:
    - package_ypbind_removed
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-27396-1
```

Remediation Puppet snippet:
```puppet
include remove_ypbind
class remove_ypbind {
  package { 'ypbind':
    ensure => 'purged',
  }
}
```

Remediation Anaconda snippet:
```
package --remove=ypbind
```

Rule: Disable ypbind Service

Description:
The ypbind service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled.
The ypbind service can be disabled with the following command:

    $ sudo systemctl disable ypbind.service

References: 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 CCI-000305 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4

Rationale:
Disabling the ypbind service ensures the system is not acting as a client in a NIS or NIS+ domain. This service should be disabled unless in use.

Identifier: CCE-27385-4

Remediation Shell script:
```bash
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'ypbind.service'
"$SYSTEMCTL_EXEC" disable 'ypbind.service'
# Disable socket activation if we have a unit file for it
"$SYSTEMCTL_EXEC" list-unit-files | grep -q '^ypbind.socket\>' && "$SYSTEMCTL_EXEC" disable 'ypbind.socket'
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'ypbind.service'
```

Remediation Ansible snippet:
```yaml
- name: Disable service ypbind
  service:
    name: ypbind
    enabled: "no"
    state: "stopped"
  register: service_result
  failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
  tags:
    - service_ypbind_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-27385-4
    - NIST-800-53-AC-17(8)
    - NIST-800-53-CM-7
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Disable socket of service ypbind if applicable
  service:
    name: ypbind.socket
    enabled: "no"
    state: "stopped"
  register: socket_result
  failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
  tags:
    - service_ypbind_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-27385-4
    - NIST-800-53-AC-17(8)
    - NIST-800-53-CM-7
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Rule: Uninstall ypserv Package

Description:
The ypserv package can be removed with the following command:

    $ sudo yum erase ypserv

References: RHEL-07-020010 SV-86593r2_rule 2.2.16 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 CCI-000381 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2
References (continued): A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7(a) PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000095-GPOS-00049

Rationale:
The NIS service provides an unencrypted authentication service which does not provide for the confidentiality and integrity of user passwords or the remote session. Removing the ypserv package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.

Identifier: CCE-27399-5

Remediation Shell script:
```bash
package_remove ypserv
```

Remediation Ansible snippet:
```yaml
- name: Ensure ypserv is removed
  package:
    name: ypserv
    state: absent
  tags:
    - package_ypserv_removed
    - high_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-27399-5
    - NIST-800-53-AC-17(8)
    - NIST-800-53-CM-7(a)
    - DISA-STIG-RHEL-07-020010
```

Remediation Puppet snippet:
```puppet
include remove_ypserv
class remove_ypserv {
  package { 'ypserv':
    ensure => 'purged',
  }
}
```

Remediation Anaconda snippet:
```
package --remove=ypserv
```

Group: TFTP Server

TFTP is a lightweight version of the FTP protocol which has traditionally been used to configure networking equipment. However, TFTP provides little security, and modern versions of networking operating systems frequently support configuration via SSH or other more secure protocols. A TFTP server should be run only if no more secure method of supporting existing equipment can be found.

Rule: Disable tftp Service

Description:
The tftp service should be disabled.
The tftp service can be disabled with the following command:

    $ sudo systemctl disable tftp.service

References: 2.1.6 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 CCI-001436 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4

Rationale:
Disabling the tftp service ensures the system is not acting as a TFTP server, which does not provide encryption or authentication.

Identifier: CCE-80212-4

Remediation Shell script:
```bash
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'tftp.service'
"$SYSTEMCTL_EXEC" disable 'tftp.service'
# Disable socket activation if we have a unit file for it
"$SYSTEMCTL_EXEC" list-unit-files | grep -q '^tftp.socket\>' && "$SYSTEMCTL_EXEC" disable 'tftp.socket'
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'tftp.service'
```

Remediation Ansible snippet:
```yaml
- name: Disable service tftp
  service:
    name: tftp
    enabled: "no"
    state: "stopped"
  register: service_result
  failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
  tags:
    - service_tftp_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80212-4
    - NIST-800-53-AC-17(8)
    - NIST-800-53-CM-7
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Disable socket of service tftp if applicable
  service:
    name: tftp.socket
    enabled: "no"
    state: "stopped"
  register: socket_result
  failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
  tags:
    - service_tftp_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80212-4
    - NIST-800-53-AC-17(8)
    - NIST-800-53-CM-7
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Rule: Remove tftp Daemon

Description:
Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files between systems. TFTP does not support authentication and can be easily hacked. The package tftp is a client program that allows for connections to a tftp server. It is recommended that TFTP be removed, unless there is a specific need for TFTP (such as a boot server). In that case, use extreme caution when configuring the services.
Identifier: CCE-80443-5

Remediation Shell script:
```bash
package_remove tftp
```

Remediation Ansible snippet:
```yaml
- name: Ensure tftp is removed
  package:
    name: tftp
    state: absent
  tags:
    - package_tftp_removed
    - high_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80443-5
```

Remediation Puppet snippet:
```puppet
include remove_tftp
class remove_tftp {
  package { 'tftp':
    ensure => 'purged',
  }
}
```

Remediation Anaconda snippet:
```
package --remove=tftp
```

Rule: Uninstall tftp-server Package

Description:
The tftp-server package can be removed with the following command:

    $ sudo yum erase tftp-server

References: RHEL-07-040700 SV-86925r2_rule 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 CCI-000318 CCI-000368 CCI-001812 CCI-001813 CCI-001814 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-6(c) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000480-GPOS-00227

Rationale:
Removing the tftp-server package decreases the risk of the accidental (or intentional) activation of tftp services. If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the Information Systems Security Manager (ISSM), restricted to only authorized personnel, and have access control rules established.
Identifier: CCE-80213-2

Remediation Shell script:
```bash
package_remove tftp-server
```

Remediation Ansible snippet:
```yaml
- name: Ensure tftp-server is removed
  package:
    name: tftp-server
    state: absent
  tags:
    - package_tftp-server_removed
    - high_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80213-2
    - NIST-800-53-AC-17(8)
    - NIST-800-53-CM-6(c)
    - NIST-800-53-CM-7
    - DISA-STIG-RHEL-07-040700
```

Remediation Puppet snippet:
```puppet
include remove_tftp-server
class remove_tftp-server {
  package { 'tftp-server':
    ensure => 'purged',
  }
}
```

Remediation Anaconda snippet:
```
package --remove=tftp-server
```

Rule: Ensure tftp Daemon Uses Secure Mode

Description:
If running the tftp service is necessary, it should be configured to change its root directory at startup. To do so, ensure /etc/xinetd.d/tftp includes -s as a command line argument, as shown in the following example (which is also the default):

    server_args = -s /var/lib/tftpboot

References: RHEL-07-040720 SV-86929r3_rule 11 12 13 14 15 16 18 3 5 8 9 APO01.06 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.06 CCI-000366 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.6.2.1 A.6.2.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 AC-17(8) CM-7 PR.AC-3 PR.AC-4 PR.DS-5 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000480-GPOS-00227

Rationale:
Using the -s option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally-specified directory reduces the risk of sharing files which should remain private.
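The two xinetd settings the telnet and tftp rules above ask for, disable = yes in /etc/xinetd.d/telnet and -s in the server_args of /etc/xinetd.d/tftp, can be audited with the same stanza parser. The shell snippet below is an added example and not SCAP Security Guide code: xinetd_get extracts one key from a "service NAME { ... }" stanza while ignoring comments and tolerating += and irregular spacing, and the two checks built on it return the pass/fail status an OVAL-style test would. The stanzas it writes are constructed samples (the tftp one mirrors the default shown above); on a live host the file arguments would be /etc/xinetd.d/telnet and /etc/xinetd.d/tftp.

```shell
#!/bin/sh
# Added example (not SSG code): audit xinetd stanzas for the settings the
# telnet and tftp rules require. File paths are parameters so the checks can
# run on constructed samples; on a live host pass /etc/xinetd.d/<service>.

# Print the value of KEY from the "service NAME { ... }" stanza in FILE.
# Comments are dropped; "key = value" and "key += value" are both accepted.
xinetd_get() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                          # strip comments
        /^[ \t]*service[ \t]/ { in_svc = 1; next }  # stanza opens
        in_svc && /^[ \t]*}/  { in_svc = 0; next }  # stanza closes
        in_svc {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, key) != 1) next
            rest = substr(line, length(key) + 1)
            if (rest !~ /^[ \t]*[+]?=/) next        # key is only a prefix
            sub(/^[ \t]*[+]?=[ \t]*/, "", rest)
            sub(/[ \t]+$/, "", rest)
            print rest
            exit
        }' "$1"
}

# Exit 0 when the stanza says "disable = yes". A missing file also passes:
# xinetd then has no stanza that could activate the service.
xinetd_service_disabled() {
    [ -f "$1" ] || return 0
    [ "$(xinetd_get "$1" disable)" = "yes" ]
}

# Exit 0 when server_args carries the -s flag that confines in.tftpd to a
# directory (the rule checks for the flag, not for the directory's value).
tftp_secure_mode() {
    args=$(xinetd_get "$1" server_args)
    case " $args " in
        *" -s "*) return 0 ;;
        *)        return 1 ;;
    esac
}

SAMPLE_DIR=$(mktemp -d)

# Constructed: the telnet stanza as the rule wants it.
cat > "$SAMPLE_DIR/telnet.disabled" <<'EOF'
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = yes
}
EOF

# Constructed: the same service left enabled, with a trailing comment.
cat > "$SAMPLE_DIR/telnet.enabled" <<'EOF'
service telnet
{
        server  = /usr/sbin/in.telnetd
        disable = no   # still reachable
}
EOF

# Constructed: tftp with the -s flag, then a copy with the flag removed.
cat > "$SAMPLE_DIR/tftp.secure" <<'EOF'
service tftp
{
        socket_type     = dgram
        protocol        = udp
        wait            = yes
        user            = root
        server          = /usr/sbin/in.tftpd
        server_args     = -s /var/lib/tftpboot
        disable         = no
}
EOF
sed 's|= -s /var/lib/tftpboot|= /var/lib/tftpboot|' "$SAMPLE_DIR/tftp.secure" > "$SAMPLE_DIR/tftp.insecure"

for f in telnet.disabled telnet.enabled; do
    if xinetd_service_disabled "$SAMPLE_DIR/$f"; then echo "$f: PASS"; else echo "$f: FAIL"; fi
done
for f in tftp.secure tftp.insecure; do
    if tftp_secure_mode "$SAMPLE_DIR/$f"; then echo "$f: PASS"; else echo "$f: FAIL"; fi
done
# Remove the samples with: rm -rf "$SAMPLE_DIR"
```

Reading the value out of the stanza rather than grepping the whole file matters for the telnet case: a commented-out "# disable = yes" or a "disable = no   # note" line must not be mistaken for a compliant setting, and the += form used by log_on_failure must not confuse the key lookup.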
Identifier: CCE-80214-0

Group: Xinetd

The xinetd service acts as a dedicated listener for some network services (mostly, obsolete ones) and can be used to provide access controls and perform some logging. It has been largely obsoleted by other features, and it is not installed by default. The older Inetd service is not even available as part of Red Hat Enterprise Linux 7.

Rule: Install tcp_wrappers Package

Description:
When network services are using the xinetd service, the tcp_wrappers package should be installed. The tcp_wrappers package can be installed with the following command:

    $ sudo yum install tcp_wrappers

References: 3.4.1 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 CCI-000366 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-6(b) PR.IP-1 SRG-OS-000480-GPOS-00227

Rationale:
Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols.

Identifier: CCE-27361-5

Remediation Shell script:
```bash
package_install tcp_wrappers
```

Remediation Ansible snippet:
```yaml
- name: Ensure tcp_wrappers is installed
  package:
    name: tcp_wrappers
    state: present
  tags:
    - package_tcp_wrappers_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-27361-5
    - NIST-800-53-CM-6(b)
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Remediation Puppet snippet:
```puppet
include install_tcp_wrappers
class install_tcp_wrappers {
  package { 'tcp_wrappers':
    ensure => 'installed',
  }
}
```

Remediation Anaconda snippet:
```
package --add=tcp_wrappers
```

Rule: Disable xinetd Service

Description:
The xinetd service can be disabled with the following command:

    $ sudo systemctl disable xinetd.service

References: 2.1.7 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 3.4.7 CCI-000305 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4
4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4 The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself. CCE-27443-1 SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" stop 'xinetd.service' "$SYSTEMCTL_EXEC" disable 'xinetd.service' # Disable socket activation if we have a unit file for it "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^xinetd.socket\>' && "$SYSTEMCTL_EXEC" disable 'xinetd.socket' # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. 
"$SYSTEMCTL_EXEC" reset-failed 'xinetd.service'

Remediation (Ansible):

- name: Disable service xinetd
  service:
    name: xinetd
    enabled: "no"
    state: "stopped"
  register: service_result
  failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
  tags:
    - service_xinetd_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-27443-1
    - NIST-800-53-AC-17(8)
    - NIST-800-53-CM-7
    - NIST-800-171-3.4.7
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Disable socket of service xinetd if applicable
  service:
    name: xinetd.socket
    enabled: "no"
    state: "stopped"
  register: socket_result
  failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
  tags:
    - service_xinetd_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-27443-1
    - NIST-800-53-AC-17(8)
    - NIST-800-53-CM-7
    - NIST-800-171-3.4.7
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Uninstall xinetd Package

The xinetd package can be removed with the following command:

$ sudo yum erase xinetd

References: 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 CCI-000305 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4

Rationale: Removing the xinetd package decreases the risk of the xinetd service's accidental (or intentional) activation.

Identifier: CCE-27354-0

Remediation (bash):

package_remove xinetd

Remediation (Ansible):

- name: Ensure xinetd is removed
  package:
    name: xinetd
    state: absent
  tags:
    - package_xinetd_removed
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-27354-0
    - NIST-800-53-AC-17(8)
    - NIST-800-53-CM-7
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Remediation (Puppet):

include remove_xinetd
class remove_xinetd {
  package { 'xinetd':
    ensure => 'purged',
  }
}

Remediation (Anaconda):

package --remove=xinetd

Chat/Messaging Services

The talk software makes it possible for users to send and receive messages across systems through a terminal session.

Uninstall talk Package

The talk package contains the client program for the Internet talk protocol, which allows the user to chat with other users on different systems. Talk is a communication program which copies lines from one terminal to the terminal of another user. The talk package can be removed with the following command:

$ sudo yum erase talk

References: 2.3.3 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii)

Rationale: The talk software presents a security risk as it uses unencrypted protocols for communications. Removing the talk package decreases the risk of the accidental (or intentional) activation of the talk client program.
Identifier: CCE-27432-4

Remediation (bash):

package_remove talk

Remediation (Ansible):

- name: Ensure talk is removed
  package:
    name: talk
    state: absent
  tags:
    - package_talk_removed
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-27432-4

Remediation (Puppet):

include remove_talk
class remove_talk {
  package { 'talk':
    ensure => 'purged',
  }
}

Remediation (Anaconda):

package --remove=talk

Uninstall talk-server Package

The talk-server package can be removed with the following command:

$ sudo yum erase talk-server

References: 2.2.21 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii)

Rationale: The talk software presents a security risk as it uses unencrypted protocols for communications. Removing the talk-server package decreases the risk of the accidental (or intentional) activation of talk services.

Identifier: CCE-27210-4

Remediation (bash):

package_remove talk-server

Remediation (Ansible):

- name: Ensure talk-server is removed
  package:
    name: talk-server
    state: absent
  tags:
    - package_talk-server_removed
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-27210-4

Remediation (Puppet):

include remove_talk-server
class remove_talk-server {
  package { 'talk-server':
    ensure => 'purged',
  }
}

Remediation (Anaconda):

package --remove=talk-server

APT service configuration

The apt service manages package installation and updates for the whole system. Its configuration needs to be properly defined to ensure timely security updates, authentication of packages and repositories, and proper lifecycle management.

Disable unauthenticated repositories in APT configuration

Unauthenticated repositories should not be used for updates.

References: NT28(R15)

Rationale: Repositories host all packages that will be installed on the system during an update. If a repository is not authenticated, the associated packages cannot be trusted and therefore should not be installed locally.

Ensure that official distribution repositories are used

Check that official Debian repositories, including the security repository, are configured in apt.

References: NT28(R15)

Rationale: The Debian distribution delivers DSA (Debian Security Announce) notices through the official Debian security repository to correct vulnerabilities affecting Debian packages. Using the official repositories is the best way to ensure that Debian updates are integrated soon enough.

FTP Server

FTP is a common method for allowing remote access to files. Like telnet, the FTP protocol is unencrypted, which means that passwords and other data transmitted during the session can be captured and that the session is vulnerable to hijacking. Therefore, running the FTP server software is not recommended. However, there are some FTP server configurations which may be appropriate for some environments, particularly those which allow only read-only anonymous access as a means of downloading data available to the public.

Configure vsftpd to Provide FTP Service if Necessary

The primary vsftpd configuration file is /etc/vsftpd.conf, if that file exists, or /etc/vsftpd/vsftpd.conf if it does not.

Restrict the Set of Users Allowed to Access FTP

This section describes how to disable non-anonymous (password-based) FTP logins, or, if it is not possible to do this entirely due to legacy applications, how to restrict insecure FTP login to only those users who have an identified need for this access.

Restrict Access to Anonymous Users if Possible

Is there a mission-critical reason for users to transfer files to/from their own accounts using FTP, rather than using a secure protocol like SCP/SFTP? If not, edit the vsftpd configuration file. Add or correct the following configuration option:

local_enable=NO

If non-anonymous FTP logins are necessary, follow the guidance in the remainder of this section to secure these logins as much as possible.
References: 11 12 14 15 16 18 3 5 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.03 DSS06.06 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 CM-7 AC-3 PR.AC-4 PR.AC-6 PR.IP-1 PR.PT-3

Rationale: The use of non-anonymous FTP logins is strongly discouraged. Since SSH clients and servers are widely available, and since SSH provides support for a transfer mode which resembles FTP in user interface, there is no good reason to allow password-based FTP access.

Identifier: CCE-80249-6

Limit Users Allowed FTP Access if Necessary

If there is a mission-critical reason for users to access their accounts via the insecure FTP protocol, limit the set of users who are allowed this access. Edit the vsftpd configuration file. Add or correct the following configuration options:

userlist_enable=YES
userlist_file=/etc/vsftp.ftpusers
userlist_deny=NO

Edit the file /etc/vsftp.ftpusers. For each user USERNAME who should be allowed to access the system via FTP, add a line containing that user's name:

USERNAME

If anonymous access is also required, add the anonymous usernames to /etc/vsftp.ftpusers as well:

anonymous
ftp

Rationale: Historically, the file /etc/ftpusers contained a list of users who were not allowed to access the system via FTP. It was used to prevent system users such as the root user from logging in via the insecure FTP protocol. However, when the configuration option userlist_deny=NO is set, vsftpd interprets ftpusers as the set of users who are allowed to login via FTP. Since it should be possible for most users to access their accounts via secure protocols, it is recommended that this setting be used, so that non-anonymous FTP access can be limited to legacy users who have been explicitly identified.

Configure Firewalls to Protect the FTP Server

By default, firewalld blocks access to the ports used by the FTP server. To configure firewalld to allow access, run the following command(s):

firewall-cmd --permanent --add-service=ftp

Rationale: These settings configure the firewall to allow connections to an FTP server. The command above allows initial connections to the FTP server port. FTP is an older protocol which is not very compatible with firewalls: during the initial FTP dialogue, the client and server negotiate an arbitrary port to be used for data transfer. The ip_conntrack_ftp module is used by iptables to listen to that dialogue and allow connections to the data ports which FTP negotiates. This allows an FTP server to operate on a system which is running a firewall.

Create Warning Banners for All FTP Users

Edit the vsftpd configuration file, which resides at /etc/vsftpd/vsftpd.conf by default. Add or correct the following configuration options:

banner_file=/etc/issue

References: CCI-000048

Rationale: This setting will cause the system greeting banner to be used for FTP connections as well.

Identifier: CCE-80248-8

Disable FTP Uploads if Possible

Is there a mission-critical reason for users to upload files via FTP? If not, edit the vsftpd configuration file to add or correct the following configuration options:

write_enable=NO

If FTP uploads are necessary, follow the guidance in the remainder of this section to secure these transactions as much as possible.

Rationale: Anonymous FTP can be a convenient way to make files available for universal download. However, it is less common to have a need to allow unauthenticated users to place files on the FTP server. If this must be done, it is necessary to ensure that files cannot be uploaded and downloaded from the same directory.
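As an added example (not code from the SCAP Security Guide or the vsftpd project), the following POSIX shell script audits a vsftpd configuration file against the settings this FTP section asks for: local_enable, the userlist_* options for legacy password logins, banner_file, write_enable and the xferlog_enable / xferlog_std_format / log_ftp_protocol logging options. It takes the configuration path as an argument, so it can be run against /etc/vsftpd/vsftpd.conf or against a copy; the function names are my own and the configs built by the "demo" mode are constructed samples, not real system files.

```shell
#!/bin/sh
# Added example, not part of the SCAP Security Guide: audit a vsftpd
# configuration against the settings recommended in this section.
# Function names are the author's own. Usage:
#   sh vsftpd_audit.sh /etc/vsftpd/vsftpd.conf      # audit a real file
#   sh vsftpd_audit.sh demo                         # constructed samples

# vsftpd requires "option=value" with no whitespace around '=', treats
# '#' lines as comments, and lets a later line override an earlier one.
vsftpd_get() {                      # $1 = conf file, $2 = option name
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

expect_opt() {                      # $1 = conf, $2 = option, $3 = wanted
    actual=$(vsftpd_get "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "ok:   $2=$3"
    else
        echo "FAIL: $2 should be '$3' (found '${actual:-<unset>}')"
    fi
}

# One ok/FAIL line per check, following the rules of this section.
audit_vsftpd_conf() {
    conf=$1
    # Restrict Access to Anonymous Users if Possible
    expect_opt "$conf" local_enable NO
    # Limit Users Allowed FTP Access if Necessary: only matters while
    # password-based logins remain enabled.
    if [ "$(vsftpd_get "$conf" local_enable)" = "YES" ]; then
        expect_opt "$conf" userlist_enable YES
        expect_opt "$conf" userlist_deny NO
        if [ -z "$(vsftpd_get "$conf" userlist_file)" ]; then
            echo "FAIL: userlist_file is unset (this guide uses /etc/vsftp.ftpusers)"
        else
            echo "ok:   userlist_file=$(vsftpd_get "$conf" userlist_file)"
        fi
    fi
    # Create Warning Banners for All FTP Users
    expect_opt "$conf" banner_file /etc/issue
    # Disable FTP Uploads if Possible
    expect_opt "$conf" write_enable NO
    # Enable Logging of All FTP Transactions
    expect_opt "$conf" xferlog_enable YES
    expect_opt "$conf" xferlog_std_format NO
    expect_opt "$conf" log_ftp_protocol YES
}

# Number of failed checks; 0 means the file matches this section.
vsftpd_fail_count() {
    audit_vsftpd_conf "$1" | grep -c '^FAIL' || true
}

# Constructed sample configs (not real system files) for a demo run.
demo_vsftpd_audit() {
    dir=$(mktemp -d)
    printf 'local_enable=NO\nbanner_file=/etc/issue\nwrite_enable=NO\n' > "$dir/hardened.conf"
    printf 'xferlog_enable=YES\nxferlog_std_format=NO\nlog_ftp_protocol=YES\n' >> "$dir/hardened.conf"
    printf '# upstream-style defaults\nlocal_enable=YES\nwrite_enable=YES\nxferlog_enable=YES\nxferlog_std_format=YES\n' > "$dir/default.conf"
    for f in "$dir"/*.conf; do
        echo "== $f"
        audit_vsftpd_conf "$f"
        echo "findings: $(vsftpd_fail_count "$f")"
    done
    rm -rf "$dir"
}

case "${1:-}" in demo) demo_vsftpd_audit ;; esac
```

The audit reads the file the way vsftpd does (last matching line wins, comments ignored) so a commented-out `write_enable=YES` left behind by an editor does not mask a live one; the userlist checks are only applied when `local_enable=YES`, since with password logins off the allow-list has nothing to restrict.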
Identifier: CCE-80250-4

Place the FTP Home Directory on its Own Partition

By default, the anonymous FTP root is the home directory of the FTP user account. The df command can be used to verify that this directory is on its own partition.

Rationale: If there is a mission-critical reason for anonymous users to upload files, precautions must be taken to prevent these users from filling a disk used by other services.

Identifier: CCE-80251-2

Enable Logging of All FTP Transactions

Add or correct the following configuration options within the vsftpd configuration file, located at /etc/vsftpd/vsftpd.conf:

xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES

If verbose logging to vsftpd.log is done, sparse logging of downloads to /var/log/xferlog will not also occur. However, the information about what files were downloaded is included in the information logged to vsftpd.log.

Rationale: To trace malicious activity facilitated by the FTP service, it must be configured to ensure that all commands sent to the FTP server are logged using the verbose vsftpd log format. The default vsftpd log file is /var/log/vsftpd.log.

Identifier: CCE-80247-0

Use vsftpd to Provide FTP Service if Necessary

If your use-case requires FTP service, install and set up vsftpd to provide it.

Install vsftpd Package

If this system must operate as an FTP server, install the vsftpd package via the standard channels. The vsftpd package can be installed with the following command:

$ sudo yum install vsftpd

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: After Red Hat Enterprise Linux 2.1, Red Hat switched from distributing wu-ftpd with Red Hat Enterprise Linux to distributing vsftpd. For security and for consistency with future Red Hat releases, the use of vsftpd is recommended.

Identifier: CCE-80246-2

Remediation (bash):

package_install vsftpd

Remediation (Ansible):

- name: Ensure vsftpd is installed
  package:
    name: vsftpd
    state: present
  tags:
    - package_vsftpd_installed
    - unknown_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80246-2
    - NIST-800-53-CM-7

Remediation (Puppet):

include install_vsftpd
class install_vsftpd {
  package { 'vsftpd':
    ensure => 'installed',
  }
}

Remediation (Anaconda):

package --add=vsftpd

Disable vsftpd if Possible

To minimize attack surface, disable vsftpd if at all possible.
Disable vsftpd Service

The vsftpd service can be disabled with the following command:

$ sudo systemctl disable vsftpd.service

References: 2.2.9 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 CCI-001436 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: Running FTP server software provides a network-based avenue of attack, and should be disabled if not needed. Furthermore, the FTP protocol is unencrypted and creates a risk of compromising sensitive information.

Identifier: CCE-80244-7

Remediation (bash):

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'vsftpd.service'
"$SYSTEMCTL_EXEC" disable 'vsftpd.service'
# Disable socket activation if we have a unit file for it
"$SYSTEMCTL_EXEC" list-unit-files | grep -q '^vsftpd.socket\>' && "$SYSTEMCTL_EXEC" disable 'vsftpd.socket'
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'vsftpd.service'

Remediation (Ansible):

- name: Disable service vsftpd
  service:
    name: vsftpd
    enabled: "no"
    state: "stopped"
  register: service_result
  failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
  tags:
    - service_vsftpd_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80244-7
    - NIST-800-53-CM-7
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Disable socket of service vsftpd if applicable
  service:
    name: vsftpd.socket
    enabled: "no"
    state: "stopped"
  register: socket_result
  failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
  tags:
    - service_vsftpd_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80244-7
    - NIST-800-53-CM-7
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Uninstall vsftpd Package

The vsftpd package can be removed with the following command:

$ sudo yum erase vsftpd

References: RHEL-07-040690 SV-86923r3_rule 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 CCI-000366 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-6(b) CM-7 PR.IP-1 PR.PT-3 SRG-OS-000480-GPOS-00227

Rationale: Removing the vsftpd package decreases the risk of its accidental activation.

Identifier: CCE-80245-4

Remediation (bash):

package_remove vsftpd

Remediation (Ansible):

- name: Ensure vsftpd is removed
  package:
    name: vsftpd
    state: absent
  tags:
    - package_vsftpd_removed
    - high_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80245-4
    - NIST-800-53-CM-6(b)
    - NIST-800-53-CM-7
    - DISA-STIG-RHEL-07-040690

Remediation (Puppet):

include remove_vsftpd
class remove_vsftpd {
  package { 'vsftpd':
    ensure => 'purged',
  }
}

Remediation (Anaconda):

package --remove=vsftpd

SNMP Server

The Simple Network Management Protocol allows administrators to monitor the state of network devices, including computers. Older versions of SNMP were well-known for weak security, such as plaintext transmission of the community string (used for authentication) and usage of easily-guessable choices for the community string.

Configure SNMP Server if Necessary

If it is necessary to run the snmpd agent on the system, some best practices should be followed to minimize the security risk from the installation. The multiple security models implemented by SNMP cannot be fully covered here, so only the following general configuration advice can be offered:

- use only SNMP version 3 security models and enable the use of authentication and encryption
- write access to the MIB (Management Information Base) should be allowed only if necessary
- all access to the MIB should be restricted following a principle of least privilege
- network access should be limited to the maximum extent possible, including restricting to expected network addresses both in the configuration files and in the system firewall rules
- ensure SNMP agents send traps only to, and accept SNMP queries only from, authorized management stations
- ensure that permissions on the snmpd.conf configuration file (by default, in /etc/snmp) are 640 or more restrictive
- ensure that any MIB files' permissions are also 640 or more restrictive

Configure SNMP Service to Use Only SNMPv3 or Newer

Edit /etc/snmp/snmpd.conf, removing any references to rocommunity, rwcommunity, or com2sec.
Upon doing that, restart the SNMP service:

$ sudo service snmpd restart

Rationale: Earlier versions of SNMP are considered insecure, as they potentially allow unauthorized access to detailed system management information.

Identifier: CCE-80276-9

Ensure Default SNMP Password Is Not Used

Edit /etc/snmp/snmpd.conf and remove or change the default community strings of public and private. Once the default community strings have been changed, restart the SNMP service:

$ sudo service snmpd restart

References: RHEL-07-040800 SV-86937r2_rule 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-000366 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5.1(ii) PR.AC-1 PR.AC-6 PR.AC-7 SRG-OS-000480-GPOS-00227

Rationale: Whether active or not, default simple network management protocol (SNMP) community strings must be changed to maintain security. If the service is running with the default authenticators, then anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system and network(s).

Identifier: CCE-27386-2

Remediation (bash):

if grep -s "public\|private" /etc/snmp/snmpd.conf | grep -qv "^#"; then
  sed -i "/^\s*#/b;/public\|private/ s/^/#/" /etc/snmp/snmpd.conf
fi

Disable SNMP Server if Possible

The system includes an SNMP daemon that allows for its remote monitoring, though it is not installed by default. If it was installed and activated but is not needed, the software should be disabled and removed.

Uninstall net-snmp Package

The net-snmp package provides the snmpd service. The net-snmp package can be removed with the following command:

$ sudo yum erase net-snmp

Rationale: If there is no need to run SNMP server software, removing the package provides a safeguard against its activation.
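As an added example (not code from the SCAP Security Guide or the net-snmp project), the following POSIX shell script audits an snmpd.conf for the two things the SNMPv3-only and default-community rules above tell you to remove: active rocommunity / rwcommunity / com2sec directives and the default community strings public and private. It also writes a commented-out copy with the same effect as the guide's sed remediation, but to a new file so the change can be diffed before it replaces /etc/snmp/snmpd.conf. Function names are my own and the sample config is constructed.

```shell
#!/bin/sh
# Added example, not part of the SCAP Security Guide: audit an snmpd.conf
# for SNMPv1/v2c community directives and default community strings, and
# produce a reviewable copy with the offending lines commented out.
# Function names are the author's own. Usage:
#   sh snmpd_audit.sh /etc/snmp/snmpd.conf   # audit a real file
#   sh snmpd_audit.sh demo                   # constructed sample

# Print "FAIL line N: ..." for each active (non-comment) line that still
# configures a v1/v2c community or uses a default community string, and
# "ok" for SNMPv3 user directives so the reviewer sees what remains.
audit_snmpd_conf() {                # $1 = path to snmpd.conf
    grep -n . "$1" | grep -v '^[0-9]*:[[:space:]]*#' | while IFS= read -r rec; do
        n=${rec%%:*}
        text=${rec#*:}
        case "$text" in
            *rocommunity*|*rwcommunity*|*com2sec*)
                echo "FAIL line $n: SNMPv1/v2c community directive: $text" ;;
        esac
        case "$text" in
            *public*|*private*)
                echo "FAIL line $n: default community string: $text" ;;
        esac
        case "$text" in
            *rouser*|*rwuser*)
                echo "ok:   line $n: SNMPv3 user directive: $text" ;;
        esac
    done
}

snmpd_fail_count() {                # 0 = nothing left to fix
    audit_snmpd_conf "$1" | grep -c '^FAIL' || true
}

# Same effect as the guide's remediation (comment out every active line
# mentioning public or private), written to a new file instead of in
# place; uses only POSIX sed syntax.
comment_default_communities() {     # $1 = source, $2 = destination
    sed -e '/^[[:space:]]*#/b' -e '/public/s/^/#/' -e '/private/s/^/#/' "$1" > "$2"
}

demo_snmpd_audit() {
    dir=$(mktemp -d)
    cat > "$dir/snmpd.conf" <<'EOF'
# Constructed sample: a stock-looking config with v2c communities
rocommunity public 127.0.0.1
com2sec notConfigUser default private
rouser monitor authpriv
EOF
    audit_snmpd_conf "$dir/snmpd.conf"
    comment_default_communities "$dir/snmpd.conf" "$dir/snmpd.conf.new"
    echo "findings after remediation: $(snmpd_fail_count "$dir/snmpd.conf.new")"
    rm -rf "$dir"
}

case "${1:-}" in demo) demo_snmpd_audit ;; esac
```

Note that commenting out the lines, as the guide's sed does, satisfies the default-community check but leaves the v2c directive structure in place; the audit will keep reporting any rocommunity/rwcommunity/com2sec line that is renamed to a non-default string, which is the SNMPv3-only rule's point.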
Identifier: CCE-80275-1

Remediation (bash):

package_remove net-snmp

Remediation (Ansible):

- name: Ensure net-snmp is removed
  package:
    name: net-snmp
    state: absent
  tags:
    - package_net-snmp_removed
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80275-1

Remediation (Puppet):

include remove_net-snmp
class remove_net-snmp {
  package { 'net-snmp':
    ensure => 'purged',
  }
}

Remediation (Anaconda):

package --remove=net-snmp

Disable snmpd Service

The snmpd service can be disabled with the following command:

$ sudo systemctl disable snmpd.service

References: 2.2.14 SRG-OS-000480-VMM-002000

Rationale: Running SNMP software provides a network-based avenue of attack, and should be disabled if not needed.

Identifier: CCE-80274-4

Remediation (bash):

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'snmpd.service'
"$SYSTEMCTL_EXEC" disable 'snmpd.service'
# Disable socket activation if we have a unit file for it
"$SYSTEMCTL_EXEC" list-unit-files | grep -q '^snmpd.socket\>' && "$SYSTEMCTL_EXEC" disable 'snmpd.socket'
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'snmpd.service'

Remediation (Ansible):

- name: Disable service snmpd
  service:
    name: snmpd
    enabled: "no"
    state: "stopped"
  register: service_result
  failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
  tags:
    - service_snmpd_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80274-4
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Disable socket of service snmpd if applicable
  service:
    name: snmpd.socket
    enabled: "no"
    state: "stopped"
  register: socket_result
  failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
  tags:
    - service_snmpd_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80274-4
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Cron and At Daemons

The cron and at services are used to allow commands to be executed at a later time. The cron service is required by almost all systems to perform necessary maintenance tasks, while at may or may not be required on a given system. Both daemons should be configured defensively.

Restrict at and cron to Authorized Users if Necessary

The /etc/cron.allow and /etc/at.allow files contain lists of users who are allowed to use cron and at to delay execution of processes. If these files exist and if the corresponding files /etc/cron.deny and /etc/at.deny do not exist, then only users listed in the relevant allow files can run the crontab and at commands to submit jobs to be run at scheduled intervals. On many systems, only the system administrator needs the ability to schedule jobs. Note that even if a given user is not listed in cron.allow, cron jobs can still be run as that user.
The cron.allow file controls only administrative access to the crontab command for scheduling and modifying cron jobs.

To restrict at and cron to only authorized users:

1. Remove the cron.deny file:
   $ sudo rm /etc/cron.deny
2. Edit /etc/cron.allow, adding one line for each user allowed to use the crontab command to create cron jobs.
3. Remove the at.deny file:
   $ sudo rm /etc/at.deny
4. Edit /etc/at.allow, adding one line for each user allowed to use the at command to create at jobs.

Verify Group Who Owns /etc/cron.allow file

If /etc/cron.allow exists, it must be group-owned by root. To properly set the group owner of /etc/cron.allow, run the command:

$ sudo chgrp root /etc/cron.allow

References: RHEL-07-021120 SV-86679r2_rule 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 CCI-000366 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 SRG-OS-000480-GPOS-00227

Rationale: If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.
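As an added example (not code from the SCAP Security Guide), the following POSIX shell script audits the cron and at access-control state described above on one host: the deny files must be gone, the allow files must exist, and each allow file must be owned by root and group-owned by root as the two ownership rules require. A root-prefix argument lets it run against a constructed directory tree as well as the live system, and the expected uid and gid are parameters (defaulting to 0) only so that a test can use unprivileged files. Function names are my own; the script uses GNU stat.

```shell
#!/bin/sh
# Added example, not part of the SCAP Security Guide: audit cron/at
# access-control files (allow present, deny absent, allow owned root:root).
# Function names are the author's own; requires GNU stat. Usage:
#   sh job_access_audit.sh ""      # live system: /etc/cron.allow etc.
#   sh job_access_audit.sh demo    # constructed tree under mktemp

audit_job_access() {      # $1 = prefix ("" for live), $2 = uid, $3 = gid
    prefix=$1; want_uid=${2:-0}; want_gid=${3:-0}
    for svc in cron at; do
        allow="$prefix/etc/$svc.allow"
        deny="$prefix/etc/$svc.deny"
        # Steps 1 and 3 above: the deny file must be removed.
        if [ -e "$deny" ]; then
            echo "FAIL: $deny exists; this guide removes it so that $svc.allow governs access"
        else
            echo "ok:   $deny absent"
        fi
        # Steps 2 and 4: an allow list must exist.
        if [ ! -f "$allow" ]; then
            echo "FAIL: $allow missing; $svc is not restricted to listed users"
            continue
        fi
        # Verify User/Group Who Owns /etc/cron.allow (applied to at.allow too).
        uid=$(stat -c %u "$allow"); gid=$(stat -c %g "$allow")
        if [ "$uid" = "$want_uid" ]; then
            echo "ok:   $allow owner uid $uid"
        else
            echo "FAIL: $allow owner uid $uid, expected $want_uid (chown root)"
        fi
        if [ "$gid" = "$want_gid" ]; then
            echo "ok:   $allow group gid $gid"
        else
            echo "FAIL: $allow group gid $gid, expected $want_gid (chgrp root)"
        fi
        # Informational: who is actually allow-listed.
        echo "info: $allow permits: $(grep -v '^[[:space:]]*$' "$allow" | tr '\n' ' ')"
    done
}

job_access_fail_count() { # $1 = prefix, $2 = uid, $3 = gid; 0 = compliant
    audit_job_access "$1" "${2:-0}" "${3:-0}" | grep -c '^FAIL' || true
}

# Constructed tree: cron already restricted, at still relying on a deny file.
demo_job_access() {
    root=$(mktemp -d)
    mkdir -p "$root/etc"
    echo root > "$root/etc/cron.allow"
    : > "$root/etc/at.deny"
    audit_job_access "$root" "$(id -u)" "$(id -g)"
    echo "findings: $(job_access_fail_count "$root" "$(id -u)" "$(id -g)")"
    # Apply steps 3 and 4 for at: remove at.deny, create at.allow.
    rm -f "$root/etc/at.deny"
    echo root > "$root/etc/at.allow"
    echo "findings after fix: $(job_access_fail_count "$root" "$(id -u)" "$(id -g)")"
    rm -rf "$root"
}

case "${1:-}" in demo) demo_job_access ;; esac
```

On a real host, run it with an empty prefix and the default uid/gid so that anything other than root:root ownership is reported; the stat-based check mirrors what the Ansible tasks in the next two rules enforce with owner: 0 and group: 0.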
Identifier: CCE-80379-1

Remediation (bash):

chgrp 0 /etc/cron.allow

Remediation (Ansible):

- name: Test for existence /etc/cron.allow
  stat:
    path: /etc/cron.allow
  register: file_exists
  tags:
    - file_groupowner_cron_allow
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-80379-1
    - NIST-800-53-AC-6
    - DISA-STIG-RHEL-07-021120
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Ensure group owner 0 on /etc/cron.allow
  file:
    path: /etc/cron.allow
    group: 0
  when: file_exists.stat.exists and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - file_groupowner_cron_allow
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-80379-1
    - NIST-800-53-AC-6
    - DISA-STIG-RHEL-07-021120

Verify User Who Owns /etc/cron.allow file

If /etc/cron.allow exists, it must be owned by root. To properly set the owner of /etc/cron.allow, run the command:

$ sudo chown root /etc/cron.allow

References: RHEL-07-021110 SV-86677r3_rule 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 CCI-000366 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 SRG-OS-000480-GPOS-00227

Rationale: If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.

Identifier: CCE-80378-3

Remediation (bash):

chown 0 /etc/cron.allow

Remediation (Ansible):

- name: Test for existence /etc/cron.allow
  stat:
    path: /etc/cron.allow
  register: file_exists
  tags:
    - file_owner_cron_allow
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-80378-3
    - NIST-800-53-AC-6
    - DISA-STIG-RHEL-07-021110
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Ensure owner 0 on /etc/cron.allow
  file:
    path: /etc/cron.allow
    owner: 0
  when: file_exists.stat.exists and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - file_owner_cron_allow
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-80378-3
    - NIST-800-53-AC-6
    - DISA-STIG-RHEL-07-021110

Disable anacron Service

The cronie-anacron package, which provides anacron functionality, is installed by default. The cronie-anacron package can be removed with the following command:

$ sudo yum erase cronie-anacron

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: The anacron service provides cron functionality for systems such as laptops and workstations that may be shut down during the normal times that cron jobs are scheduled to run. On systems which do not require this additional functionality, anacron could needlessly increase the possible attack surface for an intruder.

Identifier: CCE-80344-5

Enable cron Service

The crond service is used to execute commands at preconfigured times.
It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The crond service can be enabled with the following command: $ sudo systemctl enable crond.service 5.1.1 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential. CCE-27323-5 SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" start 'crond.service' "$SYSTEMCTL_EXEC" enable 'crond.service' - name: Enable service crond service: name: crond enabled: "yes" state: "started" tags: - service_crond_enabled - medium_severity - enable_strategy - low_complexity - low_disruption - CCE-27323-5 - NIST-800-53-CM-7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable At Service (atd) The at and batch commands can be used to schedule tasks that are meant to be executed only once. This allows delayed execution in a manner similar to cron, except that it is not recurring. The daemon atd keeps track of tasks scheduled via at and batch, and executes them at the specified time. 
The atd service can be disabled with the following command:

    $ sudo systemctl disable atd.service

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 CCI-000381 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: The atd service could be used by an unsophisticated insider to carry out activities outside of a normal login session, which could complicate accountability. Furthermore, the need to schedule tasks with at or batch is not common.

Identifiers: CCE-80345-2

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'atd.service'
    "$SYSTEMCTL_EXEC" disable 'atd.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^atd.socket\>' && "$SYSTEMCTL_EXEC" disable 'atd.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'atd.service'

Remediation Ansible snippet:

    - name: Disable service atd
      service:
        name: atd
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
        - service_atd_disabled
        - medium_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80345-2
        - NIST-800-53-CM-7
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service atd if applicable
      service:
        name: atd.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
        - service_atd_disabled
        - medium_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80345-2
        - NIST-800-53-CM-7
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Install the cron service

The Cron service should be installed.

References: NT28(R50) 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: The cron service allows periodic job execution, which is needed for almost all administrative tasks and services (software updates, log rotation, etc.). Access to the cron service should be restricted to administrative accounts only.

Enable cron Service

The crond service is used to execute commands at preconfigured times.
It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The cron service can be enabled with the following command:

    $ sudo systemctl enable cron.service

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.

X Window System

The X Window System implementation included with the system is called X.org.

Disable X Windows

Unless there is a mission-critical reason for the system to run a graphical user interface, ensure X is not set to start automatically at boot and remove the X Windows software packages. There is usually no reason to run X Windows on a dedicated server system, as it increases the system's attack surface and consumes system resources. Administrators of server systems should instead login via SSH or on the text console.

Disable X Windows Startup By Setting Default Target

Systems that do not require a graphical user interface should only boot by default into multi-user.target mode. This prevents accidental booting of the system into a graphical.target mode. Setting the system's default target to multi-user.target will prevent automatic startup of the X server.
To do so, run:

    $ systemctl set-default multi-user.target

You should see the following output:

    rm '/etc/systemd/system/default.target'
    ln -s '/usr/lib/systemd/system/multi-user.target' '/etc/systemd/system/default.target'

References: 12 15 8 APO13.01 DSS01.04 DSS05.02 DSS05.03 CCI-000366 4.3.3.6.6 SR 1.13 SR 2.6 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.13.1.1 A.13.2.1 A.14.1.3 A.6.2.1 A.6.2.2 AC-17(8).1(ii) PR.AC-3 PR.PT-4 SRG-OS-000480-GPOS-00227

Rationale: Services that are not required for system and application processes must not be active to decrease the attack surface of the system. X Windows has a long history of security vulnerabilities and should not be used unless approved and documented.

Identifiers: CCE-27285-6

Remove the X Windows Package Group

By removing the xorg-x11-server-common package, the system no longer has X Windows installed. If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the system from being accidentally or maliciously booted into a graphical.target mode. To do so, run the following commands:

    $ sudo yum groupremove "X Window System"
    $ sudo yum remove xorg-x11-server-common

References: RHEL-07-040730 SV-86931r4_rule 2.2.2 12 15 8 APO13.01 DSS01.04 DSS05.02 DSS05.03 CCI-000366 4.3.3.6.6 SR 1.13 SR 2.6 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.13.1.1 A.13.2.1 A.14.1.3 A.6.2.1 A.6.2.2 AC-17(8).1(ii) PR.AC-3 PR.PT-4 SRG-OS-000480-GPOS-00227

Rationale: Unnecessary service packages must not be installed to decrease the attack surface of the system. X Windows has a long history of security vulnerabilities and should not be installed unless approved and documented.
Identifiers: CCE-27218-7

Remediation Shell script:

    package_remove xorg-x11-server-common

Remediation Ansible snippet:

    - name: Ensure xorg-x11-server-common is removed
      package:
        name: xorg-x11-server-common
        state: absent
      tags:
        - package_xorg-x11-server-common_removed
        - medium_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-27218-7
        - NIST-800-53-AC-17(8).1(ii)
        - DISA-STIG-RHEL-07-040730

Remediation Puppet snippet:

    include remove_xorg-x11-server-common
    class remove_xorg-x11-server-common {
      package { 'xorg-x11-server-common':
        ensure => 'purged',
      }
    }

Remediation Anaconda snippet:

    package --remove=xorg-x11-server-common

Network Routing

A router is a very desirable target for a potential adversary because it fulfills a variety of infrastructure networking roles such as access to network segments, gateways to other networks, filtering, etc. Therefore, if one is required, the system acting as a router should be dedicated to that purpose alone and be stored in a physically secure location. The system's default routing software is Quagga, and it is provided in an RPM package of the same name.

Disable Quagga if Possible

If Quagga was installed and activated, but the system does not need to act as a router, then it should be disabled and removed.

Uninstall quagga Package

The quagga package can be removed with the following command:

    $ sudo yum erase quagga

References: 12 15 8 APO13.01 DSS05.02 CCI-000366 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.13.1.1 A.13.2.1 A.14.1.3 SC-32 PR.PT-4 SRG-OS-000480-GPOS-00227

Rationale: Routing software is typically used on routers to exchange network topology information with other routers. If routing software is used when not required, system network information may be unnecessarily transmitted across the network. If there is no need to make the router software available, removing it provides a safeguard against its activation.
Identifiers: CCE-27594-1

Remediation Shell script:

    package_remove quagga

Remediation Ansible snippet:

    - name: Ensure quagga is removed
      package:
        name: quagga
        state: absent
      tags:
        - package_quagga_removed
        - medium_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-27594-1
        - NIST-800-53-SC-32

Remediation Puppet snippet:

    include remove_quagga
    class remove_quagga {
      package { 'quagga':
        ensure => 'purged',
      }
    }

Remediation Anaconda snippet:

    package --remove=quagga

Disable Quagga Service

The zebra service can be disabled with the following command:

    $ sudo systemctl disable zebra.service

References: 12 15 8 APO13.01 DSS05.02 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.13.1.1 A.13.2.1 A.14.1.3 SC-32 PR.PT-4 SRG-OS-000480-GPOS-00227

Rationale: Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If routing daemons are used when not required, system network information may be unnecessarily transmitted across the network.

Identifiers: CCE-27191-6

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'zebra.service'
    "$SYSTEMCTL_EXEC" disable 'zebra.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^zebra.socket\>' && "$SYSTEMCTL_EXEC" disable 'zebra.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'zebra.service'

Remediation Ansible snippet:

    - name: Disable service zebra
      service:
        name: zebra
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
        - service_zebra_disabled
        - medium_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-27191-6
        - NIST-800-53-SC-32
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service zebra if applicable
      service:
        name: zebra.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
        - service_zebra_disabled
        - medium_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-27191-6
        - NIST-800-53-SC-32
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

DNS Server

Most organizations have an operational need to run at least one nameserver. However, there are many common attacks involving DNS server software, and this server software should be disabled on any system on which it is not needed.

Isolate DNS from Other Services

This section discusses mechanisms for preventing the DNS server from interfering with other services. This is done both to protect the remainder of the network should a nameserver be compromised, and to make direct attacks on nameservers more difficult.
Run DNS Software in a chroot Jail

Install the bind-chroot package:

    $ sudo yum install bind-chroot

Place a valid named.conf file inside the chroot jail:

    $ sudo cp /etc/named.conf /var/named/chroot/etc/named.conf
    $ sudo chown root:root /var/named/chroot/etc/named.conf
    $ sudo chmod 644 /var/named/chroot/etc/named.conf

Create and populate an appropriate zone directory within the jail, based on the options directive. If your named.conf includes:

    options {
        directory "/path/to/DIRNAME";
        ...
    }

then copy that directory and its contents from the original zone directory:

    $ sudo cp -r /path/to/DIRNAME /var/named/chroot/DIRNAME

Add or correct the following line within /etc/sysconfig/named:

    ROOTDIR=/var/named/chroot

If you are running BIND in a chroot jail, then you should use the jailed named.conf as the primary nameserver configuration file. That is, when this guide recommends editing /etc/named.conf, you should instead edit /var/named/chroot/etc/named.conf.

Run DNS Software on Dedicated Servers

Since DNS is a high-risk service which must frequently be made available to the entire Internet, it is strongly recommended that no other services be offered by systems which act as organizational DNS servers.

Protect DNS Data from Tampering or Attack

This section discusses DNS configuration options which make it more difficult for attackers to gain access to private DNS data or to modify DNS data.

Run Separate DNS Servers for External and Internal Queries

Is it possible to run external and internal nameservers on separate systems? If so, follow the configuration guidance in this section. On the external nameserver, edit /etc/named.conf to add or correct the following directives:

    options {
        allow-query { any; };
        recursion no;
        ...
    };
    zone "example.com" IN {
        ...
    };

On the internal nameserver, edit /etc/named.conf.
Add or correct the following directives, where SUBNET is the numerical IP representation of your organization in the form xxx.xxx.xxx.xxx/xx:

    acl internal {
        SUBNET;
        localhost;
    };
    options {
        allow-query { internal; };
        ...
    };
    zone "internal.example.com" IN {
        ...
    };

Use Views to Partition External and Internal Information

If it is not possible to run external and internal nameservers on separate physical systems, run BIND9 and simulate this feature using views. Edit /etc/named.conf. Add or correct the following directives (where SUBNET is the numerical IP representation of your organization in the form xxx.xxx.xxx.xxx/xx):

    acl internal {
        SUBNET;
        localhost;
    };
    view "internal-view" {
        match-clients { internal; };
        zone "." IN {
            type hint;
            file "db.cache";
        };
        zone "internal.example.com" IN {
            ...
        };
    };
    view "external-view" {
        match-clients { any; };
        recursion no;
        zone "example.com" IN {
            ...
        };
    };

As shown in the example, database files which are required for recursion, such as the root hints file, must be available to any clients which are allowed to make recursive queries. Under typical circumstances, this includes only the internal clients which are allowed to use this server as a general-purpose nameserver.

Disable Zone Transfers from the Nameserver

Is it necessary for a secondary nameserver to receive zone data via zone transfer from the primary server? If not, follow the instructions in this section. If so, see the next section for instructions on protecting zone transfers. Add or correct the following directive within /etc/named.conf:

    options {
        allow-transfer { none; };
        ...
    }

If both the primary and secondary nameserver are under your control, or if you have only one nameserver, it may be possible to use an external configuration management mechanism to distribute zone updates. In that case, it is not necessary to allow zone transfers within BIND itself, so they should be disabled to avoid the potential for abuse.
Identifiers: CCE-80327-0

Disable Dynamic Updates

Is there a mission-critical reason to enable the risky dynamic update functionality? If not, edit /etc/named.conf. For each zone specification, correct the following directive if necessary:

    zone "example.com" IN {
        allow-update { none; };
        ...
    };

Dynamic updates allow remote servers to add, delete, or modify any entries in your zone file. Therefore, they should be considered highly risky, and disabled unless there is a very good reason for their use. If dynamic updates must be allowed, IP-based ACLs are insufficient protection, since they are easily spoofed. Instead, use TSIG keys (see the section Authenticate Zone Transfers for an example), and consider using the update-policy directive to restrict changes to only the precise type of change needed.

Identifiers: CCE-80329-6

Authenticate Zone Transfers

If it is necessary for a secondary nameserver to receive zone data via zone transfer from the primary server, follow the instructions here. Use dnssec-keygen to create a symmetric key file in the current directory:

    $ cd /tmp
    $ sudo dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dns.example.com
    Kdns.example.com.+aaa+iiiii

This output is the name of a file containing the new key. Read the file to find the base64-encoded key string:

    $ sudo cat Kdns.example.com.+NNN+MMMMM.key
    dns.example.com IN KEY 512 3 157 base64-key-string

Add the directives to /etc/named.conf on the primary server:

    key zone-transfer-key {
        algorithm hmac-md5;
        secret "base64-key-string";
    };
    zone "example.com" IN {
        type master;
        allow-transfer { key zone-transfer-key; };
        ...
    };

Add the directives below to /etc/named.conf on the secondary nameserver:

    key zone-transfer-key {
        algorithm hmac-md5;
        secret "base64-key-string";
    };
    server IP-OF-MASTER {
        keys { zone-transfer-key; };
    };
    zone "example.com" IN {
        type slave;
        masters { IP-OF-MASTER; };
        ...
    };

The purpose of the dnssec-keygen command is to create the shared secret string base64-key-string.
Once this secret has been obtained and inserted into named.conf on the primary and secondary servers, the key files Kdns.example.com.+NNN+MMMMM.key and Kdns.example.com.+NNN+MMMMM.private are no longer needed, and may safely be deleted.

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: The BIND transaction signature (TSIG) functionality allows primary and secondary nameservers to use a shared secret to verify authorization to perform zone transfers. This method is more secure than using IP-based limiting to restrict nameserver access, since IP addresses can be easily spoofed. However, if you cannot configure TSIG between your servers because, for instance, the secondary nameserver is not under your control and its administrators are unwilling to configure TSIG, you can configure an allow-transfer directive with numerical IP addresses or ACLs as a last resort.

Identifiers: CCE-80328-8

Disable DNS Server

DNS software should be disabled on any system which does not need to be a nameserver. Note that the BIND DNS server software is not installed on Red Hat Enterprise Linux 7 by default. The remainder of this section discusses secure configuration of systems which must be nameservers.
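The three rules above (disable zone transfers, disable dynamic updates, authenticate zone transfers with TSIG) come down to a few directives in named.conf. As an added example that is not part of the SCAP Security Guide, the following POSIX shell function audits a named.conf for exactly those directives: it reports an allow-transfer that is absent or restricted only by IP address, and any zone whose allow-update is not none or a TSIG key. Both configurations embedded in it are constructed samples; the key secret is a placeholder, and the algorithm shown is hmac-sha256 (which BIND also accepts) rather than the guide's hmac-md5. Directives are assumed to be written one per line, as in the guide's own snippets, and the function name audit_named_conf is a choice made here.

```shell
#!/bin/sh
# Added example, not from the SCAP Security Guide: audit a named.conf for the
# zone-transfer and dynamic-update directives the guide requires.
# Assumption: directives are written one per line, as in the guide's snippets.

# CONSTRUCTED sample, hardened as the guide recommends.  The secret is a
# placeholder; hmac-sha256 is used here instead of the guide's hmac-md5.
HARDENED_NAMED_CONF='options {
    allow-query { any; };
    allow-transfer { key zone-transfer-key; };
    recursion no;
};
key zone-transfer-key {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-NOT-A-REAL-KEY=";
};
zone "example.com" IN {
    type master;
    file "db.example.com";
    allow-update { none; };
};'

# CONSTRUCTED sample: transfers limited by IP only, updates allowed from a subnet.
WEAK_NAMED_CONF='options {
    allow-query { any; };
    allow-transfer { 192.0.2.10; };
};
zone "example.com" IN {
    type master;
    file "db.example.com";
    allow-update { 192.0.2.0/24; };
};
zone "internal.example.com" IN {
    type master;
    file "db.internal.example.com";
};'

# audit_named_conf CONFIG_TEXT -> one finding per line, or "ok".
# - allow-transfer must be { none; } or { key NAME; }: IP-based ACLs are
#   spoofable and the guide allows them only as a last resort.  A missing
#   directive is also a finding, because BIND 9 releases of the RHEL 7 era
#   then allow transfers to any host.
# - allow-update must be { none; } or { key NAME; }; a zone without the
#   directive is fine because BIND denies dynamic updates by default.
audit_named_conf() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*zone[ \t]+"/ {
            match($0, /"[^"]*"/); zone = substr($0, RSTART + 1, RLENGTH - 2)
        }
        /allow-transfer/ {
            have_transfer = 1
            if ($0 !~ /allow-transfer[ \t]*\{[ \t]*(none|key[ \t]+[^;{}]+)[ \t]*;[ \t]*\}/) {
                findings++
                print "allow-transfer uses IP addresses or any: restrict to none or a TSIG key"
            }
        }
        /allow-update/ {
            if ($0 !~ /allow-update[ \t]*\{[ \t]*(none|key[ \t]+[^;{}]+)[ \t]*;[ \t]*\}/) {
                findings++
                printf "zone \"%s\": allow-update is not none or a TSIG key\n", zone
            }
        }
        END {
            if (!have_transfer) {
                findings++
                print "allow-transfer is absent: BIND then permits zone transfers to any host"
            }
            if (findings == 0) print "ok"
        }
    '
}

echo "hardened: $(audit_named_conf "$HARDENED_NAMED_CONF")"
echo "weak:"
audit_named_conf "$WEAK_NAMED_CONF"
```

On a chrooted server the file to audit is /var/named/chroot/etc/named.conf, as the chroot section notes; pass its contents with audit_named_conf "$(cat /var/named/chroot/etc/named.conf)".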
Disable named Service

The named service can be disabled with the following command:

    $ sudo systemctl disable named.service

References: 2.2.8 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 CCI-000366 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: All network services involve some risk of compromise due to implementation flaws and should be disabled if possible.

Identifiers: CCE-80325-4

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'named.service'
    "$SYSTEMCTL_EXEC" disable 'named.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^named.socket\>' && "$SYSTEMCTL_EXEC" disable 'named.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'named.service'

Remediation Ansible snippet:

    - name: Disable service named
      service:
        name: named
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
        - service_named_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80325-4
        - NIST-800-53-CM-7
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service named if applicable
      service:
        name: named.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
        - service_named_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80325-4
        - NIST-800-53-CM-7
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Uninstall bind Package

The named service is provided by the bind package. The bind package can be removed with the following command:

    $ sudo yum erase bind

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 CCI-000366 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: If there is no need to make DNS server software available, removing it provides a safeguard against its activation.
Identifiers: CCE-80326-2

Remediation Shell script:

    package_remove bind

Remediation Ansible snippet:

    - name: Ensure bind is removed
      package:
        name: bind
        state: absent
      tags:
        - package_bind_removed
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80326-2
        - NIST-800-53-CM-7

Remediation Puppet snippet:

    include remove_bind
    class remove_bind {
      package { 'bind':
        ensure => 'purged',
      }
    }

Remediation Anaconda snippet:

    package --remove=bind

LDAP

LDAP is a popular directory service, that is, a standardized way of looking up information from a central database. Red Hat Enterprise Linux 7 includes software that enables a system to act as both an LDAP client and server.

Configure OpenLDAP Server

This section details some security-relevant settings for an OpenLDAP server. Installation and configuration of OpenLDAP on Red Hat Enterprise Linux 7 is available at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/openldap.html.

Install and Protect LDAP Certificate Files

Create the PKI directory for LDAP certificates if it does not already exist:

    $ sudo mkdir /etc/pki/tls/ldap
    $ sudo chown root:root /etc/pki/tls/ldap
    $ sudo chmod 755 /etc/pki/tls/ldap

Using removable media or some other secure transmission format, install the certificate files onto the LDAP server:

    /etc/pki/tls/ldap/serverkey.pem: the private key ldapserverkey.pem
    /etc/pki/tls/ldap/servercert.pem: the certificate file ldapservercert.pem

Verify the ownership and permissions of these files:

    $ sudo chown root:ldap /etc/pki/tls/ldap/serverkey.pem
    $ sudo chown root:ldap /etc/pki/tls/ldap/servercert.pem
    $ sudo chmod 640 /etc/pki/tls/ldap/serverkey.pem
    $ sudo chmod 640 /etc/pki/tls/ldap/servercert.pem

Verify that the CA's public certificate file has been installed as /etc/pki/tls/CA/cacert.pem, and has the correct permissions:

    $ sudo mkdir /etc/pki/tls/CA
    $ sudo chown root:root /etc/pki/tls/CA/cacert.pem
    $ sudo chmod 644 /etc/pki/tls/CA/cacert.pem

As a result of these steps, the LDAP server will have access to its own private certificate and the key with which
that certificate is encrypted, and to the public certificate file belonging to the CA. Note that it would be possible for the key to be protected further, so that processes running as ldap could not read it. If this were done, the LDAP server process would need to be restarted manually whenever the server rebooted.

Uninstall openldap-servers Package

The openldap-servers package should be removed if not in use. Is this system the OpenLDAP server? If not, remove the package. The openldap-servers package can be removed with the following command:

    $ sudo yum erase openldap-servers

The openldap-servers RPM is not installed by default on a Red Hat Enterprise Linux 7 system. It is needed only by the OpenLDAP server, not by the clients which use LDAP for authentication. If the system is not intended for use as an LDAP Server it should be removed.

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 CCI-000366 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: Unnecessary packages should not be installed to decrease the attack surface of the system. While this software is clearly essential on an LDAP server, it is not necessary on typical desktop or workstation systems.
Identifiers: CCE-80293-4

Remediation Shell script:

    package_remove openldap-servers

Remediation Ansible snippet:

    - name: Ensure openldap-servers is removed
      package:
        name: openldap-servers
        state: absent
      tags:
        - package_openldap-servers_removed
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80293-4
        - NIST-800-53-CM-7

Remediation Puppet snippet:

    include remove_openldap-servers
    class remove_openldap-servers {
      package { 'openldap-servers':
        ensure => 'purged',
      }
    }

Remediation Anaconda snippet:

    package --remove=openldap-servers

Configure OpenLDAP Clients

This section provides information on which security settings are important to configure in OpenLDAP clients by manually editing the appropriate configuration files. Red Hat Enterprise Linux 7 provides an automated configuration tool called authconfig and a graphical wrapper for authconfig called system-config-authentication. However, these tools do not provide as much control over configuration as manual editing of configuration files. The authconfig tools do not allow you to specify locations of SSL certificate files, which is useful when trying to use SSL cleanly across several protocols. Installation and configuration of OpenLDAP on Red Hat Enterprise Linux 7 is available at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/openldap.html. Before configuring any system to be an LDAP client, ensure that a working LDAP server is present on the network.

Enable the LDAP Client For Use in Authconfig

To determine if LDAP is being used for authentication, use the following command:

    $ sudo grep -i useldapauth /etc/sysconfig/authconfig

If USELDAPAUTH=yes, then LDAP is being used. If not, set USELDAPAUTH to yes.
References: 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 CCI-001453 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(2) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000250-GPOS-00093

Rationale: Without cryptographic integrity protections, information can be altered by unauthorized users without detection. The ssl directive specifies whether to use TLS or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL.

Identifiers: CCE-80448-4

Configure Certificate Directives for LDAP Use of TLS

Ensure a copy of a trusted CA certificate has been placed in the file /etc/pki/tls/CA/cacert.pem. Configure LDAP to enforce TLS use and to trust certificates signed by that CA. First, edit the file /etc/nslcd.conf, and add or correct either of the following lines:

    tls_cacertdir /etc/pki/tls/CA

or

    tls_cacertfile /etc/pki/tls/CA/cacert.pem

Then review the LDAP server and ensure TLS has been configured.
References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 CCI-000776 CCI-000778 CCI-001453 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: The tls_cacertdir or tls_cacertfile directives are required when tls_checkpeer is configured (which is the default for openldap versions 2.1 and up). These directives define the path to the trust certificates signed by the site CA.

Identifiers: CCE-80292-6

Configure LDAP Client to Use TLS For All Transactions

This check verifies that Red Hat Enterprise Linux 7 implements cryptography to protect the integrity of remote LDAP authentication sessions. To determine if LDAP is being used for authentication, use the following command:

    $ sudo grep -i useldapauth /etc/sysconfig/authconfig

If USELDAPAUTH=yes, then LDAP is being used.
To check if LDAP is configured to use TLS, use the following command:

    $ sudo grep -i ssl /etc/pam_ldap.conf

References: 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 CCI-001453 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(2) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000250-GPOS-00093

Rationale: Without cryptographic integrity protections, information can be altered by unauthorized users without detection. The ssl directive specifies whether to use TLS or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL.

Identifiers: CCE-80291-8

Remediation Shell script:

    # Use LDAP for authentication
    replace_or_append '/etc/sysconfig/authconfig' 'USELDAPAUTH' 'yes' 'CCE-80291-8' '%s=%s'
    # Configure client to use TLS for all authentications
    replace_or_append '/etc/nslcd.conf' 'ssl' 'start_tls' 'CCE-80291-8' '%s %s'

DHCP

The Dynamic Host Configuration Protocol (DHCP) allows systems to request and obtain an IP address and other configuration parameters from a server. This guide recommends configuring networking on clients by manually editing the appropriate files under /etc/sysconfig. Use of DHCP can make client systems vulnerable to compromise by rogue DHCP servers, and should be avoided unless necessary. If using DHCP is necessary, however, there are best practices that should be followed to minimize security risk.
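The shell remediation for the LDAP client rules above calls replace_or_append, a helper from the SCAP Security Guide's shared remediation library, to set USELDAPAUTH=yes in /etc/sysconfig/authconfig and ssl start_tls in /etc/nslcd.conf. The following is an added example and not the guide's own helper: an idempotent POSIX shell equivalent, set_config_value (a name chosen here), that replaces the first effective line for a key or appends one, taking the same two output formats, together with a config_value reader that mirrors the grep checks in the text. The files it edits in the demo are temporary copies with constructed contents, not the real system files.

```shell
#!/bin/sh
# Added example, not from the SCAP Security Guide: an idempotent stand-in for
# the guide's replace_or_append helper.  Function names are assumptions.

# set_config_value FILE KEY VALUE FORMAT
#   FORMAT is a printf pattern with two %s: '%s=%s' for KEY=VALUE files such as
#   /etc/sysconfig/authconfig, '%s %s' for "key value" files such as /etc/nslcd.conf.
#   The first line that sets KEY (optional leading whitespace, then KEY, then
#   '=' or whitespace) is replaced; comment lines are left alone; if no such
#   line exists the setting is appended.  The file is rewritten through cat so
#   its mode and owner are preserved.
set_config_value() {
    file=$1; key=$2; value=$3; fmt=$4
    new_line=$(printf "$fmt" "$key" "$value")
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v new_line="$new_line" '
        {
            line = $0; sub(/^[ \t]+/, "", line)
            klen = length(key)
            if (!done && substr(line, 1, klen) == key && substr(line, klen + 1, 1) ~ /[ \t=]/) {
                print new_line; done = 1; next
            }
            print
        }
        END { if (!done) print new_line }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# config_value FILE KEY -> prints the value from the first effective KEY line
# (the same line the guide's `grep -i useldapauth` / `grep -i ssl` checks look at).
config_value() {
    awk -v key="$2" '
        {
            line = $0; sub(/^[ \t]+/, "", line)
            klen = length(key)
            if (substr(line, 1, klen) == key && substr(line, klen + 1, 1) ~ /[ \t=]/) {
                v = substr(line, klen + 1)
                sub(/^[ \t]*=?[ \t]*/, "", v)
                print v; exit
            }
        }
    ' "$1"
}

# demo: apply the two settings from the LDAP client remediation to temporary
# files with CONSTRUCTED contents, and show that a second run changes nothing.
demo() {
    auth=$(mktemp); nslcd=$(mktemp)
    printf '# constructed sample of /etc/sysconfig/authconfig\nUSELDAPAUTH=no\nUSESSSD=yes\n' > "$auth"
    printf '# constructed sample of /etc/nslcd.conf\nuri ldap://ldap.example.com/\n' > "$nslcd"
    set_config_value "$auth" USELDAPAUTH yes '%s=%s'
    set_config_value "$auth" USELDAPAUTH yes '%s=%s'   # idempotent: still one line
    set_config_value "$nslcd" ssl start_tls '%s %s'
    echo "USELDAPAUTH is now: $(config_value "$auth" USELDAPAUTH)"
    echo "ssl is now: $(config_value "$nslcd" ssl)"
    cat "$auth" "$nslcd"
    rm -f "$auth" "$nslcd"
}

demo
```

Matching on the key followed by '=' or whitespace is what keeps a commented-out line such as "# ssl off" untouched and prevents USELDAPAUTH from matching a longer key that merely starts with the same letters.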
Disable DHCP Client

DHCP is the default network configuration method provided by the system installer, and common on many networks. Nevertheless, manual management of IP addresses for systems implies a greater degree of management and accountability for network activity.

Disable DHCP Client in ifcfg

For each interface on the system (e.g. eth0), edit /etc/sysconfig/network-scripts/ifcfg-interface and make the following changes: Correct the BOOTPROTO line to read:

    BOOTPROTO=none

Add or correct the following lines, substituting the appropriate values based on your site's addressing scheme:

    NETMASK=255.255.255.0
    IPADDR=192.168.1.2
    GATEWAY=192.168.1.1

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 CCI-000366 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: DHCP relies on trusting the local network. If the local network is not trusted, then it should not be used. However, the automatic configuration provided by DHCP is commonly used and the alternative, manual configuration, presents an unacceptable burden in many circumstances.

Identifiers: CCE-80337-9

Configure DHCP Server

If the system must act as a DHCP server, the configuration information it serves should be minimized. Also, support for other protocols and DNS-updating schemes should be explicitly disabled unless needed. The configuration file for dhcpd is called /etc/dhcp/dhcpd.conf. The file begins with a number of global configuration options.
The remainder of the file is divided into sections, one for each block of addresses offered by dhcpd, each of which contains configuration options specific to that address block.

Configure Logging

Ensure that the following line exists in /etc/rsyslog.conf:

    daemon.* /var/log/daemon.log

Configure logwatch or other log monitoring tools to summarize error conditions reported by the dhcpd process.

References: 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 AU-12 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.PT-1

Rationale: By default, dhcpd logs notices to the daemon facility. Sending all daemon messages to a dedicated log file is part of the syslog configuration outlined in the Logging and Auditing section.

Identifiers: CCE-80336-1

Deny BOOTP Queries

Unless your network needs to support older BOOTP clients, disable support for the bootp protocol by adding or correcting the global option:

    deny bootp;

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: The bootp option tells dhcpd to respond to BOOTP queries. If support for this simpler protocol is not needed, it should be disabled to remove attack vectors against the DHCP server.
Identifiers: CCE-80334-6

Do Not Use Dynamic DNS

To prevent the DHCP server from receiving DNS information from clients, edit /etc/dhcp/dhcpd.conf, and add or correct the following global option:

    ddns-update-style none;

The ddns-update-style option controls only whether the DHCP server will attempt to act as a Dynamic DNS client. As long as the DNS server itself is correctly configured to reject DDNS attempts, an incorrect ddns-update-style setting on the client is harmless (but should be fixed as a best practice).

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: The Dynamic DNS protocol is used to remotely update the data served by a DNS server. DHCP servers can use Dynamic DNS to publish information about their clients. This setup carries security risks, and its use is not recommended. If Dynamic DNS must be used despite the risks it poses, it is critical that Dynamic DNS transactions be protected using TSIG or some other cryptographic authentication mechanism. See dhcpd.conf(5) for more information about protecting the DHCP server from passing along malicious DNS data from its clients.

Identifiers: CCE-80332-0

Minimize Served Information

Edit /etc/dhcp/dhcpd.conf.
Examine each address range section within the file, and ensure that the following options are not defined unless there is an operational need to provide this information via DHCP:

    option domain-name
    option domain-name-servers
    option nis-domain
    option nis-servers
    option ntp-servers
    option routers
    option time-offset

By default, the Red Hat Enterprise Linux client installation uses DHCP to request much of the above information from the DHCP server. In particular, domain-name, domain-name-servers, and routers are configured via DHCP. These settings are typically necessary for proper network functionality, but are also usually static across systems at a given site.

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: Because the configuration information provided by the DHCP server could be maliciously provided to clients by a rogue DHCP server, the amount of information provided via DHCP should be minimized. Remove these definitions from the DHCP server configuration to ensure that legitimate clients do not unnecessarily rely on DHCP for this information.
Deny Decline Messages

Edit /etc/dhcp/dhcpd.conf and add or correct the following global option to prevent the DHCP server from responding to DHCPDECLINE messages, if possible:

    deny declines;

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: The DHCPDECLINE message can be sent by a DHCP client to indicate that it does not consider the lease offered by the server to be valid. By issuing many DHCPDECLINE messages, a malicious client can exhaust the DHCP server's pool of IP addresses, causing the DHCP server to forget old address allocations.

Identifiers: CCE-80333-8

Disable DHCP Server

The DHCP server dhcpd is not installed or activated by default. If the software was installed and activated, but the system does not need to act as a DHCP server, it should be disabled and removed.

Uninstall DHCP Server Package

If the system does not need to act as a DHCP server, the dhcp package can be uninstalled.
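An audit of a dhcpd.conf against the four server rules above (deny bootp, ddns-update-style none, minimized served options, deny declines), as an added example that is not part of the SCAP Security Guide; the sample configuration is constructed and the one-statement-per-line assumption is noted in the code.

```shell
# Added example (not from the SCAP Security Guide): audit an ISC dhcpd.conf
# for the global statements the guide requires and for the options it says
# should not be served to clients.

# Print one FAIL line per finding in $1; return 0 when fully compliant.
# Assumes one statement per line (the usual layout of dhcpd.conf).
audit_dhcpd_conf() {
    awk '
    { sub(/#.*/, "") }                          # strip comments
    /^[[:space:]]*$/ { next }
    {
        line = $0
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", line)
        if (depth == 0) {                       # global scope only
            if (line ~ /^deny[[:space:]]+bootp[[:space:]]*;/)             bootp = 1
            if (line ~ /^deny[[:space:]]+declines[[:space:]]*;/)          declines = 1
            if (line ~ /^ddns-update-style[[:space:]]+none[[:space:]]*;/) ddns = 1
        }
        if (line ~ /^option[[:space:]]+/) {     # served options, at any depth
            split(line, w, /[[:space:]]+/)
            if (w[2] ~ /^(domain-name|domain-name-servers|nis-domain|nis-servers|ntp-servers|routers|time-offset)$/) {
                printf "FAIL option %s served in %s\n", w[2], (depth == 0 ? "global scope" : "block \"" block "\"")
                fails++
            }
        }
        # Track brace nesting; remember the header of each top-level block.
        opens = gsub(/[{]/, "{", line); closes = gsub(/[}]/, "}", line)
        if (opens > 0 && depth == 0) { block = line; sub(/[[:space:]]*[{].*/, "", block) }
        depth += opens - closes
    }
    END {
        if (!bootp)    { print "FAIL global: deny bootp; missing"; fails++ }
        if (!declines) { print "FAIL global: deny declines; missing"; fails++ }
        if (!ddns)     { print "FAIL global: ddns-update-style none; missing"; fails++ }
        exit (fails ? 1 : 0)
    }' "$1"
}

# Append global statement $2 (without the semicolon) to $1 unless present.
# Appending is global scope as long as the file ends outside any block.
ensure_global_statement() {
    grep -qE "^[[:space:]]*$2[[:space:]]*;" "$1" || printf '%s;\n' "$2" >> "$1"
}

# Constructed sample: two rules satisfied, one missing, two options served.
make_sample_dhcpd_conf() {
    cat > "$1" <<'EOF'
# constructed sample dhcpd.conf for demonstration
default-lease-time 600;
ddns-update-style none;
deny bootp;
option domain-name "example.com";      # served to every client

subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.100 192.168.1.200;
  option subnet-mask 255.255.255.0;    # fine: the address itself and its mask
  option routers 192.168.1.1;          # should be configured statically
}
EOF
}

main() {
    conf=$(mktemp)
    make_sample_dhcpd_conf "$conf"
    audit_dhcpd_conf "$conf" || echo "-> dhcpd.conf needs changes"
    ensure_global_statement "$conf" "deny declines"
    rm -f "$conf"
}
main
```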
The dhcp package can be removed with the following command:

    $ sudo yum erase dhcp

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 CCI-000366 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: Removing the DHCP server ensures that it cannot be easily or accidentally reactivated and disrupt network operation.

Identifiers: CCE-80331-2

Remediation Shell script:

    package_remove dhcp

Remediation Ansible snippet:

    - name: Ensure dhcp is removed
      package:
        name: dhcp
        state: absent
      tags:
      - package_dhcp_removed
      - medium_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80331-2
      - NIST-800-53-CM-7

Remediation Puppet snippet:

    include remove_dhcp
    class remove_dhcp {
      package { 'dhcp':
        ensure => 'purged',
      }
    }

Remediation Anaconda snippet:

    package --remove=dhcp

Disable DHCP Service

The dhcpd service should be disabled on any system that does not need to act as a DHCP server.
The dhcpd service can be disabled with the following command:

    $ sudo systemctl disable dhcpd.service

References: 2.2.5 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 CCI-000366 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: Unmanaged or unintentionally activated DHCP servers may provide faulty information to clients, interfering with the operation of a legitimate site DHCP server if there is one.

Identifiers: CCE-80330-4

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'dhcpd.service'
    "$SYSTEMCTL_EXEC" disable 'dhcpd.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^dhcpd.socket\>' && "$SYSTEMCTL_EXEC" disable 'dhcpd.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'dhcpd.service'

Remediation Ansible snippet:

    - name: Disable service dhcpd
      service:
        name: dhcpd
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
      - service_dhcpd_disabled
      - medium_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80330-4
      - NIST-800-53-CM-7
      when:
      # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service dhcpd if applicable
      service:
        name: dhcpd.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
      - service_dhcpd_disabled
      - medium_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80330-4
      - NIST-800-53-CM-7
      when:
      # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure DHCP Client if Necessary

If DHCP must be used, then certain configuration changes can minimize the amount of information it receives and applies from the network, and thus the amount of incorrect information a rogue DHCP server could successfully distribute. For more information on configuring dhclient, see the dhclient(8) and dhclient.conf(5) man pages.

Minimize the DHCP-Configured Options

Create the file /etc/dhcp/dhclient.conf, and add an appropriate setting for each of the ten configuration settings which can be obtained via DHCP.
For each setting, do one of the following:

If the setting should not be configured remotely by the DHCP server, select an appropriate static value, and add the line:

    supersede setting value;

If the setting should be configured remotely by the DHCP server, add the lines:

    request setting;
    require setting;

For example, suppose the DHCP server should provide only the IP address itself and the subnet mask. Then the entire file should look like:

    supersede domain-name "example.com";
    supersede domain-name-servers 192.168.1.2;
    supersede nis-domain "";
    supersede nis-servers "";
    supersede ntp-servers "ntp.example.com";
    supersede routers 192.168.1.1;
    supersede time-offset -18000;
    request subnet-mask;
    require subnet-mask;

In this example, the options nis-servers and nis-domain are set to empty strings, on the assumption that the deprecated NIS protocol is not in use. It is necessary to supersede settings for unused services so that they cannot be set by a hostile DHCP server. If an option is set to an empty string, dhclient will typically not attempt to configure the service.

Rationale: By default, the DHCP client program, dhclient, requests and applies ten configuration options (in addition to the IP address) from the DHCP server: subnet-mask, broadcast-address, time-offset, routers, domain-name, domain-name-servers, host-name, nis-domain, nis-servers, and ntp-servers. Many of the options requested and applied by dhclient may be the same for every system on a network. It is recommended that almost all configuration options be assigned statically, and only options which must vary on a host-by-host basis be assigned via DHCP. This limits the damage which can be done by a rogue DHCP server. If appropriate for your site, it is also possible to supersede the host-name directive in /etc/dhcp/dhclient.conf, establishing a static hostname for the system. However, dhclient does not use the host name option provided by the DHCP server (instead using the value provided by a reverse DNS lookup).
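A check that every one of the ten dhclient options is either superseded or both requested and required, as an added example that is not part of the SCAP Security Guide. The sample file is the guide's own example above, and the check shows that it leaves broadcast-address and host-name uncovered; the host name value used to close that gap is constructed.

```shell
# Added example (not from the SCAP Security Guide): audit a dhclient.conf so
# that each DHCP-configured option is either superseded with a static value
# or both requested and required.

DHCLIENT_OPTIONS="subnet-mask broadcast-address time-offset routers domain-name domain-name-servers host-name nis-domain nis-servers ntp-servers"

# Print one FAIL line per unhandled option in $1; return 0 when all ten are
# covered. Statements may span lines, and request/require may list several
# comma-separated options. A '#' inside a quoted value would be taken as a
# comment start, which is acceptable for this file format.
audit_dhclient_conf() {
    sed 's/#.*//' "$1" | tr '\n' ' ' | tr ';' '\n' |
    awk -v opts="$DHCLIENT_OPTIONS" '
    BEGIN { n = split(opts, want, " ") }
    {
        gsub(/^[[:space:]]+|[[:space:]]+$/, "")   # trim; this re-splits $1, $2, ...
        if ($0 == "") next
        if ($1 == "supersede") {
            sup[$2] = 1
        } else if ($1 == "request" || $1 == "require") {
            rest = substr($0, length($1) + 1)
            gsub(/[[:space:]]/, "", rest)
            m = split(rest, names, ",")
            for (i = 1; i <= m; i++)
                if (names[i] != "") { if ($1 == "request") req[names[i]] = 1; else rqr[names[i]] = 1 }
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            o = want[i]
            if (o in sup) continue
            if ((o in req) && (o in rqr)) continue
            if (o in req)      printf "FAIL %s is requested but not required\n", o
            else if (o in rqr) printf "FAIL %s is required but not requested\n", o
            else               printf "FAIL %s is neither superseded nor requested and required\n", o
            fails++
        }
        exit (fails ? 1 : 0)
    }'
}

# The guide's example file, written out as the constructed sample.
make_sample_dhclient_conf() {
    cat > "$1" <<'EOF'
# only the address and subnet mask are to come from the DHCP server
supersede domain-name "example.com";
supersede domain-name-servers 192.168.1.2;
supersede nis-domain "";
supersede nis-servers "";
supersede ntp-servers "ntp.example.com";
supersede routers 192.168.1.1;
supersede time-offset -18000;
request subnet-mask;
require subnet-mask;
EOF
}

main() {
    conf=$(mktemp)
    make_sample_dhclient_conf "$conf"
    audit_dhclient_conf "$conf" || echo "-> the guide's example leaves options uncovered"
    # Close the gaps: let the server supply the broadcast address alongside the
    # mask, and pin the host name statically (constructed value).
    printf 'request subnet-mask, broadcast-address;\nrequire subnet-mask, broadcast-address;\nsupersede host-name "client1";\n' >> "$conf"
    audit_dhclient_conf "$conf" && echo "-> all ten options are now covered"
    rm -f "$conf"
}
main
```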
Samba (SMB) Microsoft Windows File Sharing Server

When properly configured, the Samba service allows Linux systems to provide file and print sharing to Microsoft Windows systems. There are two software packages that provide Samba support. The first, samba-client, provides a series of command line tools that enable a client system to access Samba shares. The second, simply labeled samba, provides the Samba service. It is this second package that allows a Linux system to act as an Active Directory server, a domain controller, or as a domain member. Only the samba-client package is installed by default.

Disable Samba if Possible

Even after the Samba server package has been installed, it will remain disabled. Do not enable this service unless it is absolutely necessary to provide Microsoft Windows file and print sharing functionality.

Disable Samba

The smb service can be disabled with the following command:

    $ sudo systemctl disable smb.service

References: 2.2.12 CCI-001436

Rationale: Running a Samba server provides a network-based avenue of attack, and should be disabled if not needed.

Identifiers: CCE-80277-7

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'smb.service'
    "$SYSTEMCTL_EXEC" disable 'smb.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^smb.socket\>' && "$SYSTEMCTL_EXEC" disable 'smb.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'smb.service'

Remediation Ansible snippet:

    - name: Disable service smb
      service:
        name: smb
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
      - service_smb_disabled
      - unknown_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80277-7
      when:
      # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service smb if applicable
      service:
        name: smb.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
      - service_smb_disabled
      - unknown_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80277-7
      when:
      # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Uninstall Samba Package

The samba package can be removed with the following command:

    $ sudo yum erase samba

Rationale: If there is no need to make the Samba software available, removing it provides a safeguard against its activation.

Identifiers: CCE-80278-5

Remediation Shell script:

    package_remove samba

Remediation Ansible snippet:

    - name: Ensure samba is removed
      package:
        name: samba
        state: absent
      tags:
      - package_samba_removed
      - unknown_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80278-5

Remediation Puppet snippet:

    include remove_samba
    class remove_samba {
      package { 'samba':
        ensure => 'purged',
      }
    }

Remediation Anaconda snippet:

    package --remove=samba

Configure Samba if Necessary

All settings for the Samba daemon can be found in /etc/samba/smb.conf. Settings are divided between a [global] configuration section and a series of user created share definition sections meant to describe file or print shares on the system. By default, Samba will operate in user mode and allow client systems to access local home directories and printers.
It is recommended that these settings be changed or that additional limitations be set in place.

Restrict Printer Sharing

By default, Samba utilizes the CUPS printing service to enable printer sharing with Microsoft Windows workstations. If there are no printers on the local system, or if printer sharing with Microsoft Windows is not required, disable the printer sharing capability by commenting out the following lines, found in /etc/samba/smb.conf:

    [global]
    load printers = yes
    cups options = raw

    [printers]
    comment = All Printers
    path = /usr/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes

There may be other options present, but these are the only options enabled and uncommented by default. Removing the [printers] share should be enough for most users. If the Samba printer sharing capability is needed, consider disabling the Samba network browsing capability or restricting access to a particular set of users or network addresses. Set the valid users parameter to a small subset of users or restrict it to a particular group of users with the shorthand @. Separate each user or group of users with a space. For example, under the [printers] share:

    [printers]
    valid users = user @printerusers

Restrict SMB File Sharing to Configured Networks

Only users with local user accounts will be able to log in to Samba shares by default. Shares can be limited to particular users or network addresses. Use the hosts allow and hosts deny directives accordingly, and consider setting the valid users directive to a limited subset of users or to a group of users. Separate each address, user, or user group with a space as follows for a particular share or global:

    [share]
    hosts allow = 192.168.1. 127.0.0.1
    valid users = userone usertwo @usergroup

It is also possible to limit read and write access to particular users with the read list and write list options, though the permissions set by the system itself will override these settings.
Set the read only attribute for each share to ensure that global settings will not accidentally override the individual share settings. Then, as with the valid users directive, separate each user or group of users with a space:

    [share]
    read only = yes
    write list = userone usertwo @usergroup

Install the Samba Common Package

The samba-common package should be installed. The samba-common package can be installed with the following command:

    $ sudo yum install samba-common

Rationale: If the samba-common package is not installed, samba cannot be configured.

Identifiers: CCE-80360-1

Remediation Shell script:

    package_install samba-common

Remediation Ansible snippet:

    - name: Ensure samba-common is installed
      package:
        name: samba-common
        state: present
      tags:
      - package_samba-common_installed
      - medium_severity
      - enable_strategy
      - low_complexity
      - low_disruption
      - CCE-80360-1

Remediation Puppet snippet:

    include install_samba-common
    class install_samba-common {
      package { 'samba-common':
        ensure => 'installed',
      }
    }

Remediation Anaconda snippet:

    package --add=samba-common

Disable Root Access to SMB Shares

Administrators should not use administrator accounts to access Samba file and printer shares. Disable the root user and the wheel administrator group:

    [share]
    invalid users = root @wheel

If administrator accounts cannot be disabled, ensure that local system passwords and Samba service passwords do not match.

Rationale: Typically, administrator access is required when Samba must create user and system accounts and shares. Domain member servers and standalone servers may not need administrator access at all. If that is the case, add the invalid users parameter to [global] instead.

Identifiers: CCE-80279-3

Require Client SMB Packet Signing, if using smbclient

To require samba clients running smbclient to use packet signing, add the following to the [global] section of the Samba configuration file, /etc/samba/smb.conf:

    client signing = mandatory

Rationale: Requiring samba clients such as smbclient to use packet signing ensures they can only communicate with servers that support packet signing.
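An audit of the smb.conf restrictions discussed in this section (hosts allow / valid users per share, root in invalid users, read only shares with a write list, printer sharing, client signing), as an added example that is not part of the SCAP Security Guide; the sample smb.conf and its share names are constructed.

```shell
# Added example (not from the SCAP Security Guide): check share restrictions
# in an smb.conf. Keys are matched the way Samba matches them, ignoring case
# and whitespace, and a share inherits any key it does not set from [global].

# Print FAIL/WARN lines for $1; return 0 when no FAIL was found.
audit_smb_conf() {
    awk '
    function get(sec, key) {              # share value, falling back to [global]
        if ((sec, key) in val) return val[sec, key]
        if (("global", key) in val) return val["global", key]
        return ""
    }
    function has_word(list, w,    i, n, a) {
        n = split(list, a, /[[:space:],]+/)
        for (i = 1; i <= n; i++) if (a[i] == w) return 1
        return 0
    }
    /^[[:space:]]*[#;]/ { next }          # comment lines
    /^[[:space:]]*$/   { next }
    /^[[:space:]]*\[/  {                  # section header
        sec = $0; gsub(/^[[:space:]]*\[|\].*$/, "", sec); sec = tolower(sec)
        secs[++nsec] = sec; next
    }
    /=/ {
        key = $0; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key); key = tolower(key)
        v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
        val[sec, key] = v
    }
    END {
        if (tolower(get("global", "clientsigning")) != "mandatory") {
            print "FAIL [global] client signing is not mandatory"; fails++
        }
        for (i = 1; i <= nsec; i++) {
            s = secs[i]
            if (s == "global") continue
            if (s == "printers" && tolower(get("global", "loadprinters")) != "no")
                print "WARN [printers] printer sharing is enabled; remove the share if not needed"
            if (get(s, "hostsallow") == "" && get(s, "validusers") == "") {
                print "FAIL [" s "] no hosts allow or valid users restriction"; fails++
            }
            if (!has_word(get(s, "invalidusers"), "root")) {
                print "FAIL [" s "] root is not listed in invalid users"; fails++
            }
            ro = tolower(get(s, "readonly")); wr = tolower(get(s, "writable")); we = tolower(get(s, "writeable"))
            if ((ro == "no" || wr == "yes" || we == "yes") && get(s, "writelist") == "")
                print "WARN [" s "] writable by all valid users; set read only = yes and a write list"
        }
        exit (fails ? 1 : 0)
    }' "$1"
}

# Constructed sample: one compliant share, one open share, default printers.
make_sample_smb_conf() {
    cat > "$1" <<'EOF'
# constructed sample smb.conf for demonstration
[global]
   workgroup = EXAMPLE
   client signing = mandatory
   invalid users = root @wheel

[printers]
   comment = All Printers
   path = /var/spool/samba
   printable = yes

[projects]
   path = /srv/projects
   hosts allow = 192.168.1. 127.0.0.1
   valid users = userone usertwo @usergroup
   read only = yes
   write list = userone

[scratch]
   path = /srv/scratch
   writable = yes
   invalid users =
EOF
}

main() {
    conf=$(mktemp)
    make_sample_smb_conf "$conf"
    audit_smb_conf "$conf" || echo "-> smb.conf needs changes"
    rm -f "$conf"
}
main
```

An empty share-level "invalid users =" overrides the [global] value, which is why [scratch] loses the root exclusion in the sample.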
Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.

Identifiers: CCE-80280-1

Remediation Shell script:

    ######################################################################
    #By Luke "Brisk-OH" Brisk
    #luke.brisk@boeing.com or luke.brisk@gmail.com
    ######################################################################

    CLIENTSIGNING=$( grep -ic 'client signing' /etc/samba/smb.conf )

    if [ "$CLIENTSIGNING" -eq 0 ]; then
        # Add to global section
        sed -i 's/\[global\]/\[global\]\n\n\tclient signing = mandatory/g' /etc/samba/smb.conf
    else
        # Only an explicit "client signing = no" is rewritten here
        sed -i 's/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/ client signing = mandatory/g' /etc/samba/smb.conf
    fi

Remediation Ansible snippet:

    - name: Check if /etc/samba/smb.conf exists
      stat:
        path: /etc/samba/smb.conf
      register: st_smb
      tags:
      - require_smb_client_signing
      - unknown_severity
      - configure_strategy
      - low_complexity
      - medium_disruption
      - CCE-80280-1

    - name: Require Client SMB Packet Signing, if using smbclient
      lineinfile:
        dest: /etc/samba/smb.conf
        line: client signing = mandatory
        state: present
        insertafter: '[global]'
      when: st_smb.stat.exists and True
      tags:
      - require_smb_client_signing
      - unknown_severity
      - configure_strategy
      - low_complexity
      - medium_disruption
      - CCE-80280-1

Require Client SMB Packet Signing, if using mount.cifs

Require packet signing of clients who mount Samba shares using the mount.cifs program (e.g., those who specify shares in /etc/fstab). To do so, ensure signing options (either sec=krb5i or sec=ntlmv2i) are used. See the mount.cifs(8) man page for more information.

Rationale: A Samba client should only communicate with servers who can support SMB packet signing. Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.

Identifiers: CCE-80281-9

Web Server

The web server is responsible for providing access to content via the HTTP protocol.
Web servers represent a significant security risk because:

- The HTTP port is commonly probed by malicious sources
- Web server software is very complex, and includes a long history of vulnerabilities
- The HTTP protocol is unencrypted and vulnerable to passive monitoring

The system's default web server software is Apache 2 and is provided in the RPM package httpd.

Install Apache if Necessary

If httpd was not installed and activated, but the system needs to act as a web server, then it should be installed on the system. Follow these guidelines to install it defensively. The httpd package can be installed with the following command:

    $ sudo yum install httpd

This method of installation is recommended over installing the "Web Server" package group during the system installation process. The Web Server package group includes many packages which are likely extraneous, while the command-line method installs only the required httpd package itself.

Confirm Minimal Built-in Modules Installed

The default httpd installation minimizes the number of modules that are compiled directly into the binary (core prefork http_core mod_so). This minimizes risk by limiting the capabilities allowed by the web server. Query the set of compiled-in modules using the following command:

    $ httpd -l

If the number of compiled-in modules is significantly larger than the aforementioned set, this guide recommends re-installing httpd with a reduced configuration.

Rationale: Minimizing the number of modules that are compiled into the httpd binary reduces risk by limiting the capabilities allowed by the webserver.

Disable Apache if Possible

If Apache was installed and activated, but the system does not need to act as a web server, then it should be disabled and removed from the system.
Disable httpd Service

The httpd service can be disabled with the following command:

    $ sudo systemctl disable httpd.service

References: 2.2.10 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: Running web server software provides a network-based avenue of attack, and should be disabled if not needed.

Identifiers: CCE-80300-7

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'httpd.service'
    "$SYSTEMCTL_EXEC" disable 'httpd.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^httpd.socket\>' && "$SYSTEMCTL_EXEC" disable 'httpd.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'httpd.service'

Remediation Ansible snippet:

    - name: Disable service httpd
      service:
        name: httpd
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
      - service_httpd_disabled
      - unknown_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80300-7
      - NIST-800-53-CM-7
      when:
      # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service httpd if applicable
      service:
        name: httpd.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
      - service_httpd_disabled
      - unknown_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80300-7
      - NIST-800-53-CM-7
      when:
      # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Uninstall httpd Package

The httpd package can be removed with the following command:

    $ sudo yum erase httpd

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: If there is no need to make the web server software available, removing it provides a safeguard against its activation.
Identifiers: CCE-80301-5

Remediation Shell script:

    package_remove httpd

Remediation Ansible snippet:

    - name: Ensure httpd is removed
      package:
        name: httpd
        state: absent
      tags:
      - package_httpd_removed
      - unknown_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80301-5
      - NIST-800-53-CM-7

Remediation Puppet snippet:

    include remove_httpd
    class remove_httpd {
      package { 'httpd':
        ensure => 'purged',
      }
    }

Remediation Anaconda snippet:

    package --remove=httpd

Secure Apache Configuration

The httpd configuration file is /etc/httpd/conf/httpd.conf. Apply the recommendations in the remainder of this section to this file.

Maximum KeepAlive Requests for HTTPD

The setting for MaxKeepAliveRequests in httpd.conf. Selectable values: 100000 10000 100 100 1000 500

HTTPD Log Level

The setting for LogLevel in /etc/httpd/conf/httpd.conf. Selectable values: warn crit emerg error warn alert

Restrict Web Server Information Leakage

The ServerTokens and ServerSignature directives determine how much information the web server discloses about the configuration of the system.

Set httpd ServerTokens Directive to Prod

ServerTokens Prod restricts information in page headers, returning only the word "Apache." Add or correct the following directive in /etc/httpd/conf/httpd.conf:

    ServerTokens Prod

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: Information disclosed to clients about the configuration of the web server and system could be used to plan an attack on the given system. This information disclosure should be restricted to a minimum.
Identifiers: CCE-80302-3

Set httpd ServerSignature Directive to Off

ServerSignature Off restricts httpd from displaying server version number on error pages. Add or correct the following directive in /etc/httpd/conf/httpd.conf:

    ServerSignature Off

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: Information disclosed to clients about the configuration of the web server and system could be used to plan an attack on the given system. This information disclosure should be restricted to a minimum.

Identifiers: CCE-80303-1

Configure Operating System to Protect Web Server

The following configuration steps should be taken on the system which hosts the web server, in order to provide as safe an environment as possible for the web server.

Run httpd in a chroot Jail if Practical

Running httpd inside a chroot jail is designed to isolate the web server process to a small section of the filesystem, limiting the damage if it is compromised. Versions of Apache greater than 2.2.10 (such as the one included with Red Hat Enterprise Linux 7) provide the ChrootDir directive. To run Apache inside a chroot jail in /chroot/apache, add the following line to /etc/httpd/conf/httpd.conf:

    ChrootDir /chroot/apache

This necessitates placing all files required by httpd inside /chroot/apache, including httpd's binaries, modules, configuration files, and served web pages. The details of this configuration are beyond the scope of this guide. This may also require additional SELinux configuration.
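Two checks for the Apache rules in this section, as an added example that is not part of the SCAP Security Guide: a comparison of "httpd -l" output against the minimal compiled-in module set named under "Confirm Minimal Built-in Modules Installed", and an audit of the ServerTokens, ServerSignature, LogLevel and MaxKeepAliveRequests directives with a helper that corrects one directive. The sample httpd.conf and the sample "httpd -l" output are constructed; the expected LogLevel and MaxKeepAliveRequests values are parameters because the guide leaves that choice to the profile.

```shell
# Added example (not from the SCAP Security Guide): audit and correct the
# httpd directives discussed above, and spot extra compiled-in modules.

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Read "httpd -l" output on stdin; print compiled-in modules beyond the
# minimal set the guide names (core prefork http_core mod_so).
extra_compiled_modules() {
    awk 'BEGIN { n = split("core prefork http_core mod_so", b, " "); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
         /\.c[[:space:]]*$/ { m = $1; sub(/\.c$/, "", m); if (!(m in ok)) print m }'
}

# Effective value of directive $2 in $1: the last uncommented occurrence,
# matched case-insensitively as Apache does. Prints nothing when unset.
httpd_directive() {
    awk -v want="$(lc "$2")" '
        /^[[:space:]]*#/ { next }
        tolower($1) == want { v = $2; for (i = 3; i <= NF; i++) v = v " " $i }
        END { print v }' "$1"
}

# Replace every uncommented "$2 ..." line in $1 with "$2 $3", or append it.
set_httpd_directive() {
    awk -v want="$(lc "$2")" -v line="$2 $3" '
        /^[[:space:]]*#/ { print; next }
        tolower($1) == want { if (!done) { print line; done = 1 }; next }
        { print }
        END { if (!done) print line }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print one FAIL line per non-compliant directive in $1; return 0 if all pass.
# $2 is the expected LogLevel (default warn), $3 the expected
# MaxKeepAliveRequests (default 100).
audit_httpd_conf() {
    conf="$1"; want_loglevel="${2:-warn}"; want_mka="${3:-100}"
    fails=0
    v=$(httpd_directive "$conf" ServerTokens)
    [ "$(lc "$v")" = prod ] || { echo "FAIL ServerTokens is '${v:-unset}', expected Prod"; fails=$((fails + 1)); }
    # Apache's built-in default is Off, but the rule wants the directive explicit.
    v=$(httpd_directive "$conf" ServerSignature)
    [ "$(lc "$v")" = off ] || { echo "FAIL ServerSignature is '${v:-unset}', expected Off"; fails=$((fails + 1)); }
    v=$(httpd_directive "$conf" LogLevel)
    [ "$(lc "$v")" = "$(lc "$want_loglevel")" ] || { echo "FAIL LogLevel is '${v:-unset}', expected $want_loglevel"; fails=$((fails + 1)); }
    v=$(httpd_directive "$conf" MaxKeepAliveRequests)
    [ "$v" = "$want_mka" ] || { echo "FAIL MaxKeepAliveRequests is '${v:-unset}', expected $want_mka"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ]
}

# Constructed "httpd -l" output with one module beyond the minimal set.
SAMPLE_HTTPD_L='Compiled in modules:
  core.c
  mod_so.c
  http_core.c
  prefork.c
  mod_ssl.c'

# Constructed sample httpd.conf: the compliant ServerTokens line is only a
# comment, and ServerSignature is not set at all.
make_sample_httpd_conf() {
    cat > "$1" <<'EOF'
ServerRoot "/etc/httpd"
Listen 80
#ServerTokens Prod
ServerTokens OS
LogLevel warn
MaxKeepAliveRequests 100
EOF
}

main() {
    echo "Compiled-in modules beyond the minimal set:"
    printf '%s\n' "$SAMPLE_HTTPD_L" | extra_compiled_modules
    conf=$(mktemp)
    make_sample_httpd_conf "$conf"
    audit_httpd_conf "$conf" || echo "-> httpd.conf needs changes"
    set_httpd_directive "$conf" ServerTokens Prod
    set_httpd_directive "$conf" ServerSignature Off
    audit_httpd_conf "$conf" && echo "-> httpd.conf now passes"
    rm -f "$conf"
}
main
```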
Restrict File and Directory Access

Minimize access to critical httpd files and directories.

HTTPD Log Files Must Be Owned By Root

All httpd logs must be owned by root user and group. By default, the path for httpd logs is /var/log/httpd/. To properly set the owner of /var/log/httpd, run the command:

    $ sudo chown root /var/log/httpd

To properly set the owner of /var/log/httpd/*, run the command:

    $ sudo chown root /var/log/httpd/*

References: RHEL-07-WG255

Rationale: The access and error logs are a major tool for exploring web site use, attempted use, unusual conditions, and problems. In the event of a security incident, these logs can provide the SA and the web administrator with valuable information. Because of the information that is captured in the logs, it is critical that only authorized individuals have access to the logs.

Identifiers: CCE-80562-2

Set Permissions on the /var/log/httpd/ Directory

Ensure that the permissions on the web server log directory are set to 700:

    $ sudo chmod 700 /var/log/httpd/

This is its default setting.

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: The access and error logs are a major tool for exploring web site use, attempted use, unusual conditions, and problems. In the event of a security incident, these logs can provide the SA and the web manager with valuable information.
To ensure the integrity of the log files and protect the SA and the web manager from a conflict of interest related to the maintenance of these files, only the members of the Auditors group will be granted permissions to move, copy, and delete these files in the course of their duties related to the archiving of these files.
CCE-80322-1

Set Permissions on All Configuration Files Inside /etc/httpd/conf.modules.d/
To properly set the permissions of /etc/httpd/conf.modules.d/*, run the command:
$ sudo chmod 0640 /etc/httpd/conf.modules.d/*
References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3
Access to the web server's configuration files may allow an unauthorized user or attacker to access information about the web server or to alter the server's configuration files.
CCE-80382-5

Set Permissions on the /etc/httpd/conf/ Directory
To properly set the permissions of /etc/httpd/conf, run the command:
$ sudo chmod 0750 /etc/httpd/conf
Access to the web server's configuration files may allow an unauthorized user or attacker to access information about the web server or alter the server's configuration files.
CCE-80323-9

Set Permissions on All Configuration Files Inside /etc/httpd/conf.d/
To properly set the permissions of /etc/httpd/conf.d/*, run the command:
$ sudo chmod 0640 /etc/httpd/conf.d/*
References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3
Access to the web server's configuration files may allow an unauthorized user or attacker to access information about the web server or to alter the server's configuration files.
CCE-80381-7
Remediation shell script:
find /etc/httpd/conf.d -regex '^/etc/httpd/conf.d/.*$' -exec chmod 0640 {} \;
Remediation Ansible snippet:
- name: Find /etc/httpd/conf.d file(s)
  find:
    paths: "/etc/httpd/conf.d"
    patterns: "^.*$"
    use_regex: yes
  register: files_found
  tags:
    - file_permissions_httpd_server_conf_d_files
    - unknown_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-80381-7
    - NIST-800-53-CM-7
- name: Set permissions for /etc/httpd/conf.d file(s)
  file:
    path: "{{ item.path }}"
    mode: 0640
  with_items:
    - "{{ files_found.files }}"
  tags:
    - file_permissions_httpd_server_conf_d_files
    - unknown_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-80381-7
    - NIST-800-53-CM-7

Set Permissions on All Configuration Files Inside /etc/httpd/conf/
To properly set the permissions of /etc/httpd/conf/*, run the command:
$ sudo chmod 0640 /etc/httpd/conf/*
References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3
Access to the web server's configuration files may allow an unauthorized user or attacker to access information about the web server or to alter the server's configuration files.
CCE-80324-7
Remediation shell script:
find /etc/httpd/conf -regex '^/etc/httpd/conf/.*$' -exec chmod 0640 {} \;
Remediation Ansible snippet:
- name: Find /etc/httpd/conf file(s)
  find:
    paths: "/etc/httpd/conf"
    patterns: "^.*$"
    use_regex: yes
  register: files_found
  tags:
    - file_permissions_httpd_server_conf_files
    - unknown_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-80324-7
    - NIST-800-53-CM-7
- name: Set permissions for /etc/httpd/conf file(s)
  file:
    path: "{{ item.path }}"
    mode: 0640
  with_items:
    - "{{ files_found.files }}"
  tags:
    - file_permissions_httpd_server_conf_files
    - unknown_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-80324-7
    - NIST-800-53-CM-7

Ensure Remote Administrative Access Is Encrypted
Ensure that the SSH server service is enabled. The sshd service can be enabled with the following command:
$ sudo systemctl enable sshd.service
RHEL-07-WG230
Logging into a web server remotely using an unencrypted protocol or service when performing updates and maintenance is a major risk. Data, such as user account information, is transmitted in plaintext and can easily be compromised. When performing remote administrative tasks, a protocol or service that encrypts the communication channel must be used. An alternative to remote administration of the web server is to perform web server administration locally at the console. Local administration at the console implies physical access to the server.
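The log-directory and configuration-path rules above (0700 on /var/log/httpd, 0750 on /etc/httpd/conf, 0640 on the files inside conf/, conf.d/ and conf.modules.d/) can be checked and fixed in one pass. This is an added example, not code from the SCAP Security Guide: the mode table, the staging-root argument, the symlink handling and the constructed sample tree are this example's own choices.

```python
"""Audit and fix httpd file and directory modes against the guide's targets.

Added example, not part of the SCAP Security Guide.  EXPECTED_MODES encodes
the guide's values; paths are resolved under a caller-supplied root so the
same checks run against a staging copy of the tree.  On a live system pass
root="/" and required_uid=0 (the guide requires root ownership of the logs).
"""
import os
import stat
import tempfile

# Maximum permitted mode per path, relative to the audited root.
# A key ending in "/*" applies to every entry inside that directory.
EXPECTED_MODES = {
    "var/log/httpd": 0o700,
    "etc/httpd/conf": 0o750,
    "etc/httpd/conf/*": 0o640,
    "etc/httpd/conf.d/*": 0o640,
    "etc/httpd/conf.modules.d/*": 0o640,
}


def _targets(root, rel):
    """Yield the relative paths an EXPECTED_MODES key refers to."""
    if not rel.endswith("/*"):
        yield rel
        return
    rel_dir = rel[:-2]
    full_dir = os.path.join(root, rel_dir)
    if os.path.isdir(full_dir):          # absent directory: nothing inside to check
        for name in sorted(os.listdir(full_dir)):
            yield os.path.join(rel_dir, name)


def excess_bits(actual_mode, allowed_mode):
    """Permission bits present in actual_mode that allowed_mode does not grant."""
    return stat.S_IMODE(actual_mode) & ~allowed_mode


def audit_tree(root, expected=EXPECTED_MODES, required_uid=None):
    """Return a list of (relative_path, problem) tuples; empty means compliant.

    Modes are compared as a superset test, so 0600 on a 0640 file passes while
    0644 is reported.  Symlinks are reported rather than followed.
    """
    findings = []
    for rel, allowed in sorted(expected.items()):
        for target in _targets(root, rel):
            full = os.path.join(root, target)
            try:
                st = os.lstat(full)
            except OSError:
                findings.append((target, "missing"))
                continue
            if stat.S_ISLNK(st.st_mode):
                findings.append((target, "is a symlink"))
                continue
            extra = excess_bits(st.st_mode, allowed)
            if extra:
                findings.append((target, "mode %o exceeds %o (extra bits %o)"
                                 % (stat.S_IMODE(st.st_mode), allowed, extra)))
            if required_uid is not None and st.st_uid != required_uid:
                findings.append((target, "owner uid %d, expected %d"
                                 % (st.st_uid, required_uid)))
    return findings


def remediate(root, expected=EXPECTED_MODES):
    """Apply the guide's chmod values exactly; returns the paths that changed."""
    changed = []
    for rel, mode in sorted(expected.items()):
        for target in _targets(root, rel):
            full = os.path.join(root, target)
            if not os.path.lexists(full) or os.path.islink(full):
                continue
            if stat.S_IMODE(os.lstat(full).st_mode) != mode:
                os.chmod(full, mode)
                changed.append(target)
    return changed


def build_sample_tree():
    """Constructed scratch tree with two deliberate faults: a world-readable
    log directory and a group/world-readable httpd.conf."""
    root = tempfile.mkdtemp(prefix="httpd-audit-")
    for rel in ("var/log/httpd", "etc/httpd/conf", "etc/httpd/conf.d",
                "etc/httpd/conf.modules.d"):
        os.makedirs(os.path.join(root, rel))
    os.chmod(os.path.join(root, "var/log/httpd"), 0o755)   # fault: guide wants 0700
    os.chmod(os.path.join(root, "etc/httpd/conf"), 0o750)
    for rel, mode in (("etc/httpd/conf/httpd.conf", 0o644),  # fault: guide wants 0640
                      ("etc/httpd/conf.d/ssl.conf", 0o640)):
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for path, problem in audit_tree(sample):
        print("%s: %s" % (path, problem))
    print("fixed:", remediate(sample))
    print("after fix:", audit_tree(sample))
```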
Scan All Uploaded Content for Malicious Software
Install anti-virus software on the system and set it to automatically scan new files that are introduced to the web server.
RHEL-07-WG237
Remote web authors should not be able to upload files to the Document Root directory structure without virus checking and checking for malicious or mobile code. A remote web user, whose agency has a Memorandum of Agreement (MOA) with the hosting agency and has submitted a DoD form 2875 (System Authorization Access Request (SAAR)) or an equivalent document, will be allowed to post files to a temporary location on the server. All posted files to this temporary location will be scanned for viruses and content checked for malicious or mobile code. Only files free of viruses and malicious or mobile code will be posted to the appropriate DocumentRoot directory.
CCE-80561-4

Configure firewall to Allow Access to the Web Server
By default, firewalld blocks access to the ports used by the web server. To configure firewalld to allow access, run the following command(s):
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
RHEL-07-WG610
Failure to comply with DoD ports, protocols, and services (PPS) requirements can result in compromise of enclave boundary protections and/or functionality of the AIS.

Use Denial-of-Service Protection Modules
Denial-of-service attacks are difficult to detect and prevent while maintaining acceptable access to authorized users. However, some traffic-shaping modules can be used to address the problem. Well-known DoS protection modules include:
mod_cband
mod_bwshare
mod_limitipconn
mod_evasive
Denial-of-service prevention should be implemented for a web server if such a threat exists. However, specific configuration details are very dependent on the environment and often best left at the discretion of the administrator.

Use Appropriate Modules to Improve httpd's Security
Among the modules available for httpd are several whose use may improve the security of the web server installation. This section recommends and discusses the deployment of security-relevant modules.

Deploy mod_security
The security module provides an application level firewall for httpd. Following its installation with the base ruleset, specific configuration advice can be found at http://www.modsecurity.org/ to design a policy that best matches the security needs of the web applications. Usage of mod_security is highly recommended for some environments, but it should be noted this module does not ship with Red Hat Enterprise Linux itself, and instead is provided via Extra Packages for Enterprise Linux (EPEL). For more information on EPEL please refer to http://fedoraproject.org/wiki/EPEL.

Install mod_security
Install the security module. The mod_security package can be installed with the following command:
$ sudo yum install mod_security
mod_security provides an additional level of protection for the web server by enabling the administrator to implement content access policies and filters at the application layer.
CCE-80321-3

Deploy mod_ssl
Because HTTP is a plain text protocol, all traffic is susceptible to passive monitoring. If there is a need for confidentiality, SSL should be configured and enabled to encrypt content. Note: mod_nss is a FIPS 140-2 certified alternative to mod_ssl. The modules share a considerable amount of code and should be nearly identical in functionality. If FIPS 140-2 validation is required, then mod_nss should be used. If it provides some feature or its greater compatibility is required, then mod_ssl should be used.
Enable Transport Layer Security (TLS) Encryption
Disable old SSL and TLS versions and enable the latest TLS encryption by setting the following in /etc/httpd/conf.modules.d/ssl.conf:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
Make sure to also set SSLEngine to on in /etc/httpd/conf.modules.d/ssl.conf, like the following:
SSLEngine on
RHEL-07-WG340
Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A web server must use a FIPS 140-2 approved TLS version, and all non-FIPS-approved SSL versions must be disabled.
CCE-80557-2

Require Client Certificates
SSLVerifyClient should be set and configured to require by setting the following in /etc/httpd/conf/httpd.conf:
SSLVerifyClient require
RHEL-07-WG140
Web sites requiring authentication within the DoD must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity must use the identity provided by certificate-based authentication to support access control decisions.
CCE-80558-0

Configure A Valid Server Certificate
Configure the web site to use a valid organizationally defined certificate. For DoD, this is a DoD server certificate issued by the DoD CA.
RHEL-07-WG350
This check verifies that DoD is a hosted web site's CA. The certificate is actually a DoD-issued server certificate used by the organization being reviewed. This is used to verify the authenticity of the web site to the user. If the certificate is not for the server (Certificate belongs to), if the certificate is not issued by DoD (Certificate was issued by), or if the current date is not included in the valid date range (Certificate is valid from), then there is no assurance that the use of the certificate is valid. The entire purpose of using a certificate is, therefore, compromised.
CCE-80559-8

Install mod_ssl
Install the mod_ssl module. The mod_ssl package can be installed with the following command:
$ sudo yum install mod_ssl
mod_ssl provides encryption capabilities for the httpd Web server. Unencrypted content is transmitted in plain text which could be passively monitored and accessed by unauthorized parties.
CCE-80320-5

Directory Restrictions
The Directory tags in the web server configuration file allow finer grained access control for a specified directory. All web directories should be configured on a case-by-case basis, allowing access only where needed.

Restrict Web Directory
The default configuration for the web (/var/www/html) Directory allows directory indexing (Indexes) and the following of symbolic links (FollowSymLinks). Neither of these is recommended. The /var/www/html directory hierarchy should not be viewable via the web, and symlinks should only be followed if the owner of the symlink also owns the linked file. Ensure that this policy is adhered to by altering the related section of the configuration:
<Directory "/var/www/html">
    # ...
    Options SymLinksIfOwnerMatch
    # ...
</Directory>
Access to the web server's directory hierarchy could allow access to unauthorized files by web clients. Following symbolic links could also allow such access.
CCE-80317-1

Restrict Other Critical Directories
All accessible web directories should be configured with similarly restrictive settings. The Options directive should be limited to necessary functionality and the AllowOverride directive should be used only if needed. The Order and Deny access control tags should be used to deny access by default, allowing access only where necessary. Directories accessible from a web client should be configured with the least amount of access possible in order to avoid unauthorized access to restricted content or server information.
CCE-80318-9

Restrict Root Directory
The httpd root directory should always have the most restrictive configuration enabled.
<Directory />
    Options None
    AllowOverride None
    Order allow,deny
</Directory>
The Web Server's root directory content should be protected from unauthorized access by web clients.
CCE-80316-3

Ignore HTTPD .htaccess Files
Set AllowOverride to None for each instance of <Directory>.
RHEL-07-WG400
CGI scripts represent one of the most common and exploitable means of compromising a web server. By definition, CGI programs are executable by the operating system of the host server. While access control is provided via the web service, the execution of CGI programs is not otherwise limited unless the SA or Web Manager takes specific measures. CGI programs can access and alter data files, launch other programs and use the network. CGI programs can be written in any available programming language. C, PERL, PHP, Javascript, VBScript and shell (sh, ksh, bash) are popular choices.
CCE-80554-9

Disable Anonymous FTP Access
If any directories that contain dynamic scripts can be accessed via FTP by any group or user that does not require access, remove permissions to such directories that allow anonymous access. Also, ensure that any such access employs an encrypted connection.
RHEL-07-WG430
The directories containing the CGI scripts, such as PERL, must not be accessible to anonymous users via FTP. This applies to all directories that contain scripts that can dynamically produce web pages in an interactive manner (i.e., scripts based upon user-provided input). Such scripts contain information that could be used to compromise a web service, access system resources, or deface a web site.
CCE-80553-1

Remove Write Permissions From Filesystem Paths And Server Scripts
Configure permissions for each instance of Alias, ScriptAlias, and ScriptAliasMatch that exist:
$ sudo find DIR -type d -exec chmod 755 {} \;
$ sudo find DIR -type f -exec chmod 555 {} \;
Where DIR matches the paths from Alias, ScriptAlias, and ScriptAliasMatch.
RHEL-07-WG290
Excessive permissions for the anonymous web user account are one of the most common faults contributing to the compromise of a web server. If this user is able to upload and execute files on the web server, the organization or owner of the server will no longer have control of the asset.
CCE-80556-4

Limit Available Methods
Web server methods are defined in section 9 of RFC 2616 (http://www.ietf.org/rfc/rfc2616.txt). If a web server does not require the implementation of all available methods, they should be disabled. Note: GET and POST are the most common methods. A majority of the others are limited to the WebDAV protocol.
<Directory /var/www/html>
    # ...
    # Only allow specific methods (this directive is case-sensitive!)
    <LimitExcept GET POST>
        Order allow,deny
    </LimitExcept>
    # ...
</Directory>
Minimizing the number of available methods to the web client reduces risk by limiting the capabilities allowed by the web server.
CCE-80319-7

Web Content Directories Must Not Be Shared Anonymously
Web content directories should not be shared anonymously over remote filesystems such as nfs and smb. Remove the shares from the applicable directories.
RHEL-07-WG210
Sharing web content is a security risk when a web server is involved. Users accessing the share anonymously could experience privileged access to the content of such directories. Network sharable directories expose those directories and their contents to unnecessary access. Any unnecessary exposure increases the risk that someone could exploit that access and either compromise the web content or cause web server performance problems.
CCE-80555-6

Configure PHP Securely
PHP is a widely-used and often misconfigured server-side scripting language. It should be used with caution, but configured appropriately when needed.
Review /etc/php.ini and make the following changes if possible:
# Do not expose PHP error messages to external users
display_errors = Off
# Enable safe mode
safe_mode = On
# Only allow access to executables in isolated directory
safe_mode_exec_dir = php-required-executables-path
# Limit external access to PHP environment
safe_mode_allowed_env_vars = PHP_
# Restrict PHP information leakage
expose_php = Off
# Log all errors
log_errors = On
# Do not register globals for input data
register_globals = Off
# Minimize allowable PHP post size
post_max_size = 1K
# Ensure PHP redirects appropriately
cgi.force_redirect = 0
# Disallow uploading unless necessary
file_uploads = Off
# Disallow treatment of file requests as fopen calls
allow_url_fopen = Off
# Enable SQL safe mode
sql.safe_mode = On

Minimize Web Server Loadable Modules
A default installation of httpd includes a plethora of dynamically shared objects (DSO) that are loaded at run-time. Unlike the aforementioned compiled-in modules, a DSO can be disabled in the configuration file by removing the corresponding LoadModule directive. Note: A DSO only provides additional functionality if associated directives are included in the httpd configuration file. It should also be noted that removing a DSO will produce errors on httpd startup if the configuration file contains directives that apply to that module. Refer to http://httpd.apache.org/docs/ for details on which directives are associated with each DSO. Following each DSO removal, the configuration can be tested with the following command to check if everything still works:
$ sudo service httpd configtest
The purpose of each of the modules loaded by default will now be addressed one at a time. If none of a module's directives are being used, remove it.

httpd Core Modules
These modules comprise a basic subset of modules that are likely needed for base httpd functionality; ensure they are not commented out in /etc/httpd/conf/httpd.conf:
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so
Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

Minimize Modules for HTTP Basic Authentication
The following modules are necessary if this web server will provide content that will be restricted by a password. Authentication can be performed using local plain text password files (authn_file), local DBM password files (authn_dbm) or an LDAP directory. The only module required by the web server depends on your choice of authentication. Comment out the modules you don't need from the following:
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
authn_alias allows for authentication based on aliases. authn_anon allows anonymous authentication similar to that of anonymous ftp sites. authz_owner allows authorization based on file ownership. authz_dbm allows for authorization based on group membership if the web server is using DBM authentication. If the above functionality is unnecessary, comment out the related module:
#LoadModule authn_alias_module modules/mod_authn_alias.so
#LoadModule authn_anon_module modules/mod_authn_anon.so
#LoadModule authz_owner_module modules/mod_authz_owner.so
#LoadModule authz_dbm_module modules/mod_authz_dbm.so

Minimize Configuration Files Included
The Include directive directs httpd to load supplementary configuration files from a provided path. The default configuration loads all files that end in .conf from the /etc/httpd/conf.d directory. To restrict excess configuration, the following line should be commented out and replaced with Include directives that only reference required configuration files:
#Include conf.d/*.conf
If the above change was made, ensure that the SSL encryption remains loaded by explicitly including the corresponding configuration file:
Include conf.d/ssl.conf
If PHP is necessary, a similar alteration must be made:
Include conf.d/php.conf
Explicitly listing the configuration files to be loaded during web server start-up avoids the possibility of unwanted or malicious configuration files being automatically included as part of the server's running configuration.

Minimize Various Optional Components
The following modules perform very specific tasks, sometimes providing access to just a few additional directives.
If such functionality is not required (or if you are not using these directives), comment out the associated module:
External filtering (response passed through external program prior to client delivery):
#LoadModule ext_filter_module modules/mod_ext_filter.so
User-specified Cache Control and Expiration:
#LoadModule expires_module modules/mod_expires.so
Compression Output Filter (provides content compression prior to client delivery):
#LoadModule deflate_module modules/mod_deflate.so
HTTP Response/Request Header Customization:
#LoadModule headers_module modules/mod_headers.so
User activity monitoring via cookies:
#LoadModule usertrack_module modules/mod_usertrack.so
Dynamically configured mass virtual hosting:
#LoadModule vhost_alias_module modules/mod_vhost_alias.so
Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

Disable LDAP Support
The ldap module provides HTTP authentication via an LDAP directory. If its functionality is unnecessary, comment out the related modules:
#LoadModule ldap_module modules/mod_ldap.so
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
If LDAP is to be used, SSL encryption should be used as well. Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.
CCE-80306-4

Disable CGI Support
The cgi module allows HTML to interact with the CGI web programming language. If this functionality is unnecessary, comment out the module:
#LoadModule cgi_module modules/mod_cgi.so
If the web server requires the use of CGI, enable mod_cgi. Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.
CCE-80315-5

Disable URL Correction on Misspelled Entries
The speling module attempts to find a document match by allowing one misspelling in an otherwise failed request. If this functionality is unnecessary, comment out the module:
#LoadModule speling_module modules/mod_speling.so
This functionality weakens server security by making site enumeration easier. Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.
CCE-80312-2

Disable Server Activity Status
The status module provides real-time access to statistics on the internal operation of the web server. This may constitute an unnecessary information leak and should be disabled unless necessary. To do so, comment out the related module:
#LoadModule status_module modules/mod_status.so
If there is a critical need for this module, ensure that access to the status page is properly restricted to a limited set of hosts in the status handler configuration. Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.
CCE-80310-6

Disable HTTP Digest Authentication
The auth_digest module provides encrypted authentication sessions. If this functionality is unnecessary, comment out the related module:
#LoadModule auth_digest_module modules/mod_auth_digest.so
Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.
CCE-80304-9

Disable MIME Magic
The mime_magic module provides a second layer of MIME support that in most configurations is likely extraneous. If its functionality is unnecessary, comment out the related module:
#LoadModule mime_magic_module modules/mod_mime_magic.so
Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.
CCE-80308-0

Disable Web Server Configuration Display
The info module creates a web page illustrating the configuration of the web server. This can create an unnecessary security leak and should be disabled. If its functionality is unnecessary, comment out the module:
#LoadModule info_module modules/mod_info.so
If there is a critical need for this module, use the Location directive to provide an access control list to restrict access to the information. Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.
CCE-80311-4

Disable Server Side Includes
Server Side Includes provide a method of dynamically generating web pages through the insertion of server-side code. However, the technology is also deprecated and introduces significant security concerns. If this functionality is unnecessary, comment out the related module:
#LoadModule include_module modules/mod_include.so
If there is a critical need for Server Side Includes, they should be enabled with the option IncludesNoExec to prevent arbitrary code execution. Additionally, user supplied data should be encoded to prevent cross-site scripting vulnerabilities. Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.
CCE-80307-2

Disable HTTP mod_rewrite
The mod_rewrite module is very powerful and can protect against certain classes of web attacks. However, it is also very complex and has a significant history of vulnerabilities itself. If its functionality is unnecessary, comment out the related module:
#LoadModule rewrite_module modules/mod_rewrite.so
Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.
CCE-80305-6

Disable Cache Support
The cache module allows httpd to cache data, optimizing access to frequently accessed content. However, it introduces potential security flaws such as the possibility of circumventing Allow and Deny directives. If this functionality is unnecessary, comment out the module:
#LoadModule cache_module modules/mod_cache.so
If caching is required, it should not be enabled for any limited-access content. Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.
CCE-80314-8

Disable WebDAV (Distributed Authoring and Versioning)
WebDAV is an extension of the HTTP protocol that provides distributed and collaborative access to web content. If its functionality is unnecessary, comment out the related modules:
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
If there is a critical need for WebDAV, extra care should be taken in its configuration. Since DAV access allows remote clients to manipulate server files, any location on the server that is DAV enabled should be protected by access controls. Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.
CCE-80309-8

Disable Proxy Support
The proxy module provides proxying support, allowing httpd to forward requests and serve as a gateway for other servers. If its functionality is unnecessary, comment out the module:
#LoadModule proxy_module modules/mod_proxy.so
If proxy support is needed, load mod_proxy and the appropriate proxy protocol handler module (one of mod_proxy_http, mod_proxy_ftp, or mod_proxy_connect). Additionally, make certain that a server is secure before enabling proxying, as open proxy servers are a security risk. mod_proxy_balancer enables load balancing, but requires that mod_status be enabled. Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.
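The directive and module guidance above (ServerSignature Off, the SSLProtocol/SSLEngine/SSLVerifyClient settings, Options and AllowOverride inside <Directory> blocks, and the LoadModule lines to comment out) can be audited from a configuration text without a running server. This is an added example, not the SCAP Security Guide's own OVAL or Ansible content; the two constructed sample configurations, the module lists and the conservative reading of "SSLProtocol all" as every protocol are this example's assumptions.

```python
"""Audit an httpd configuration text against the guide's directive and module advice.

Added example, not code from the SCAP Security Guide.  It parses the subset
of httpd.conf syntax the guide uses (directives, <Section> blocks, comments)
and reports deviations; directives outside that subset are parsed but ignored.
"""
import shlex

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# "all" is read conservatively as every protocol name, so a bare "all" is flagged.
ALL_PROTOCOLS = LEGACY_PROTOCOLS | {"TLSv1.2"}
# Modules the guide says to comment out unless their functionality is needed.
DISCOURAGED_MODULES = {
    "status_module", "info_module", "cgi_module", "speling_module",
    "mime_magic_module", "auth_digest_module", "include_module",
    "rewrite_module", "cache_module", "dav_module", "dav_fs_module",
    "proxy_module", "ldap_module", "authnz_ldap_module", "ext_filter_module",
    "expires_module", "deflate_module", "headers_module", "usertrack_module",
    "vhost_alias_module", "authn_alias_module", "authn_anon_module",
    "authz_owner_module", "authz_dbm_module",
}
REQUIRED_MODULES = {"log_config_module"}   # needed for the access and error logs

# Constructed samples: a permissive configuration and one following the guide.
WEAK_CONF = """
ServerSignature On
LoadModule log_config_module modules/mod_log_config.so
LoadModule status_module modules/mod_status.so
LoadModule info_module modules/mod_info.so
SSLEngine on
SSLProtocol all -SSLv2
SSLVerifyClient none
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
"""
HARDENED_CONF = """
ServerSignature Off
LoadModule log_config_module modules/mod_log_config.so
LoadModule auth_basic_module modules/mod_auth_basic.so
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLVerifyClient require
<Directory />
    Options None
    AllowOverride None
    Order allow,deny
</Directory>
<Directory "/var/www/html">
    Options SymLinksIfOwnerMatch
    AllowOverride None
    <LimitExcept GET POST>
        Order allow,deny
    </LimitExcept>
</Directory>
"""


def parse_httpd_conf(text):
    """Return (directive_lowercase, args, context) tuples.

    context is a tuple of enclosing sections such as (("Directory", "/var/www/html"),).
    Blank and "#" lines are skipped, so a commented-out LoadModule never counts.
    """
    entries, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            if stack:
                stack.pop()
            continue
        if line.startswith("<"):
            parts = shlex.split(line.strip("<>"))
            stack.append((parts[0], " ".join(parts[1:])))
            continue
        parts = shlex.split(line)
        entries.append((parts[0].lower(), parts[1:], tuple(stack)))
    return entries


def enabled_protocols(args):
    """Apply SSLProtocol's all/+name/-name syntax and return what stays enabled."""
    enabled = set()
    for token in args:
        name = token.lstrip("+-")
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled - names if token.startswith("-") else enabled | names
    return enabled


def last_value(entries, name):
    """Args of the last occurrence of a directive (later lines win, as in httpd)."""
    value = None
    for directive, args, _ctx in entries:
        if directive == name:
            value = args
    return value


def audit_httpd_conf(text):
    """Return a list of finding strings; an empty list means the text meets the guide."""
    entries = parse_httpd_conf(text)
    findings = []

    def lowered(name):
        args = last_value(entries, name)
        return None if args is None else [a.lower() for a in args]

    if lowered("serversignature") != ["off"]:
        findings.append("ServerSignature is not Off")
    proto = last_value(entries, "sslprotocol")
    if proto is None:
        findings.append("SSLProtocol not set")
    else:
        legacy = enabled_protocols(proto) & LEGACY_PROTOCOLS
        if legacy:
            findings.append("SSLProtocol still enables " + ", ".join(sorted(legacy)))
    if lowered("sslengine") != ["on"]:
        findings.append("SSLEngine is not on")
    if lowered("sslverifyclient") != ["require"]:
        findings.append("SSLVerifyClient is not require")

    for directive, args, ctx in entries:
        if not ctx or ctx[-1][0].lower() != "directory":
            continue          # only directives directly inside a <Directory> block
        where = ctx[-1][1]
        # "+X" adds an option and "-X" removes one; only additions can expose content
        opts = {a.lstrip("+").lower() for a in args if not a.startswith("-")}
        if directive == "options":
            risky = opts & {"indexes", "followsymlinks"}
            if risky:
                findings.append("<Directory %s> Options allows %s"
                                % (where, ", ".join(sorted(risky))))
        elif directive == "allowoverride" and opts != {"none"}:
            findings.append("<Directory %s> AllowOverride is not None" % where)

    loaded = set(args[0] for d, args, _ctx in entries if d == "loadmodule" and args)
    for module in sorted(loaded & DISCOURAGED_MODULES):
        findings.append("LoadModule %s is loaded; disable unless required" % module)
    for module in sorted(REQUIRED_MODULES - loaded):
        findings.append("LoadModule %s missing; needed for logging" % module)
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print("%s: %s" % (label, audit_httpd_conf(conf) or ["no findings"]))
```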
CCE-80313-0

Enable log_config_module For HTTPD Logging
The log_config_module should exist and be configured in the /etc/httpd/conf/httpd.conf file by adding the following module to configure logging:
log_config_module
RHEL-07-WG240
The access and error logs, in which web site use, attempted use, unusual conditions, and problems are reported, are a major investigative tool. In the event of a security incident, these logs can provide the SA and the web manager with valuable information. Without these log files, SAs and web managers are seriously hindered in their efforts to respond appropriately to suspicious or criminal actions targeted at the web site.
CCE-80552-3

Configure PERL Securely
PERL (Practical Extraction and Report Language) is an interpreted language optimized for scanning arbitrary text files, extracting information from those text files, and printing reports based on that information. The language is often used in shell scripting and is intended to be a practical, easy to use, and efficient means of generating interactive web pages for the user.

Configure HTTP PERL Scripts To Use TAINT Option
If the mod_perl module is installed, enable Perl Taint checking in /etc/httpd/conf/httpd.conf. To enable Perl Taint checking, add or uncomment the following in /etc/httpd/conf.d/perl.conf:
PerlSwitches -T
RHEL-07-WG460
PERL (Practical Extraction and Report Language) is an interpreted language optimized for scanning arbitrary text files, extracting information from those text files, and printing reports based on that information. The language is often used in shell scripting and is intended to be a practical, easy to use, and efficient means of generating interactive web pages for the user. Unfortunately, many widely available freeware PERL programs (scripts) are extremely insecure. Exploiting them is most readily accomplished by a malicious user substituting input to a PERL script during a POST or a GET operation. Consequently, the founders of PERL have developed a mechanism named TAINT that protects the system from malicious input sent from outside the program. When the data is tainted, it cannot be used in programs or functions such as eval(), system(), exec(), pipes, or popen(). The script will exit with a warning message.
CCE-80560-6

Configure HTTPD-Served Web Content Securely
Running httpd inside a chroot jail is designed to isolate the web server process to a small section of the filesystem, limiting the damage if it is compromised. Versions of Apache greater than 2.2.10 (such as the one included with Red Hat Enterprise Linux 7) provide the ChrootDir directive. To run Apache inside a chroot jail in /chroot/apache, add the following line to /etc/httpd/conf/httpd.conf:
ChrootDir /chroot/apache
This necessitates placing all files required by httpd inside /chroot/apache, including httpd's binaries, modules, configuration files, and served web pages. The details of this configuration are beyond the scope of this guide. This may also require additional SELinux configuration.

Web Login Banner Verbiage
Enter an appropriate login banner for your organization. Please note that new lines must be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\'.
The selectable values for this variable are stored in the guide as whitespace-tolerant regular expressions (each run of whitespace is written as [\s\n]+ or [\s\n]*, and parentheses, apostrophes, ampersands and colons are escaped with a backslash). With that escaping removed, the options are:

1. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.

2. -- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.

3. You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: - The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - At any time, the USG may inspect and seize data stored on this IS. - Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. - Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

4. A pattern anchored as ^( ... )$ that accepts either the full USG text of option 3 or the abbreviated consent line of option 5.

5. I've read & consent to terms in IS user agreem't.

Ensure Web Content Located on Separate partition

The DocumentRoot directory is used for storing web content and data. Ensure that the DocumentRoot directory exists on a separate logical volume at installation time, or migrate it using LVM.

References: RHEL-07-WG205

Rationale: Application partitioning enables an additional security measure by securing user traffic under one security context, while managing system and application files under another. Web content can be accessed by an anonymous web user. For such an account to have access to system files of any type is a major, and avoidable, security risk. Failure to partition the system files from the web site documents increases the risk of attack via directory traversal, or can impede web site availability due to drive space exhaustion.
Disable Web Content Symbolic Links

For each <Directory> instance, remove the following:

FollowSymLinks

If symbolic links are allowed, the following can be added for each <Directory> instance:

Options SymLinksIfOwnerMatch

References: RHEL-07-WG360

Rationale: A symbolic link allows a file or a directory to be referenced using a symbolic name, raising a potential hazard if the symbolic link points to a sensitive area. When web scripts are executed and symbolic links are allowed, the web user could be allowed to access locations on the web server that are outside the scope of the web document root or home directory.

Remove .java And .jpp Files

.java and .jpp files should not exist and should be removed from the web server.

References: RHEL-07-WG490

Rationale: From the source code in a .java or a .jpp file, the Java compiler produces a binary file with an extension of .class. The .java or .jpp file would, therefore, reveal sensitive information regarding an application's logic and permissions to resources on the server. By contrast, the .class file, because it is intended to be machine independent, is referred to as bytecode. Bytecodes are run by the Java Virtual Machine (JVM), or the Java Runtime Environment (JRE), via a browser configured to permit Java code.

Each Web Content Directory Must Contain An index.html File

Every DocumentRoot that is configured should have an index.html file that exists. Add an index.html file to every configured DocumentRoot.

References: RHEL-07-WG170

Rationale: The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor in accomplishing this end. Also, enumeration techniques, such as URL parameter manipulation, rely upon being able to obtain information about the web server's directory structure by locating directories with default pages. This practice helps ensure that the anonymous web user will not obtain directory browsing information or an error message that reveals the server type and version.

The robots.txt Files Must Not Exist

Remove any robots.txt files that may exist with any web content. Other methods must be employed if there is information on the web site that needs protection from search engines and public view. Inspect all instances of DocumentRoot and Alias and remove any robots.txt file:

$ sudo rm -f path/to/robots.txt

References: RHEL-07-WG310

Rationale: Search engines are constantly at work on the Internet. Search engines are augmented by agents, often referred to as spiders or bots, which endeavor to capture and catalog web site content. In turn, these search engines make the content they obtain and catalog available to any public web user. To request that a well-behaved search engine not crawl and catalog a site, the web site may contain a file called robots.txt. This file lists the directories and files that the web server SA does not want crawled or cataloged, but it can also be used, by an attacker or a poorly coded search engine, as a directory and file index to the site. This information may reduce an attacker's time searching and traversing the web site to find files that might be relevant. If information on the web site needs to be protected from search engines and public view, other methods must be used.

Configure A Banner Page For Each Website

Configure a login banner for each website when authentication is required for user access.

References: RHEL-07-WG265

Rationale: A consent banner will be in place to make prospective entrants aware that the website they are about to enter is a DoD web site and their activity is subject to monitoring. The document DoDI 8500.01 establishes the policy on the use of DoD information systems. It requires the use of a standard Notice and Consent Banner and standard text to be included in user agreements. The requirement for the banner is for websites with security and access controls. These are restricted and not publicly accessible. If the website does not require authentication/authorization for use, then the banner does not need to be present. A manual check of the document root directory for a banner page file (such as banner.html), or navigation to the website via a browser, can be used to confirm the information provided from interviewing the web staff.

Encrypt All File Uploads

Use only secure encrypted logons and connections for uploading files to the web site.

References: RHEL-07-WG235

Rationale: Logging in to a web server via an unencrypted protocol or service, to upload documents to the web site, is a risk if proper encryption is not utilized to protect the data being transmitted. An encrypted protocol or service must be used for remote access to web administration tasks.

Enable HTTPD Error Logging

ErrorLog should be enabled and set to the following in /etc/httpd/conf/httpd.conf:

ErrorLog "logs/error_log"

References: RHEL-07-WA00605

Rationale: The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as "not found" or "unauthorized" errors that may be evidence of attack attempts. Failure to enable error logging can significantly reduce the ability of Web Administrators to detect or remediate problems.

Identifiers: CCE-81130-7

A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ extension

To minimize exposure of private assets to unnecessary risk from attackers, public web servers must be isolated from internal systems. Logically relocate public web servers to be isolated from internal systems. In addition, ensure the public web server does not have trusted connections with assets outside the confines of the demilitarized zone (DMZ) other than application and/or database servers that are a part of the same system as the web server.

References: RHEL-07-WA060

Rationale: Public web servers are by nature more vulnerable to attack from publicly based sources, such as the public Internet. Once compromised, a public server might be used as a base for further attack on private resources, unless additional layers of protection are implemented. Public web servers must be located in a DoD DMZ Extension, if hosted on the NIPRNet, with carefully controlled access. Failure to isolate resources in this way increases the risk that private assets are exposed to attacks from public sources. An improperly located public web server is a potential threat to the entire network.

A private web server must be located on a separate controlled access subnet

Private web servers, which host sites that serve controlled access data, must be protected from outside threats in addition to insider threats. Isolate the private web server from the public DMZ and separate it from the internal general population LAN.

References: RHEL-07-WA070

Rationale: Insider threat may be accidental or intentional but, in either case, can cause a disruption in service of the web server. To protect the private web server from these threats, it must be located on a separate controlled access subnet and must not be part of the public DMZ that houses the public web servers. It also cannot be located inside the enclave as part of the local general population LAN.

Configure The Number of Allowed Simultaneous Requests

The MaxKeepAliveRequests directive should be set and configured to the selected value or greater by setting the following in /etc/httpd/conf/httpd.conf:

MaxKeepAliveRequests

References: RHEL-07-WG110

Rationale: Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web site, facilitating a denial of service attack. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests per IP address and may include, where feasible, limiting parameter values associated with keepalive (i.e., a parameter used to limit the amount of time a connection may be inactive).

Identifiers: CCE-80551-5

Public web server resources must not be shared with private assets

It is important to segregate public web server resources from private resources located behind the DoD DMZ in order to protect private assets.

References: RHEL-07-WG040

Rationale: When folders, drives, or other resources are directly shared between the public web server and private servers, the intent of data and resource segregation can be compromised. In addition to the requirements of the DoD Internet-NIPRNet DMZ STIG, which isolates inbound traffic from the external network to the internal network, resources such as printers, files, and folders/directories will not be shared between public web servers and assets located within the internal network.

The web server password(s) must be entrusted to the SA or Web Manager

Normally, a service account is established for the web server. This is because a privileged account is not desirable and the server is designed to run for long uninterrupted periods of time. The SA or Web Manager will need password access to the web server to restart the service in the event of an emergency, as the web server is not to restart automatically after an unscheduled interruption.

References: RHEL-07-WG050

Rationale: If the password is not entrusted to an SA or web manager, the ability to ensure the availability of the web server is compromised.

Configure Error Log Format

LogFormat should be enabled and set to the following in /etc/httpd/conf/httpd.conf:

LogFormat "a %A %h %H %l %m %s %t %u %U \"%{Referer}i\" \"%{User-Agent}i\"" combined

References: RHEL-07-WA00612

Rationale: The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as "not found" or "unauthorized" errors that may be evidence of attack attempts. Failure to enable error logging can significantly reduce the ability of Web Administrators to detect or remediate problems. The LogFormat directive defines the format and information to be included in the access log entries.

Identifiers: CCE-80548-1

Backup interactive scripts on the production web server are prohibited

Copies of backup files will not execute on the server, but they can be read by the anonymous user if special precautions are not taken.

References: RHEL-07-WG420

Rationale: Such backup copies contain the same sensitive information as the actual scripts being executed and, as such, are useful to malicious users. Techniques and systems exist today that search web servers for such files and are able to exploit the information contained in them. Backup copies of files are automatically created by some text editors such as emacs and VIM. Editors may write a backup file with the extension ~ added to the name of the original file. The EditPlus editor will create a .bak file. Of course, this would imply the presence and use of development tools on the web server, which is a finding under WG130. Having backup scripts on the web server provides one more opportunity for malicious persons to view these scripts and use the information found in them.

MIME types for csh or sh shell programs must be disabled

Users must not be allowed to access the shell programs.

References: RHEL-07-WG370

Rationale: Shell programs might execute shell escapes and could then perform unauthorized activities that could damage the security posture of the web server. A shell is a program that serves as the basic interface between the user and the operating system. In this regard, there are shells that are security risks in the context of a web server and shells that are unauthorized.
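The content rules above (no editor backup copies, no .java or .jpp source, no robots.txt, and an index.html in every content directory) can be verified from the shell before an assessor does it by hand. The script below is an added example and not part of the SCAP Security Guide or its remediation content: it walks a DocumentRoot and prints one line per finding. The function names (audit_docroot, build_sample_docroot) and the sample tree it builds under a temporary directory are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not SCAP Security Guide code: audit a DocumentRoot for the
# artefacts the rules above prohibit (editor backup copies, .java/.jpp source,
# robots.txt) and for content directories that lack an index.html.
# One finding per output line; the sample tree below is constructed.

audit_docroot() {
    docroot=$1
    # Backup copies (file~ from emacs/vim, .bak from other editors), Java
    # source, and robots.txt must not be readable under web content.
    find "$docroot" -type f \( -name '*~' -o -name '*.bak' -o -name '*.java' \
        -o -name '*.jpp' -o -name 'robots.txt' \) -print |
    while read -r f; do
        echo "prohibited file: $f"
    done
    # Every content directory needs an index page so the server never answers
    # with a directory listing or a version-revealing error page.
    find "$docroot" -type d -print |
    while read -r d; do
        [ -e "$d/index.html" ] || echo "missing index.html: $d"
    done
}

# Constructed sample DocumentRoot that exercises every finding type.
build_sample_docroot() {
    root=$(mktemp -d)
    mkdir -p "$root/app/src" "$root/docs"
    printf '<html></html>\n' > "$root/index.html"
    printf '<html></html>\n' > "$root/app/index.html"
    printf 'public class Hello {}\n' > "$root/app/src/Hello.java"   # source left on the server
    printf 'User-agent: *\nDisallow: /admin/\n' > "$root/robots.txt"  # doubles as a path index
    printf '<html></html>\n' > "$root/docs/page.html"
    printf 'old draft\n' > "$root/docs/page.html~"                   # editor backup copy
    echo "$root"
}

# Stand-alone demo: audit the sample tree, then remove it.
sample=$(build_sample_docroot)
audit_docroot "$sample"
rm -rf "$sample"
```

On the sample tree the audit reports three prohibited files (Hello.java, robots.txt, page.html~) and two directories without an index page (app/src and docs); pointing audit_docroot at a real DocumentRoot and every Alias target gives the same report for a live host.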
Enable HTTPD System Logging

CustomLog should be enabled and set to the following in /etc/httpd/conf/httpd.conf:

CustomLog "logs/access_log" combined

References: RHEL-07-WA00615

Rationale: The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as "not found" or "unauthorized" errors that may be evidence of attack attempts. Failure to enable error logging can significantly reduce the ability of Web Administrators to detect or remediate problems. The CustomLog directive specifies the log file, syslog facility, or piped logging utility.

Identifiers: CCE-80549-9

Enable HTTPD LogLevel

LogLevel should be enabled and set to the selected level. Add or edit the following in /etc/httpd/conf/httpd.conf:

LogLevel

References: RHEL-07-WA00620

Rationale: The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as "not found" or "unauthorized" errors that may be evidence of attack attempts. Failure to enable error logging can significantly reduce the ability of Web Administrators to detect or remediate problems. While the ErrorLog directive configures the error log file name, the LogLevel directive is used to configure the severity level for the error logs. The log level values are the standard syslog levels: emerg, alert, crit, error, warn, notice, info and debug.

Identifiers: CCE-80550-7

Installation of a compiler on production web server is prohibited

The presence of a compiler on a production server facilitates the malicious user's task of creating custom versions of programs and installing Trojan Horses or viruses.

References: RHEL-07-WG080

Rationale: An attacker's code could be uploaded and compiled on the server under attack.
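The httpd directives required by this section (log_config_module, ErrorLog, LogLevel, LogFormat, CustomLog, MaxKeepAliveRequests, no FollowSymLinks, and PerlSwitches -T for mod_perl) can be audited read-only from the shell. The script below is an added example, not SCAP Security Guide code: it prints one PASS/FAIL line per rule and returns the number of failures. The function names (active_lines, report, check_httpd_conf, write_sample_confs) and both sample configurations are constructed; treating "combined" with a User-Agent field as the expected access-log format is this example's own reading of the directives quoted above, not a requirement stated by the guide.

```shell
#!/bin/sh
# Added example, not SCAP Security Guide code: read-only audit of an httpd.conf
# (plus mod_perl's perl.conf) against the logging, keepalive, symlink and taint
# rules of this section. One PASS/FAIL line per rule; the return value is the
# number of failures. Both sample configurations are constructed.

# Commented-out directives are not in effect, so drop them before matching.
active_lines() {
    grep -Ev '^[[:space:]]*(#|$)' "$1"
}

report() {   # $1: 0 = pass, 1 = fail; $2: rule text
    if [ "$1" -eq 0 ]; then echo "PASS $2"; else echo "FAIL $2"; fails=$((fails + 1)); fi
}

check_httpd_conf() {
    conf=$1
    perlconf=$2
    fails=0
    active_lines "$conf" | grep -Eq '^[[:space:]]*LoadModule[[:space:]]+log_config_module[[:space:]]' && r=0 || r=1
    report "$r" "log_config_module loaded (RHEL-07-WG240)"
    active_lines "$conf" | grep -Eq '^[[:space:]]*ErrorLog[[:space:]]' && r=0 || r=1
    report "$r" "ErrorLog set (RHEL-07-WA00605)"
    active_lines "$conf" | grep -Eq '^[[:space:]]*LogLevel[[:space:]]+(emerg|alert|crit|error|warn|notice|info|debug)' && r=0 || r=1
    report "$r" "LogLevel set to a syslog severity (RHEL-07-WA00620)"
    # Assumption of this example: the access-log format nicknamed "combined"
    # must record the User-Agent, and CustomLog must use that nickname.
    active_lines "$conf" | grep -Eq '^[[:space:]]*LogFormat[[:space:]].*%[{]User-Agent[}]i.*[[:space:]]combined[[:space:]]*$' && r=0 || r=1
    report "$r" "LogFormat combined records User-Agent (RHEL-07-WA00612)"
    active_lines "$conf" | grep -Eq '^[[:space:]]*CustomLog[[:space:]].*[[:space:]]combined[[:space:]]*$' && r=0 || r=1
    report "$r" "CustomLog uses the combined format (RHEL-07-WA00615)"
    # MaxKeepAliveRequests 0 means unlimited, the condition the rule rules out.
    v=$(active_lines "$conf" | awk '$1 == "MaxKeepAliveRequests" { print $2 }' | tail -n 1)
    [ -n "$v" ] && [ "$v" -gt 0 ] && r=0 || r=1
    report "$r" "MaxKeepAliveRequests set and not 0 (RHEL-07-WG110)"
    # FollowSymLinks must be absent; the permitted SymLinksIfOwnerMatch does not
    # contain that string, so a plain match does not misfire on it.
    if active_lines "$conf" | grep -Eq '^[[:space:]]*Options[[:space:]].*FollowSymLinks'; then r=1; else r=0; fi
    report "$r" "no Options FollowSymLinks (RHEL-07-WG360)"
    if [ -f "$perlconf" ]; then
        active_lines "$perlconf" | grep -Eq '^[[:space:]]*PerlSwitches[[:space:]].*-T' && r=0 || r=1
        report "$r" "mod_perl taint checking, PerlSwitches -T (RHEL-07-WG460)"
    fi
    echo "$fails failing checks"
    return "$fails"
}

# Constructed samples: a default-looking configuration that fails several of
# the rules, and the same files after remediation.
write_sample_confs() {
    dir=$(mktemp -d)
    cat > "$dir/weak.conf" <<'EOF'
ServerRoot "/etc/httpd"
LoadModule log_config_module modules/mod_log_config.so
#ErrorLog "logs/error_log"
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog "logs/access_log" common
MaxKeepAliveRequests 0
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
EOF
    cat > "$dir/weak-perl.conf" <<'EOF'
LoadModule perl_module modules/mod_perl.so
#PerlSwitches -T
EOF
    cat > "$dir/hardened.conf" <<'EOF'
ServerRoot "/etc/httpd"
LoadModule log_config_module modules/mod_log_config.so
ErrorLog "logs/error_log"
LogLevel warn
LogFormat "a %A %h %H %l %m %s %t %u %U \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog "logs/access_log" combined
MaxKeepAliveRequests 100
<Directory "/var/www/html">
    Options SymLinksIfOwnerMatch
</Directory>
EOF
    cat > "$dir/hardened-perl.conf" <<'EOF'
LoadModule perl_module modules/mod_perl.so
PerlSwitches -T
EOF
    echo "$dir"
}

# Stand-alone demo on the weak sample; the exit status is the failure count.
dir=$(write_sample_confs)
check_httpd_conf "$dir/weak.conf" "$dir/weak-perl.conf" || true
rm -rf "$dir"
```

The weak sample fails six of the eight checks (the commented-out ErrorLog is correctly treated as absent), the hardened one passes all of them; run against /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/perl.conf the same function gives a quick pre-scan reading of a real host.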
System Security Services Daemon The System Security Services Daemon (SSSD) is a system daemon that provides access to different identity and authentication providers such as Red Hat's IdM, Microsoft's AD, openLDAP, MIT Kerberos, etc. It uses a common framework that can provide caching and offline support to systems utilizing SSSD. SSSD using caching to reduce load on authentication servers permit offline authentication as well as store extended user data. For more information, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/SSSD.html SSSD memcache_timeout option Value of the memcache_timeout option in the [nss] section of SSSD config /etc/sssd/sssd.conf. 300 1800 300 86400 180 900 600 SSSD ssh_known_hosts_timeout option Value of the ssh_known_hosts_timeout option in the [ssh] section of SSSD configuration file /etc/sssd/sssd.conf. 300 1800 180 86400 180 900 600 System Security Services Daemon (SSSD) - LDAP The System Security Services Daemon (SSSD) is a system daemon that provides access to different identity and authentication providers such as Red Hat's IdM, Microsoft's AD, openLDAP, MIT Kerberos, etc. It uses a common framework that can provide caching and offline support to systems utilizing SSSD. SSSD using caching to reduce load on authentication servers permit offline authentication as well as store extended user data. SSSD can support many backends including LDAP. The sssd-ldap backend allows SSSD to fetch identity information from an LDAP server. SSSD LDAP Backend Client CA Certificate Location Path of a directory that contains Certificate Authority certificates. /etc/openldap/cacerts Configure SSSD LDAP Backend Client CA Certificate Location Configure SSSD to implement cryptography to protect the integrity of LDAP remote access sessions. By setting the ldap_tls_cacertdir option in /etc/sssd/sssd.conf to point to the path for the X.509 certificates used for peer authentication. 
ldap_tls_cacertdir /path/to/tls/cacert CCI-001453 SRG-OS-000250-GPOS-00093 RHEL-07-040190 SV-86853r3_rule Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash. CCE-80515-0 var_sssd_ldap_tls_ca_dir="" SSSD_CONF="/etc/sssd/sssd.conf" LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_tls_cacertdir' DOMAIN_REGEX="[[:space:]]*\[domain\/[^]]*]" # Try find [domain/..] and ldap_tls_cacertdir in sssd.conf, if it exists, set to CA directory # if it isn't here, add it, if [domain/..] doesn't exist, add it here for default domain if grep -qzosP $LDAP_REGEX $SSSD_CONF; then sed -i "s~ldap_tls_cacertdir[^(\n)]*~ldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir~" $SSSD_CONF elif grep -qs $DOMAIN_REGEX $SSSD_CONF; then sed -i "/$DOMAIN_REGEX/a ldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir" $SSSD_CONF else mkdir -p /etc/sssd touch $SSSD_CONF echo -e "[domain/default]\nldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir" >> $SSSD_CONF fi - name: XCCDF Value var_sssd_ldap_tls_ca_dir # promote to variable set_fact: var_sssd_ldap_tls_ca_dir: !!str tags: - always - name: "Test for domain group" shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf register: test_grep_domain ignore_errors: yes tags: - sssd_ldap_configure_tls_ca_dir - medium_severity - unknown_strategy - low_complexity - medium_disruption - CCE-80515-0 - DISA-STIG-RHEL-07-040190 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: "Add default domain group and set CA directory (if no domain there)" ini_file: path: /etc/sssd/sssd.conf section: "{{ item.section 
}}" option: "{{ item.option }}" value: "{{ item.value }}" create: yes mode: 0600 with_items: - { section: sssd, option: domains, value: default} - { section: domain/default, option: id_provider, value: files } - { section: domain/default, option: ldap_tls_cacertdir, value: "{{ var_sssd_ldap_tls_ca_dir }}" } when: test_grep_domain.stdout == "" and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - sssd_ldap_configure_tls_ca_dir - medium_severity - unknown_strategy - low_complexity - medium_disruption - CCE-80515-0 - DISA-STIG-RHEL-07-040190 - name: "Configure LDAPs path to CA directory" ini_file: path: /etc/sssd/sssd.conf section: "{{ test_grep_domain.stdout | regex_replace('\\[(.*)\\]','\\1') }}" option: ldap_tls_cacertdir value: "{{ var_sssd_ldap_tls_ca_dir }}" create: yes mode: 0600 when: test_grep_domain.stdout == "" and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - sssd_ldap_configure_tls_ca_dir - medium_severity - unknown_strategy - low_complexity - medium_disruption - CCE-80515-0 - DISA-STIG-RHEL-07-040190 Configure SSSD LDAP Backend to Use TLS For All Transactions This check verifies that Red Hat Enterprise Linux 7 implements cryptography to protect the integrity of remote LDAP authentication sessions. To determine if LDAP is being used for authentication, use the following command: $ sudo grep -i useldapauth /etc/sysconfig/authconfig If USELDAPAUTH=yes, then LDAP is being used. 
To check if LDAP is configured to use TLS, use the following command:

    $ sudo grep -i ldap_id_use_start_tls /etc/sssd/sssd.conf

References: RHEL-07-040180 SV-86851r3_rule 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 CCI-001453 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(2) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000250-GPOS-00093

Rationale: Without cryptographic integrity protections, information can be altered by unauthorized users without detection. The ssl directive specifies whether to use TLS or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL.

Identifier: CCE-80546-5

Remediation (bash):

    AUTHCONFIG="/etc/sysconfig/authconfig"
    USELDAPAUTH_REGEX="^USELDAPAUTH="
    SSSD_CONF="/etc/sssd/sssd.conf"
    # Multi-line PCRE (used with grep -z, so the whole file is one record): a [domain/...]
    # header followed, within the same section, by the ldap_id_use_start_tls option
    LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_id_use_start_tls'
    DOMAIN_REGEX="[[:space:]]*\[domain\/[^]]*]"

    # Try to find USELDAPAUTH in authconfig. If it is there, set it to 'yes';
    # otherwise append USELDAPAUTH=yes.
    if grep -qs "$USELDAPAUTH_REGEX" "$AUTHCONFIG"; then
      sed -i 's/^USELDAPAUTH=.*/USELDAPAUTH=yes/g' "$AUTHCONFIG"
    else
      echo "USELDAPAUTH=yes" >> "$AUTHCONFIG"
    fi

    # Try to find [domain/..] and ldap_id_use_start_tls in sssd.conf; if the option exists, set it to 'True'.
    # If ldap_id_use_start_tls isn't there, add it to the existing [domain/..] section.
    # If no [domain/..] section exists, add one for the default domain.
    if grep -qzosP "$LDAP_REGEX" "$SSSD_CONF"; then
      sed -i 's/ldap_id_use_start_tls[^(\n)]*/ldap_id_use_start_tls = True/' "$SSSD_CONF"
    elif grep -qs "$DOMAIN_REGEX" "$SSSD_CONF"; then
      sed -i "/$DOMAIN_REGEX/a ldap_id_use_start_tls = True" "$SSSD_CONF"
    else
      mkdir -p /etc/sssd
      touch "$SSSD_CONF"
      echo -e "[domain/default]\nldap_id_use_start_tls = True" >> "$SSSD_CONF"
    fi

Remediation (Ansible):

    - name: "Set LDAP to be used for authentication"
      lineinfile:
        path: /etc/sysconfig/authconfig
        regexp: '^USELDAPAUTH='
        line: 'USELDAPAUTH=yes'
        create: yes
      tags: [sssd_ldap_start_tls, medium_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80546-5, NIST-800-53-AC-17(2), NIST-800-53-CM-7, DISA-STIG-RHEL-07-040180]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Test for domain group"
      shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
      register: test_grep_domain
      ignore_errors: yes
      changed_when: False
      tags: [sssd_ldap_start_tls, medium_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80546-5, NIST-800-53-AC-17(2), NIST-800-53-CM-7, DISA-STIG-RHEL-07-040180]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Add default domain group and use STARTTLS (if no domain there)"
      ini_file:
        path: /etc/sssd/sssd.conf
        section: "{{ item.section }}"
        option: "{{ item.option }}"
        value: "{{ item.value }}"
        create: yes
        mode: 0600
      with_items:
        - { section: sssd, option: domains, value: default }
        - { section: domain/default, option: id_provider, value: files }
        - { section: domain/default, option: ldap_id_use_start_tls, value: true }
      when: test_grep_domain.stdout == "" and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [sssd_ldap_start_tls, medium_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80546-5, NIST-800-53-AC-17(2), NIST-800-53-CM-7, DISA-STIG-RHEL-07-040180]

    # Only meaningful when a [domain/...] section was found, so the condition is "!=" here
    - name: "Configure LDAP to use STARTTLS"
      ini_file:
        path: /etc/sssd/sssd.conf
        section: "{{ test_grep_domain.stdout | regex_replace('\\[(.*)\\]','\\1') }}"
        option: ldap_id_use_start_tls
        value: true
        create: yes
        mode: 0600
      when: test_grep_domain.stdout != "" and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [sssd_ldap_start_tls, medium_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80546-5, NIST-800-53-AC-17(2), NIST-800-53-CM-7, DISA-STIG-RHEL-07-040180]

Configure SSSD LDAP Backend Client CA Certificate

Configure SSSD to implement cryptography to protect the integrity of LDAP remote access sessions by setting the ldap_tls_cacert option in /etc/sssd/sssd.conf to point to the path of the X.509 certificates used for peer authentication:

    ldap_tls_cacert = /path/to/tls/ca.cert

References: CCI-001453 SRG-OS-000250-GPOS-00093 RHEL-07-040200 SV-86855r3_rule

Rationale: Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.

Identifier: CCE-80516-8

Configure SSSD's Memory Cache to Expire

SSSD's memory cache should be configured to expire records after the number of seconds given by var_sssd_memcache_timeout. To configure SSSD to expire its memory cache, set memcache_timeout to that value under the [nss] section in /etc/sssd/sssd.conf.
For example:

    [nss]
    memcache_timeout = <value of var_sssd_memcache_timeout>

References: 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-002007 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(10) IA-5(13) PR.AC-1 PR.AC-6 PR.AC-7 FIA_AFL.1 SRG-OS-000383-GPOS-00166

Rationale: If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

Identifier: CCE-80364-3

Remediation (bash):

    var_sssd_memcache_timeout=""   # filled in from the XCCDF value of the same name
    SSSD_CONF="/etc/sssd/sssd.conf"
    # Multi-line PCRE (used with grep -z): an [nss] header followed, within the same section, by memcache_timeout
    MEMCACHE_TIMEOUT_REGEX="[[:space:]]*\[nss]([^\n\[]*\n+)+?[[:space:]]*memcache_timeout"
    NSS_REGEX="[[:space:]]*\[nss]"
    # Try to find [nss] and memcache_timeout in sssd.conf; if the option exists, set it to
    # var_sssd_memcache_timeout; if it isn't there, add it; if [nss] doesn't exist, add the section too.
    if grep -qzosP "$MEMCACHE_TIMEOUT_REGEX" "$SSSD_CONF"; then
      sed -i "s/memcache_timeout[^(\n)]*/memcache_timeout = $var_sssd_memcache_timeout/" "$SSSD_CONF"
    elif grep -qs "$NSS_REGEX" "$SSSD_CONF"; then
      sed -i "/$NSS_REGEX/a memcache_timeout = $var_sssd_memcache_timeout" "$SSSD_CONF"
    else
      mkdir -p /etc/sssd
      touch "$SSSD_CONF"
      echo -e "[nss]\nmemcache_timeout = $var_sssd_memcache_timeout" >> "$SSSD_CONF"
    fi

Remediation (Ansible):

    - name: XCCDF Value var_sssd_memcache_timeout # promote to variable
      set_fact:
        var_sssd_memcache_timeout: !!str
      tags:
        - always

    - name: "Test for domain group"
      shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
      register: test_grep_domain
      ignore_errors: yes
      changed_when: False
      tags: [sssd_memcache_timeout, medium_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80364-3, NIST-800-53-IA-5(10), NIST-800-53-IA-5(13)]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Add default domain group (if no domain there)"
      ini_file:
        path: /etc/sssd/sssd.conf
        section: "{{ item.section }}"
        option: "{{ item.option }}"
        value: "{{ item.value }}"
        create: yes
        mode: 0600
      with_items:
        - { section: sssd, option: domains, value: default }
        - { section: domain/default, option: id_provider, value: files }
      when: test_grep_domain.stdout == "" and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [sssd_memcache_timeout, medium_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80364-3, NIST-800-53-IA-5(10), NIST-800-53-IA-5(13)]

    - name: "Configure SSSD's Memory Cache to Expire"
      ini_file:
        dest: /etc/sssd/sssd.conf
        section: nss
        option: memcache_timeout
        value: "{{ var_sssd_memcache_timeout }}"
        create: yes
        mode: 0600
      tags: [sssd_memcache_timeout, medium_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80364-3, NIST-800-53-IA-5(10), NIST-800-53-IA-5(13)]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure PAM in SSSD Services

SSSD should be configured to run its pam service. To configure this, add pam to services under the [sssd] section in /etc/sssd/sssd.conf.
For example:

    [sssd]
    services = sudo, autofs, pam

References: RHEL-07-041002 SV-87051r4_rule 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-001948 CCI-001953 CCI-001954 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-2(11) PR.AC-1 PR.AC-6 PR.AC-7 SRG-OS-000375-GPOS-00160 SRG-OS-000375-GPOS-00161 SRG-OS-000375-GPOS-00162 SRG-OS-000107-VMM-000530

Rationale: Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.

Identifier: CCE-80437-7

Remediation (bash):

    SSSD_CONF="/etc/sssd/sssd.conf"
    # Multi-line PCREs, used with grep -z so the whole file is one record: an [sssd]
    # header followed, within the same section, by a services line (with / without pam)
    SSSD_SERVICES_PAM_REGEX='[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*services[^\n]*pam'
    SSSD_SERVICES_REGEX='[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*services[[:space:]]*='
    SSSD_PAM_SERVICES='[sssd]
    services = pam'
    # If there is a services line with pam, nothing to do.
    # If there is a services line without pam, append ", pam" to it.
    # If there is no services line at all, add an [sssd] section that has one.
    if grep -qzsP "$SSSD_SERVICES_PAM_REGEX" "$SSSD_CONF"; then
      :
    elif grep -qzsP "$SSSD_SERVICES_REGEX" "$SSSD_CONF"; then
      # Restrict the edit to the [sssd] section: from its header up to the next section header
      sed -i '/^[[:space:]]*\[sssd\]/,/^[[:space:]]*\[/ s/^\([[:space:]]*services[[:space:]]*=.*\)$/\1, pam/' "$SSSD_CONF"
    else
      mkdir -p /etc/sssd
      printf '%s\n' "$SSSD_PAM_SERVICES" >> "$SSSD_CONF"
    fi

Enable Smartcards in SSSD

SSSD should be configured to authenticate access to the system using smart cards. To enable smart cards in SSSD, set pam_cert_auth to true under the [pam] section in /etc/sssd/sssd.conf. For example:

    [pam]
    pam_cert_auth = true

References: CCI-001954 SRG-OS-000375-GPOS-00160 SRG-OS-000107-VMM-000530

Rationale: Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.

Identifier: CCE-80570-5

Remediation (bash):

    SSSD_CONF="/etc/sssd/sssd.conf"
    SSSD_OPT="pam_cert_auth"
    SSSD_OPT_VAL=true
    PAM_REGEX="[[:space:]]*\[pam]"
    # Multi-line PCRE (used with grep -z): a [pam] header followed, within the same section, by the option
    PAM_OPT_REGEX="${PAM_REGEX}([^\n\[]*\n+)+?[[:space:]]*${SSSD_OPT}"
    # If the option exists under [pam], set it; if only [pam] exists, add the option;
    # if neither exists, add the section and the option.
    if grep -qzosP "$PAM_OPT_REGEX" "$SSSD_CONF"; then
      sed -i "s/${SSSD_OPT}[^(\n)]*/${SSSD_OPT} = ${SSSD_OPT_VAL}/" "$SSSD_CONF"
    elif grep -qs "$PAM_REGEX" "$SSSD_CONF"; then
      sed -i "/$PAM_REGEX/a ${SSSD_OPT} = ${SSSD_OPT_VAL}" "$SSSD_CONF"
    else
      mkdir -p /etc/sssd
      touch "$SSSD_CONF"
      echo -e "[pam]\n${SSSD_OPT} = ${SSSD_OPT_VAL}" >> "$SSSD_CONF"
    fi

Remediation (Ansible):

    - name: "Test for domain group"
      shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
      register: test_grep_domain
      ignore_errors: yes
      changed_when: False
      tags: [sssd_enable_smartcards, medium_severity, configure_strategy, low_complexity, medium_disruption, CCE-80570-5]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Add default domain group (if no domain there)"
      ini_file:
        path: /etc/sssd/sssd.conf
        section: "{{ item.section }}"
        option: "{{ item.option }}"
        value: "{{ item.value }}"
        create: yes
        mode: 0600
      with_items:
        - { section: sssd, option: domains, value: default }
        - { section: domain/default, option: id_provider, value: files }
      when: test_grep_domain.stdout == "" and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [sssd_enable_smartcards, medium_severity, configure_strategy, low_complexity, medium_disruption, CCE-80570-5]

    - name: "Enable Smartcards in SSSD"
      ini_file:
        dest: /etc/sssd/sssd.conf
        section: pam
        option: pam_cert_auth
        value: true
        create: yes
        mode: 0600
      tags: [sssd_enable_smartcards, medium_severity, configure_strategy, low_complexity, medium_disruption, CCE-80570-5]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure SSSD to Expire Offline Credentials

SSSD should be configured to expire offline credentials after 1 day. To configure SSSD to expire offline credentials, set offline_credentials_expiration to 1 under the [pam] section in /etc/sssd/sssd.conf. For example:

    [pam]
    offline_credentials_expiration = 1

References: 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-002007 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(13) PR.AC-1 PR.AC-6 PR.AC-7 FIA_AFL.1 SRG-OS-000383-GPOS-00166

Rationale: If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

Identifier: CCE-80365-0

Remediation (bash):

    SSSD_CONF="/etc/sssd/sssd.conf"
    SSSD_OPT="offline_credentials_expiration"
    SSSD_OPT_VAL=1
    PAM_REGEX="[[:space:]]*\[pam]"
    # Multi-line PCRE (used with grep -z): a [pam] header followed, within the same section, by the option
    PAM_OPT_REGEX="${PAM_REGEX}([^\n\[]*\n+)+?[[:space:]]*${SSSD_OPT}"
    # Try to find [pam] and offline_credentials_expiration in sssd.conf; if the option exists,
    # set it to 1; if it doesn't exist, add it; if the [pam] section doesn't exist, add
    # the section and the configuration option.
    if grep -qzosP "$PAM_OPT_REGEX" "$SSSD_CONF"; then
      sed -i "s/${SSSD_OPT}[^(\n)]*/${SSSD_OPT} = ${SSSD_OPT_VAL}/" "$SSSD_CONF"
    elif grep -qs "$PAM_REGEX" "$SSSD_CONF"; then
      sed -i "/$PAM_REGEX/a ${SSSD_OPT} = ${SSSD_OPT_VAL}" "$SSSD_CONF"
    else
      mkdir -p /etc/sssd
      touch "$SSSD_CONF"
      echo -e "[pam]\n${SSSD_OPT} = ${SSSD_OPT_VAL}" >> "$SSSD_CONF"
    fi

Remediation (Ansible):

    - name: "Test for domain group"
      shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
      register: test_grep_domain
      ignore_errors: yes
      changed_when: False
      tags: [sssd_offline_cred_expiration, medium_severity, configure_strategy, low_complexity, medium_disruption, CCE-80365-0, NIST-800-53-IA-5(13)]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Add default domain group (if no domain there)"
      ini_file:
        path: /etc/sssd/sssd.conf
        section: "{{ item.section }}"
        option: "{{ item.option }}"
        value: "{{ item.value }}"
        create: yes
        mode: 0600
      with_items:
        - { section: sssd, option: domains, value: default }
        - { section: domain/default, option: id_provider, value: files }
      when: test_grep_domain.stdout == "" and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [sssd_offline_cred_expiration, medium_severity, configure_strategy, low_complexity, medium_disruption, CCE-80365-0, NIST-800-53-IA-5(13)]

    - name: "Configure SSSD to Expire Offline Credentials"
      ini_file:
        dest: /etc/sssd/sssd.conf
        section: pam
        option: offline_credentials_expiration
        value: 1
        create: yes
        mode: 0600
      tags: [sssd_offline_cred_expiration, medium_severity, configure_strategy, low_complexity, medium_disruption, CCE-80365-0, NIST-800-53-IA-5(13)]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Install the SSSD Package

The sssd package should be installed.
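The sssd.conf settings required by the SSSD rules above can be audited in one pass. The following is an added example and not part of the SCAP Security Guide; the sample configuration and the hostname in it are constructed, and the audit examines [domain/*] sections only when they use the ldap provider.

```python
"""Audit sssd.conf text against the SSSD rules above (added example, not SSG code).

memcache_timeout and ssh_known_hosts_timeout are XCCDF variables on this page,
so any positive integer is accepted for them; the other expected values are
the ones the rules state.
"""
import configparser
import io

# Constructed sample: an LDAP domain without STARTTLS or a pinned CA,
# no pam service, no smart-card auth, and a 5-day offline credential cache.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, sudo, autofs
domains = example

[nss]
memcache_timeout = 300

[pam]
offline_credentials_expiration = 5

[ssh]
ssh_known_hosts_timeout = 180

[domain/example]
id_provider = ldap
ldap_uri = ldap://ldap.example.internal
"""


def parse_sssd_conf(text):
    """sssd.conf is INI-style with '=' separators and case-sensitive keys."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_file(io.StringIO(text))
    return cp


def _truthy(value):
    return value.strip().lower() in ("true", "yes", "1")


def _positive_int(value):
    return value.strip().isdigit() and int(value) > 0


def audit_sssd_conf(text):
    """Return (option, detail) findings; an empty list means every rule is met."""
    cp = parse_sssd_conf(text)

    def get(section, option):
        # Missing section or option both read as "" (not set)
        return cp.get(section, option, fallback="")

    findings = []
    services = [s.strip() for s in get("sssd", "services").split(",")]
    if "pam" not in services:
        findings.append(("services", "[sssd] services does not include pam"))
    if not _positive_int(get("nss", "memcache_timeout")):
        findings.append(("memcache_timeout", "[nss] memcache_timeout is not set"))
    if not _truthy(get("pam", "pam_cert_auth")):
        findings.append(("pam_cert_auth", "[pam] pam_cert_auth is not true"))
    if get("pam", "offline_credentials_expiration").strip() != "1":
        findings.append(("offline_credentials_expiration",
                         "[pam] offline_credentials_expiration is not 1"))
    if not _positive_int(get("ssh", "ssh_known_hosts_timeout")):
        findings.append(("ssh_known_hosts_timeout", "[ssh] ssh_known_hosts_timeout is not set"))

    # The page's grep check looks at every [domain/*] section; this audit is
    # narrower and only examines domains that actually use the ldap provider.
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if "ldap" not in (get(section, "id_provider"), get(section, "auth_provider")):
            continue
        if not _truthy(get(section, "ldap_id_use_start_tls")):
            findings.append(("ldap_id_use_start_tls", f"[{section}] does not enable STARTTLS"))
        if not get(section, "ldap_tls_cacert").strip():
            findings.append(("ldap_tls_cacert", f"[{section}] has no CA certificate path"))
    return findings


def failing_options(text):
    """Sorted option names that failed, convenient for reporting and tests."""
    return sorted(option for option, _ in audit_sssd_conf(text))


if __name__ == "__main__":
    for option, detail in audit_sssd_conf(SAMPLE_SSSD_CONF):
        print(f"FAIL {option}: {detail}")
```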
The sssd package can be installed with the following command:

    $ sudo yum install sssd

References: 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(10) PR.AC-1 PR.AC-6 PR.AC-7

Identifier: CCE-80362-7

Remediation (bash):

    package_install sssd

Remediation (Ansible):

    - name: Ensure sssd is installed
      package:
        name: sssd
        state: present
      tags: [package_sssd_installed, medium_severity, enable_strategy, low_complexity, low_disruption, CCE-80362-7, NIST-800-53-IA-5(10)]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Remediation (Puppet):

    include install_sssd
    class install_sssd {
      package { 'sssd':
        ensure => 'installed',
      }
    }

Remediation (Anaconda):

    package --add=sssd

Configure SSSD to Expire SSH Known Hosts

SSSD should be configured to expire keys from known SSH hosts after the number of seconds given by var_sssd_ssh_known_hosts_timeout. To configure this, set ssh_known_hosts_timeout to that value under the [ssh] section in /etc/sssd/sssd.conf. For example:

    [ssh]
    ssh_known_hosts_timeout = <value of var_sssd_ssh_known_hosts_timeout>

References: 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-002007 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(13) PR.AC-1 PR.AC-6 PR.AC-7 SRG-OS-000383-GPOS-00166

Rationale: If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

Identifier: CCE-80366-8

Remediation (bash):

    var_sssd_ssh_known_hosts_timeout=""   # filled in from the XCCDF value of the same name
    SSSD_CONF="/etc/sssd/sssd.conf"
    # Multi-line PCRE (used with grep -z): an [ssh] header followed, within the same section, by the option
    SSH_KNOWN_HOSTS_TIMEOUT_REGEX="[[:space:]]*\[ssh]([^\n\[]*\n+)+?[[:space:]]*ssh_known_hosts_timeout"
    SSH_REGEX="[[:space:]]*\[ssh]"
    # Try to find [ssh] and ssh_known_hosts_timeout in sssd.conf; if the option exists, set it to
    # var_sssd_ssh_known_hosts_timeout; if it isn't there, add it; if [ssh] doesn't exist, add the section too.
    if grep -qzosP "$SSH_KNOWN_HOSTS_TIMEOUT_REGEX" "$SSSD_CONF"; then
      sed -i "s/ssh_known_hosts_timeout[^(\n)]*/ssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout/" "$SSSD_CONF"
    elif grep -qs "$SSH_REGEX" "$SSSD_CONF"; then
      sed -i "/$SSH_REGEX/a ssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout" "$SSSD_CONF"
    else
      mkdir -p /etc/sssd
      touch "$SSSD_CONF"
      echo -e "[ssh]\nssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout" >> "$SSSD_CONF"
    fi

Remediation (Ansible):

    - name: XCCDF Value var_sssd_ssh_known_hosts_timeout # promote to variable
      set_fact:
        var_sssd_ssh_known_hosts_timeout: !!str
      tags:
        - always

    - name: "Test for domain group"
      shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
      register: test_grep_domain
      ignore_errors: yes
      changed_when: False
      tags: [sssd_ssh_known_hosts_timeout, medium_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80366-8, NIST-800-53-IA-5(13)]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Add default domain group (if no domain there)"
      ini_file:
        path: /etc/sssd/sssd.conf
        section: "{{ item.section }}"
        option: "{{ item.option }}"
        value: "{{ item.value }}"
        create: yes
        mode: 0600
      with_items:
        - { section: sssd, option: domains, value: default }
        - { section: domain/default, option: id_provider, value: files }
      when: test_grep_domain.stdout == "" and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [sssd_ssh_known_hosts_timeout, medium_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80366-8, NIST-800-53-IA-5(13)]

    - name: "Configure SSSD to Expire SSH Known Hosts"
      ini_file:
        dest: /etc/sssd/sssd.conf
        section: ssh
        option: ssh_known_hosts_timeout
        value: "{{ var_sssd_ssh_known_hosts_timeout }}"
        create: yes
        mode: 0600
      tags: [sssd_ssh_known_hosts_timeout, medium_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80366-8, NIST-800-53-IA-5(13)]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the SSSD Service

The SSSD service should be enabled. The sssd service can be enabled with the following command:

    $ sudo systemctl enable sssd.service

References: 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(10) PR.AC-1 PR.AC-6 PR.AC-7

Identifier: CCE-80363-5

Remediation (bash):

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" start 'sssd.service'
    "$SYSTEMCTL_EXEC" enable 'sssd.service'

Remediation (Ansible):

    - name: Enable service sssd
      service:
        name: sssd
        enabled: "yes"
        state: "started"
      tags: [service_sssd_enabled, medium_severity, enable_strategy, low_complexity, low_disruption, CCE-80363-5, NIST-800-53-IA-5(10)]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Network Time Protocol

The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictably on unmanaged systems. Central time protocols can be used both to ensure that time is consistent among a network of systems, and that their time is consistent with the outside world.
If every system on a network reliably reports the same time, then it is much easier to correlate log messages in case of an attack. In addition, a number of cryptographic protocols (such as Kerberos) use timestamps to prevent certain types of attacks. If your network does not have synchronized time, these protocols may be unreliable or even unusable. Depending on the specifics of the network, global time accuracy may be just as important as local synchronization, or not very important at all. If your network is connected to the Internet, using a public timeserver (or one provided by your enterprise) provides globally accurate timestamps which may be essential in investigating or responding to an attack which originated outside of your network.

A typical network setup involves a small number of internal systems operating as NTP servers, and the remainder obtaining time information from those internal servers. There is a choice between the daemons ntpd and chronyd, which are available from the repositories in the ntp and chrony packages respectively.

The default chronyd daemon can work well when external time references are only intermittently accessible, can perform well even when the network is congested for longer periods of time, can usually synchronize the clock faster and with better time accuracy, and quickly adapts to sudden changes in the rate of the clock, for example, due to changes in the temperature of the crystal oscillator. Chronyd should be considered for all systems which are frequently suspended or otherwise intermittently disconnected from and reconnected to a network, such as mobile and virtual systems.

The ntpd NTP daemon fully supports NTP protocol version 4 (RFC 5905), including broadcast, multicast, manycast clients and servers, and the orphan mode. It also supports extra authentication schemes based on public-key cryptography (RFC 5906). The NTP daemon (ntpd) should be considered for systems which are normally kept permanently on. Systems which are required to use broadcast or multicast IP, or to perform authentication of packets with the Autokey protocol, should consider using ntpd.

Refer to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html for a more detailed comparison of the features of chronyd and ntpd, and for further guidance on how to choose between the two NTP daemons. The upstream manual pages at http://chrony.tuxfamily.org/manual.html for chronyd and http://www.ntp.org for ntpd provide additional information on the capabilities and configuration of each of the NTP daemons.

Value: Maximum NTP or Chrony Poll

The maximum NTP or Chrony poll interval, in seconds, specified as a power of two. Default value: 10. Available selections: 10, 17.

Value: Vendor Approved Time Servers

The list of vendor-approved time servers. Available selections:

    0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
    0.fedora.pool.ntp.org,1.fedora.pool.ntp.org,2.fedora.pool.ntp.org,3.fedora.pool.ntp.org
    0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org

Specify Additional Remote NTP Servers

Depending on the specific functional requirements of a concrete production environment, the Red Hat Enterprise Linux 7 system can be configured to utilize the services of the chronyd NTP daemon (the default), or the services of the ntpd NTP daemon. Refer to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html for a more detailed comparison of the features of both choices, and for further guidance on how to choose between the two NTP daemons. Additional NTP servers can be specified for time synchronization.
To do so, edit /etc/chrony.conf if the system is configured to use chronyd as the NTP daemon (the default), or /etc/ntp.conf if it is configured to use ntpd. In either file, add additional lines of the following form, substituting the IP address or hostname of a remote NTP server for ntpserver:

    server ntpserver

References: 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-8(1) PR.PT-1 Req-10.4.3

Rationale: Specifying additional NTP servers increases the availability of accurate time data, in the event that one of the specified servers becomes unavailable. This is typical for a system acting as an NTP server for other systems.

Identifier: CCE-27012-4

Remediation (bash):

    var_multiple_time_servers=""   # filled in from the XCCDF value of the same name
    # Invoke the function without args, so its body is substituted right here.
    ensure_there_are_servers_in_ntp_compatible_config_file
    config_file="/etc/ntp.conf"
    /usr/sbin/pidof ntpd >/dev/null || config_file="/etc/chrony.conf"
    # Only act when the config has fewer than two server lines
    [ "$(grep -c '^server' "$config_file")" -gt 1 ] || ensure_there_are_servers_in_ntp_compatible_config_file "$config_file" "$var_multiple_time_servers"

Enable systemd-timesyncd Service

The systemd-timesyncd service can be enabled with the following command:

    $ sudo systemctl enable systemd-timesyncd.service

References: NT012(R03) 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 CCI-000160 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-8(1) PR.PT-1 Req-10.4

Rationale: Enabling the systemd-timesyncd service ensures that this host uses the NTP protocol to fetch time data from an NTP server. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches. Additional information on Ubuntu network time protocol is available at https://help.ubuntu.com/lts/serverguide/NTP.html.en.

Configure Time Service Maxpoll Interval

maxpoll should be set to the value given by var_time_service_set_maxpoll in /etc/ntp.conf or /etc/chrony.conf so that time servers are polled continuously. To configure maxpoll in /etc/ntp.conf or /etc/chrony.conf, add the following to each server line:

    maxpoll <value of var_time_service_set_maxpoll>

References: RHEL-07-040500 SV-86893r4_rule 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 CCI-001891 CCI-002046 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-8(1)(a) PR.PT-1 SRG-OS-000355-GPOS-00143 SRG-OS-000356-GPOS-00144

Rationale: Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.

Identifier: CCE-80439-3

Remediation (bash):

    var_time_service_set_maxpoll=""   # filled in from the XCCDF value of the same name
    config_file="/etc/ntp.conf"
    /usr/sbin/pidof ntpd >/dev/null || config_file="/etc/chrony.conf"
    # Set existing maxpoll values to var_time_service_set_maxpoll
    sed -i "s/^\(server.*maxpoll\) [0-9][0-9]*\(.*\)$/\1 $var_time_service_set_maxpoll\2/" "$config_file"
    # Add maxpoll to server entries without maxpoll. The server line is used as an
    # anchored pattern with '|' as the sed delimiter, so a '/' in it cannot break the expression.
    grep "^server" "$config_file" | grep -v maxpoll | while read -r line ; do
      sed -i "s|^$line|& maxpoll $var_time_service_set_maxpoll|" "$config_file"
    done

Enable the NTP Daemon

Run the following command to determine the current status of the chronyd service:

    $ systemctl is-active chronyd

If the service is running, it should return the following:

    active

Note: The chronyd daemon is enabled by default.

Run the following command to determine the current status of the ntpd service:

    $ systemctl is-active ntpd

If the service is running, it should return the following:

    active

Note: The ntpd daemon is not enabled by default. Though, as mentioned in the previous sections, in certain environments the ntpd daemon might be preferred over chronyd. Refer to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html for guidance on which NTP daemon to choose depending on the environment.

References: 2.2.1.1 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 3.3.7 CCI-000160 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-8(1) PR.PT-1 Req-10.4 SRG-OS-000356-VMM-001340

Rationale: Enabling either the chronyd or the ntpd service ensures that the NTP daemon will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches. The chronyd and ntpd NTP daemons offer all of the functionality of ntpdate, which is now deprecated. Additional information on this is available at http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate

Identifier: CCE-27444-9

Remediation (bash):

    # package_install and service_command are SCAP Security Guide remediation helpers
    if ! rpm -q --quiet chrony && ! rpm -q --quiet ntp; then
      # Neither daemon is installed: install and enable the default, chronyd
      package_install chrony
      service_command enable chronyd
    elif rpm -q --quiet chrony; then
      # chrony is installed: enable it unless ntpd is already the running daemon
      if ! /usr/sbin/pidof ntpd >/dev/null; then
        service_command enable chronyd
      fi
    else
      service_command enable ntpd
    fi

Install the ntp service

The ntpd service should be installed.

References: NT012(R03) 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 CCI-000160 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-8(1) PR.PT-1 Req-10.4

Rationale: Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptographic based services (authentication, etc.), etc.). Ntpd is regularly maintained and updated, supporting security features such as RFC 5906.

Remediation (bash):

    package_install ntp

Remediation (Ansible):

    - name: Ensure ntp is installed
      package:
        name: ntp
        state: present
      tags: [package_ntp_installed, high_severity, enable_strategy, low_complexity, low_disruption, NIST-800-53-AU-8(1), PCI-DSS-Req-10.4]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Remediation (Puppet):

    include install_ntp
    class install_ntp {
      package { 'ntp':
        ensure => 'installed',
      }
    }

Remediation (Anaconda):

    package --add=ntp

Enable the NTP Daemon

The ntpd service can be enabled with the following command:

    $ sudo systemctl enable ntpd.service

References: 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-8(1) PR.PT-1 Req-10.4

Rationale: Enabling the ntpd service ensures that the ntpd service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches. The NTP daemon offers all of the functionality of ntpdate, which is now deprecated. Additional information on this is available at http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate.
SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" start 'ntpd.service' "$SYSTEMCTL_EXEC" enable 'ntpd.service' - name: Enable service ntpd service: name: ntpd enabled: "yes" state: "started" tags: - service_ntpd_enabled - medium_severity - enable_strategy - low_complexity - low_disruption - NIST-800-53-AU-8(1) - PCI-DSS-Req-10.4 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Specify Additional Remote NTP Servers Additional NTP servers can be specified for time synchronization in the file /etc/ntp.conf. To do so, add additional lines of the following form, substituting the IP address or hostname of a remote NTP server for ntpserver: server ntpserver 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-8(1) PR.PT-1 Req-10.4.3 Specifying additional NTP servers increases the availability of accurate time data, in the event that one of the specified servers becomes unavailable. This is typical for a system acting as an NTP server for other systems. Specify a Remote NTP Server Depending on specific functional requirements of a concrete production environment, the Red Hat Enterprise Linux 7 system can be configured to utilize the services of the chronyd NTP daemon (the default), or services of the ntpd NTP daemon. Refer to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html for more detailed comparison of the features of both of the choices, and for further guidance how to choose between the two NTP daemons. 
To specify a remote NTP server for time synchronization, perform the following: if the system is configured to use the chronyd as the NTP daemon (the default), edit the file /etc/chrony.conf as follows, if the system is configured to use the ntpd as the NTP daemon, edit the file /etc/ntp.conf as documented below. Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver: server ntpserver This instructs the NTP software to contact that remote server to obtain time data. 3.6 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 3.3.7 CCI-000160 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-8(1) PR.PT-1 Req-10.4.1 Req-10.4.3 Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events. CCE-27278-1 var_multiple_time_servers="" # Invoke the function without args, so its body is substituded right here. ensure_there_are_servers_in_ntp_compatible_config_file config_file="/etc/ntp.conf" /usr/sbin/pidof ntpd || config_file="/etc/chrony.conf" grep -q ^server "$config_file" || ensure_there_are_servers_in_ntp_compatible_config_file "$config_file" "$var_multiple_time_servers" Specify a Remote NTP Server To specify a remote NTP server for time synchronization, edit the file /etc/ntp.conf. Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver: server ntpserver This instructs the NTP software to contact that remote server to obtain time data. 
References: 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, AU-8(1), PR.PT-1, Req-10.4.1, Req-10.4.3

Rationale: Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real-time events.

Enable the NTP Daemon

Description: The ntpd service can be enabled with the following command:

    $ sudo systemctl enable ntpd.service

References: NT012(R03), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000160, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, AU-8(1), PR.PT-1, Req-10.4

Rationale: Enabling the ntpd service ensures that ntpd will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured as a client (synchronizing only its own clock) or also acts as an NTP server for other systems. Synchronizing time is essential for authentication services such as Kerberos, and it is also important for maintaining accurate logs and auditing possible security breaches. The NTP daemon offers all of the functionality of ntpdate, which is now deprecated. Additional information on this is available at http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate.

Base Services

This section addresses the base services that are installed on a Red Hat Enterprise Linux 7 default installation and are not covered in other sections. Some of these services listen on the network and should be treated with particular discretion. Others are local system utilities that may or may not be extraneous. In general, system services should be disabled if not required.

Uninstall Automatic Bug Reporting Tool (abrt)

Description: The Automatic Bug Reporting Tool (abrt) collects and reports crash data when an application crash is detected.
Using a variety of plugins, abrt can email crash reports to system administrators, log crash reports to files, or forward crash reports to a centralized issue tracking system such as RHTSupport. The abrt package can be removed with the following command:

    $ sudo yum erase abrt

Rationale: Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the system, as well as sensitive information from within a process's address space or registers.

Remediation (bash):

    # package_remove is a shared SSG helper inlined at build time.
    package_remove abrt

Remediation (Ansible):

    - name: Ensure abrt is removed
      package:
        name: abrt
        state: absent
      tags:
        - package_abrt_removed
        - medium_severity
        - disable_strategy
        - low_complexity
        - low_disruption

Remediation (Puppet):

    include remove_abrt
    class remove_abrt {
      package { 'abrt':
        ensure => 'purged',
      }
    }

Remediation (Anaconda kickstart):

    package --remove=abrt

Disable Control Group Rules Engine (cgred)

Description: The cgred service moves tasks into control groups according to parameters set in the /etc/cgrules.conf configuration file. The cgred service can be disabled with the following command:

    $ sudo systemctl disable cgred.service

References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3

Rationale: Unless control groups are used to manage system resources, running the cgred service is not necessary.

Identifier: CCE-80255-3

Remediation (bash):

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'cgred.service'
    "$SYSTEMCTL_EXEC" disable 'cgred.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^cgred.socket\>' && "$SYSTEMCTL_EXEC" disable 'cgred.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'cgred.service'

Remediation (Ansible):

    - name: Disable service cgred
      service:
        name: cgred
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
        - service_cgred_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80255-3
        - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Disable socket of service cgred if applicable
      service:
        name: cgred.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
        - service_cgred_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80255-3
        - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable D-Bus IPC Service (messagebus)

Description: D-Bus provides an IPC mechanism used by a growing list of programs, such as those used for Gnome, Bluetooth, and Avahi. Due to these dependencies, disabling D-Bus may not be practical for many systems.
The messagebus service can be disabled with the following command:

    $ sudo systemctl disable messagebus.service

References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3

Rationale: If no services which require D-Bus are needed, then it can be disabled. As a broker for IPC between processes of different privilege levels, it could be a target for attack. However, disabling D-Bus is likely to be impractical for any system which needs to provide a graphical login session.

Identifier: CCE-80260-3

Remediation (bash):

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'messagebus.service'
    "$SYSTEMCTL_EXEC" disable 'messagebus.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^messagebus.socket\>' && "$SYSTEMCTL_EXEC" disable 'messagebus.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'messagebus.service'

Remediation (Ansible):

    - name: Disable service messagebus
      service:
        name: messagebus
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
        - service_messagebus_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80260-3
        - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Disable socket of service messagebus if applicable
      service:
        name: messagebus.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
        - service_messagebus_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80260-3
        - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Advanced Configuration and Power Interface (acpid)

Description: The Advanced Configuration and Power Interface Daemon (acpid) dispatches ACPI events (such as power/reset button depressed) to userspace programs.
The acpid service can be disabled with the following command:

    $ sudo systemctl disable acpid.service

References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3

Rationale: ACPI support is highly desirable for systems in some network roles, such as laptops or desktops. For other systems, such as servers, it may permit accidental or trivially achievable denial of service situations, and disabling it is appropriate.

Identifier: CCE-80252-0

Remediation (bash):

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'acpid.service'
    "$SYSTEMCTL_EXEC" disable 'acpid.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^acpid.socket\>' && "$SYSTEMCTL_EXEC" disable 'acpid.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'acpid.service'

Remediation (Ansible):

    - name: Disable service acpid
      service:
        name: acpid
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
        - service_acpid_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80252-0
        - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Disable socket of service acpid if applicable
      service:
        name: acpid.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
        - service_acpid_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80252-0
        - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Network Router Discovery Daemon (rdisc)

Description: The rdisc service implements the client side of the ICMP Internet Router Discovery Protocol (IRDP), which allows discovery of routers on the local subnet. If a router is discovered, the local routing table is updated with a corresponding default route. By default this daemon is disabled.
The rdisc service can be disabled with the following command:

    $ sudo systemctl disable rdisc.service

References: 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 6, 8, 9, APO01.06, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS01.05, DSS03.01, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-000382, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.11.2.6, A.12.1.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-17(8), AC-4, CM-7, DE.AE-1, ID.AM-3, PR.AC-3, PR.AC-5, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4

Rationale: General-purpose systems typically have their network and routing information configured statically by a system administrator. Workstations or some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information.

Identifier: CCE-80268-6

Remediation (bash):

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'rdisc.service'
    "$SYSTEMCTL_EXEC" disable 'rdisc.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rdisc.socket\>' && "$SYSTEMCTL_EXEC" disable 'rdisc.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'rdisc.service'

Remediation (Ansible):

    - name: Disable service rdisc
      service:
        name: rdisc
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
        - service_rdisc_disabled
        - medium_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80268-6
        - NIST-800-53-AC-17(8)
        - NIST-800-53-AC-4
        - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Disable socket of service rdisc if applicable
      service:
        name: rdisc.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
        - service_rdisc_disabled
        - medium_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80268-6
        - NIST-800-53-AC-17(8)
        - NIST-800-53-AC-4
        - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Network Console (netconsole)

Description: The netconsole service is responsible for loading the netconsole kernel module, which logs kernel printk messages over UDP to a syslog server. This allows debugging of problems where disk logging fails and serial consoles are impractical.
The netconsole service can be disabled with the following command:

    $ sudo systemctl disable netconsole.service

References: 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-17(8), CM-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4

Rationale: The netconsole service is not necessary unless there is a need to debug kernel panics, which is not common.

Identifier: CCE-80261-1

Remediation (bash):

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'netconsole.service'
    "$SYSTEMCTL_EXEC" disable 'netconsole.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^netconsole.socket\>' && "$SYSTEMCTL_EXEC" disable 'netconsole.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'netconsole.service'

Remediation (Ansible):

    - name: Disable service netconsole
      service:
        name: netconsole
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
        - service_netconsole_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80261-1
        - NIST-800-53-AC-17(8)
        - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Disable socket of service netconsole if applicable
      service:
        name: netconsole.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
        - service_netconsole_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80261-1
        - NIST-800-53-AC-17(8)
        - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Certmonger Service (certmonger)

Description: Certmonger is a D-Bus based service that attempts to simplify interaction with certifying authorities on networks which use public-key infrastructure. It is often combined with Red Hat's IPA (Identity Policy Audit) security information management solution to aid in the management of certificates.
The certmonger service can be disabled with the following command:

    $ sudo systemctl disable certmonger.service

References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3

Rationale: The services provided by certmonger may be essential for systems fulfilling some roles in a PKI infrastructure, but its functionality is not necessary for many other use cases.

Identifier: CCE-80253-8

Remediation (bash):

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'certmonger.service'
    "$SYSTEMCTL_EXEC" disable 'certmonger.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^certmonger.socket\>' && "$SYSTEMCTL_EXEC" disable 'certmonger.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'certmonger.service'

Remediation (Ansible):

    - name: Disable service certmonger
      service:
        name: certmonger
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
        - service_certmonger_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80253-8
        - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Disable socket of service certmonger if applicable
      service:
        name: certmonger.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
        - service_certmonger_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80253-8
        - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Quota Netlink (quota_nld)

Description: The quota_nld service provides notifications to users of disk space quota violations. It listens to the kernel via a netlink socket for disk quota violations and notifies the appropriate user of the violation using D-Bus or by sending a message to the terminal that the user has last accessed.
The quota_nld service can be disabled with the following command:

    $ sudo systemctl disable quota_nld.service

References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3

Rationale: If disk quotas are enforced on the local system, then the quota_nld service likely provides useful functionality and should remain enabled. However, if disk quotas are not used or user notification of disk quota violations is not desired, then there is no need to run this service.

Identifier: CCE-80267-8

Remediation (bash):

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'quota_nld.service'
    "$SYSTEMCTL_EXEC" disable 'quota_nld.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^quota_nld.socket\>' && "$SYSTEMCTL_EXEC" disable 'quota_nld.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'quota_nld.service'

Remediation (Ansible):

    - name: Disable service quota_nld
      service:
        name: quota_nld
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
        - service_quota_nld_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80267-8
        - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Disable socket of service quota_nld if applicable
      service:
        name: quota_nld.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
        - service_quota_nld_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80267-8
        - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable Process Accounting (psacct)

Description: The process accounting service, psacct, works with programs including acct and ac to allow system administrators to view user activity, such as commands issued by users of the system.
The psacct service can be enabled with the following command:

    $ sudo systemctl enable psacct.service

References: 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.06, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.15.2.2, A.9.1.2, AU-12, CM-7, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.IP-1, PR.PT-1, PR.PT-3

Rationale: The psacct service can provide administrators a convenient view into some user activities. However, it should be noted that the auditing system and its audit records provide more authoritative and comprehensive records.

Identifier: CCE-80265-2

Remediation (bash):

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" start 'psacct.service'
    "$SYSTEMCTL_EXEC" enable 'psacct.service'

Remediation (Ansible):

    - name: Enable service psacct
      service:
        name: psacct
        enabled: "yes"
        state: "started"
      tags:
        - service_psacct_enabled
        - unknown_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80265-2
        - NIST-800-53-AU-12
        - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Red Hat Network Service (rhnsd)

Description: The Red Hat Network service automatically queries Red Hat Network servers to determine whether there are any actions that should be executed, such as package updates.
This only occurs if the system was registered to an RHN server or satellite and managed as such. The rhnsd service can be disabled with the following command:

    $ sudo systemctl disable rhnsd.service

References: 1.2.5, 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000382, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-17(8), CM-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4

Rationale: Although systems management and patching are extremely important to system security, management by a system outside the enterprise enclave is not desirable for some environments. However, if the system is being managed by RHN or RHN Satellite Server, the rhnsd daemon can remain on.

Identifier: CCE-80269-4

Remediation (bash):

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'rhnsd.service'
    "$SYSTEMCTL_EXEC" disable 'rhnsd.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rhnsd.socket\>' && "$SYSTEMCTL_EXEC" disable 'rhnsd.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'rhnsd.service'

Remediation (Ansible):

    - name: Disable service rhnsd
      service:
        name: rhnsd
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
        - service_rhnsd_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80269-4
        - NIST-800-53-AC-17(8)
        - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Disable socket of service rhnsd if applicable
      service:
        name: rhnsd.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
        - service_rhnsd_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80269-4
        - NIST-800-53-AC-17(8)
        - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Install the psacct package

Description: The process accounting service, psacct, works with programs including acct and ac to allow system administrators to view user activity, such as commands issued by users of the system.
The psacct package can be installed with the following command:

    $ sudo yum install psacct

References: 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.06, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.15.2.2, A.9.1.2, AU-12, CM-7, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.IP-1, PR.PT-1, PR.PT-3

Rationale: The psacct service can provide administrators a convenient view into some user activities. However, it should be noted that the auditing system and its audit records provide more authoritative and comprehensive records.

Remediation (bash):

    # package_install is a shared SSG helper inlined at build time.
    package_install psacct

Remediation (Ansible):

    - name: Ensure psacct is installed
      package:
        name: psacct
        state: present
      tags:
        - package_psacct_installed
        - unknown_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - NIST-800-53-AU-12
        - NIST-800-53-CM-7

Remediation (Puppet):

    include install_psacct
    class install_psacct {
      package { 'psacct':
        ensure => 'installed',
      }
    }

Remediation (Anaconda kickstart):

    package --add=psacct

Disable Software RAID Monitor (mdmonitor)

Description: The mdmonitor service is used for monitoring a software RAID array; hardware RAID setups do not use this service.
The mdmonitor service can be disabled with the following command:

    $ sudo systemctl disable mdmonitor.service

References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3

Rationale: If software RAID monitoring is not required, there is no need to run this service.

Identifier: CCE-80259-5

Remediation (bash):

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'mdmonitor.service'
    "$SYSTEMCTL_EXEC" disable 'mdmonitor.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^mdmonitor.socket\>' && "$SYSTEMCTL_EXEC" disable 'mdmonitor.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'mdmonitor.service'

Remediation (Ansible):

    - name: Disable service mdmonitor
      service:
        name: mdmonitor
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
        - service_mdmonitor_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80259-5
        - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Disable socket of service mdmonitor if applicable
      service:
        name: mdmonitor.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
        - service_mdmonitor_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80259-5
        - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable IRQ Balance (irqbalance)

Description: The irqbalance service optimizes the balance between power savings and performance through distribution of hardware interrupts across multiple processors.
The irqbalance service can be enabled with the following command:

    $ sudo systemctl enable irqbalance.service

References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3

Rationale: In an environment with multiple processors (now common), the irqbalance service provides potential speedups for handling interrupt requests.

Identifier: CCE-80257-9

Remediation (bash):

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" start 'irqbalance.service'
    "$SYSTEMCTL_EXEC" enable 'irqbalance.service'

Remediation (Ansible):

    - name: Enable service irqbalance
      service:
        name: irqbalance
        enabled: "yes"
        state: "started"
      tags:
        - service_irqbalance_enabled
        - unknown_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80257-9
        - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Odd Job Daemon (oddjobd)

Description: The oddjobd service exists to provide an interface and access control mechanism through which specified privileged tasks can run tasks for unprivileged client applications. Communication with oddjobd takes place through the system message bus.
The oddjobd service can be disabled with the following command: $ sudo systemctl disable oddjobd.service 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 CCI-000381 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 The oddjobd service may provide necessary functionality in some environments, and can be disabled if it is not needed. Execution of tasks by privileged programs, on behalf of unprivileged ones, has traditionally been a source of privilege escalation security issues. CCE-80263-7 SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" stop 'oddjobd.service' "$SYSTEMCTL_EXEC" disable 'oddjobd.service' # Disable socket activation if we have a unit file for it "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^oddjobd.socket\>' && "$SYSTEMCTL_EXEC" disable 'oddjobd.socket' # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. 
"$SYSTEMCTL_EXEC" reset-failed 'oddjobd.service' - name: Disable service oddjobd service: name: oddjobd enabled: "no" state: "stopped" register: service_result failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)" tags: - service_oddjobd_disabled - medium_severity - disable_strategy - low_complexity - low_disruption - CCE-80263-7 - NIST-800-53-CM-7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Disable socket of service oddjobd if applicable service: name: oddjobd.socket enabled: "no" state: "stopped" register: socket_result failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)" tags: - service_oddjobd_disabled - medium_severity - disable_strategy - low_complexity - low_disruption - CCE-80263-7 - NIST-800-53-CM-7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable SMART Disk Monitoring Service (smartd) SMART (Self-Monitoring, Analysis, and Reporting Technology) is a feature of hard drives that allows them to detect symptoms of disk failure and relay an appropriate warning. 
The smartd service can be disabled with the following command: $ sudo systemctl disable smartd.service 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 SMART can help protect against denial of service due to failing hardware. Nevertheless, if it is not needed or the system's drives are not SMART-capable (such as solid state drives), it can be disabled. CCE-80272-8 SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" stop 'smartd.service' "$SYSTEMCTL_EXEC" disable 'smartd.service' # Disable socket activation if we have a unit file for it "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^smartd.socket\>' && "$SYSTEMCTL_EXEC" disable 'smartd.socket' # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. 
"$SYSTEMCTL_EXEC" reset-failed 'smartd.service' - name: Disable service smartd service: name: smartd enabled: "no" state: "stopped" register: service_result failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)" tags: - service_smartd_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - CCE-80272-8 - NIST-800-53-CM-7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Disable socket of service smartd if applicable service: name: smartd.socket enabled: "no" state: "stopped" register: socket_result failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)" tags: - service_smartd_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - CCE-80272-8 - NIST-800-53-CM-7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable Apache Qpid (qpidd) The qpidd service provides high speed, secure, guaranteed delivery services. It is an implementation of the Advanced Message Queuing Protocol. By default the qpidd service will bind to port 5672 and listen for connection attempts. 
The qpidd service can be disabled with the following command: $ sudo systemctl disable qpidd.service 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 CCI-000382 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4 The qpidd service is automatically installed when the "base" package selection is selected during installation. The qpidd service listens for network connections, which increases the attack surface of the system. If the system is not intended to receive AMQP traffic, then the qpidd service is not needed and should be disabled or removed. CCE-80266-0 SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" stop 'qpidd.service' "$SYSTEMCTL_EXEC" disable 'qpidd.service' # Disable socket activation if we have a unit file for it "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^qpidd.socket\>' && "$SYSTEMCTL_EXEC" disable 'qpidd.socket' # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. 
"$SYSTEMCTL_EXEC" reset-failed 'qpidd.service' - name: Disable service qpidd service: name: qpidd enabled: "no" state: "stopped" register: service_result failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)" tags: - service_qpidd_disabled - medium_severity - disable_strategy - low_complexity - low_disruption - CCE-80266-0 - NIST-800-53-AC-17(8) - NIST-800-53-CM-7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Disable socket of service qpidd if applicable service: name: qpidd.socket enabled: "no" state: "stopped" register: socket_result failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)" tags: - service_qpidd_disabled - medium_severity - disable_strategy - low_complexity - low_disruption - CCE-80266-0 - NIST-800-53-AC-17(8) - NIST-800-53-CM-7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable Automatic Bug Reporting Tool (abrtd) The Automatic Bug Reporting Tool (abrtd) daemon collects and reports crash data when an application crash is detected. Using a variety of plugins, abrtd can email crash reports to system administrators, log crash reports to files, or forward crash reports to a centralized issue tracking system such as RHTSupport. 
The abrtd service can be disabled with the following command: $ sudo systemctl disable abrtd.service 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4 Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the system, as well as sensitive information from within a process's address space or registers. CCE-26872-2 SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" stop 'abrtd.service' "$SYSTEMCTL_EXEC" disable 'abrtd.service' # Disable socket activation if we have a unit file for it "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^abrtd.socket\>' && "$SYSTEMCTL_EXEC" disable 'abrtd.socket' # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. 
"$SYSTEMCTL_EXEC" reset-failed 'abrtd.service' - name: Disable service abrtd service: name: abrtd enabled: "no" state: "stopped" register: service_result failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)" tags: - service_abrtd_disabled - medium_severity - disable_strategy - low_complexity - low_disruption - CCE-26872-2 - NIST-800-53-AC-17(8) - NIST-800-53-CM-7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Disable socket of service abrtd if applicable service: name: abrtd.socket enabled: "no" state: "stopped" register: socket_result failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)" tags: - service_abrtd_disabled - medium_severity - disable_strategy - low_complexity - low_disruption - CCE-26872-2 - NIST-800-53-AC-17(8) - NIST-800-53-CM-7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable CPU Speed (cpupower) The cpupower service can adjust the clock speed of supported CPUs based upon the current processing load thereby conserving power and reducing heat. 
The cpupower service can be disabled with the following command: $ sudo systemctl disable cpupower.service 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 The cpupower service is only necessary if adjusting the CPU clock speed provides benefit. Traditionally this has included laptops (to enhance battery life), but may also apply to server or desktop environments where conserving power is highly desirable or necessary. CCE-80256-1 SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" stop 'cpupower.service' "$SYSTEMCTL_EXEC" disable 'cpupower.service' # Disable socket activation if we have a unit file for it "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^cpupower.socket\>' && "$SYSTEMCTL_EXEC" disable 'cpupower.socket' # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. 
"$SYSTEMCTL_EXEC" reset-failed 'cpupower.service' - name: Disable service cpupower service: name: cpupower enabled: "no" state: "stopped" register: service_result failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)" tags: - service_cpupower_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - CCE-80256-1 - NIST-800-53-CM-7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Disable socket of service cpupower if applicable service: name: cpupower.socket enabled: "no" state: "stopped" register: socket_result failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)" tags: - service_cpupower_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - CCE-80256-1 - NIST-800-53-CM-7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable Cyrus SASL Authentication Daemon (saslauthd) The saslauthd service handles plaintext authentication requests on behalf of the SASL library. The service isolates all code requiring superuser privileges for SASL authentication into a single process, and can also be used to provide proxy authentication services to clients that do not understand SASL based authentication. 
The saslauthd service can be disabled with the following command: $ sudo systemctl disable saslauthd.service 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4 The saslauthd service provides essential functionality for performing authentication in some directory environments, such as those which use Kerberos and LDAP. For others, however, in which only local files may be consulted, it is not necessary and should be disabled. CCE-80271-0 SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" stop 'saslauthd.service' "$SYSTEMCTL_EXEC" disable 'saslauthd.service' # Disable socket activation if we have a unit file for it "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^saslauthd.socket\>' && "$SYSTEMCTL_EXEC" disable 'saslauthd.socket' # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. 
"$SYSTEMCTL_EXEC" reset-failed 'saslauthd.service' - name: Disable service saslauthd service: name: saslauthd enabled: "no" state: "stopped" register: service_result failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)" tags: - service_saslauthd_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - CCE-80271-0 - NIST-800-53-AC-17(8) - NIST-800-53-CM-7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Disable socket of service saslauthd if applicable service: name: saslauthd.socket enabled: "no" state: "stopped" register: socket_result failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)" tags: - service_saslauthd_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - CCE-80271-0 - NIST-800-53-AC-17(8) - NIST-800-53-CM-7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable Control Group Config (cgconfig) Control groups allow an administrator to allocate system resources (such as CPU, memory, network bandwidth, etc) among a defined group (or groups) of processes executing on a system. The cgconfig daemon starts at boot and establishes the predefined control groups. 
The cgconfig service can be disabled with the following command: $ sudo systemctl disable cgconfig.service 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 Unless control groups are used to manage system resources, running the cgconfig service is not necessary. CCE-80254-6 SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" stop 'cgconfig.service' "$SYSTEMCTL_EXEC" disable 'cgconfig.service' # Disable socket activation if we have a unit file for it "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^cgconfig.socket\>' && "$SYSTEMCTL_EXEC" disable 'cgconfig.socket' # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. 
"$SYSTEMCTL_EXEC" reset-failed 'cgconfig.service' - name: Disable service cgconfig service: name: cgconfig enabled: "no" state: "stopped" register: service_result failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)" tags: - service_cgconfig_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - CCE-80254-6 - NIST-800-53-CM-7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Disable socket of service cgconfig if applicable service: name: cgconfig.socket enabled: "no" state: "stopped" register: socket_result failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)" tags: - service_cgconfig_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - CCE-80254-6 - NIST-800-53-CM-7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable ntpdate Service (ntpdate) The ntpdate service sets the local hardware clock by polling NTP servers when the system boots. It synchronizes to the NTP servers listed in /etc/ntp/step-tickers or /etc/ntp.conf and then sets the local hardware clock to the newly synchronized system time. 
The ntpdate service can be disabled with the following command: $ sudo systemctl disable ntpdate.service 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 CCI-000382 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4 The ntpdate service may only be suitable for systems which are rebooted frequently enough that clock drift does not cause problems between reboots. In any event, the functionality of the ntpdate service is now available in the ntpd program and should be considered deprecated. CCE-80262-9 SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" stop 'ntpdate.service' "$SYSTEMCTL_EXEC" disable 'ntpdate.service' # Disable socket activation if we have a unit file for it "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^ntpdate.socket\>' && "$SYSTEMCTL_EXEC" disable 'ntpdate.socket' # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. 
"$SYSTEMCTL_EXEC" reset-failed 'ntpdate.service' - name: Disable service ntpdate service: name: ntpdate enabled: "no" state: "stopped" register: service_result failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)" tags: - service_ntpdate_disabled - medium_severity - disable_strategy - low_complexity - low_disruption - CCE-80262-9 - NIST-800-53-AC-17(8) - NIST-800-53-CM-7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Disable socket of service ntpdate if applicable service: name: ntpdate.socket enabled: "no" state: "stopped" register: socket_result failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)" tags: - service_ntpdate_disabled - medium_severity - disable_strategy - low_complexity - low_disruption - CCE-80262-9 - NIST-800-53-AC-17(8) - NIST-800-53-CM-7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable KDump Kernel Crash Analyzer (kdump) The kdump service provides a kernel crash dump analyzer. It uses the kexec system call to boot a secondary kernel ("capture" kernel) following a system crash, which can load information from the crashed kernel for analysis. 
The kdump service can be disabled with the following command: $ sudo systemctl disable kdump.service RHEL-07-021300 SV-86681r2_rule 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 CCI-000366 164.308(a)(1)(ii)(D) 164.308(a)(3) 164.308(a)(4) 164.310(b) 164.310(c) 164.312(a) 164.312(e) 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7 CM-6(b) PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000480-GPOS-00227 Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service. CCE-80258-7 SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" stop 'kdump.service' "$SYSTEMCTL_EXEC" disable 'kdump.service' # Disable socket activation if we have a unit file for it "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^kdump.socket\>' && "$SYSTEMCTL_EXEC" disable 'kdump.socket' # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. 
"$SYSTEMCTL_EXEC" reset-failed 'kdump.service' - name: Disable service kdump service: name: kdump enabled: "no" state: "stopped" register: service_result failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)" tags: - service_kdump_disabled - medium_severity - disable_strategy - low_complexity - low_disruption - CCE-80258-7 - NIST-800-53-AC-17(8) - NIST-800-53-CM-7 - NIST-800-53-CM-6(b) - DISA-STIG-RHEL-07-021300 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Disable socket of service kdump if applicable service: name: kdump.socket enabled: "no" state: "stopped" register: socket_result failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)" tags: - service_kdump_disabled - medium_severity - disable_strategy - low_complexity - low_disruption - CCE-80258-7 - NIST-800-53-AC-17(8) - NIST-800-53-CM-7 - NIST-800-53-CM-6(b) - DISA-STIG-RHEL-07-021300 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") kdump --disable Disable Red Hat Subscription Manager Daemon (rhsmcertd) The Red Hat Subscription Manager (rhsmcertd) periodically checks for changes in the entitlement certificates for a registered system and updates it accordingly. 
The rhsmcertd service can be disabled with the following command: $ sudo systemctl disable rhsmcertd.service 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 The rhsmcertd service can provide administrators with some additional control over which of their systems are entitled to particular subscriptions. However, for systems that are managed locally or which are not expected to require remote changes to their subscription status, it is unnecessary and can be disabled. CCE-80270-2 SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" stop 'rhsmcertd.service' "$SYSTEMCTL_EXEC" disable 'rhsmcertd.service' # Disable socket activation if we have a unit file for it "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rhsmcertd.socket\>' && "$SYSTEMCTL_EXEC" disable 'rhsmcertd.socket' # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. 
"$SYSTEMCTL_EXEC" reset-failed 'rhsmcertd.service' - name: Disable service rhsmcertd service: name: rhsmcertd enabled: "no" state: "stopped" register: service_result failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)" tags: - service_rhsmcertd_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - CCE-80270-2 - NIST-800-53-CM-7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Disable socket of service rhsmcertd if applicable service: name: rhsmcertd.socket enabled: "no" state: "stopped" register: socket_result failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)" tags: - service_rhsmcertd_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - CCE-80270-2 - NIST-800-53-CM-7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable Portreserve (portreserve) The portreserve service is a TCP port reservation utility that can be used to prevent portmap from binding to well known TCP ports that are required for other services. 
The portreserve service can be disabled with the following command: $ sudo systemctl disable portreserve.service 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4 The portreserve service provides helpful functionality by preventing conflicting usage of ports in the reserved port range, but it can be disabled if not needed. CCE-80264-5 SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" stop 'portreserve.service' "$SYSTEMCTL_EXEC" disable 'portreserve.service' # Disable socket activation if we have a unit file for it "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^portreserve.socket\>' && "$SYSTEMCTL_EXEC" disable 'portreserve.socket' # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. 
"$SYSTEMCTL_EXEC" reset-failed 'portreserve.service' - name: Disable service portreserve service: name: portreserve enabled: "no" state: "stopped" register: service_result failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)" tags: - service_portreserve_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - CCE-80264-5 - NIST-800-53-AC-17(8) - NIST-800-53-CM-7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Disable socket of service portreserve if applicable service: name: portreserve.socket enabled: "no" state: "stopped" register: socket_result failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)" tags: - service_portreserve_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - CCE-80264-5 - NIST-800-53-AC-17(8) - NIST-800-53-CM-7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable System Statistics Reset Service (sysstat) The sysstat service resets various I/O and CPU performance statistics to zero in order to begin counting from a fresh state at boot time. 
The sysstat service can be disabled with the following command:

    $ sudo systemctl disable sysstat.service

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: By default the sysstat service merely runs a program at boot to reset the statistics, which can be retrieved using programs such as sar and sadc. These may provide useful insight into system operation, but unless used this service can be disabled.

Identifiers: CCE-80273-6

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'sysstat.service'
    "$SYSTEMCTL_EXEC" disable 'sysstat.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^sysstat.socket\>' && "$SYSTEMCTL_EXEC" disable 'sysstat.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'sysstat.service'

Remediation Ansible snippet:

    - name: Disable service sysstat
      service:
        name: sysstat
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
      - service_sysstat_disabled
      - unknown_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80273-6
      - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service sysstat if applicable
      service:
        name: sysstat.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
      - service_sysstat_disabled
      - unknown_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80273-6
      - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

SSH Server

The SSH protocol is recommended for remote login and remote file transfer. SSH provides confidentiality and integrity for data exchanged between two systems, as well as server authentication, through the use of public key cryptography. The implementation included with the system is called OpenSSH, and more detailed documentation is available from its website, http://www.openssh.org. Its server program is called sshd and is provided by the RPM package openssh-server.

SSH Server Listening Port
Specify the port on which the SSH server listens.
Value: 22

SSH Approved MACs by FIPS
Specify the FIPS-approved MAC (message authentication code) algorithms that the SSH server uses for data integrity protection.
Value: hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com

SSH enabled firewalld zone
Specify the firewalld zone in which to enable the SSH service.
This value is used only for remediation purposes.
Values: block, drop, public, work, internal, external, home, dmz, public, trusted

SSH session Idle time
Specify the duration of allowed idle time.
Values (seconds): 7200, 300, 1800, 300, 3600, 900, 600

SSH Max authentication attempts
Specify the maximum number of authentication attempts per connection.
Values: 4, 10, 3, 4, 5

SSH Max Keep Alive Count
Specify the maximum number of idle (client-alive) messages before the session is terminated.
Values: 0, 0, 10, 3, 5

SSH is required to be installed
Specify whether the policy requires SSH to be installed. Used by the SSH rules to determine whether SSH should be uninstalled or configured. A value of 0 means that the policy does not care whether the OpenSSH server is installed: if it is installed, the scanner checks its configuration; if it is not installed, the check passes. A value of 1 indicates that the OpenSSH server package is not required by the policy; a value of 2 indicates that the OpenSSH server package is required by the policy.
Values: 0, 2, 1

Configure OpenSSH Server if Necessary

If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file /etc/ssh/sshd_config. The following recommendations can be applied to this file. See the sshd_config(5) man page for more detailed information.

Strengthen Firewall Configuration if Possible

If the SSH server is expected to only receive connections from the local network, then strengthen the default firewall rule for the SSH service to only accept connections from the appropriate network segment(s). Determine an appropriate network block, netwk, network mask, mask, and network protocol, ip_protocol, representing the systems on your network which will be allowed to access this SSH server.
Run the following command:

    firewall-cmd --permanent --add-rich-rule='rule family="ip_protocol" source address="netwk/mask" service name="ssh" accept'

Enable Use of Strict Mode Checking

SSH's StrictModes option checks file and ownership permissions in the user's home directory .ssh folder before accepting login. If world-writable permissions are found, logon is rejected. To enable StrictModes in SSH, add or correct the following line in the /etc/ssh/sshd_config file:

    StrictModes yes

References: RHEL-07-040450 SV-86887r3_rule 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.1.12 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 AC-17(b) PR.AC-4 PR.DS-5 SRG-OS-000480-GPOS-00227 SRG-OS-000480-VMM-002000

Rationale: If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.

Identifiers: CCE-80222-3

Remediation shell script:

    replace_or_append '/etc/ssh/sshd_config' '^StrictModes' 'yes' 'CCE-80222-3' '%s %s'

Remediation Ansible snippet:

    - name: "Enable Use of Strict Mode Checking"
      lineinfile:
        create: yes
        dest: /etc/ssh/sshd_config
        regexp: (?i)^#?strictmodes
        line: StrictModes yes
        validate: /usr/sbin/sshd -t -f %s
      #notify: restart sshd
      tags:
      - sshd_enable_strictmodes
      - medium_severity
      - restrict_strategy
      - low_complexity
      - low_disruption
      - CCE-80222-3
      - NIST-800-53-AC-6
      - NIST-800-53-AC-17(b)
      - NIST-800-171-3.1.12
      - DISA-STIG-RHEL-07-040450
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable SSH Support for User Known Hosts

SSH can allow system users to use host-based authentication to connect to systems if a cache of the remote systems' public keys is available. This should be disabled.
To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:

    IgnoreUserKnownHosts yes

References: RHEL-07-040380 SV-86873r3_rule 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 3.1.12 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 AC-17(b) CM-6(a) PR.IP-1 FIA_AFL.1 SRG-OS-000480-GPOS-00227

Rationale: Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.

Identifiers: CCE-80372-6

Remediation shell script:

    replace_or_append '/etc/ssh/sshd_config' '^IgnoreUserKnownHosts' 'yes' 'CCE-80372-6' '%s %s'

Remediation Ansible snippet:

    - name: "Disable SSH Support for User Known Hosts"
      lineinfile:
        create: yes
        dest: /etc/ssh/sshd_config
        regexp: ^IgnoreUserKnownHosts
        line: IgnoreUserKnownHosts yes
        insertbefore: ^Match
        firstmatch: yes
        validate: /usr/sbin/sshd -t -f %s
      #notify: restart sshd
      tags:
      - sshd_disable_user_known_hosts
      - medium_severity
      - restrict_strategy
      - low_complexity
      - low_disruption
      - CCE-80372-6
      - NIST-800-53-AC-17(b)
      - NIST-800-53-CM-6(a)
      - NIST-800-171-3.1.12
      - DISA-STIG-RHEL-07-040380
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable SSH Access via Empty Passwords

To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config:

    PermitEmptyPasswords no

Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.
References: RHEL-07-010300 SV-86563r3_rule 5.2.9 11 12 13 14 15 16 18 3 5 9 5.5.6 APO01.06 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.03 DSS06.06 3.1.1 3.1.5 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 5.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-3 AC-6 AC-17(b) CM-6(b) PR.AC-4 PR.AC-6 PR.DS-5 PR.IP-1 PR.PT-3 FIA_AFL.1 SRG-OS-000480-GPOS-00229 SRG-OS-000480-VMM-002000

Rationale: Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.
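The checks behind this rule and the other sshd_config rules in this section all reduce to reading one keyword's effective value out of /etc/ssh/sshd_config. The shell below is an added example written for this page, not SSG code or its OVAL checks: it reads a constructed sshd_config the way sshd itself does and audits the settings this section requires. The sample file, the function names and the PASS/FAIL output format are this example's own.

```shell
#!/bin/sh
# Added example (not SSG code): read sshd_config the way sshd reads it and
# audit the settings this section requires. Three details trip up naive
# grep checks: keywords are case-insensitive, the FIRST uncommented value of
# a keyword wins (later duplicates are ignored), and directives after a
# "Match" line apply only to matching connections, not globally. Assumes
# POSIX sh + awk and the "Keyword value" syntax used throughout this guide.

# sshd_effective_value FILE KEYWORD -> prints the global value sshd would use
sshd_effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        tolower($1) == "match"   { exit }          # global section ends here
        tolower($1) == key {                       # first hit wins
            val = $2
            for (i = 3; i <= NF; i++) val = val " " $i
            print val
            exit
        }' "$1"
}

# sshd_check FILE KEYWORD EXPECTED -> 0 when the effective value matches
# (case-insensitively). An absent keyword fails: sshd then applies its
# compiled-in default, which is why the remediations write the line explicitly.
sshd_check() {
    actual=$(sshd_effective_value "$1" "$2" | tr 'A-Z' 'a-z')
    expected=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# audit_sshd_config FILE -> one PASS/FAIL line per rule, returns the failure count
audit_sshd_config() {
    fails=0
    for pair in PermitEmptyPasswords:no IgnoreRhosts:yes \
                HostbasedAuthentication:no PermitUserEnvironment:no \
                StrictModes:yes IgnoreUserKnownHosts:yes \
                KerberosAuthentication:no X11Forwarding:yes Banner:/etc/issue; do
        key=${pair%%:*}
        want=${pair#*:}
        if sshd_check "$1" "$key" "$want"; then
            echo "PASS $key $want"
        else
            echo "FAIL $key (want $want, have '$(sshd_effective_value "$1" "$key")')"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed sample (not from a real host) with the traps above: a commented
# directive, a lowercase keyword, a later duplicate, and a Match block whose
# directives do not count as global settings.
SAMPLE_SSHD_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_SSHD_CONFIG"' EXIT
cat > "$SAMPLE_SSHD_CONFIG" <<'EOF'
#PermitEmptyPasswords yes
permitemptypasswords no
StrictModes yes
IgnoreRhosts yes
IgnoreRhosts no
Banner /etc/issue
Match User backup
    HostbasedAuthentication no
    PermitUserEnvironment no
EOF

audit_sshd_config "$SAMPLE_SSHD_CONFIG" || echo "$? setting(s) need remediation"
```

On the sample, PermitEmptyPasswords, IgnoreRhosts, StrictModes and Banner pass, while HostbasedAuthentication and PermitUserEnvironment fail even though the words appear in the file, because they only exist inside the Match block; the Ansible task for IgnoreUserKnownHosts above uses insertbefore: ^Match for exactly this reason.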
Identifiers: CCE-27471-2

Remediation shell script:

    replace_or_append '/etc/ssh/sshd_config' '^PermitEmptyPasswords' 'no' 'CCE-27471-2' '%s %s'

Remediation Ansible snippet:

    - name: Disable SSH Access via Empty Passwords
      lineinfile:
        create: yes
        dest: /etc/ssh/sshd_config
        regexp: ^PermitEmptyPasswords
        line: PermitEmptyPasswords no
        validate: /usr/sbin/sshd -t -f %s
      tags:
      - sshd_disable_empty_passwords
      - high_severity
      - restrict_strategy
      - low_complexity
      - low_disruption
      - CCE-27471-2
      - NIST-800-53-AC-3
      - NIST-800-53-AC-6
      - NIST-800-53-AC-17(b)
      - NIST-800-53-CM-6(b)
      - NIST-800-171-3.1.1
      - NIST-800-171-3.1.5
      - CJIS-5.5.6
      - DISA-STIG-RHEL-07-010300
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Set SSH Client Alive Max Count

To ensure the SSH idle timeout occurs precisely when the ClientAliveInterval is set, edit /etc/ssh/sshd_config as follows:

    ClientAliveCountMax

References: RHEL-07-040340 SV-86865r4_rule 5.2.12 1 12 13 14 15 16 18 3 5 7 8 5.5.6 APO13.01 BAI03.01 BAI03.02 BAI03.03 DSS01.03 DSS03.05 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.1.11 CCI-001133 CCI-002361 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 6.2 A.12.4.1 A.12.4.3 A.14.1.1 A.14.2.1 A.14.2.5 A.18.1.4 A.6.1.2 A.6.1.5 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(5) SA-8 AC-12 AC-17(b) DE.CM-1 DE.CM-3 PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7 PR.IP-2 SRG-OS-000163-GPOS-00072 SRG-OS-000279-GPOS-00109A SRG-OS-000480-VMM-002000

Rationale: This ensures a user login will be terminated as soon as the ClientAliveInterval is reached.
Identifiers: CCE-27082-7

Remediation shell script:

    # The value is supplied by the XCCDF variable var_sshd_set_keepalive (blank in this rendering)
    var_sshd_set_keepalive=""
    replace_or_append '/etc/ssh/sshd_config' '^ClientAliveCountMax' "$var_sshd_set_keepalive" 'CCE-27082-7' '%s %s'

Remediation Ansible snippet:

    - name: XCCDF Value var_sshd_set_keepalive # promote to variable
      set_fact:
        var_sshd_set_keepalive: !!str
      tags:
        - always

    - name: Set SSH Client Alive Count
      lineinfile:
        create: yes
        dest: /etc/ssh/sshd_config
        regexp: ^ClientAliveCountMax
        line: 'ClientAliveCountMax {{ var_sshd_set_keepalive }}'
        validate: /usr/sbin/sshd -t -f %s
      #notify: restart sshd
      tags:
      - sshd_set_keepalive
      - medium_severity
      - restrict_strategy
      - low_complexity
      - low_disruption
      - CCE-27082-7
      - NIST-800-53-AC-2(5)
      - NIST-800-53-SA-8
      - NIST-800-53-AC-12
      - NIST-800-53-AC-17(b)
      - NIST-800-171-3.1.11
      - CJIS-5.5.6
      - DISA-STIG-RHEL-07-040340
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Set SSH Idle Timeout Interval

SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out. To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as follows:

    ClientAliveInterval

The timeout interval is given in seconds. To have a timeout of 15 minutes, set the interval to 900. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.
References: RHEL-07-040320 SV-86861r4_rule 5.2.12 1 12 13 14 15 16 18 3 5 7 8 5.5.6 APO13.01 BAI03.01 BAI03.02 BAI03.03 DSS01.03 DSS03.05 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.1.11 CCI-001133 CCI-002361 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 6.2 A.12.4.1 A.12.4.3 A.14.1.1 A.14.2.1 A.14.2.5 A.18.1.4 A.6.1.2 A.6.1.5 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(5) SA-8(i) AC-12 AC-17(b) DE.CM-1 DE.CM-3 PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7 PR.IP-2 Req-8.1.8 SRG-OS-000163-GPOS-00072 SRG-OS-000279-GPOS-00109 SRG-OS-000480-VMM-002000

Rationale: Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.
Identifiers: CCE-27433-2

Remediation shell script:

    # The value is supplied by the XCCDF variable sshd_idle_timeout_value (blank in this rendering)
    sshd_idle_timeout_value=""
    replace_or_append '/etc/ssh/sshd_config' '^ClientAliveInterval' "$sshd_idle_timeout_value" 'CCE-27433-2' '%s %s'

Remediation Ansible snippet:

    - name: XCCDF Value sshd_idle_timeout_value # promote to variable
      set_fact:
        sshd_idle_timeout_value: !!str
      tags:
        - always

    - name: Set SSH Idle Timeout Interval
      lineinfile:
        create: yes
        dest: /etc/ssh/sshd_config
        regexp: ^ClientAliveInterval
        line: "ClientAliveInterval {{ sshd_idle_timeout_value }}"
        validate: /usr/sbin/sshd -t -f %s
      #notify: restart sshd
      tags:
      - sshd_set_idle_timeout
      - medium_severity
      - restrict_strategy
      - low_complexity
      - low_disruption
      - CCE-27433-2
      - NIST-800-53-AC-2(5)
      - NIST-800-53-SA-8(i)
      - NIST-800-53-AC-12
      - NIST-800-53-AC-17(b)
      - NIST-800-171-3.1.11
      - PCI-DSS-Req-8.1.8
      - CJIS-5.5.6
      - DISA-STIG-RHEL-07-040320
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Limit Users' SSH Access

By default, the SSH configuration allows any user with an account to access the system. In order to specify the users that are allowed to login via SSH and deny all other users, add or correct the following line in the /etc/ssh/sshd_config file:

    DenyUsers USER1 USER2

where USER1 and USER2 are valid user names.

References: 11 12 14 15 16 18 3 5 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.03 DSS06.06 3.1.12 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-3 PR.AC-4 PR.AC-6 PR.PT-3

Rationale: Specifying which accounts are allowed SSH access into the system reduces the possibility of unauthorized access to the system.
Identifiers: CCE-80219-9

Enable SSH Warning Banner

To enable the warning banner and ensure it is consistent across the system, add or correct the following line in /etc/ssh/sshd_config:

    Banner /etc/issue

Another section contains information on how to create an appropriate system-wide warning banner.

References: RHEL-07-040170 SV-86849r4_rule 5.2.16 1 12 15 16 5.5.6 DSS05.04 DSS05.10 DSS06.10 3.1.9 CCI-000048 CCI-000050 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-8(a) AC-8(b) AC-8(c)(1) AC-8(c)(2) AC-8(c)(3) AC-17(b) PR.AC-7 FMT_MOF_EXT.1 SRG-OS-000023-GPOS-00006 SRG-OS-000024-GPOS-00007 SRG-OS-000228-GPOS-00088 SRG-OS-000023-VMM-000060

Rationale: The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.

Identifiers: CCE-27314-4

Remediation shell script:

    # Rewrite an existing Banner line in place; if grep finds none, append one
    grep -q ^Banner /etc/ssh/sshd_config && \
      sed -i "s/Banner.*/Banner \/etc\/issue/g" /etc/ssh/sshd_config
    if ! [ $? -eq 0 ]; then
        echo "Banner /etc/issue" >> /etc/ssh/sshd_config
    fi

Remediation Ansible snippet:

    - name: Enable SSH Warning Banner
      lineinfile:
        create: yes
        dest: /etc/ssh/sshd_config
        regexp: ^Banner
        line: Banner /etc/issue
        validate: /usr/sbin/sshd -t -f %s
      tags:
      - sshd_enable_warning_banner
      - medium_severity
      - restrict_strategy
      - low_complexity
      - low_disruption
      - CCE-27314-4
      - NIST-800-53-AC-8(a)
      - NIST-800-53-AC-8(b)
      - NIST-800-53-AC-8(c)(1)
      - NIST-800-53-AC-8(c)(2)
      - NIST-800-53-AC-8(c)(3)
      - NIST-800-53-AC-17(b)
      - NIST-800-171-3.1.9
      - CJIS-5.5.6
      - DISA-STIG-RHEL-07-040170
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Use Only FIPS 140-2 Validated MACs

Limit the MACs to those hash algorithms which are FIPS-approved. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved MACs:

    MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1

The man page sshd_config(5) contains a list of supported MACs. Only the following message authentication codes are FIPS 140-2 certified on Red Hat Enterprise Linux 7:

- hmac-sha1
- hmac-sha2-256
- hmac-sha2-512
- hmac-sha1-etm@openssh.com
- hmac-sha2-256-etm@openssh.com
- hmac-sha2-512-etm@openssh.com

Any combination of the above MACs will pass this check.
Official FIPS 140-2 paperwork for Red Hat Enterprise Linux 7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf

References: RHEL-07-040400 SV-86877r3_rule 5.2.12 1 12 13 15 16 5 8 APO01.06 APO13.01 DSS01.04 DSS05.02 DSS05.03 DSS05.04 DSS05.07 DSS06.02 DSS06.03 3.1.13 3.13.11 3.13.8 CCI-001453 164.308(b)(1) 164.308(b)(2) 164.312(e)(1) 164.312(e)(2)(i) 164.312(e)(2)(ii) 164.314(b)(2)(i) 4.3.3.5.1 4.3.3.6.6 SR 1.1 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.6 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.11.2.6 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.6.2.1 A.6.2.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-17(b) AC-17(2) IA-7 SC-13 PR.AC-1 PR.AC-3 PR.DS-5 PR.PT-4 SRG-OS-000250-GPOS-00093 SRG-OS-000480-VMM-002000

Rationale: DoD Information Systems are required to use FIPS-approved cryptographic hash functions. The only SSHv2 hash algorithms meeting this requirement are SHA2.
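The "any combination of the above MACs will pass this check" semantics is easy to get wrong with a single grep. The shell below is an added example, not the SSG OVAL check: it validates a comma-separated MACs list against the allowlist printed above, and the same function serves the Use Only FIPS 140-2 Validated Ciphers rule later in this section with its cipher list. The function names are this example's own; hmac-md5 and chacha20-poly1305@openssh.com in the demonstration are real OpenSSH algorithm names used only as stand-ins for anything outside the approved sets.

```shell
#!/bin/sh
# Added example (not SSG code): decide whether an sshd MACs or Ciphers list
# passes the "any combination of the approved algorithms" rule. The allowlists
# are the FIPS 140-2 certified sets this guide lists for Red Hat Enterprise
# Linux 7; the same check serves the "Use Only FIPS 140-2 Validated Ciphers"
# rule later in this section. Assumes POSIX sh only.

FIPS_MACS="hmac-sha1 hmac-sha2-256 hmac-sha2-512 hmac-sha1-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
FIPS_CIPHERS="aes128-ctr aes192-ctr aes256-ctr aes128-cbc aes192-cbc aes256-cbc 3des-cbc rijndael-cbc@lysator.liu.se"

# in_list ITEM "word word ..." -> 0 when ITEM is one of the words
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# check_algorithm_list "a,b,c" "allowlist"
# Returns 0 only when every entry is approved; prints the offending entries so
# the auditor sees why a list fails. An empty list fails too: with no MACs or
# Ciphers directive sshd uses its compiled-in defaults, which are not confined
# to the approved set.
check_algorithm_list() {
    allowed=$2
    bad=""
    [ -n "$1" ] || { echo "empty list"; return 1; }
    # split the comma-separated list into the positional parameters
    set -- $(printf '%s' "$1" | tr ',' ' ')
    for alg in "$@"; do
        in_list "$alg" "$allowed" || bad="$bad $alg"
    done
    if [ -n "$bad" ]; then
        echo "not FIPS-approved:$bad"
        return 1
    fi
    echo "approved: $*"
    return 0
}

check_macs()    { check_algorithm_list "$1" "$FIPS_MACS"; }
check_ciphers() { check_algorithm_list "$1" "$FIPS_CIPHERS"; }

# Demonstration on constructed lists. On a live host the effective values can
# be fed in from the daemon itself (sshd -T prints the effective configuration
# with lowercase keywords), e.g.
#   check_macs "$(sshd -T | awk '$1 == "macs" { print $2 }')"
check_macs "hmac-sha2-512,hmac-sha2-256,hmac-sha1"
check_ciphers "aes256-ctr,chacha20-poly1305@openssh.com" || echo "(fails the check)"
```

Reading the value from sshd -T rather than from the file also catches the case where the MACs line exists but is shadowed by an earlier duplicate or sits inside a Match block.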
Identifiers: CCE-27455-5

Remediation shell script:

    # The value is supplied by the XCCDF variable sshd_approved_macs (blank in this rendering)
    sshd_approved_macs=""
    replace_or_append '/etc/ssh/sshd_config' '^MACs' "$sshd_approved_macs" 'CCE-27455-5' '%s %s'

Remediation Ansible snippet:

    - name: XCCDF Value sshd_approved_macs # promote to variable
      set_fact:
        sshd_approved_macs: !!str
      tags:
        - always

    - name: "Use Only Approved MACs"
      lineinfile:
        create: yes
        dest: /etc/ssh/sshd_config
        regexp: ^MACs
        line: "MACs {{ sshd_approved_macs }}"
        validate: /usr/sbin/sshd -t -f %s
      #notify: restart sshd
      tags:
      - sshd_use_approved_macs
      - medium_severity
      - restrict_strategy
      - low_complexity
      - low_disruption
      - CCE-27455-5
      - NIST-800-53-AC-17(b)
      - NIST-800-53-AC-17(2)
      - NIST-800-53-IA-7
      - NIST-800-53-SC-13
      - NIST-800-171-3.1.13
      - NIST-800-171-3.13.11
      - NIST-800-171-3.13.8
      - DISA-STIG-RHEL-07-040400
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Do Not Allow SSH Environment Options

To ensure users are not able to override environment options to the SSH daemon, add or correct the following line in /etc/ssh/sshd_config:

    PermitUserEnvironment no

References: RHEL-07-010460 SV-86581r3_rule 5.2.10 11 3 9 5.5.6 BAI10.01 BAI10.02 BAI10.03 BAI10.05 3.1.12 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 AC-17(b) CM-6(b) PR.IP-1 SRG-OS-000480-GPOS-00229 SRG-OS-000480-VMM-002000

Rationale: SSH environment options potentially allow users to bypass access restrictions in some configurations.
Identifiers: CCE-27363-1

Remediation shell script:

    replace_or_append '/etc/ssh/sshd_config' '^PermitUserEnvironment' 'no' 'CCE-27363-1' '%s %s'

Remediation Ansible snippet:

    - name: Do Not Allow SSH Environment Options
      lineinfile:
        create: yes
        dest: /etc/ssh/sshd_config
        regexp: ^PermitUserEnvironment
        line: PermitUserEnvironment no
        validate: /usr/sbin/sshd -t -f %s
      tags:
      - sshd_do_not_permit_user_env
      - medium_severity
      - restrict_strategy
      - low_complexity
      - low_disruption
      - CCE-27363-1
      - NIST-800-53-AC-17(b)
      - NIST-800-53-CM-6(b)
      - NIST-800-171-3.1.12
      - CJIS-5.5.6
      - DISA-STIG-RHEL-07-010460
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Kerberos Authentication

Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like Kerberos. To disable Kerberos authentication, add or correct the following line in the /etc/ssh/sshd_config file:

    KerberosAuthentication no

References: RHEL-07-040440 SV-86885r3_rule 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 3.1.12 CCI-000368 CCI-000318 CCI-001812 CCI-001813 CCI-001814 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-6(c) PR.IP-1 FIA_AFL.1 SRG-OS-000364-GPOS-00151 SRG-OS-000480-VMM-002000

Rationale: Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may be subject to exploitation.
Identifiers: CCE-80221-5

Remediation shell script:

    replace_or_append '/etc/ssh/sshd_config' '^KerberosAuthentication' 'no' 'CCE-80221-5' '%s %s'

Remediation Ansible snippet:

    - name: "Disable Kerberos Authentication"
      lineinfile:
        create: yes
        dest: /etc/ssh/sshd_config
        regexp: (?i)^#?kerberosauthentication
        line: KerberosAuthentication no
        validate: /usr/sbin/sshd -t -f %s
      #notify: restart sshd
      tags:
      - sshd_disable_kerb_auth
      - medium_severity
      - restrict_strategy
      - low_complexity
      - low_disruption
      - CCE-80221-5
      - NIST-800-53-CM-6(c)
      - NIST-800-171-3.1.12
      - DISA-STIG-RHEL-07-040440
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Allow Only SSH Protocol 2

Only SSH protocol version 2 connections should be permitted. The default setting in /etc/ssh/sshd_config is correct, and can be verified by ensuring that the following line appears:

    Protocol 2

As of openssh-server version 7.4 and above, the only protocol supported is version 2, and the line Protocol 2 in /etc/ssh/sshd_config is not necessary.

References: RHEL-07-040390 SV-86875r4_rule 5.2.2 1 12 15 16 5 8 5.5.6 APO13.01 DSS01.04 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.1.13 3.5.4 CCI-000197 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.6 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.13.1.1 A.13.2.1 A.14.1.3 A.18.1.4 A.6.2.1 A.6.2.2 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 AC-17(b) AC-17(8).1(ii) IA-5(1)(c) PR.AC-1 PR.AC-3 PR.AC-6 PR.AC-7 PR.PT-4 SRG-OS-000074-GPOS-00042 SRG-OS-000480-GPOS-00227 SRG-OS-000033-VMM-000140

Rationale: SSH protocol version 1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.

Identifiers: CCE-27320-1

Remediation shell script:

    replace_or_append '/etc/ssh/sshd_config' '^Protocol' '2' 'CCE-27320-1' '%s %s'

Remediation Ansible snippet:

    - name: "Allow Only SSH Protocol 2"
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "^Protocol [0-9]"
        line: "Protocol 2"
        validate: /usr/sbin/sshd -t -f %s
      #notify: reload ssh
      tags:
      - sshd_allow_only_protocol2
      - high_severity
      - restrict_strategy
      - low_complexity
      - low_disruption
      - CCE-27320-1
      - NIST-800-53-AC-17(b)
      - NIST-800-53-AC-17(8).1(ii)
      - NIST-800-53-IA-5(1)(c)
      - NIST-800-171-3.1.13
      - NIST-800-171-3.5.4
      - CJIS-5.5.6
      - DISA-STIG-RHEL-07-040390
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable SSH Support for .rhosts Files

SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via .rhosts files. To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:

    IgnoreRhosts yes

References: RHEL-07-040350 SV-86867r3_rule 5.2.6 11 12 14 15 16 18 3 5 9 5.5.6 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.03 DSS06.06 3.1.12 CCI-000366 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-3 AC-17(b) CM-6(a) PR.AC-4 PR.AC-6 PR.IP-1 PR.PT-3 FIA_AFL.1 SRG-OS-000480-GPOS-00227 SRG-OS-000107-VMM-000530

Rationale: SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.
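Every shell remediation in this section calls replace_or_append, a helper from the SSG remediation library that this page does not define. The function below is an added example, not the SSG helper, showing what such a helper has to get right for sshd_config specifically: sshd honours the first uncommented value of a keyword, and directives after a Match line apply only to matching connections, so a naive "append if grep finds nothing" can leave the new line shadowed or inside a Match block. The function and variable names, and the constructed demonstration file, are this example's own.

```shell
#!/bin/sh
# Added example, not the SSG remediation library's replace_or_append: an
# idempotent "set one sshd_config keyword" helper with the semantics the
# remediations in this section depend on. sshd honours the FIRST uncommented
# value of a keyword, and directives after a "Match" line apply only to
# matching connections, so the helper rewrites the first global occurrence,
# comments out later global duplicates, and otherwise inserts the directive
# before the first Match block (appending when there is none). Assumes POSIX
# sh + awk and the "Keyword value" syntax used throughout this guide.

# set_sshd_option FILE KEYWORD VALUE
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        BEGIN { lkey = tolower(key); done = 0; in_match = 0 }
        # first Match line: everything after it is connection-specific
        !in_match && tolower($1) == "match" {
            if (!done) { print key " " value; done = 1 }   # insert before it
            in_match = 1
        }
        # active global directive for our keyword (comment lines carry "#" in $1)
        !in_match && $0 !~ /^[ \t]*#/ && tolower($1) == lkey {
            if (!done) { print key " " value; done = 1 }   # rewrite first hit
            else       { print "#" $0 }                    # disarm duplicates
            next
        }
        { print }
        END { if (!done) print key " " value }              # never seen: append
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Copy back over the original so its inode, mode, owner and SELinux label
    # survive (a plain mv would replace the file with an unlabeled temp file).
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# validate_sshd_config FILE
# The same check the Ansible tasks run through "validate:" before committing
# a change; it needs sshd and the host keys present, so it is a separate step
# to call after set_sshd_option on a real host.
validate_sshd_config() {
    /usr/sbin/sshd -t -f "$1"
}

# Demonstration on a constructed file (not a real host's sshd_config): the
# commented line stays, the lowercase duplicate becomes the single active
# directive, the later duplicate is commented out, and the Match section is
# left untouched.
demo=$(mktemp)
trap 'rm -f "$demo"' EXIT
printf '%s\n' '#PermitUserEnvironment yes' 'permituserenvironment yes' \
    'PermitUserEnvironment yes' 'Match User backup' '    X11Forwarding no' > "$demo"
set_sshd_option "$demo" PermitUserEnvironment no
cat "$demo"
```

The Ansible tasks above get the same effect from lineinfile's validate: step plus, where the rule needs it, insertbefore: ^Match with firstmatch: yes; what neither lineinfile nor this helper handles is the "Keyword=value" spelling that sshd_config(5) also accepts, so a file written that way should be normalised before either is trusted.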
Identifiers: CCE-27377-1

Remediation shell script:

    replace_or_append '/etc/ssh/sshd_config' '^IgnoreRhosts' 'yes' 'CCE-27377-1' '%s %s'

Remediation Ansible snippet:

    - name: Disable SSH Support for .rhosts Files
      lineinfile:
        create: yes
        dest: /etc/ssh/sshd_config
        regexp: ^IgnoreRhosts
        line: IgnoreRhosts yes
        validate: /usr/sbin/sshd -t -f %s
      tags:
      - sshd_disable_rhosts
      - medium_severity
      - restrict_strategy
      - low_complexity
      - low_disruption
      - CCE-27377-1
      - NIST-800-53-AC-3
      - NIST-800-53-AC-17(b)
      - NIST-800-53-CM-6(a)
      - NIST-800-171-3.1.12
      - CJIS-5.5.6
      - DISA-STIG-RHEL-07-040350
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable SSH Support for Rhosts RSA Authentication

SSH can allow authentication through the obsolete rsh command through the use of the authenticating user's SSH keys. This should be disabled. To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:

    RhostsRSAAuthentication no

As of openssh-server version 7.4 and above, the RhostsRSAAuthentication option has been deprecated, and the line RhostsRSAAuthentication no in /etc/ssh/sshd_config is not necessary.

References: RHEL-07-040330 SV-86863r4_rule 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 3.1.12 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-6(a) AC-17(b) PR.IP-1 FIA_AFL.1 SRG-OS-000480-GPOS-00227

Rationale: Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.
Identifiers: CCE-80373-4

Remediation shell script:

    replace_or_append '/etc/ssh/sshd_config' '^RhostsRSAAuthentication' 'no' 'CCE-80373-4' '%s %s'

Remediation Ansible snippet:

    - name: Disable SSH Support for Rhosts RSA Authentication
      lineinfile:
        create: yes
        dest: /etc/ssh/sshd_config
        regexp: ^RhostsRSAAuthentication
        line: RhostsRSAAuthentication no
        validate: /usr/sbin/sshd -t -f %s
      tags:
      - sshd_disable_rhosts_rsa
      - medium_severity
      - restrict_strategy
      - low_complexity
      - low_disruption
      - CCE-80373-4
      - NIST-800-53-CM-6(a)
      - NIST-800-53-AC-17(b)
      - NIST-800-171-3.1.12
      - DISA-STIG-RHEL-07-040330
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Set LogLevel to INFO

The INFO parameter specifies that login and logout activity will be recorded. To specify the log level in SSH, add or correct the following line in the /etc/ssh/sshd_config file:

    LogLevel INFO

References: 5.2.3 AC-17(b)

Rationale: SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications, since it provides so much data that it is difficult to identify important security information. INFO is the basic level that only records login activity of SSH users. In many situations, such as incident response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field.

Identifiers: CCE-80645-5

Enable Encrypted X11 Forwarding

By default, remote X11 connections are not encrypted when initiated by users. SSH has the capability to encrypt remote X11 connections when SSH's X11Forwarding option is enabled. To enable X11 Forwarding, add or correct the following line in /etc/ssh/sshd_config:

    X11Forwarding yes

References: RHEL-07-040710 SV-86927r4_rule 5.2.4 1 11 12 13 15 16 18 20 3 4 6 9 BAI03.08 BAI07.04 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS03.01 3.1.13 CCI-000366 4.3.4.3.2 4.3.4.3.3 4.4.3.3 SR 7.6 A.12.1.1 A.12.1.2 A.12.1.4 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-2(1)(b) DE.AE-1 PR.DS-7 PR.IP-1 SRG-OS-000480-GPOS-00227

Rationale: Open X displays allow an attacker to capture keystrokes and to execute commands remotely.

Identifiers: CCE-80226-4

Remediation Ansible snippet:

    - name: Enable Encrypted X11 Forwarding
      lineinfile:
        create: yes
        dest: /etc/ssh/sshd_config
        regexp: ^X11Forwarding
        line: X11Forwarding yes
        validate: /usr/sbin/sshd -t -f %s
      tags:
      - sshd_enable_x11_forwarding
      - high_severity
      - restrict_strategy
      - low_complexity
      - low_disruption
      - CCE-80226-4
      - NIST-800-53-CM-2(1)(b)
      - NIST-800-171-3.1.13
      - DISA-STIG-RHEL-07-040710
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Use Only FIPS 140-2 Validated Ciphers

Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved ciphers:

    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

The man page sshd_config(5) contains a list of supported ciphers. The following ciphers are FI PS 140-2 certified on Red Hat Enterprise Linux 7:

- aes128-ctr
- aes192-ctr
- aes256-ctr
- aes128-cbc
- aes192-cbc
- aes256-cbc
- 3des-cbc
- rijndael-cbc@lysator.liu.se

Any combination of the above ciphers will pass this check.
Official FIPS 140-2 paperwork for Red Hat Enterprise Linux 7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf

References: RHEL-07-040110 SV-86845r3_rule 5.2.10 1 11 12 14 15 16 18 3 5 6 8 9 5.5.6 APO11.04 APO13.01 BAI03.05 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.06 DSS06.10 MEA02.01 3.1.13 3.13.11 3.13.8 CCI-000068 CCI-000366 CCI-000803 164.308(b)(1) 164.308(b)(2) 164.312(e)(1) 164.312(e)(2)(i) 164.312(e)(2)(ii) 164.314(b)(2)(i) 4.3.3.2.2 4.3.3.3.9 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.5.1 A.12.6.2 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.18.1.4 A.6.1.2 A.6.2.1 A.6.2.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-3 AC-17(b) AC-17(2) AU-10(5) CM-6(b) IA-5(1)(c) IA-7 SI-7 PR.AC-1 PR.AC-3 PR.AC-4 PR.AC-6 PR.AC-7 PR.IP-1 PR.PT-1 PR.PT-3 PR.PT-4 SRG-OS-000033-GPOS-00014 SRG-OS-000120-GPOS-00061 SRG-OS-000125-GPOS-00065 SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173 SRG-OS-000033-VMM-000140 SRG-OS-000478-VMM-001980

Rationale: Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and system data may be compromised. Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets industry and government requirements. For government systems, this allows Security Levels 1, 2, 3, or 4 for use on Red Hat Enterprise Linux 7.

Identifiers: CCE-27295-5

Remediation shell script:

    replace_or_append '/etc/ssh/sshd_config' '^Ciphers' 'aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc' 'CCE-27295-5' '%s %s'

Remediation Ansible snippet:

    - name: Use Only Approved Ciphers
      lineinfile:
        create: yes
        dest: /etc/ssh/sshd_config
        regexp: ^Ciphers
        line: Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
        validate: /usr/sbin/sshd -t -f %s
      #notify: restart sshd
      tags:
      - sshd_use_approved_ciphers
      - medium_severity
      - restrict_strategy
      - low_complexity
      - low_disruption
      - CCE-27295-5
      - NIST-800-53-AC-3
      - NIST-800-53-AC-17(b)
      - NIST-800-53-AC-17(2)
      - NIST-800-53-AU-10(5)
      - NIST-800-53-CM-6(b)
      - NIST-800-53-IA-5(1)(c)
      - NIST-800-53-IA-7
      - NIST-800-53-SI-7
      - NIST-800-171-3.1.13
      - NIST-800-171-3.13.11
      - NIST-800-171-3.13.8
      - CJIS-5.5.6
      - DISA-STIG-RHEL-07-040110
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Host-Based Authentication

SSH's cryptographic host-based authentication is more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization.
To disable host-based authentication, add or correct the following line in /etc/ssh/sshd_config:

HostbasedAuthentication no

References: RHEL-07-010470 SV-86583r3_rule 5.2.7 11 12 14 15 16 18 3 5 9 5.5.6 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.03 DSS06.06 3.1.12 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-3 AC-17 CM-6(b) PR.AC-4 PR.AC-6 PR.IP-1 PR.PT-3 FIA_AFL.1 SRG-OS-000480-GPOS-00229 SRG-OS-000480-VMM-002000

Rationale: SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.

Identifier: CCE-27413-4

Remediation Shell script:

grep -q ^HostbasedAuthentication /etc/ssh/sshd_config && \
  sed -i "s/HostbasedAuthentication.*/HostbasedAuthentication no/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
    echo "HostbasedAuthentication no" >> /etc/ssh/sshd_config
fi

Remediation Ansible snippet:

- name: Disable Host-Based Authentication
  lineinfile:
    create: yes
    dest: /etc/ssh/sshd_config
    regexp: ^HostbasedAuthentication
    line: HostbasedAuthentication no
  tags:
    - disable_host_auth
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27413-4
    - NIST-800-53-AC-3
    - NIST-800-53-AC-17
    - NIST-800-53-CM-6(b)
    - NIST-800-171-3.1.12
    - CJIS-5.5.6
    - DISA-STIG-RHEL-07-010470
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable SSH Server firewalld Firewall Exception

By default, inbound connections to SSH's port are allowed. If the SSH server is being used but denied by the firewall, this exception should be added to the firewall configuration. To configure firewalld to allow access, run the following command(s):

firewall-cmd --permanent --add-service=ssh

References: 3.1.12 AC-17(a)

Rationale: If inbound SSH connections are expected, adding a firewall rule exception will allow remote access through the SSH port.
Identifier: CCE-80361-9

Remediation Ansible snippet:

- name: Ensure firewalld is installed
  package:
    name: "{{ item }}"
    state: present
  with_items:
    - firewalld
  tags:
    - firewalld_sshd_port_enabled
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-80361-9
    - NIST-800-53-AC-17(a)
    - NIST-800-171-3.1.12
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: XCCDF Value sshd_listening_port # promote to variable
  set_fact:
    sshd_listening_port: !!str
  tags:
    - always

- name: Enable SSHD in firewalld (custom port)
  firewalld:
    port: "{{ sshd_listening_port }}/tcp"
    permanent: yes
    state: enabled
  when: sshd_listening_port != 22 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - firewalld_sshd_port_enabled
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-80361-9
    - NIST-800-53-AC-17(a)
    - NIST-800-171-3.1.12

- name: Enable SSHD in firewalld (default port)
  firewalld:
    service: ssh
    permanent: yes
    state: enabled
  when: sshd_listening_port == 22 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - firewalld_sshd_port_enabled
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-80361-9
    - NIST-800-53-AC-17(a)
    - NIST-800-171-3.1.12

Set SSH authentication attempt limit

The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. To set MaxAuthTries, edit /etc/ssh/sshd_config as follows:

MaxAuthTries tries

References: 5.2.5

Rationale: Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server.

Use Only Strong MACs

Limit the MACs to strong hash algorithms. The following line in /etc/ssh/sshd_config demonstrates use of those MACs:

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160

Rationale: MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information.

Enable Use of Privilege Separation

When enabled, SSH will create an unprivileged child process that has the privilege of the authenticated user. To enable privilege separation in SSH, add or correct the following line in the /etc/ssh/sshd_config file:

UsePrivilegeSeparation sandbox

References: RHEL-07-040460 SV-86889r3_rule 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.1.12 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 AC-17(b) PR.AC-4 PR.DS-5 SRG-OS-000480-GPOS-00227

Rationale: SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which decreases the impact of software vulnerabilities in the unprivileged section.
Identifier: CCE-80223-1

Remediation Shell script:

replace_or_append '/etc/ssh/sshd_config' '^UsePrivilegeSeparation' 'sandbox' 'CCE-80223-1' '%s %s'

Remediation Ansible snippet:

- name: "Enable use of Privilege Separation"
  lineinfile:
    create: yes
    dest: /etc/ssh/sshd_config
    regexp: (?i)^#?useprivilegeseparation
    line: UsePrivilegeSeparation sandbox
    validate: /usr/sbin/sshd -t -f %s
  #notify: restart sshd
  tags:
    - sshd_use_priv_separation
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80223-1
    - NIST-800-53-AC-6
    - NIST-800-53-AC-17(b)
    - NIST-800-171-3.1.12
    - DISA-STIG-RHEL-07-040460
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable SSH Print Last Log

When enabled, SSH will display the date and time of the last successful account logon. To enable LastLog in SSH, add or correct the following line in the /etc/ssh/sshd_config file:

PrintLastLog yes

References: RHEL-07-040360 SV-86869r3_rule 1 12 15 16 DSS05.04 DSS05.10 DSS06.10 CCI-000366 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-9 AC-17(b) PR.AC-7 SRG-OS-000480-GPOS-00227

Rationale: Providing users feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.

Identifier: CCE-80225-6

Remediation Shell script:

replace_or_append '/etc/ssh/sshd_config' '^PrintLastLog' 'yes' 'CCE-80225-6' '%s %s'

Remediation Ansible snippet:

- name: Print last log
  lineinfile:
    create: yes
    dest: /etc/ssh/sshd_config
    regexp: ^PrintLastLog
    line: PrintLastLog yes
    validate: /usr/sbin/sshd -t -f %s
  #notify: restart sshd
  tags:
    - sshd_print_last_log
    - medium_severity
    - CCE-80225-6
    - NIST-800-53-AC-9
    - NIST-800-53-AC-17(b)
    - DISA-STIG-RHEL-07-040360
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Use Only Strong Ciphers

Limit the ciphers to strong algorithms. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in /etc/ssh/sshd_config demonstrates use of those ciphers:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr

The man page sshd_config(5) contains a list of supported ciphers.

Rationale: Based on research conducted at various institutions, it was determined that the symmetric portion of the SSH Transport Protocol (as described in RFC 4253) has security weaknesses that allowed recovery of up to 32 bits of plaintext from a block of ciphertext that was encrypted with the Cipher Block Chaining (CBC) method. From that research, new Counter mode algorithms (as described in RFC 4344) were designed that are not vulnerable to these types of attacks, and these algorithms are now recommended for standard use.

Disable GSSAPI Authentication

Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like GSSAPI. To disable GSSAPI authentication, add or correct the following line in the /etc/ssh/sshd_config file:

GSSAPIAuthentication no

References: RHEL-07-040430 SV-86883r3_rule 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 3.1.12 CCI-000368 CCI-000318 CCI-001812 CCI-001813 CCI-001814 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 AC-17(b) CM-6(c) PR.IP-1 FIA_AFL.1 SRG-OS-000364-GPOS-00151 SRG-OS-000480-VMM-002000

Rationale: GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system.
Identifier: CCE-80220-7

Remediation Shell script:

replace_or_append '/etc/ssh/sshd_config' '^GSSAPIAuthentication' 'no' 'CCE-80220-7' '%s %s'

Remediation Ansible snippet:

- name: "Disable GSSAPI Authentication"
  lineinfile:
    create: yes
    dest: /etc/ssh/sshd_config
    regexp: (?i)^#?gssapiauthentication
    line: GSSAPIAuthentication no
    validate: /usr/sbin/sshd -t -f %s
  #notify: sshd -t -f %s
  tags:
    - sshd_disable_gssapi_auth
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80220-7
    - NIST-800-53-AC-17(b)
    - NIST-800-53-CM-6(c)
    - NIST-800-171-3.1.12
    - DISA-STIG-RHEL-07-040430
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Compression Or Set Compression to delayed

Compression is useful for slow network connections over long distances but can cause performance issues on local LANs. If use of compression is required, it should be enabled only after a user has authenticated; otherwise, it should be disabled. To disable compression or delay compression until after a user has successfully authenticated, add or correct the following line in the /etc/ssh/sshd_config file:

Compression no

or

Compression delayed

References: RHEL-07-040470 SV-86891r3_rule 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 3.1.12 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-6(b) PR.IP-1 SRG-OS-000480-GPOS-00227 SRG-OS-000480-VMM-002000

Rationale: If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.

Identifier: CCE-80224-9

Remediation Shell script:

replace_or_append '/etc/ssh/sshd_config' '^Compression' 'no' 'CCE-80224-9' '%s %s'

Remediation Ansible snippet:

- name: "Disable Compression or Set Compression to delayed"
  lineinfile:
    create: yes
    dest: /etc/ssh/sshd_config
    regexp: (?i)^#?compression
    line: Compression delayed
    validate: /usr/sbin/sshd -t -f %s
  #notify: restart sshd
  tags:
    - sshd_disable_compression
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80224-9
    - NIST-800-53-CM-6(b)
    - NIST-800-171-3.1.12
    - DISA-STIG-RHEL-07-040470
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable SSH Root Login

The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in /etc/ssh/sshd_config:

PermitRootLogin no

References: RHEL-07-040370 SV-86871r3_rule 5.2.8 1 11 12 13 14 15 16 18 3 5 5.5.6 APO01.06 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.02 DSS06.03 DSS06.06 DSS06.10 3.1.1 3.1.5 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.18.1.4 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-3 AC-6(2) AC-17(b) IA-2 IA-2(5) PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7 PR.DS-5 PR.PT-3 FIA_AFL.1 SRG-OS-000480-GPOS-00227 SRG-OS-000480-VMM-002000

Rationale: Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password.

Identifier: CCE-27445-6

Remediation Shell script:

SSHD_CONFIG='/etc/ssh/sshd_config'

# Obtain line number of first uncommented case-insensitive occurrence of Match
# block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG
FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)

# Obtain line number of first uncommented case-insensitive occurrence of
# PermitRootLogin directive (possibly prefixed with whitespace) present in
# $SSHD_CONFIG
FIRST_PERMIT_ROOT_LOGIN=$(sed -n '/^[[:space:]]*PermitRootLogin[^\n]*/I{=;q}' $SSHD_CONFIG)

# Case: Match block directive not present in $SSHD_CONFIG
if [ -z "$FIRST_MATCH_BLOCK" ]
then
    # Case: PermitRootLogin directive not present in $SSHD_CONFIG yet
    if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ]
    then
        # Append 'PermitRootLogin no' at the end of $SSHD_CONFIG
        echo -e "\nPermitRootLogin no" >> $SSHD_CONFIG
    # Case: PermitRootLogin directive present in $SSHD_CONFIG already
    else
        # Replace first uncommented case-insensitive occurrence
        # of PermitRootLogin directive
        sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG
    fi
# Case: Match block directive present in $SSHD_CONFIG
else
    # Case: PermitRootLogin directive not present in $SSHD_CONFIG yet
    if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ]
    then
        # Prepend 'PermitRootLogin no' before first uncommented
        # case-insensitive occurrence of Match block directive
        sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitRootLogin no\n\1/I" $SSHD_CONFIG
    # Case: PermitRootLogin directive present in $SSHD_CONFIG and placed
    # before first Match block directive
    elif [ "$FIRST_PERMIT_ROOT_LOGIN" -lt "$FIRST_MATCH_BLOCK" ]
    then
        # Replace first uncommented case-insensitive occurrence
        # of PermitRootLogin directive
        sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG
    # Case: PermitRootLogin directive present in $SSHD_CONFIG and placed
    # after first Match block directive
    else
        # Prepend 'PermitRootLogin no' before first uncommented
        # case-insensitive occurrence of Match block directive
        sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitRootLogin no\n\1/I" $SSHD_CONFIG
    fi
fi

Remediation Ansible snippet:

- name: "Disable SSH Root Login"
  lineinfile:
    create: yes
    dest: "/etc/ssh/sshd_config"
    regexp: "^PermitRootLogin"
    line: "PermitRootLogin no"
    insertafter: '(?i)^#?authentication'
    validate: /usr/sbin/sshd -t -f %s
  #notify: restart sshd
  tags:
    - sshd_disable_root_login
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27445-6
    - NIST-800-53-AC-3
    - NIST-800-53-AC-6(2)
    - NIST-800-53-AC-17(b)
    - NIST-800-53-IA-2
    - NIST-800-53-IA-2(5)
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.5
    - CJIS-5.5.6
    - DISA-STIG-RHEL-07-040370
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable SSH Server If Possible (Unusual)

The SSH server service, sshd, is commonly needed. However, if it can be disabled, do so. The sshd service can be disabled with the following command:

$ sudo systemctl disable sshd.service

This is unusual, as SSH is a common method for encrypted and authenticated remote access.

Identifier: CCE-80217-3

Remediation Shell script:

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'sshd.service'
"$SYSTEMCTL_EXEC" disable 'sshd.service'
# Disable socket activation if we have a unit file for it
"$SYSTEMCTL_EXEC" list-unit-files | grep -q '^sshd.socket\>' && "$SYSTEMCTL_EXEC" disable 'sshd.socket'
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'sshd.service'

Remediation Ansible snippet:

- name: Disable service sshd
  service:
    name: sshd
    enabled: "no"
    state: "stopped"
  register: service_result
  failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
  tags:
    - service_sshd_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80217-3
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Disable socket of service sshd if applicable
  service:
    name: sshd.socket
    enabled: "no"
    state: "stopped"
  register: socket_result
  failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
  tags:
    - service_sshd_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80217-3
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Install the OpenSSH Server Package

The openssh-server package should be installed. The openssh-server package can be installed with the following command:

$ sudo yum install openssh-server

References: RHEL-07-040300 SV-86857r3_rule 13 14 APO01.06 DSS05.02 DSS05.04 DSS05.07 DSS06.02 DSS06.06 CCI-002418 CCI-002420 CCI-002421 CCI-002422 SR 3.1 SR 3.8 SR 4.1 SR 4.2 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 SC-8 PR.DS-2 PR.DS-5 SRG-OS-000423-GPOS-00187 SRG-OS-000423-GPOS-00188 SRG-OS-000423-GPOS-00189 SRG-OS000423-GPOS-00190

Rationale: Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.
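The sshd_config directives covered by the rules above (X11Forwarding, Ciphers, MACs, HostbasedAuthentication, UsePrivilegeSeparation, PrintLastLog, GSSAPIAuthentication, Compression, PermitRootLogin) can be audited together before any remediation is applied. The bash script below is an added example, not SCAP Security Guide code; the helper names sshd_effective, algs_allowed and sshd_audit and the sample sshd_config are constructed for it. It reads the file the way sshd does: the first uncommented value of a keyword wins, and directives after a Match line are conditional, which is also why the PermitRootLogin remediation above takes care to place the directive before the first Match block.

```shell
#!/bin/bash
# Added example, not SCAP Security Guide code. Helper names (sshd_effective,
# algs_allowed, sshd_audit) and the sample sshd_config are constructed here.

# Constructed sample sshd_config. The PermitRootLogin under "Match" must not
# count as the global value: sshd takes the FIRST uncommented occurrence, and
# directives after a Match line apply only inside that block.
SAMPLE_SSHD_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_SSHD_CONFIG"' EXIT
cat > "$SAMPLE_SSHD_CONFIG" <<'EOF'
# constructed sample sshd_config
Port 22
#PermitRootLogin yes
PermitRootLogin no
X11Forwarding yes
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-md5
hostbasedauthentication no
GSSAPIAuthentication yes
Compression delayed
UsePrivilegeSeparation sandbox
PrintLastLog yes
Match User backup
    PermitRootLogin yes
EOF

# sshd_effective <file> <keyword>: print the effective global value of a
# keyword (first uncommented, case-insensitive occurrence before any Match
# block, "Keyword value" or "Keyword=value" form); prints nothing if unset.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (line ~ /^(#|$)/) next              # comment or blank line
            kw = line; sub(/[ \t=].*$/, "", kw); kw = tolower(kw)
            if (kw == "match") exit                # conditional section starts
            if (kw == key) { sub(/^[^ \t=]+[ \t=]*/, "", line); print line; exit }
        }' "$1"
}

# Allowed algorithm sets, taken from the cipher and MAC rules above.
FIPS_CIPHERS='aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator.liu.se'
STRONG_MACS='hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'

# algs_allowed <configured list> <allowed list>: succeed only if the list is
# non-empty (an unset list means sshd's defaults, not the approved set) and
# every comma-separated entry is in the allowed set.
algs_allowed() {
    local alg seen=0 bad=0
    for alg in $(printf '%s' "$1" | tr ',' ' '); do
        seen=1
        case ",$2," in
            *",$alg,"*) ;;
            *) printf '  disallowed algorithm: %s\n' "$alg"; bad=1 ;;
        esac
    done
    [ "$seen" -eq 1 ] && [ "$bad" -eq 0 ]
}

# sshd_audit <file>: one PASS/FAIL line per rule; returns the number of
# failed checks (0 means the file satisfies the rules above).
sshd_audit() {
    local cfg=$1 fails=0 pair kw want got
    for pair in PermitRootLogin:no HostbasedAuthentication:no GSSAPIAuthentication:no \
                UsePrivilegeSeparation:sandbox PrintLastLog:yes X11Forwarding:yes; do
        kw=${pair%%:*}; want=${pair#*:}
        got=$(sshd_effective "$cfg" "$kw" | tr 'A-Z' 'a-z')
        if [ "$got" = "$want" ]; then
            printf 'PASS %-24s %s\n' "$kw" "$got"
        else
            printf 'FAIL %-24s %s (want %s)\n' "$kw" "${got:-unset}" "$want"; fails=$((fails + 1))
        fi
    done
    got=$(sshd_effective "$cfg" Compression | tr 'A-Z' 'a-z')
    case "$got" in                 # "no" or "delayed" both satisfy the rule
        no|delayed) printf 'PASS %-24s %s\n' Compression "$got" ;;
        *) printf 'FAIL %-24s %s (want no or delayed)\n' Compression "${got:-unset}"; fails=$((fails + 1)) ;;
    esac
    if algs_allowed "$(sshd_effective "$cfg" Ciphers)" "$FIPS_CIPHERS"; then
        printf 'PASS Ciphers (all FIPS 140-2 approved)\n'
    else
        printf 'FAIL Ciphers (unset or contains a non-approved cipher)\n'; fails=$((fails + 1))
    fi
    if algs_allowed "$(sshd_effective "$cfg" MACs)" "$STRONG_MACS"; then
        printf 'PASS MACs (all strong)\n'
    else
        printf 'FAIL MACs (unset or contains a weak MAC)\n'; fails=$((fails + 1))
    fi
    return $fails
}

sshd_audit "$SAMPLE_SSHD_CONFIG" || printf '%d check(s) failed\n' "$?"
```

On the constructed sample the audit reports two failures (GSSAPIAuthentication is yes and the MAC list contains hmac-md5) while the PermitRootLogin inside the Match block is correctly ignored. Point sshd_audit at /etc/ssh/sshd_config to audit a live host; the script only reads the file.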
Identifier: CCE-80215-7

Remediation Shell script:

package_install openssh-server

Remediation Ansible snippet:

- name: Ensure openssh-server is installed
  package:
    name: openssh-server
    state: present
  tags:
    - package_openssh-server_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80215-7
    - NIST-800-53-SC-8
    - DISA-STIG-RHEL-07-040300
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Remediation Puppet snippet:

include install_openssh-server
class install_openssh-server {
  package { 'openssh-server':
    ensure => 'installed',
  }
}

Remediation Anaconda snippet:

package --add=openssh-server

Remove SSH Server firewalld Firewall exception (Unusual)

By default, inbound connections to SSH's port are allowed. If the SSH server is not being used, this exception should be removed from the firewall configuration. To configure firewalld to prevent access, run the following command(s):

firewall-cmd --permanent --remove-service=ssh

References: 3.1.12

Rationale: If inbound SSH connections are not expected, disallowing access to the SSH port will avoid possible exploitation of the port by an attacker.

Identifier: CCE-80218-1

Enable the OpenSSH Service

The SSH server service, sshd, is commonly needed. The sshd service can be enabled with the following command:

$ sudo systemctl enable sshd.service

References: RHEL-07-040310 SV-86859r3_rule 13 14 APO01.06 DSS05.02 DSS05.04 DSS05.07 DSS06.02 DSS06.06 3.1.13 3.5.4 3.13.8 CCI-002418 CCI-002420 CCI-002421 CCI-002422 SR 3.1 SR 3.8 SR 4.1 SR 4.2 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 SC-8 PR.DS-2 PR.DS-5 SRG-OS-000423-GPOS-00187 SRG-OS-000423-GPOS-00188 SRG-OS-000423-GPOS-00189 SRG-OS000423-GPOS-00190

Rationale: Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.
This checklist item applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, etc.). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.

Identifier: CCE-80216-5

Remediation Shell script:

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'sshd.service'
"$SYSTEMCTL_EXEC" enable 'sshd.service'

Remediation Ansible snippet:

- name: Enable service sshd
  service:
    name: sshd
    enabled: "yes"
    state: "started"
  tags:
    - service_sshd_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80216-5
    - NIST-800-53-SC-8
    - NIST-800-171-3.1.13
    - NIST-800-171-3.5.4
    - NIST-800-171-3.13.8
    - DISA-STIG-RHEL-07-040310
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Verify Permissions on SSH Server Public *.pub Key Files

To properly set the permissions of /etc/ssh/*.pub, run the command:

$ sudo chmod 0644 /etc/ssh/*.pub

References: RHEL-07-040410 SV-86879r2_rule 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.1.13 3.13.10 CCI-000366 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 SRG-OS-000480-GPOS-00227

Rationale: If a public host key file is modified by an unauthorized user, the SSH service may be compromised.

Identifier: CCE-27311-0

Remediation Shell script:

find /etc/ssh -regex '^/etc/ssh/.*.pub$' -exec chmod 0644 {} \;

Remediation Ansible snippet:

- name: Find /etc/ssh file(s)
  find:
    paths: "/etc/ssh"
    patterns: "^.*.pub$"
    use_regex: yes
  register: files_found
  tags:
    - file_permissions_sshd_pub_key
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-27311-0
    - NIST-800-53-AC-6
    - NIST-800-171-3.1.13
    - NIST-800-171-3.13.10
    - DISA-STIG-RHEL-07-040410
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set permissions for /etc/ssh file(s)
  file:
    path: "{{ item.path }}"
    mode: 0644
  with_items:
    - "{{ files_found.files }}"
  tags:
    - file_permissions_sshd_pub_key
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-27311-0
    - NIST-800-53-AC-6
    - NIST-800-171-3.1.13
    - NIST-800-171-3.13.10
    - DISA-STIG-RHEL-07-040410
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Remediation Puppet snippet:

include ssh_public_key_perms
class ssh_public_key_perms {
  exec { 'sshd_pub_key':
    command => "chmod 0644 /etc/ssh/*.pub",
    path    => '/bin:/usr/bin'
  }
}

Verify Permissions on SSH Server Private *_key Key Files

To properly set the permissions of /etc/ssh/*_key, run the command:

$ sudo chmod 0640 /etc/ssh/*_key

References: RHEL-07-040420 SV-86881r3_rule 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.1.13 3.13.10 CCI-000366 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 AC-17 PR.AC-4 PR.DS-5 SRG-OS-000480-GPOS-00227

Rationale: If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
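The two key-file rules above state a maximum mode (0644 for *.pub, 0640 for *_key); a key that is already tighter, such as a 0600 private key, is compliant and must not be reported. The bash script below is an added example, not SCAP Security Guide code; file_mode_ok and ssh_keyfile_audit are constructed helper names, and it works on a constructed temporary directory so it runs without privileges and touches no real host keys.

```shell
#!/bin/bash
# Added example, not SCAP Security Guide code. file_mode_ok and
# ssh_keyfile_audit are constructed helper names; the key directory is a
# constructed temporary directory so the check runs without privileges.

SAMPLE_SSH_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_SSH_DIR"' EXIT
for f in ssh_host_rsa_key ssh_host_ed25519_key ssh_host_rsa_key.pub ssh_host_ed25519_key.pub; do
    : > "$SAMPLE_SSH_DIR/$f"      # empty placeholder, no real key material
done
chmod 0640 "$SAMPLE_SSH_DIR/ssh_host_rsa_key"          # compliant
chmod 0644 "$SAMPLE_SSH_DIR/ssh_host_ed25519_key"      # world-readable private key
chmod 0644 "$SAMPLE_SSH_DIR/ssh_host_rsa_key.pub"      # compliant
chmod 0664 "$SAMPLE_SSH_DIR/ssh_host_ed25519_key.pub"  # group-writable public key

# file_mode_ok <file> <max mode>: succeed if no permission bit is set beyond
# the allowed mask, so a tighter mode (0600 on a private key) also passes.
file_mode_ok() {
    local mode
    mode=$(stat -c '%a' "$1")          # GNU stat; BSD/macOS would need stat -f '%Lp'
    [ $(( 8#$mode & ~8#$2 & 07777 )) -eq 0 ]
}

# ssh_keyfile_audit <dir>: private *_key files may be at most 0640, *.pub
# files at most 0644 (the two rules above); returns the number of offenders.
ssh_keyfile_audit() {
    local dir=$1 f fails=0 max
    for f in "$dir"/*_key "$dir"/*.pub; do
        [ -e "$f" ] || continue
        case "$f" in *.pub) max=0644 ;; *) max=0640 ;; esac
        if file_mode_ok "$f" "$max"; then
            printf 'PASS %s (%s, max %s)\n' "${f##*/}" "$(stat -c '%a' "$f")" "$max"
        else
            printf 'FAIL %s (%s exceeds %s)\n' "${f##*/}" "$(stat -c '%a' "$f")" "$max"
            fails=$((fails + 1))
        fi
    done
    return $fails
}

ssh_keyfile_audit "$SAMPLE_SSH_DIR" || printf '%d file(s) need chmod\n' "$?"
```

On the constructed directory the audit flags exactly the two files set too loosely; run ssh_keyfile_audit /etc/ssh on a live system to check the real host keys before applying the chmod remediations.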
Identifier: CCE-27485-2

Remediation Shell script:

find /etc/ssh -regex '^/etc/ssh/.*_key$' -exec chmod 0640 {} \;

Remediation Ansible snippet:

- name: Find /etc/ssh file(s)
  find:
    paths: "/etc/ssh"
    patterns: "^.*_key$"
    use_regex: yes
  register: files_found
  tags:
    - file_permissions_sshd_private_key
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-27485-2
    - NIST-800-53-AC-6
    - NIST-800-53-AC-17
    - NIST-800-171-3.1.13
    - NIST-800-171-3.13.10
    - DISA-STIG-RHEL-07-040420
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set permissions for /etc/ssh file(s)
  file:
    path: "{{ item.path }}"
    mode: 0640
  with_items:
    - "{{ files_found.files }}"
  tags:
    - file_permissions_sshd_private_key
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-27485-2
    - NIST-800-53-AC-6
    - NIST-800-53-AC-17
    - NIST-800-171-3.1.13
    - NIST-800-171-3.13.10
    - DISA-STIG-RHEL-07-040420
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Remediation Puppet snippet:

include ssh_private_key_perms
class ssh_private_key_perms {
  exec { 'sshd_priv_key':
    command => "chmod 0640 /etc/ssh/*_key",
    path    => '/bin:/usr/bin'
  }
}

Remove SSH Server iptables Firewall exception (Unusual)

By default, inbound connections to SSH's port are allowed. If the SSH server is not being used, this exception should be removed from the firewall configuration. Edit the files /etc/sysconfig/iptables and /etc/sysconfig/ip6tables (if IPv6 is in use). In each file, locate and delete the line:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

This is unusual, as SSH is a common method for encrypted and authenticated remote access.

Rationale: If inbound SSH connections are not expected, disallowing access to the SSH port will avoid possible exploitation of the port by an attacker.

Mail Server Software

Mail servers are used to send and receive email over the network.
Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious targets of network attack. Ensure that systems are not running MTAs unnecessarily, and configure needed MTAs as defensively as possible. Very few systems at any site should be configured to directly receive email over the network. Users should instead use mail client programs to retrieve email from a central server that supports protocols such as IMAP or POP3. However, it is normal for most systems to be independently capable of sending email, for instance so that cron jobs can report output to an administrator. Most MTAs, including Postfix, support a submission-only mode in which mail can be sent from the local system to a central site MTA (or directly delivered to a local account), but the system still cannot receive mail directly over a network.

The alternatives program in Red Hat Enterprise Linux 7 permits selection of other mail server software (such as Sendmail), but Postfix is the default and is preferred. Postfix was coded with security in mind and can also be more effectively contained by SELinux, as its modular design has resulted in separate processes performing specific actions. More information is available on its website, http://www.postfix.org.

Configure SMTP For Mail Clients

This section discusses settings for Postfix in a submission-only e-mail configuration.

Postfix Root Mail Alias

Specify an email address (string) for a root mail alias. Default value: system.administrator@mail.mil

Configure System to Forward All Mail For The Root Account

Set up an alias for root that forwards to a monitored email address:

$ echo "root: " | sudo tee -a /etc/aliases
$ sudo newaliases

Rationale: A number of system services utilize email messages sent to the root user to notify system administrators of active or impending issues. These messages must be forwarded to at least one monitored email address.

Disable Postfix Network Listening

Edit the file /etc/postfix/main.cf to ensure that only the following inet_interfaces line appears:

inet_interfaces = localhost

References: 2.2.15 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 CCI-000382 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: This ensures postfix accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack.

Identifier: CCE-80289-2

Configure Operating System to Protect Mail Server

The guidance in this section is appropriate for any host which is operating as a site MTA, whether the mail server runs using Sendmail, Postfix, or some other software.

Configure SSL Certificates for Use with SMTP AUTH

If SMTP AUTH is to be used, the use of SSL to protect credentials in transit is strongly recommended. There are also configurations for which it may be desirable to encrypt all mail in transit from one MTA to another, though such configurations are beyond the scope of this guide. In either event, the steps for creating and installing an SSL certificate are independent of the MTA in use, and are described here.
Ensure Security of Postfix SSL Certificate Create the PKI directory for mail certificates, if it does not already exist: $ sudo mkdir /etc/pki/tls/mail $ sudo chown root:root /etc/pki/tls/mail $ sudo chmod 755 /etc/pki/tls/mail Using removable media or some other secure transmission format, install the files generated in the previous step onto the mail server: /etc/pki/tls/mail/serverkey.pem: the private key mailserverkey.pem /etc/pki/tls/mail/servercert.pem: the certificate file mailservercert.pem Verify the ownership and permissions of these files: $ sudo chown root:root /etc/pki/tls/mail/serverkey.pem $ sudo chown root:root /etc/pki/tls/mail/servercert.pem $ sudo chmod 600 /etc/pki/tls/mail/serverkey.pem $ sudo chmod 644 /etc/pki/tls/mail/servercert.pem Verify that the CA's public certificate file has been installed as /etc/pki/tls/CA/cacert.pem, and has the correct permissions: $ sudo chown root:root /etc/pki/tls/CA/cacert.pem $ sudo chmod 644 /etc/pki/tls/CA/cacert.pem Configure Postfix if Necessary Postfix stores its configuration files in the directory /etc/postfix by default. The primary configuration file is /etc/postfix/main.cf. Control Mail Relaying Postfix's mail relay controls are implemented with the help of the smtpd recipient restrictions option, which controls the restrictions placed on the SMTP dialogue once the sender and recipient envelope addresses are known. The guidance in the following sections should be applied to all systems. If there are systems which must be allowed to relay mail, but which cannot be trusted to relay unconditionally, configure SMTP AUTH with SSL support. 
Configure Trusted Networks and Hosts

Edit /etc/postfix/main.cf, and configure the contents of the mynetworks variable in one of the following ways:

- If any system in the subnet containing the MTA may be trusted to relay messages, add or correct the following line:

    mynetworks_style = subnet

  This is also the default setting, and is in effect if all mynetworks_style directives are commented.

- If only the MTA host itself is trusted to relay messages, add or correct the following line:

    mynetworks_style = host

- If the set of systems which can relay is more complicated, manually specify an entry for each netblock or IP address which is trusted to relay by setting the mynetworks variable directly:

    mynetworks = 10.0.0.0/16, 192.168.1.0/24, 127.0.0.1

Require SMTP AUTH Before Relaying from Untrusted Clients

SMTP authentication allows remote clients to relay mail safely by requiring them to authenticate before submitting mail. Postfix's SMTP AUTH uses an authentication library called SASL, which is not part of Postfix itself. To enable the use of SASL authentication, see http://www.postfix.org/SASL_README.html

Enact SMTP Recipient Restrictions

To configure Postfix to restrict addresses to which it will send mail, see: http://www.postfix.org/SMTPD_ACCESS_README.html#danger

The full contents of smtpd_recipient_restrictions will vary by site, since this is a common place to put spam restrictions and other site-specific options. The permit_mynetworks option allows all mail to be relayed from the systems in mynetworks. Then, the reject_unauth_destination option denies all mail whose destination address is not local, preventing any other systems from relaying. These two options should always appear in this order, and should usually follow one another immediately unless SMTP AUTH is used.
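As an added example (it is not part of the SCAP Security Guide), the following Python audits the text of a main.cf against the Postfix rules of this section: loopback-only listening, well-formed mynetworks entries, the order of permit_mynetworks and reject_unauth_destination, and the client-restriction, banner and resource-limit settings the section goes on to specify. It parses continuation lines the way Postfix does; both sample configurations are constructed for the demonstration.

```python
import ipaddress
import re

# Resource-usage parameters the DoS rule says must be set explicitly.
RESOURCE_LIMITS = (
    "default_process_limit", "smtpd_client_connection_count_limit",
    "smtpd_client_connection_rate_limit", "queue_minfree",
    "header_size_limit", "message_size_limit", "smtpd_recipient_limit",
)

def parse_main_cf(text):
    """Read main.cf as Postfix does: 'name = value' lines, a line starting with
    whitespace continues the previous value, '#' comments, last assignment wins."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:  # not an assignment: ignore the line
            current = None
            continue
        current = name.strip()
        params[current] = value.strip()
    return params

def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [tok for tok in re.split(r"[,\s]+", value) if tok]

def audit_main_cf(text):
    """Return a list of findings; empty when every checked rule is met."""
    p = parse_main_cf(text)
    findings = []
    # Disable Postfix Network Listening: loopback only.
    if p.get("inet_interfaces", "all") != "localhost":
        findings.append("inet_interfaces should be 'localhost'")
    # Configure Trusted Networks and Hosts: each entry must parse as an address
    # or netblock (Postfix writes IPv6 entries in brackets).
    for net in split_list(p.get("mynetworks", "")):
        try:
            ipaddress.ip_network(net.strip("[]"), strict=False)
        except ValueError:
            findings.append("mynetworks entry %r is not a valid address/netblock" % net)
    # Enact SMTP Recipient Restrictions: permit_mynetworks, then
    # reject_unauth_destination, adjacent unless SMTP AUTH sits between them.
    restr = split_list(p.get("smtpd_recipient_restrictions", ""))
    if "permit_mynetworks" not in restr or "reject_unauth_destination" not in restr:
        findings.append("smtpd_recipient_restrictions lacks permit_mynetworks "
                        "and/or reject_unauth_destination")
    else:
        i_permit = restr.index("permit_mynetworks")
        i_reject = restr.index("reject_unauth_destination")
        if i_reject < i_permit:
            findings.append("reject_unauth_destination must follow permit_mynetworks")
        elif any(r != "permit_sasl_authenticated" for r in restr[i_permit + 1:i_reject]):
            findings.append("only permit_sasl_authenticated may separate "
                            "permit_mynetworks from reject_unauth_destination")
    # Prevent Unrestricted Mail Relaying.
    if split_list(p.get("smtpd_client_restrictions", "")) != ["permit_mynetworks", "reject"]:
        findings.append("smtpd_client_restrictions should be 'permit_mynetworks,reject'")
    # Configure SMTP Greeting Banner: hostname and ESMTP, nothing about the MTA.
    banner = p.get("smtpd_banner", "$myhostname ESMTP $mail_name")
    if "$mail_name" in banner or "$mail_version" in banner or "postfix" in banner.lower():
        findings.append("smtpd_banner discloses the MTA software: %r" % banner)
    # Configure Postfix Resource Usage: every limit set explicitly.
    missing = [name for name in RESOURCE_LIMITS if name not in p]
    if missing:
        findings.append("resource limits not set: " + ", ".join(missing))
    return findings

# Constructed samples; neither is a real server's configuration.
WEAK_MAIN_CF = """\
inet_interfaces = all
mynetworks = 10.0.0.0/16, 192.168.1.0/24, 127.0.0.1, 10.0.0.256
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_recipient_restrictions = reject_unauth_destination,
    permit_mynetworks,
    reject_non_fqdn_recipient
"""

HARDENED_MAIN_CF = """\
inet_interfaces = localhost
mynetworks = 10.0.0.0/16, 192.168.1.0/24, 127.0.0.1
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
smtpd_client_restrictions = permit_mynetworks,reject
smtpd_banner = $myhostname ESMTP
default_process_limit = 100
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
queue_minfree = 20971520
header_size_limit = 51200
message_size_limit = 10485760
smtpd_recipient_limit = 100
"""

if __name__ == "__main__":
    for finding in audit_main_cf(WEAK_MAIN_CF):
        print("FAIL:", finding)
    print("hardened sample findings:", audit_main_cf(HARDENED_MAIN_CF))
```

On a live host, feed it the output of `postconf -n` instead of the file, so that include and override behaviour is resolved by Postfix itself.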
Enact SMTP Relay Restrictions

To configure Postfix to restrict addresses to which it will send mail, see: http://www.postfix.org/SMTPD_ACCESS_README.html#danger

The full contents of smtpd_recipient_restrictions will vary by site, since this is a common place to put spam restrictions and other site-specific options. The permit_mynetworks option allows all mail to be relayed from the systems in mynetworks. Then, the reject_unauth_destination option denies all mail whose destination address is not local, preventing any other systems from relaying. These two options should always appear in this order, and should usually follow one another immediately unless SMTP AUTH is used.

Use TLS for SMTP AUTH

Postfix provides options to use TLS for certificate-based authentication and encrypted sessions. An encrypted session protects the information that is transmitted with SMTP mail or with SASL authentication. To configure Postfix to protect all SMTP AUTH transactions using TLS, see http://www.postfix.org/TLS_README.html.

Prevent Unrestricted Mail Relaying

Modify the /etc/postfix/main.cf file to restrict client connections to the local network with the following command:

    $ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'

References: CCI-000366 SRG-OS-000480-GPOS-00227 RHEL-07-040680 SV-86921r3_rule

Rationale: If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.

Identifiers: CCE-80512-7

Remediation Shell script:

    if ! grep -q ^smtpd_client_restrictions /etc/postfix/main.cf; then
        echo "smtpd_client_restrictions = permit_mynetworks,reject" >> /etc/postfix/main.cf
    else
        sed -i "s/^smtpd_client_restrictions.*/smtpd_client_restrictions = permit_mynetworks,reject/g" /etc/postfix/main.cf
    fi

Configure Postfix Resource Usage to Limit Denial of Service Attacks

Edit /etc/postfix/main.cf.
Edit the following lines to configure the amount of system resources Postfix can consume:

    default_process_limit = 100
    smtpd_client_connection_count_limit = 10
    smtpd_client_connection_rate_limit = 30
    queue_minfree = 20971520
    header_size_limit = 51200
    message_size_limit = 10485760
    smtpd_recipient_limit = 100

Note: The values given here are examples, and may need to be modified for any particular site. By default, the Postfix anvil process gathers mail receipt statistics. To get information about what connection rates are typical at your site, look in /var/log/maillog for lines with the daemon name postfix/anvil.

Configure SMTP Greeting Banner

Edit /etc/postfix/main.cf, and add or correct the following line, substituting some other wording for the banner information if you prefer:

    smtpd_banner = $myhostname ESMTP

References: 1 14 15 16 3 5 6 7 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AC-22 AU-13 DE.CM-3 PR.PT-1

Rationale: The default greeting banner discloses that the listening mail process is Postfix. When remote mail senders connect to the MTA on port 25, they are greeted by an initial banner as part of the SMTP dialogue. This banner is necessary, but it frequently gives away too much information, including the MTA software which is in use, and sometimes also its version number. Remote mail senders do not need this information in order to send mail, so the banner should be changed to reveal only the hostname (which is already known and may be useful) and the word ESMTP, to indicate that the modern SMTP protocol variant is supported.

Identifiers: CCE-80290-0

Uninstall Sendmail Package

Sendmail is not the default mail transfer agent and is not installed by default.
The sendmail package can be removed with the following command:

    $ sudo yum erase sendmail

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead.

Identifiers: CCE-80288-4

Remediation Shell script:

    package_remove sendmail

Remediation Ansible snippet:

    - name: Ensure sendmail is removed
      package:
        name: sendmail
        state: absent
      tags:
        - package_sendmail_removed
        - medium_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80288-4
        - NIST-800-53-CM-7
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Remediation Puppet snippet:

    include remove_sendmail

    class remove_sendmail {
      package { 'sendmail':
        ensure => 'purged',
      }
    }

Remediation Anaconda snippet:

    package --remove=sendmail

Enable Postfix Service

The Postfix mail transfer agent is used for local mail delivery within the system. The default configuration only listens for connections to the default SMTP port (port 25) on the loopback interface (127.0.0.1). It is recommended to leave this service enabled for local mail delivery. The postfix service can be enabled with the following command:

    $ sudo systemctl enable postfix.service

Rationale: Local mail delivery is essential to some system maintenance and notification tasks.
Identifiers: CCE-80287-6

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" start 'postfix.service'
    "$SYSTEMCTL_EXEC" enable 'postfix.service'

Remediation Ansible snippet:

    - name: Enable service postfix
      service:
        name: postfix
        enabled: "yes"
        state: "started"
      tags:
        - service_postfix_enabled
        - unknown_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80287-6
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

IMAP and POP3 Server

Dovecot provides IMAP and POP3 services. It is not installed by default. The project page at http://www.dovecot.org contains more detailed information about Dovecot configuration.

Configure Dovecot if Necessary

If the system will operate as an IMAP or POP3 server, the dovecot software should be configured securely by following the recommendations below.

Enable SSL Support

SSL should be used to encrypt network traffic between the Dovecot server and its clients. Users must authenticate to the Dovecot server in order to read their mail, and passwords should never be transmitted in clear text. In addition, protecting mail as it is downloaded is a privacy measure, and clients may use SSL certificates to authenticate the server, preventing another system from impersonating the server.

Configure Dovecot to Use the SSL Key file

This option tells Dovecot where to find the mail server's SSL key. Edit /etc/dovecot/conf.d/10-ssl.conf and add or correct the following line (note: the path below is the default path set by the Dovecot installation. If you are using a different path, ensure you reference the appropriate file):

    ssl_key = </etc/pki/dovecot/private/dovecot.pem

Rationale: SSL certificates are used by the client to authenticate the identity of the server, as well as to encrypt credentials and message traffic. Not using SSL to encrypt mail server traffic could allow unauthorized access to credentials and mail messages since they are sent in plain text over the network.
Identifiers: CCE-80298-3

Disable Plaintext Authentication

To prevent Dovecot from attempting plaintext authentication of clients, edit /etc/dovecot/conf.d/10-auth.conf and add or correct the following line:

    disable_plaintext_auth = yes

Rationale: Using plain text authentication to the mail server could allow an attacker access to credentials by monitoring network traffic.

Identifiers: CCE-80299-1

Enable the SSL flag in /etc/dovecot.conf

To allow clients to make encrypted connections, the ssl flag in Dovecot's configuration file needs to be set to yes. Edit /etc/dovecot/conf.d/10-ssl.conf and add or correct the following line:

    ssl = yes

Rationale: SSL encrypts network traffic between the Dovecot server and its clients, protecting user credentials and mail as it is downloaded; clients may also use SSL certificates to authenticate the server, preventing another system from impersonating it.

Identifiers: CCE-80296-7

Configure Dovecot to Use the SSL Certificate file

This option tells Dovecot where to find the mail server's SSL certificate. Edit /etc/dovecot/conf.d/10-ssl.conf and add or correct the following line (note: the path below is the default path set by the Dovecot installation. If you are using a different path, ensure you reference the appropriate file):

    ssl_cert = </etc/pki/dovecot/certs/dovecot.pem

Rationale: SSL certificates are used by the client to authenticate the identity of the server, as well as to encrypt credentials and message traffic. Not using SSL to encrypt mail server traffic could allow unauthorized access to credentials and mail messages since they are sent in plain text over the network.

Identifiers: CCE-80297-5

Allow IMAP Clients to Access the Server

The default firewalld configuration does not allow inbound access to any services. This modification will allow remote hosts to initiate connections to the IMAP daemon, while keeping all other ports on the server in their default protected state.
To configure firewalld to allow access, run the following command(s):

    firewall-cmd --permanent --add-port=143/tcp

Support Only the Necessary Protocols

Dovecot supports the IMAP and POP3 protocols, as well as SSL-protected versions of those protocols. Configure the Dovecot server to support only the protocols needed by your site. Edit /etc/dovecot/dovecot.conf. Add or correct the following lines, replacing PROTOCOL with only the subset of protocols (imap, imaps, pop3, pop3s) required:

    protocols = PROTOCOL

If possible, require SSL protection for all transactions. The SSL protocol variants listen on alternate ports (995 instead of 110 for pop3s, and 993 instead of 143 for imaps), and require SSL-aware clients. An alternate approach is to listen on the standard port and require the client to use the STARTTLS command before authenticating.

Disable Dovecot

If the system does not need to operate as an IMAP or POP3 server, the dovecot software should be disabled and removed.

Disable Dovecot Service

The dovecot service can be disabled with the following command:

    $ sudo systemctl disable dovecot.service

References: 2.2.11

Rationale: Running an IMAP or POP3 server provides a network-based avenue of attack, and should be disabled if not needed.

Identifiers: CCE-80294-2

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'dovecot.service'
    "$SYSTEMCTL_EXEC" disable 'dovecot.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^dovecot.socket\>' && "$SYSTEMCTL_EXEC" disable 'dovecot.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'dovecot.service'

Remediation Ansible snippet:

    - name: Disable service dovecot
      service:
        name: dovecot
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
        - service_dovecot_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80294-2
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service dovecot if applicable
      service:
        name: dovecot.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
        - service_dovecot_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80294-2
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Uninstall dovecot Package

The dovecot package can be removed with the following command:

    $ sudo yum erase dovecot

Rationale: If there is no need to make the Dovecot software available, removing it provides a safeguard against its activation.

Identifiers: CCE-80295-9

Remediation Shell script:

    package_remove dovecot

Remediation Ansible snippet:

    - name: Ensure dovecot is removed
      package:
        name: dovecot
        state: absent
      tags:
        - package_dovecot_removed
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80295-9

Remediation Puppet snippet:

    include remove_dovecot

    class remove_dovecot {
      package { 'dovecot':
        ensure => 'purged',
      }
    }

Remediation Anaconda snippet:

    package --remove=dovecot

Deprecated services

Some deprecated software services impact the overall system security due to their behavior (leak of confidentiality in network exchange, usage as an uncontrolled communication channel, risk associated with the service due to its old age, etc.).

Uninstall the nis package

The support for Yellowpages should not be installed unless it is required.
Rationale: NIS is the historical SUN service for central account management, more and more replaced by LDAP. NIS does not efficiently support security constraints such as ACLs, and should not be used.

Uninstall the inet-based telnet server

The inet-based telnet daemon should be uninstalled.

References: NT007(R03) 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4

Rationale: telnet allows clear text communications, and does not protect any data transmission between client and server. Any confidential data can be eavesdropped on, and no integrity checking is performed.

Uninstall the ntpdate package

ntpdate is a historical ntp synchronization client for Unix systems. It should be uninstalled.

Rationale: ntpdate is an old ntp client that does not meet current security requirements. It should be replaced by modern ntp clients such as ntpd, which are able to use the cryptographic mechanisms integrated in NTP.

Remediation Shell script:

    package_remove ntpdate

Remediation Ansible snippet:

    - name: Ensure ntpdate is removed
      package:
        name: ntpdate
        state: absent
      tags:
        - package_ntpdate_removed
        - low_severity
        - disable_strategy
        - low_complexity
        - low_disruption

Remediation Puppet snippet:

    include remove_ntpdate

    class remove_ntpdate {
      package { 'ntpdate':
        ensure => 'purged',
      }
    }

Remediation Anaconda snippet:

    package --remove=ntpdate

Uninstall the ssl compliant telnet server

The telnet daemon, even with ssl support, should be uninstalled.
References: NT007(R02) 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4

Rationale: telnet, even with ssl support, should not be installed. When a remote shell is required, an up-to-date ssh daemon can be used.

Uninstall the telnet server

The telnet daemon should be uninstalled.

References: NT007(R03) 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4

Rationale: telnet allows clear text communications, and does not protect any data transmission between client and server. Any confidential data can be eavesdropped on, and no integrity checking is performed.

NFS and RPC

The Network File System is a popular distributed filesystem for the Unix environment, and is very widely deployed.
This section discusses the circumstances under which it is possible to disable NFS and its dependencies, and then details steps which should be taken to secure NFS's configuration. This section is relevant to systems operating as NFS clients, as well as to those operating as NFS servers.

Configure NFS Servers

The steps in this section are appropriate for systems which operate as NFS servers.

Export Filesystems Read-Only if Possible

If a filesystem is being exported so that users can view the files in a convenient fashion, but there is no need for users to edit those files, exporting the filesystem read-only removes an attack vector against the server. The default filesystem export mode is ro, so do not specify rw without a good reason.

Configure the Exports File Restrictively

Linux's NFS implementation uses the file /etc/exports to control what filesystems and directories may be accessed via NFS. (See the exports(5) manpage for more information about the format of this file.) The syntax of the exports file is not necessarily checked fully on reload, and syntax errors can leave your NFS configuration more open than intended. Therefore, exercise caution when modifying the file. The syntax of each line in /etc/exports is:

    /DIR host1(opt1,opt2) host2(opt3)

where /DIR is a directory or filesystem to export, hostN is an IP address, netblock, hostname, domain, or netgroup to which to export, and optN is an option.

Use Access Lists to Enforce Authorization Restrictions

When configuring NFS exports, ensure that each export line in /etc/exports contains a list of hosts which are allowed to access that export. If no hosts are specified on an export line, then that export is available to any remote host which requests it. All lines of the exports file should specify the hosts (or subnets, if needed) which are allowed to access the exported directory, so that unknown or remote hosts will be denied.
Authorized hosts can be specified in several different formats:

- Name or alias that is recognized by the resolver
- Fully qualified domain name
- IP address
- IP subnets in the format address/netmask or address/CIDR

Use Root-Squashing on All Exports

If a filesystem is exported using root squashing, requests from root on the client are considered to be unprivileged (mapped to a user such as nobody). This provides some mild protection against remote abuse of an NFS server. Root squashing is enabled by default, and should not be disabled. Ensure that no line in /etc/exports contains the option no_root_squash.

Rationale: If the NFS server allows root access to local file systems from remote hosts, this access could be used to compromise the system.

Identifiers: CCE-80241-3

Ensure All-Squashing Disabled On All Exports

The all_squash option maps all uids and gids to an anonymous user. This should be disabled by removing any instances of the all_squash option from the file /etc/exports.

Rationale: The all_squash option maps all client requests to a single anonymous uid/gid on the NFS server, negating the ability to track file access by user ID.

Use Kerberos Security on All Exports

Using Kerberos on all exported mounts prevents a malicious client or user from impersonating a system user. To cryptographically authenticate users to the NFS server, add sec=krb5:krb5i:krb5p to each export in /etc/exports.

References: 1 12 14 15 16 18 3 5 DSS05.04 DSS05.10 DSS06.10 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.3 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.6.1.2 A.9.1.2 A.9.2.1 A.9.2.3 A.9.2.4 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-14(1) PR.AC-4 PR.AC-7 SRG-OS-000480-GPOS-00227

Rationale: When an NFS server is configured to use AUTH_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The AUTH_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.

Identifiers: CCE-27464-7

Ensure Insecure File Locking is Not Allowed

By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients send credentials with file lock requests; however, there are a few clients that do not send credentials when requesting a file-lock, allowing the client to lock only world-readable files. To get around this, the insecure_locks option can be used so these clients can access the desired export. This poses a security risk by potentially allowing the client access to data for which it does not have authorization. Remove any instances of the insecure_locks option from the file /etc/exports.

References: CCI-000764

Rationale: Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user.

Identifiers: CCE-80243-9

Restrict NFS Clients to Privileged Ports

By default, the server NFS implementation requires that all client requests be made from ports less than 1024. If your organization has control over systems connected to its network, and if NFS requests are prohibited at the border firewall, this offers some protection against malicious requests from unprivileged users. Therefore, the default should not be changed. To ensure that the default has not been changed, ensure no line in /etc/exports contains the option insecure.
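The exports(5) rules above (host access lists, read-only exports, root squashing, all_squash, Kerberos, insecure_locks and insecure) can be checked mechanically. The following Python is an added example, not SCAP Security Guide content: it parses the /etc/exports format, including backslash continuation and comments, and reports each violation per directory and client. The sample exports file is constructed for the demonstration.

```python
import ipaddress

# Options the preceding exports rules forbid, keyed to the rule each violates.
FORBIDDEN_OPTIONS = {
    "no_root_squash": "Use Root-Squashing on All Exports",
    "all_squash": "Ensure All-Squashing Disabled On All Exports",
    "insecure_locks": "Ensure Insecure File Locking is Not Allowed",
    "insecure": "Restrict NFS Clients to Privileged Ports",
}


def parse_exports(text):
    """Yield (lineno, directory, [(client, [options]), ...]) per export line.
    Handles '#' comments and backslash line continuation as exports(5) does;
    a bare '(opts)' token is a client spec with no host at all."""
    logical, start = "", 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not logical:
            start = lineno
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        fields = (logical + line).split()
        logical = ""
        if not fields:
            continue
        clients = []
        for tok in fields[1:]:
            host, _, opts = tok.partition("(")
            clients.append((host, [o for o in opts.rstrip(")").split(",") if o]))
        yield start, fields[0], clients


def audit_exports(text):
    """Return (lineno, directory, client, message) tuples, one per violation."""
    findings = []
    for lineno, directory, clients in parse_exports(text):
        if not clients:
            findings.append((lineno, directory, "",
                             "no client list: export is available to any host"))
            continue
        for host, opts in clients:
            def flag(msg):
                findings.append((lineno, directory, host, msg))
            # Use Access Lists to Enforce Authorization Restrictions.
            if host in ("", "*"):
                flag("no host restriction: export is available to any host")
            elif ":" in host or all(c in "0123456789./" for c in host):
                try:  # address/CIDR or address/netmask forms
                    ipaddress.ip_network(host, strict=False)
                except ValueError:
                    flag("malformed address or netblock")
            for opt in opts:
                if opt in FORBIDDEN_OPTIONS:
                    flag("option %s violates rule: %s" % (opt, FORBIDDEN_OPTIONS[opt]))
            # Export Filesystems Read-Only if Possible.
            if "rw" in opts:
                flag("exported read-write; export read-only unless required")
            # Use Kerberos Security on All Exports (AUTH_SYS is the default).
            sec = [o[4:].split(":") for o in opts if o.startswith("sec=")]
            flavors = sec[0] if sec else ["sys"]
            if "sys" in flavors or not any(f.startswith("krb5") for f in flavors):
                flag("not Kerberos-protected: add sec=krb5:krb5i:krb5p")
    return findings


# Constructed sample /etc/exports, not taken from any real host.
SAMPLE_EXPORTS = """\
# exports for the file server (constructed sample)
/srv/export   10.0.0.0/24(rw,sync,no_root_squash)
/srv/public   *(ro,all_squash,insecure)
/srv/kerb     nfsclient.example.test(ro,sec=krb5p)
/srv/homes    192.168.1.0/255.255.255.0(rw,sec=krb5:krb5i:krb5p) \\
              admin.example.test(rw,insecure_locks,sec=krb5p)
/srv/open
"""

if __name__ == "__main__":
    for lineno, directory, host, msg in audit_exports(SAMPLE_EXPORTS):
        print("line %d %s %s: %s" % (lineno, directory, host or "<any host>", msg))
```

Only /srv/kerb passes every check; the continuation line is reported under the line number where its export begins.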
References: 11 12 14 15 16 18 3 5 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.03 DSS06.06 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-3 PR.AC-4 PR.AC-6 PR.PT-3

Rationale: Allowing client requests to be made from ports higher than 1024 could allow an unprivileged user to initiate an NFS connection. If the unprivileged user account has been compromised, an attacker could gain access to data on the NFS server.

Identifiers: CCE-80242-1

Disable All NFS Services if Possible

If there is not a reason for the system to operate as either an NFS client or an NFS server, follow all instructions in this section to disable subsystems required by NFS. The steps in this section will prevent a system from operating as either an NFS client or an NFS server. Only perform these steps on systems which do not need NFS at all.

Disable Services Used Only by NFS

If NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd. All of these daemons run with elevated privileges, and many listen for network connections. If they are not needed, they should be disabled to improve system security posture.

Disable Secure RPC Client Service (rpcgssd)

The rpcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcgssd service is the client-side of RPCSEC GSS. If the system does not require secure RPC then this service should be disabled.
The rpcgssd service can be disabled with the following command:

    $ sudo systemctl disable rpcgssd.service

Identifiers: CCE-80229-8

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'rpcgssd.service'
    "$SYSTEMCTL_EXEC" disable 'rpcgssd.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rpcgssd.socket\>' && "$SYSTEMCTL_EXEC" disable 'rpcgssd.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'rpcgssd.service'

Remediation Ansible snippet:

    - name: Disable service rpcgssd
      service:
        name: rpcgssd
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
        - service_rpcgssd_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80229-8

    - name: Disable socket of service rpcgssd if applicable
      service:
        name: rpcgssd.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
        - service_rpcgssd_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80229-8

Disable RPC ID Mapping Service (rpcidmapd)

The rpcidmapd service is used to map user names and groups to UID and GID numbers on NFSv4 mounts. If NFS is not in use on the local system then this service should be disabled.
The rpcidmapd service can be disabled with the following command:

    $ sudo systemctl disable rpcidmapd.service

Identifiers: CCE-80231-4

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'rpcidmapd.service'
    "$SYSTEMCTL_EXEC" disable 'rpcidmapd.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rpcidmapd.socket\>' && "$SYSTEMCTL_EXEC" disable 'rpcidmapd.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'rpcidmapd.service'

Remediation Ansible snippet:

    - name: Disable service rpcidmapd
      service:
        name: rpcidmapd
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
        - service_rpcidmapd_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80231-4

    - name: Disable socket of service rpcidmapd if applicable
      service:
        name: rpcidmapd.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
        - service_rpcidmapd_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80231-4

Disable Network File System Lock Service (nfslock)

The Network File System Lock (nfslock) service starts the required remote procedure call (RPC) processes which allow clients to lock files on the server. If the local system is not configured to mount NFS filesystems then this service should be disabled.
The nfslock service can be disabled with the following command:

    $ sudo systemctl disable nfslock.service

Identifiers: CCE-80228-0

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'nfslock.service'
    "$SYSTEMCTL_EXEC" disable 'nfslock.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^nfslock.socket\>' && "$SYSTEMCTL_EXEC" disable 'nfslock.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'nfslock.service'

Remediation Ansible snippet:

    - name: Disable service nfslock
      service:
        name: nfslock
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
        - service_nfslock_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80228-0

    - name: Disable socket of service nfslock if applicable
      service:
        name: nfslock.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
        - service_nfslock_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80228-0

Disable rpcbind Service

The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The rpcbind service redirects the client to the proper port number so it can communicate with the requested service. If the system does not require RPC (such as for NFS servers) then this service should be disabled.
The rpcbind service can be disabled with the following command:

    $ sudo systemctl disable rpcbind.service

References: 2.2.7

Identifiers: CCE-80230-6

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'rpcbind.service'
    "$SYSTEMCTL_EXEC" disable 'rpcbind.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rpcbind.socket\>' && "$SYSTEMCTL_EXEC" disable 'rpcbind.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'rpcbind.service'

Remediation Ansible snippet:

    - name: Disable service rpcbind
      service:
        name: rpcbind
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
        - service_rpcbind_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80230-6
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service rpcbind if applicable
      service:
        name: rpcbind.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
        - service_rpcbind_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80230-6
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable netfs if Possible

To determine if any network filesystems handled by netfs are currently mounted on the system, execute the following command:

    $ mount -t nfs,nfs4,smbfs,cifs,ncpfs

If the command did not return any output then disable netfs.
Disable Network File Systems (netfs)

The netfs script manages the boot-time mounting of several types of networked filesystems, of which NFS and Samba are the most common. If these filesystem types are not in use, the script can be disabled, protecting the system somewhat against accidental or malicious changes to /etc/fstab and against flaws in the netfs script itself. The netfs service can be disabled with the following command:

$ sudo systemctl disable netfs.service

Configure All Systems which Use NFS

The steps in this section are appropriate for all systems which run NFS, whether they operate as clients or as servers.

Configure NFS Services to Use Fixed Ports (NFSv3 and NFSv2)

Firewalling should be done at each host and at the border firewalls to protect the NFS daemons from remote access, since NFS servers should never be accessible from outside the organization. However, by default for NFSv3 and NFSv2, the RPC Bind service assigns each NFS service to a port dynamically at service startup time. Dynamic ports cannot be protected by port-filtering firewalls such as firewalld. Therefore, restrict each service to always use a given port, so that firewalling can be done effectively. Note that, because of the way RPC is implemented, it is not possible to disable the RPC Bind service even if ports are assigned statically to all RPC services.

In NFSv4, the mounting and locking protocols have been incorporated into the protocol, and the server listens on the well-known TCP port 2049. As such, NFSv4 does not need to interact with the rpcbind, lockd, and rpc.statd daemons, which can and should be disabled in a pure NFSv4 environment. The rpc.mountd daemon is still required on the NFS server to set up exports, but is not involved in any over-the-wire operations.

Configure lockd to use static UDP port

Configure the lockd daemon to use a static UDP port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file /etc/sysconfig/nfs.
Add or correct the following line:

LOCKD_UDPPORT=lockd-port

Where lockd-port is a port which is not used by any other service on your network. Restricting services to always use a given port enables firewalling to be done more effectively.

Identifiers: CCE-80233-0

Configure lockd to use static TCP port

Configure the lockd daemon to use a static TCP port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file /etc/sysconfig/nfs. Add or correct the following line:

LOCKD_TCPPORT=lockd-port

Where lockd-port is a port which is not used by any other service on your network. Restricting the service to always use a given port enables firewalling to be done effectively.

Identifiers: CCE-80232-2

Configure statd to use static port

Configure the statd daemon to use a static port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file /etc/sysconfig/nfs. Add or correct the following line:

STATD_PORT=statd-port

Where statd-port is a port which is not used by any other service on your network. Restricting services to always use a given port enables firewalling to be done more effectively.

Identifiers: CCE-80234-8

Configure mountd to use static port

Configure the mountd daemon to use a static port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file /etc/sysconfig/nfs. Add or correct the following line:

MOUNTD_PORT=mountd-port

Where mountd-port is a port which is not used by any other service on your network. Restricting services to always use a given port enables firewalling to be done more effectively.

Identifiers: CCE-80235-5

Make Each System a Client or a Server, not Both

If NFS must be used, it should be deployed in the simplest configuration possible to avoid maintainability problems which may lead to unnecessary security exposure. Due to the reliability and security problems caused by NFS (especially NFSv3 and NFSv2), it is not a good idea for systems which act as NFS servers to also mount filesystems via NFS.
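The following shell functions, added here as an example and not taken from the SSG guide or its remediation scripts, audit a /etc/sysconfig/nfs-style file for the four static-port variables from the sections above, flagging unset values and ports that two daemons would share on the same transport. The sample file contents and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the SSG guide): verify that lockd, statd and mountd have
# static ports configured so host and border firewalls can filter them.
# The sample file written below is constructed, not taken from a real host.

# sysconfig_get FILE VAR
# Prints the value of the last uncommented VAR=... line, double quotes stripped,
# or an empty string when VAR is not set (a "#VAR=..." line does not count).
sysconfig_get() {
    awk -F= -v v="$2" '
        $1 == v { val = $2; gsub(/["[:space:]]/, "", val) }
        END { print val }
    ' "$1"
}

# nfs_static_ports_check FILE
# Reports every daemon whose port is unset, non-numeric or out of range, and any
# port already used by another NFS daemon on the same transport. lockd has one
# variable per transport, so LOCKD_UDPPORT and LOCKD_TCPPORT may coincide; statd
# and mountd use their port on both TCP and UDP. Returns 0 only when all is well.
nfs_static_ports_check() {
    rc=0; tcp=""; udp=""
    for spec in LOCKD_UDPPORT:udp LOCKD_TCPPORT:tcp STATD_PORT:tcp,udp MOUNTD_PORT:tcp,udp; do
        var=${spec%%:*}; protos=${spec#*:}
        val=$(sysconfig_get "$1" "$var")
        case "$val" in
            "")       echo "$var: not set, rpcbind will assign a dynamic port"; rc=1; continue ;;
            *[!0-9]*) echo "$var: non-numeric value '$val'"; rc=1; continue ;;
        esac
        if [ "$val" -lt 1 ] || [ "$val" -gt 65535 ]; then
            echo "$var: $val is outside 1-65535"; rc=1; continue
        fi
        for p in $(printf '%s' "$protos" | tr , ' '); do
            if [ "$p" = tcp ]; then seen=$tcp; else seen=$udp; fi
            case " $seen " in
                *" $val "*) echo "$var: port $val already used by another NFS daemon on $p"; rc=1 ;;
            esac
            if [ "$p" = tcp ]; then tcp="$tcp $val"; else udp="$udp $val"; fi
        done
    done
    return $rc
}

# write_sample_nfs_sysconfig FILE: constructed sample with one port left commented
# out (so rpcbind would pick it) and statd/mountd sharing a port.
write_sample_nfs_sysconfig() {
    cat > "$1" <<'EOF'
# constructed sample of /etc/sysconfig/nfs, not taken from a real host
RPCNFSDCOUNT=8
#LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
STATD_PORT=662
MOUNTD_PORT=662
EOF
}

# Demonstration run against the constructed sample.
demo=$(mktemp)
write_sample_nfs_sysconfig "$demo"
nfs_static_ports_check "$demo" || echo "=> static port configuration needs fixing"
rm -f "$demo"
```

The three findings on the sample are the commented-out LOCKD_TCPPORT and the port 662 shared by statd and mountd on both transports.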
At the least, crossed mounts (the situation in which each of two servers mounts a filesystem from the other) should never be used.

Configure NFS Clients

The steps in this section are appropriate for systems which operate as NFS clients.

Mount Remote Filesystems with Restrictive Options

Edit the file /etc/fstab. For each filesystem whose type (column 3) is nfs or nfs4, add the text ,nodev,nosuid to the list of mount options in column 4. If appropriate, also add ,noexec. See the section titled "Restrict Partition Mount Options" for a description of the effects of these options. In general, execution of files mounted via NFS should be considered risky because of the possibility that an adversary could intercept the request and substitute a malicious file. Allowing setuid files to be executed from remote servers is particularly risky, both for this reason and because it requires the clients to extend root-level trust to the NFS server.

Mount Remote Filesystems with noexec

Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.

References: RHEL-07-021021 SV-87813r2_rule 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 CCI-000366 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 SRG-OS-000480-GPOS-00227

The noexec mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.

Identifiers: CCE-80436-9

Remediation Shell script:

include_mount_options_functions
ensure_mount_option_for_vfstype "nfs[4]?" "noexec"

Remediation Ansible snippet:

- name: "Get nfs and nfs4 mount points, that don't have noexec"
  shell: grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | grep -v "noexec" | awk '{print $2}'
  register: points_register
  check_mode: no
  changed_when: False
  tags:
    - mount_option_noexec_remote_filesystems
    - medium_severity
    - configure_strategy
    - low_complexity
    - medium_disruption
    - CCE-80436-9
    - NIST-800-53-AC-6
    - DISA-STIG-RHEL-07-021021

- name: "Add noexec to mount points"
  shell: awk '$2=="{{ item }}"{$4=$4",noexec"}1' /etc/fstab > fstab.tmp && mv fstab.tmp /etc/fstab
  with_items:
    - "{{ points_register.stdout_lines }}"
  when: (points_register.stdout | length > 0) and True
  tags:
    - mount_option_noexec_remote_filesystems
    - medium_severity
    - configure_strategy
    - low_complexity
    - medium_disruption
    - CCE-80436-9
    - NIST-800-53-AC-6
    - DISA-STIG-RHEL-07-021021

Mount Remote Filesystems with Kerberos Security

Add the sec=krb5:krb5i:krb5p option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.

References: RHEL-07-040750 SV-86935r4_rule 1 12 14 15 16 18 3 5 DSS05.04 DSS05.10 DSS06.10 CCI-000366 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.3 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.6.1.2 A.9.1.2 A.9.2.1 A.9.2.3 A.9.2.4 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-14(1) PR.AC-4 PR.AC-7 SRG-OS-000480-GPOS-00227

When an NFS server is configured to use AUTH_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The AUTH_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.

Identifiers: CCE-27458-9

Remediation Shell script:

include_mount_options_functions
ensure_mount_option_for_vfstype "nfs[4]?" "sec=krb5:krb5i:krb5p"

Remediation Ansible snippet:

- name: "Get nfs and nfs4 mount points, that don't have Kerberos security option"
  shell: grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | grep -v "sec=krb5:krb5i:krb5p" | awk '{print $2}'
  register: points_register
  check_mode: no
  changed_when: False
  tags:
    - mount_option_krb_sec_remote_filesystems
    - medium_severity
    - configure_strategy
    - low_complexity
    - medium_disruption
    - CCE-27458-9
    - NIST-800-53-AC-14(1)
    - DISA-STIG-RHEL-07-040750

- name: "Add Kerberos security to mount points"
  shell: awk '$2=="{{ item }}"{$4=$4",sec=krb5:krb5i:krb5p"}1' /etc/fstab > fstab.tmp && mv fstab.tmp /etc/fstab
  with_items:
    - "{{ points_register.stdout_lines }}"
  when: (points_register.stdout | length > 0) and True
  tags:
    - mount_option_krb_sec_remote_filesystems
    - medium_severity
    - configure_strategy
    - low_complexity
    - medium_disruption
    - CCE-27458-9
    - NIST-800-53-AC-14(1)
    - DISA-STIG-RHEL-07-040750

Mount Remote Filesystems with nosuid

Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.

References: RHEL-07-021020 SV-86669r2_rule 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 CCI-000366 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 SRG-OS-000480-GPOS-00227

NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem.

Identifiers: CCE-80240-5

Remediation Shell script:

include_mount_options_functions
ensure_mount_option_for_vfstype "nfs[4]?" "nosuid"

Remediation Ansible snippet:

- name: "Get nfs and nfs4 mount points, that don't have nosuid"
  shell: grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | grep -v "nosuid" | awk '{print $2}'
  register: points_register
  check_mode: no
  changed_when: False
  tags:
    - mount_option_nosuid_remote_filesystems
    - medium_severity
    - configure_strategy
    - low_complexity
    - medium_disruption
    - CCE-80240-5
    - NIST-800-53-AC-6
    - DISA-STIG-RHEL-07-021020

- name: "Add nosuid to mount points"
  shell: awk '$2=="{{ item }}"{$4=$4",nosuid"}1' /etc/fstab > fstab.tmp && mv fstab.tmp /etc/fstab
  with_items:
    - "{{ points_register.stdout_lines }}"
  when: (points_register.stdout | length > 0) and True
  tags:
    - mount_option_nosuid_remote_filesystems
    - medium_severity
    - configure_strategy
    - low_complexity
    - medium_disruption
    - CCE-80240-5
    - NIST-800-53-AC-6
    - DISA-STIG-RHEL-07-021020

Mount Remote Filesystems with nodev

Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.

References: 11 13 14 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS05.06 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.11.2.9 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.8.2.1 A.8.2.2 A.8.2.3 A.8.3.1 A.8.3.3 A.9.1.2 CM-7 MP-2 PR.IP-1 PR.PT-2 PR.PT-3

Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users.

Identifiers: CCE-80239-7

Remediation Shell script:

include_mount_options_functions
ensure_mount_option_for_vfstype "nfs[4]?" "nodev"

Remediation Ansible snippet:

- name: "Get nfs and nfs4 mount points, that don't have nodev"
  shell: grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | grep -v "nodev" | awk '{print $2}'
  register: points_register
  check_mode: no
  changed_when: False
  tags:
    - mount_option_nodev_remote_filesystems
    - medium_severity
    - configure_strategy
    - low_complexity
    - medium_disruption
    - CCE-80239-7
    - NIST-800-53-CM-7
    - NIST-800-53-MP-2

- name: "Add nodev to mount points"
  shell: awk '$2=="{{ item }}"{$4=$4",nodev"}1' /etc/fstab > fstab.tmp && mv fstab.tmp /etc/fstab
  with_items:
    - "{{ points_register.stdout_lines }}"
  when: (points_register.stdout | length > 0) and True
  tags:
    - mount_option_nodev_remote_filesystems
    - medium_severity
    - configure_strategy
    - low_complexity
    - medium_disruption
    - CCE-80239-7
    - NIST-800-53-CM-7
    - NIST-800-53-MP-2

Disable NFS Server Daemons

There is no need to run the NFS server daemons nfs and rpcsvcgssd except on a small number of properly secured systems designated as NFS servers. Ensure that these daemons are turned off on clients.

Specify UID and GID for Anonymous NFS Connections

To specify the UID and GID for remote root users, edit the /etc/exports file and add the following for each export:

anonuid=value greater than UID_MAX from /etc/login.defs
anongid=value greater than GID_MAX from /etc/login.defs

Note that a value of "-1" is technically acceptable as this will randomize the anonuid and anongid values on a Red Hat Enterprise Linux 6 based NFS server. While acceptable from a security perspective, a value of -1 may cause interoperability issues, particularly with Red Hat Enterprise Linux 7 client systems. Alternatively, functionally equivalent values of 60001, 65534, 65535 may be used. Specifying the anonymous UID and GID ensures that the remote root user is mapped to a local account which has no permissions on the system.
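An added example, not from the SSG guide or its remediation scripts, that audits and hardens the nfs/nfs4 entries of an fstab for all four options covered by the mount-option sections above (nodev, nosuid, noexec and sec=krb5:krb5i:krb5p) in a single pass; the fstab contents and function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the SSG guide): audit the nfs/nfs4 entries of an fstab for
# the mount options required above and write a hardened copy. The sample fstab and
# the function names are constructed for this demonstration.

# Options the guide asks for on every nfs/nfs4 entry. The sec= value must be the
# exact string the guide's check greps for.
REQUIRED="nodev,nosuid,noexec,sec=krb5:krb5i:krb5p"

# fstab_nfs_audit FILE
# Prints "<mountpoint> <missing options>" for every nfs/nfs4 entry that lacks at
# least one required option. Returns 1 if any entry is non-compliant, else 0.
fstab_nfs_audit() {
    awk -v req="$REQUIRED" '
        BEGIN { nreq = split(req, want, ",") }
        /^[[:space:]]*#/ || NF < 4 { next }            # comments, blanks, short lines
        $3 == "nfs" || $3 == "nfs4" {
            split("", have)                            # portable way to clear an array
            n = split($4, opt, ",")                    # column 4 holds the mount options
            for (i = 1; i <= n; i++) have[opt[i]] = 1
            missing = ""
            for (i = 1; i <= nreq; i++)
                if (!(want[i] in have))
                    missing = (missing == "" ? "" : missing ",") want[i]
            if (missing != "") { print $2, missing; bad++ }
        }
        END { exit (bad > 0) }
    ' "$1"
}

# fstab_nfs_harden IN OUT
# Copies IN to OUT, appending every missing required option to column 4 of each
# nfs/nfs4 entry. Same idea as the guide's awk one-liner, but idempotent and covering
# all options at once. Non-NFS lines and comments are copied unchanged.
fstab_nfs_harden() {
    awk -v req="$REQUIRED" '
        BEGIN { nreq = split(req, want, ",") }
        /^[[:space:]]*#/ || NF < 4 { print; next }
        $3 == "nfs" || $3 == "nfs4" {
            split("", have)
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) have[opt[i]] = 1
            for (i = 1; i <= nreq; i++)
                if (!(want[i] in have)) $4 = $4 "," want[i]
        }
        { print }
    ' "$1" > "$2"
}

# write_sample_fstab FILE: constructed fstab with a local mount and two NFS mounts
# that each miss some of the required options.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system's /etc/fstab
/dev/mapper/rhel-root   /       xfs   defaults          0 0
fileserver:/export/home /home   nfs   rw,nodev,nosuid   0 0
fileserver:/export/srv  /srv    nfs4  defaults          0 0
EOF
}

# Demonstration: audit the sample, harden it, audit the hardened copy.
sample=$(mktemp); hardened=$(mktemp)
write_sample_fstab "$sample"
echo "Before:"; fstab_nfs_audit "$sample" || true
fstab_nfs_harden "$sample" "$hardened"
echo "After:"; fstab_nfs_audit "$hardened" && echo "all nfs/nfs4 entries compliant"
rm -f "$sample" "$hardened"
```

Like the guide's own awk remediation, the hardened copy is rewritten with single-space field separators, so column alignment of edited lines is not preserved.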
Identifiers: CCE-80236-3

Disable Network File System (nfs)

The Network File System (NFS) service allows remote hosts to mount and interact with shared filesystems on the local system. If the local system is not designated as a NFS server, then this service should be disabled. The nfs service can be disabled with the following command:

$ sudo systemctl disable nfs.service

References: 2.2.7 11 12 14 15 16 18 3 5 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.03 DSS06.06 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-3 PR.AC-4 PR.AC-6 PR.PT-3

Unnecessary services should be disabled to decrease the attack surface of the system.

Identifiers: CCE-80237-1

Remediation Shell script:

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'nfs.service'
"$SYSTEMCTL_EXEC" disable 'nfs.service'
# Disable socket activation if we have a unit file for it
"$SYSTEMCTL_EXEC" list-unit-files | grep -q '^nfs.socket\>' && "$SYSTEMCTL_EXEC" disable 'nfs.socket'
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'nfs.service'

Remediation Ansible snippet:

- name: Disable service nfs
  service:
    name: nfs
    enabled: "no"
    state: "stopped"
  register: service_result
  failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
  tags:
    - service_nfs_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80237-1
    - NIST-800-53-AC-3
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Disable socket of service nfs if applicable
  service:
    name: nfs.socket
    enabled: "no"
    state: "stopped"
  register: socket_result
  failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
  tags:
    - service_nfs_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80237-1
    - NIST-800-53-AC-3
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Secure RPC Server Service (rpcsvcgssd)

The rpcsvcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcsvcgssd service is the server side of RPCSEC GSS. If the system does not require secure RPC, then this service should be disabled. The rpcsvcgssd service can be disabled with the following command:

$ sudo systemctl disable rpcsvcgssd.service

Unnecessary services should be disabled to decrease the attack surface of the system.

Identifiers: CCE-80238-9

Remediation Shell script:

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'rpcsvcgssd.service'
"$SYSTEMCTL_EXEC" disable 'rpcsvcgssd.service'
# Disable socket activation if we have a unit file for it
"$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rpcsvcgssd.socket\>' && "$SYSTEMCTL_EXEC" disable 'rpcsvcgssd.socket'
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'rpcsvcgssd.service'

Remediation Ansible snippet:

- name: Disable service rpcsvcgssd
  service:
    name: rpcsvcgssd
    enabled: "no"
    state: "stopped"
  register: service_result
  failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
  tags:
    - service_rpcsvcgssd_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80238-9
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Disable socket of service rpcsvcgssd if applicable
  service:
    name: rpcsvcgssd.socket
    enabled: "no"
    state: "stopped"
  register: socket_result
  failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
  tags:
    - service_rpcsvcgssd_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80238-9
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Print Support

The Common Unix Printing System (CUPS) service provides both local and network printing support. A system running the CUPS service can accept print jobs from other systems, process them, and send them to the appropriate printer. It also provides an interface for remote administration through a web browser. The CUPS service is installed and activated by default. The project homepage and more detailed documentation are available at http://www.cups.org.

Configure the CUPS Service if Necessary

CUPS provides the ability to easily share local printers with other systems over the network. It does this by allowing systems to share lists of available printers. Additionally, each system that runs the CUPS service can potentially act as a print server.
Whenever possible, the printer sharing and print server capabilities of CUPS should be limited or disabled. The following recommendations should demonstrate how to do just that.

Disable Printer Browsing Entirely if Possible

By default, CUPS listens on the network for printer list broadcasts on UDP port 631. This functionality is called printer browsing. To disable printer browsing entirely, edit the CUPS configuration file, located at /etc/cups/cupsd.conf, to include the following:

Browsing Off
BrowseAllow none

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

The CUPS print service can be configured to broadcast a list of available printers to the network. Other systems on the network, also running the CUPS print service, can be configured to listen to these broadcasts and add and configure these printers for immediate use. By disabling this browsing capability, the system will no longer generate or receive such broadcasts.

Identifiers: CCE-80283-5

Disable Print Server Capabilities

To prevent remote users from potentially connecting to and using locally configured printers, disable the CUPS print server sharing capabilities. To do so, limit how the server will listen for print jobs by removing the more generic port directive from /etc/cups/cupsd.conf:

Port 631

and replacing it with the Listen directive:

Listen localhost:631

This will prevent remote users from printing to locally configured printers while still allowing local users on the system to print normally.
References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

By default, locally configured printers will not be shared over the network, but if this functionality has somehow been enabled, these recommendations will disable it again. Be sure to disable outgoing printer list broadcasts, or remote users will still be able to see the locally configured printers, even if they cannot actually print to them. To limit print serving to a particular set of users, use the Policy directive.

Identifiers: CCE-80284-3

Disable the CUPS Service

The cups service can be disabled with the following command:

$ sudo systemctl disable cups.service

References: 2.2.4 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Turn off unneeded services to reduce attack surface.
Identifiers: CCE-80282-7

Remediation Shell script:

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'cups.service'
"$SYSTEMCTL_EXEC" disable 'cups.service'
# Disable socket activation if we have a unit file for it
"$SYSTEMCTL_EXEC" list-unit-files | grep -q '^cups.socket\>' && "$SYSTEMCTL_EXEC" disable 'cups.socket'
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'cups.service'

Remediation Ansible snippet:

- name: Disable service cups
  service:
    name: cups
    enabled: "no"
    state: "stopped"
  register: service_result
  failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
  tags:
    - service_cups_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80282-7
    - NIST-800-53-CM-7
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Disable socket of service cups if applicable
  service:
    name: cups.socket
    enabled: "no"
    state: "stopped"
  register: socket_result
  failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
  tags:
    - service_cups_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80282-7
    - NIST-800-53-CM-7
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Docker Service

The docker service is necessary to create containers, which are self-sufficient and self-contained applications using the resource isolation features of the kernel.

Install the docker Package

The docker package provides necessary software to create containers, which are self-sufficient and self-contained applications using the resource isolation features of the kernel.
The docker package can be installed with the following command:

$ sudo yum install docker

To be able to run the docker service, the docker package has to be installed.

Remediation Shell script:

package_install docker

Remediation Ansible snippet:

- name: Ensure docker is installed
  package:
    name: docker
    state: present
  tags:
    - package_docker_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Remediation Puppet snippet:

include install_docker

class install_docker {
  package { 'docker':
    ensure => 'installed',
  }
}

Remediation Anaconda snippet:

package --add=docker

Use direct-lvm with the Device Mapper Storage Driver

To use Docker in production with the device mapper storage driver, the Docker daemon should be configured to use direct-lvm instead of a loopback device as storage. For setting up the LVM and configuring Docker, see the Docker Device Mapper Storage Documentation. For using Docker in production, the device mapper storage driver with loopback devices is discouraged. The suggested way of configuring the device mapper storage driver is direct-lvm. Choosing the right storage driver and backing filesystem is crucial to stability and performance.

Identifiers: CCE-80441-9

Ensure SELinux support is enabled in Docker

To enable SELinux for the Docker service, the Docker service must be configured to run the Docker daemon with the --selinux-enabled option. In the /etc/sysconfig/docker configuration file, add or correct the following line to enable SELinux support in the Docker daemon:

OPTIONS='--selinux-enabled'

If SELinux is not explicitly enabled in the Docker daemon configuration, Docker does not use SELinux, which means Docker runs unconfined and SELinux will not provide security separation for Docker container processes. However, enabling SELinux for the Docker service prevents an attacker or rogue container from attacking other container processes and content, and also prevents a takeover of the host operating system.
Identifiers: CCE-80442-7

Enable the Docker service

The docker service is commonly needed to create containers. The docker service can be enabled with the following command:

$ sudo systemctl enable docker.service

To be able to find any problems with misconfiguration of the docker daemon and running containers, the docker service has to be enabled.

Identifiers: CCE-80440-1

Remediation Shell script:

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'docker.service'
"$SYSTEMCTL_EXEC" enable 'docker.service'

Remediation Ansible snippet:

- name: Enable service docker
  service:
    name: docker
    enabled: "yes"
    state: "started"
  tags:
    - service_docker_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80440-1
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Avahi Server

The Avahi daemon implements the DNS Service Discovery and Multicast DNS protocols, which provide service and host discovery on a network. It allows a system to automatically identify resources on the network, such as printers or web servers. This capability is also known as mDNSresponder and is a major part of Zeroconf networking.

Disable Avahi Server if Possible

Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Disabling it can reduce the system's vulnerability to such attacks.
Disable Avahi Server Software

The avahi-daemon service can be disabled with the following command:

$ sudo systemctl disable avahi-daemon.service

References: 2.2.3 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 CCI-000366 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted.

Identifiers: CCE-80338-7

Remediation Shell script:

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'avahi-daemon.service'
"$SYSTEMCTL_EXEC" disable 'avahi-daemon.service'
# Disable socket activation if we have a unit file for it
"$SYSTEMCTL_EXEC" list-unit-files | grep -q '^avahi-daemon.socket\>' && "$SYSTEMCTL_EXEC" disable 'avahi-daemon.socket'
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'avahi-daemon.service'

Remediation Ansible snippet:

- name: Disable service avahi-daemon
  service:
    name: avahi-daemon
    enabled: "no"
    state: "stopped"
  register: service_result
  failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
  tags:
    - service_avahi-daemon_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80338-7
    - NIST-800-53-CM-7
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Disable socket of service avahi-daemon if applicable
  service:
    name: avahi-daemon.socket
    enabled: "no"
    state: "stopped"
  register: socket_result
  failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
  tags:
    - service_avahi-daemon_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80338-7
    - NIST-800-53-CM-7
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure Avahi if Necessary

If your system requires the Avahi daemon, its configuration can be restricted to improve security. The Avahi daemon configuration file is /etc/avahi/avahi-daemon.conf. The following security recommendations should be applied to this file. See the avahi-daemon.conf(5) man page, or documentation at http://www.avahi.org, for more detailed information about the configuration options.
Check Avahi Responses' TTL Field

To make Avahi ignore packets unless the TTL field is 255, edit /etc/avahi/avahi-daemon.conf and ensure the following line appears in the [server] section:

check-response-ttl=yes

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

This helps to ensure that only mDNS responses from the local network are processed, because the TTL field in a packet is decremented from its initial value of 255 whenever it is routed from one network to another. Although a properly configured router or firewall should not allow mDNS packets into the local network at all, this option provides another check to ensure they are not permitted.

Identifiers: CCE-80340-3

Disable Avahi Publishing

To prevent Avahi from publishing its records, edit /etc/avahi/avahi-daemon.conf and ensure the following line appears in the [publish] section:

disable-publishing=yes

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

This helps ensure that no record will be published by Avahi.
Serve Avahi Only via Required Protocol

If you are using only IPv4, edit /etc/avahi/avahi-daemon.conf and ensure the following line exists in the [server] section:

    use-ipv6=no

Similarly, if you are using only IPv6, disable the IPv4 sockets with the line:

    use-ipv4=no

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

CCE-80339-5

Restrict Information Published by Avahi

If it is necessary to publish some information to the network, it should not be accompanied by any extraneous information, or by information supplied by a non-trusted source on the system. Prevent user applications from using Avahi to publish services by adding or correcting the following line in the [publish] section:

    disable-user-service-publishing=yes

Implement as many of the following lines as possible, to restrict the information published by Avahi:

    publish-addresses=no
    publish-hinfo=no
    publish-workstation=no
    publish-domain=no

Inspect the files in the directory /etc/avahi/services/. Unless there is an operational need to publish information about each of these services, delete the corresponding file.
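Each of the Avahi rules in this section names one key of /etc/avahi/avahi-daemon.conf. The following added example, which is not part of the SCAP Security Guide and not code from the Avahi project, checks a configuration file against all of them at once: the [server] TTL and protocol options, the [publish] restrictions above, and disallow-other-stacks, which the next rule covers. The RECOMMENDED table, the two sample configurations and the audit_avahi_conf function are the example's own constructions; a key that the stock file ships only as a "#key=value" comment is reported as missing, because a commented key does nothing.

```python
"""Audit an avahi-daemon.conf against the hardening settings in this section.

Added example; not part of the SCAP Security Guide or the Avahi project.
"""
import configparser
import sys

# Assumed from the rules in this section: every key that should be present,
# grouped by the INI section it belongs to.  use-ipv4/use-ipv6 are added at
# call time because which of the two to disable depends on the site.
RECOMMENDED = {
    "server": {
        "check-response-ttl": "yes",
        "disallow-other-stacks": "yes",
    },
    "publish": {
        "disable-publishing": "yes",
        "disable-user-service-publishing": "yes",
        "publish-addresses": "no",
        "publish-hinfo": "no",
        "publish-workstation": "no",
        "publish-domain": "no",
    },
}

# Constructed sample resembling a stock file: most hardening keys are still
# shipped as comments, which avahi-daemon ignores.
SAMPLE_CONF = """\
[server]
use-ipv4=yes
use-ipv6=yes
#check-response-ttl=no
disallow-other-stacks=yes

[publish]
disable-publishing=no
publish-workstation=no
"""

# Constructed sample with every recommendation applied on an IPv4-only site.
HARDENED_CONF = """\
[server]
use-ipv4=yes
use-ipv6=no
check-response-ttl=yes
disallow-other-stacks=yes

[publish]
disable-publishing=yes
disable-user-service-publishing=yes
publish-addresses=no
publish-hinfo=no
publish-workstation=no
publish-domain=no
"""


def load_avahi_conf(text):
    """avahi-daemon.conf is plain INI syntax with '#' full-line comments."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def audit_avahi_conf(text, ipv4_only=False, ipv6_only=False):
    """Return (section, key, expected, actual) for every recommendation not met.

    A key that is absent, or present only as a comment, reports actual=None.
    """
    cfg = load_avahi_conf(text)
    expected = {section: dict(keys) for section, keys in RECOMMENDED.items()}
    if ipv4_only:
        expected["server"]["use-ipv6"] = "no"
    if ipv6_only:
        expected["server"]["use-ipv4"] = "no"

    findings = []
    for section, keys in expected.items():
        for key, want in keys.items():
            # fallback covers both a missing key and a missing section
            actual = cfg.get(section, key, fallback=None)
            if actual is None or actual.strip().lower() != want:
                findings.append((section, key, want, actual))
    return findings


def report(text, **site):
    """Print one line per deviation; return how many there were."""
    findings = audit_avahi_conf(text, **site)
    for section, key, want, actual in findings:
        shown = "missing or commented out" if actual is None else f"set to {actual!r}"
        print(f"[{section}] {key}: expected {want!r}, {shown}")
    return len(findings)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/avahi/avahi-daemon.conf"
    try:
        with open(path) as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_CONF  # offline: fall back to the constructed sample
    sys.exit(1 if report(text, ipv4_only=True) else 0)
```

Run it with the path of the file to check; the exit status is non-zero when any recommendation is unmet, so it drops straight into a compliance pipeline. The script does not rewrite the file: avahi-daemon's own parser, not configparser, must read the result, so corrections are best made with the same key=value syntax the rules show.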
References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: These options prevent publishing attempts from succeeding, and can be applied even if publishing is disabled entirely via disable-publishing. Alternatively, they can be used to restrict the types of published information in the event that some information must be published.

CCE-80343-7

Prevent Other Programs from Using Avahi's Port

To prevent other mDNS stacks from running, edit /etc/avahi/avahi-daemon.conf and ensure the following line appears in the [server] section:

    disallow-other-stacks=yes

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: With this option Avahi binds UDP port 5353 exclusively, so no other process on the host can bind it. This helps ensure that only Avahi is responsible for mDNS traffic coming from that port on the system.

CCE-80341-1

Proxy Server

A proxy server is a very desirable target for a potential adversary because much (or all) of the sensitive data for a given infrastructure may flow through it.
Therefore, if one is required, the system acting as a proxy server should be dedicated to that purpose alone and be kept in a physically secure location. The system's default proxy server software is Squid, provided in an RPM package of the same name.

Disable Squid if Possible

If Squid was installed and activated, but the system does not need to act as a proxy server, then it should be disabled and removed.

Disable Squid

The squid service can be disabled with the following command:

    $ sudo systemctl disable squid.service

Disabling only prevents the service from starting at boot; a running instance must also be stopped with systemctl stop squid.service, as the remediation below does.

References: 2.2.13

Rationale: Running proxy server software provides a network-based avenue of attack, and should be removed if not needed.

CCE-80285-0

Bash remediation:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'squid.service'
    "$SYSTEMCTL_EXEC" disable 'squid.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^squid.socket\>' && "$SYSTEMCTL_EXEC" disable 'squid.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'squid.service'

Ansible remediation:

    - name: Disable service squid
      service:
        name: squid
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
        - service_squid_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80285-0
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service squid if applicable
      service:
        name: squid.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
        - service_squid_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80285-0
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Uninstall squid Package

The squid package can be removed with the following command:

    $ sudo yum erase squid

Rationale: If there is no need to make the proxy server software available, removing it provides a safeguard against its activation.

CCE-80286-8

Bash remediation (package_remove is a helper from the SSG remediation library):

    package_remove squid

Ansible remediation:

    - name: Ensure squid is removed
      package:
        name: squid
        state: absent
      tags:
        - package_squid_removed
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80286-8

Puppet remediation:

    include remove_squid
    class remove_squid {
      package { 'squid':
        ensure => 'purged',
      }
    }

Anaconda (kickstart) remediation:

    package --remove=squid

Introduction

The purpose of this guidance is to provide security configuration recommendations and baselines for the Red Hat Enterprise Linux 7 operating system. Recommended settings for the basic operating system are provided, as well as for many network services that the system can provide to other systems. The guide is intended for system administrators.
Readers are assumed to possess basic system administration skills for Unix-like systems, as well as some familiarity with the product's documentation and administration conventions. Some instructions within this guide are complex. All directions should be followed completely and with understanding of their effects in order to avoid serious adverse effects on the system and its security.

General Principles

The following general principles motivate much of the advice in this guide and should also influence any configuration decisions that are not explicitly covered.

Minimize Software to Minimize Vulnerability

The simplest way to avoid vulnerabilities in software is to avoid installing that software. On Red Hat Enterprise Linux 7, the RPM Package Manager (originally Red Hat Package Manager, abbreviated RPM) allows for careful management of the set of software packages installed on a system. Installed software contributes to system vulnerability in several ways. Packages that include setuid programs may provide local attackers a potential path to privilege escalation. Packages that include network services may give this opportunity to network-based attackers. Packages that include programs which are predictably executed by local users (e.g. after graphical login) may provide opportunities for trojan horses or other attack code to be run undetected. The number of software packages installed on a system can almost always be significantly pruned to include only the software for which there is an environmental or operational need.

Encrypt Transmitted Data Whenever Possible

Data transmitted over a network, whether wired or wireless, is susceptible to passive monitoring. Whenever practical solutions for encrypting such data exist, they should be applied. Even if data is expected to be transmitted only over a local network, it should still be encrypted. Encrypting authentication data, such as passwords, is particularly important.
Networks of Red Hat Enterprise Linux 7 machines can and should be configured so that no unencrypted authentication data is ever transmitted between machines.

Configure Security Tools to Improve System Robustness

Several tools exist which can be used effectively to improve a system's resistance to, and detection of, unknown attacks. These tools can improve robustness against attack at the cost of relatively little configuration effort. In particular, this guide recommends and discusses the use of host-based firewalling, SELinux for protection against vulnerable services, and a logging and auditing infrastructure for detection of problems.

Run Different Network Services on Separate Systems

Whenever possible, a server should be dedicated to serving exactly one network service. This limits the number of other services that can be compromised in the event that an attacker is able to successfully exploit a software flaw in one network service.

Least Privilege

Grant the least privilege necessary for user accounts and software to perform tasks. For example, sudo can be implemented to limit authorization to super user accounts on the system to designated personnel only. Another example is to limit logins on server systems to only those administrators who need to log into them in order to perform administration tasks. Using SELinux also follows the principle of least privilege: SELinux policy can confine software to perform only those actions on the system that are specifically allowed. This can be far more restrictive than the actions permissible under the traditional Unix permissions model.

How to Use This Guide

Readers should heed the following points when using the guide.

Formatting Conventions

Commands intended for shell execution, as well as configuration file text, are featured in a monospace font. Italics are used to indicate instances where the system administrator must substitute the appropriate information into a command or configuration file.
Test in Non-Production Environment

This guidance should always be tested in a non-production environment before deployment. This test environment should simulate the setup in which the system will be deployed as closely as possible.

Read Sections Completely and in Order

Each section may build on information and recommendations discussed in prior sections. Each section should be read and understood completely; instructions should never be blindly applied. Relevant discussion may occur after instructions for an action.

Root Shell Environment Assumed

Most of the actions listed in this document are written with the assumption that they will be executed by the root user running the /bin/bash shell. Commands preceded with a hash mark (#) assume that the administrator will execute the commands as root, i.e. apply the command via sudo whenever possible, or use su to gain root privileges if sudo cannot be used. Commands which can be executed as a non-root user are preceded by a dollar sign ($) prompt.

Reboot Required

A system reboot is implicitly required after some actions in order to complete the reconfiguration of the system. In many cases, the changes will not take effect until a reboot is performed. In order to ensure that changes are applied properly and to test functionality, always reboot the system after applying a set of recommendations from this guide.

System Settings

Contains rules that check correct system settings.

System Accounting with auditd

The audit service provides substantial capabilities for recording system activities. By default, the service audits SELinux AVC denials and certain types of security-relevant events such as system logins, account modifications, and authentication events performed by programs such as sudo. Under its default configuration, auditd has modest disk space requirements, and should not noticeably impact system performance.
NOTE: The Linux Audit daemon auditd can be configured to use the augenrules program to read audit rules files (*.rules) located in /etc/audit/rules.d and compile them into the resulting /etc/audit/audit.rules configuration file during daemon startup (the default configuration). Alternatively, the auditd daemon can use the auditctl utility to read audit rules from the /etc/audit/audit.rules configuration file during daemon startup, and load them into the kernel. The expected behavior is configured via the ExecStartPost directive in the /usr/lib/systemd/system/auditd.service configuration file. To instruct the auditd daemon to use the augenrules program to read audit rules (the default configuration), use the following setting in that file:

    ExecStartPost=-/sbin/augenrules --load

To instruct the auditd daemon to use the auditctl utility to read audit rules instead, use the following setting:

    ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules

Refer to the [Service] section of the /usr/lib/systemd/system/auditd.service configuration file for further details. The mode currently in effect can be confirmed with grep ExecStartPost /usr/lib/systemd/system/auditd.service. Note that a unit file under /usr/lib/systemd/system is replaced when the audit package is updated; a change that must survive updates belongs in a drop-in under /etc/systemd/system/auditd.service.d/ instead.

Government networks often have substantial auditing requirements and auditd can be configured to meet these requirements. Examining some example audit records demonstrates how the Linux audit system satisfies common requirements. The following example from the Red Hat Enterprise Linux documentation, available at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages, shows the substantial amount of information captured in two typical "raw" audit messages, followed by a breakdown of the most important fields.
In this example the message is SELinux-related and reports an AVC denial (and the associated system call) that occurred when the Apache HTTP Server attempted to access the /var/www/html/file1 file (labeled with the samba_share_t type):

    type=AVC msg=audit(1226874073.147:96): avc: denied { getattr } for pid=2465 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file

    type=SYSCALL msg=audit(1226874073.147:96): arch=40000003 syscall=196 success=no exit=-13 a0=b98df198 a1=bfec85dc a2=54dff4 a3=2008171 items=0 ppid=2463 pid=2465 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

The most important fields of the AVC record:

msg=audit(1226874073.147:96)
    The number in parentheses is the unformatted time stamp (Epoch time) for the event, which can be converted to standard time with the date command, for example date -d @1226874073. The number after the colon is the event serial number; records that share the same time stamp and serial, as the AVC and SYSCALL records above do, belong to the same event.

{ getattr }
    The item in braces indicates the permission that was denied. getattr indicates the source process was trying to read the target file's status information, which happens before a file is read. The action is denied because the file being accessed has the wrong label. Commonly seen permissions include getattr, read, and write.

comm="httpd"
    The executable that launched the process. The full path of the executable is found in the exe= field of the system call (SYSCALL) record, which in this case is exe="/usr/sbin/httpd".

path="/var/www/html/file1"
    The path to the object (target) the process attempted to access.

scontext="unconfined_u:system_r:httpd_t:s0"
    The SELinux context of the process that attempted the denied action. In this case, it is the SELinux context of the Apache HTTP Server, which is running in the httpd_t domain.

tcontext="unconfined_u:object_r:samba_share_t:s0"
    The SELinux context of the object (target) the process attempted to access. In this case, it is the SELinux context of file1. Note: the samba_share_t type is not accessible to processes running in the httpd_t domain.

From the system call (SYSCALL) record, two items are of interest:

success=no
    Indicates whether the denial (AVC) was enforced or not. success=no indicates the system call was not successful (SELinux denied access). success=yes indicates the system call was successful; this is seen for permissive domains or unconfined domains, such as initrc_t and kernel_t, where the AVC is logged but not enforced.

exe="/usr/sbin/httpd"
    The full path to the executable that launched the process.

Configure auditd Data Retention

The audit system writes data to /var/log/audit/audit.log. By default, auditd rotates 5 logs by size (6MB), retaining a maximum of 30MB of data in total, and refuses to write entries when the disk is too full. This minimizes the risk of audit data filling its partition and impacting other services. It also minimizes the risk of the audit daemon temporarily disabling the system if it cannot write an audit log (which it can be configured to do). For a busy system, or a system which is thoroughly auditing system activity, the default settings for data retention may be insufficient. The log file size needed will depend heavily on what types of events are being audited. First configure auditing to log all the events of interest. Then monitor the log size manually for a while to determine what file size will allow you to keep the required data for the correct time period. Using a dedicated partition for /var/log/audit prevents the auditd logs from disrupting system functionality if they fill, and, more importantly, prevents other activity in /var from filling the partition and stopping the audit trail. (The audit logs are size-limited and therefore unlikely to grow without bound unless configured to do so.) Some machines may have requirements that no actions occur which cannot be audited.
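Reading these fields by hand does not scale to a real audit.log. The following added example, which is not code from the SCAP Security Guide, the audit package or the Red Hat documentation, parses raw records of the form shown above, converts the epoch time stamp, joins the AVC and SYSCALL records of one event through the shared serial number, and reports a denial the way the breakdown above does (permission, comm and exe, path, source and target type, whether it was enforced, and the login uid responsible). The two AVC/SYSCALL records are the ones quoted above; the third record, and all function and field names, are the example's own constructions.

```python
"""Parse raw auditd AVC/SYSCALL records and correlate them into events.

Added example; not part of the SCAP Security Guide or the audit package.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Every raw record starts with: type=<TYPE> msg=audit(<epoch>.<ms>:<serial>):
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# An AVC body carries the verdict and permission set before its key=value fields.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
# key=value or key="quoted value"
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The two records quoted above, plus one constructed, unrelated LOGIN record
# (serial 97) to show that correlation is by serial number, not by order.
SAMPLE_RECORDS = [
    'type=AVC msg=audit(1226874073.147:96): avc: denied { getattr } for pid=2465 '
    'comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284133 '
    'scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file',
    'type=LOGIN msg=audit(1226874100.001:97): pid=2600 uid=0 old-auid=4294967295 '
    'auid=502 old-ses=4294967295 ses=7 res=1',
    'type=SYSCALL msg=audit(1226874073.147:96): arch=40000003 syscall=196 success=no '
    'exit=-13 a0=b98df198 a1=bfec85dc a2=54dff4 a3=2008171 items=0 ppid=2463 pid=2465 '
    'auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 '
    'tty=(none) ses=6 comm="httpd" exe="/usr/sbin/httpd" '
    'subj=unconfined_u:system_r:httpd_t:s0 key=(null)',
]


def parse_record(line):
    """Split one raw record into a dict; None for lines that are not records."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "type": m["type"],
        "time": datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc),
        "serial": int(m["serial"]),
    }
    body = m["body"]
    if rec["type"] == "AVC":
        a = AVC_RE.match(body)
        if a:
            rec["verdict"] = a["verdict"]
            rec["perms"] = a["perms"].split()
            body = a["rest"]
    for key, value in FIELD_RE.findall(body):
        rec[key] = value.strip('"')
    return rec


def correlate(lines):
    """Group records by event serial: {serial: [record, ...]}."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec["serial"]].append(rec)
    return dict(events)


def selinux_type(context):
    """unconfined_u:system_r:httpd_t:s0 -> httpd_t"""
    return context.split(":")[2]


def summarize_denials(lines):
    """One summary per event that contains an AVC denial, in serial order."""
    summaries = []
    for serial, recs in sorted(correlate(lines).items()):
        avc = next((r for r in recs if r["type"] == "AVC" and r.get("verdict") == "denied"), None)
        if avc is None:
            continue
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), {})
        summaries.append({
            "serial": serial,
            "time": avc["time"].strftime("%Y-%m-%dT%H:%M:%SZ"),
            "perms": avc["perms"],
            "comm": avc.get("comm"),
            "exe": syscall.get("exe"),             # full path lives only in the SYSCALL record
            "path": avc.get("path"),
            "source_type": selinux_type(avc["scontext"]),
            "target_type": selinux_type(avc["tcontext"]),
            "enforced": syscall.get("success") == "no",  # success=yes: permissive or unconfined
            "auid": syscall.get("auid"),           # login uid: the user actually responsible
        })
    return summaries


if __name__ == "__main__":
    for s in summarize_denials(SAMPLE_RECORDS):
        print(f"{s['time']} #{s['serial']}: {s['comm']} ({s['exe']}, auid={s['auid']}) "
              f"denied {s['perms']} on {s['path']} [{s['source_type']} -> {s['target_type']}] "
              f"enforced={s['enforced']}")
```

Pointing summarize_denials at the lines of a real audit.log gives a denial list keyed by the responsible login uid rather than by the service's uid, which is the distinction an investigator needs; on a live system ausearch and aureport perform the same correlation and should be preferred for the full record set.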
Where the requirement is that no action may go unaudited, auditd can be configured to halt the machine if it runs out of space. Note: since older logs are rotated, configuring auditd this way does not prevent older logs from being rotated away before they can be viewed. If your system is configured to halt when logging cannot be performed, make sure this can never happen under normal circumstances: ensure that /var/log/audit is on its own partition, and that this partition is larger than the maximum amount of data auditd will retain normally (max_log_file multiplied by num_logs, plus the free-space thresholds space_left and admin_space_left).

Values used by the rules in this section. Each entry gives the setting, the file it lives in, and the selectable options as this guide lists them; an option that appears twice is the one selected by default. Note that auditd.conf(5) does not list email among the values accepted for disk_error_action or disk_full_action; check the man page before selecting a value.

    Account for auditd to send email when actions occur
        The setting for action_mail_acct in /etc/audit/auditd.conf
        Options: admin root root
    Action for auditd to take when disk errors occur
        The setting for disk_error_action in /etc/audit/auditd.conf
        Options: syslog single halt exec single email
    Action for auditd to take when log files reach their maximum size
        The setting for max_log_file_action in /etc/audit/auditd.conf
        Options: rotate syslog keep_logs rotate suspend
    Size remaining in disk space before prompting space_left_action
        The setting for space_left (MB) in /etc/audit/auditd.conf
        Options: 750 1000 100 100 500 250
    Action for audispd to take when disk is full
        The setting for disk_full_action in /etc/audisp/audisp-remote.conf
        Options: syslog single suspend halt exec single email
    Maximum audit log file size for auditd
        The setting for max_log_file (MB) in /etc/audit/auditd.conf
        Options: 1 20 5 6 6 10
    Remote server for audispd to send audit records
        The setting for remote_server in /etc/audisp/audisp-remote.conf
        Options: myhost.mydomain.com
    Action for auditd to take when disk is full
        The setting for disk_full_action in /etc/audit/auditd.conf
        Options: syslog single halt exec single email
    Action for auditd to take when disk space is low
        The setting for admin_space_left_action in /etc/audit/auditd.conf
        Options: suspend halt exec single syslog single rotate email
    Action for auditd to take when disk space just starts to run low
        The setting for space_left_action in /etc/audit/auditd.conf
        Options: suspend halt exec email syslog single rotate email
    Number of log files for auditd to retain
        The setting for num_logs in /etc/audit/auditd.conf
        Options: 1 2 3 4 5 0 5
    Auditd priority for flushing data to disk
        The setting for flush in /etc/audit/auditd.conf
        Options: none incremental incremental_async data data sync
    Action for audispd to take when network fails
        The setting for network_failure_action in /etc/audisp/audisp-remote.conf
        Options: syslog single suspend halt exec single email

Configure auditd flush priority

The auditd service can be configured to synchronously write audit event data to disk. Add or correct the following line in /etc/audit/auditd.conf, substituting the selected flush mode for MODE (this guide selects data by default; sync is also synchronous, while none, incremental and incremental_async are not):

    flush = MODE

References: 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.3.1 CCI-001576 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 AU-9 AU-12(1) DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.PT-1

Rationale: Audit data should be synchronously written to disk to ensure log integrity, so that a crash or power loss does not discard records the kernel has already delivered to auditd. These parameters assure that all audit event data is fully synchronized with the log files on the disk.

CCE-27331-8

Bash remediation:

    var_auditd_flush=""
    AUDITCONFIG=/etc/audit/auditd.conf

    # if flush is present, flush param edited to var_auditd_flush
    # else flush param is defined by var_auditd_flush
    #
    # the freq param is only used when flush is incremental or
    # incremental_async and will be commented out otherwise
    # (edited here: the original script kept freq for 'incremental' only,
    # although auditd.conf(5) honours it for incremental_async as well)
    #
    # if flush uses freq && freq param is not defined, it
    # will be defined as 20
    grep -q ^flush $AUDITCONFIG && \
      sed -i 's/^flush.*/flush = '"$var_auditd_flush"'/g' $AUDITCONFIG
    if ! [ $? -eq 0 ]; then
        echo "flush = $var_auditd_flush" >> $AUDITCONFIG
    fi

    if [ "$var_auditd_flush" == "incremental" ] || [ "$var_auditd_flush" == "incremental_async" ]; then
        grep -q freq $AUDITCONFIG && \
          sed -i 's/^#\+freq/freq/g' $AUDITCONFIG
        if ! [ $? -eq 0 ]; then
            echo "freq = 20" >> $AUDITCONFIG
        fi
    else
        sed -i 's/^freq/##freq/g' $AUDITCONFIG
    fi

Ansible remediation:

    - name: XCCDF Value var_auditd_flush # promote to variable
      set_fact:
        var_auditd_flush: !!str
      tags:
        - always

    - name: Configure auditd Flush Priority
      lineinfile:
        dest: /etc/audit/auditd.conf
        regexp: '^\s*flush\s*=\s*.*$'
        line: "flush = {{ var_auditd_flush }}"
        state: present
        #notify: reload auditd
      tags:
        - auditd_data_retention_flush
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27331-8
        - NIST-800-53-AU-9
        - NIST-800-53-AU-12(1)
        - NIST-800-171-3.3.1
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Encrypt Audit Records Sent With audispd Plugin

Configure the operating system to encrypt the transfer of off-loaded audit records onto a different system or media from the system being audited. Uncomment the enable_krb5 option in /etc/audisp/audisp-remote.conf, and set it with the following line:

    enable_krb5 = yes

This setting only takes effect when the krb5_principal and krb5_key_file options in the same file reference a valid principal and keytab, and the receiving auditd is itself configured for Kerberos on its tcp_listen_port; otherwise the plugin fails to connect and records are not off-loaded at all.

References: CCI-001851 FAU_GEN.1.1.c SRG-OS-000342-GPOS-00133 RHEL-07-030310 SV-86709r2_rule

Rationale: Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
CCE-80540-8

Bash remediation (replace_or_append is a helper from the SSG remediation library that rewrites a line matching the pattern, or appends the line if none matches):

    AUDISP_REMOTE_CONFIG="/etc/audisp/audisp-remote.conf"
    option="^enable_krb5"
    value="yes"
    replace_or_append $AUDISP_REMOTE_CONFIG "$option" "$value" "CCE-80540-8"

Ansible remediation:

    - name: Configure Kerberos 5 Encryption in Audit Event Multiplexor (audispd)
      lineinfile:
        dest: /etc/audisp/audisp-remote.conf
        line: enable_krb5 = yes
        regexp: ^\s*enable_krb5\s*=\s*.*$
        state: present
        create: true
      tags:
        - auditd_audispd_encrypt_sent_records
        - medium_severity
        - low_complexity
        - low_disruption
        - CCE-80540-8
        - DISA-STIG-RHEL-07-030310
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure audispd Plugin To Send Logs To Remote Server

Configure the audispd plugin to off-load audit records onto a different system or media from the system being audited. Set the remote_server option in /etc/audisp/audisp-remote.conf to the IP address or hostname of the system that the audispd plugin should send audit records to. For example, replacing REMOTE_SYSTEM with that IP address or hostname:

    remote_server = REMOTE_SYSTEM

The plugin itself must also be enabled by setting active = yes in /etc/audisp/plugins.d/au-remote.conf; otherwise audispd never loads it and remote_server has no effect.

References: CCI-001851 FAU_GEN.1.1.c SRG-OS-000342-GPOS-00133 RHEL-07-030300 SV-86707r2_rule SRG-OS-000051-VMM-000230 SRG-OS-000058-VMM-000270 SRG-OS-000059-VMM-000280 SRG-OS-000479-VMM-001990

Rationale: Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.

CCE-80541-6

Bash remediation:

    var_audispd_remote_server=""
    AUDITCONFIG=/etc/audisp/audisp-remote.conf
    replace_or_append $AUDITCONFIG '^remote_server' "$var_audispd_remote_server" "CCE-80541-6"

Configure audispd's Plugin network_failure_action On Network Failure

Configure the action the operating system takes if there is an error sending audit records to a remote system. Edit the file /etc/audisp/audisp-remote.conf.
Add or modify the following line, substituting ACTION appropriately:

    network_failure_action = ACTION

Set this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include syslog and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined.

References: CCI-001851 SRG-OS-000342-GPOS-00133 RHEL-07-030321 SV-87815r3_rule

Rationale: Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records.

CCE-80538-2

Configure auditd Disk Full Action when Disk Space Is Full

The auditd service can be configured to take an action when the partition holding the audit log has no space left at all (the earlier, low-space thresholds are handled by space_left_action and admin_space_left_action). Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:

    disk_full_action = ACTION

Set this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include syslog, exec, suspend, and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.

References: 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 APO11.04 APO12.06 APO13.01 BAI03.05 BAI04.04 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 MEA02.01 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 7.1 SR 7.2 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.16.1.4 A.16.1.5 A.16.1.7 A.17.2.1 AU-1(b) AU-4 AU-5(b) IR-5 DE.AE-3 DE.AE-5 PR.DS-4 PR.PT-1 RS.AN-1 RS.AN-4

Rationale: Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.
var_auditd_disk_full_action="" replace_or_append /etc/audit/auditd.conf '^disk_full_action' "$var_auditd_disk_full_action" "" - name: XCCDF Value var_auditd_disk_full_action # promote to variable set_fact: var_auditd_disk_full_action: !!str tags: - always - name: Configure auditd Disk Full Action when Disk Space Is Full lineinfile: dest: /etc/audit/auditd.conf line: "disk_full_action = {{ var_auditd_disk_full_action }}" regexp: '^\s*disk_full_action\s*=\s*.*$' state: present #notify: reload auditd tags: - auditd_data_disk_full_action - medium_severity - restrict_strategy - low_complexity - low_disruption - NIST-800-53-AU-1(b) - NIST-800-53-AU-4 - NIST-800-53-AU-5(b) - NIST-800-53-IR-5 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Configure auditd Max Log File Size Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting the correct value of for STOREMB: max_log_file = STOREMB Set the value to 6 (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data. 5.2.1.1 1 11 12 13 14 15 16 19 3 4 5 6 7 8 5.4.1.1 APO11.04 APO12.06 BAI03.05 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 MEA02.01 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.16.1.4 A.16.1.5 A.16.1.7 AU-1(b) AU-11 IR-5 DE.AE-3 DE.AE-5 PR.PT-1 RS.AN-1 RS.AN-4 Req-10.7 The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained. 
CCE-27319-3

Bash remediation:

    var_auditd_max_log_file=""
    AUDITCONFIG=/etc/audit/auditd.conf
    replace_or_append $AUDITCONFIG '^max_log_file' "$var_auditd_max_log_file" "CCE-27319-3"

Ansible remediation:

    - name: XCCDF Value var_auditd_max_log_file # promote to variable
      set_fact:
        var_auditd_max_log_file: !!str
      tags:
        - always

    - name: Configure auditd Max Log File Size
      lineinfile:
        dest: /etc/audit/auditd.conf
        regexp: '^\s*max_log_file\s*=\s*.*$'
        line: "max_log_file = {{ var_auditd_max_log_file }}"
        state: present
        #notify: reload auditd
      tags:
        - auditd_data_retention_max_log_file
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27319-3
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-11
        - NIST-800-53-IR-5
        - PCI-DSS-Req-10.7
        - CJIS-5.4.1.1
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure auditd space_left on Low Disk Space

The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting SIZE_in_MB appropriately:

    space_left = SIZE_in_MB

Set this value to the amount of free space, in megabytes, at which auditd should perform the space_left_action and so notify the administrator of the problem. It must be larger than admin_space_left, which is the later, final-warning threshold.

References: 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 APO11.04 APO12.06 APO13.01 BAI03.05 BAI04.04 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 MEA02.01 CCI-001855 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 7.1 SR 7.2 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.16.1.4 A.16.1.5 A.16.1.7 A.17.2.1 AU-1(b) AU-4 AU-5(b) IR-5 DE.AE-3 DE.AE-5 PR.DS-4 PR.PT-1 RS.AN-1 RS.AN-4 Req-10.7 SRG-OS-000343-GPOS-00134 RHEL-07-030330 SV-86713r3_rule

Rationale: Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.
CCE-80537-4

Bash remediation:

    var_auditd_space_left=""
    grep -q "^space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \
      sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf || \
      echo "space_left = $var_auditd_space_left" >> /etc/audit/auditd.conf

Ansible remediation:

    - name: XCCDF Value var_auditd_space_left # promote to variable
      set_fact:
        var_auditd_space_left: !!str
      tags:
        - always

    - name: Configure auditd space_left on Low Disk Space
      lineinfile:
        dest: /etc/audit/auditd.conf
        line: "space_left = {{ var_auditd_space_left }}"
        regexp: '^\s*space_left\s*=\s*.*$'
        state: present
        #notify: reload auditd
      tags:
        - auditd_data_retention_space_left
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80537-4
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-4
        - NIST-800-53-AU-5(b)
        - NIST-800-53-IR-5
        - PCI-DSS-Req-10.7
        - DISA-STIG-RHEL-07-030330
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure auditd mail_acct Action on Low Disk Space

The auditd service can be configured to send email to a designated account in certain situations.
Add or correct the following line in /etc/audit/auditd.conf to ensure that administrators are notified via email for those situations:

    action_mail_acct = 

References: RHEL-07-030350 SV-86717r3_rule 5.2.1.2 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 5.4.1.1 APO11.04 APO12.06 APO13.01 BAI03.05 BAI04.04 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 MEA02.01 3.3.1 CCI-001855 164.312(a)(2)(ii) 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 7.1 SR 7.2 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.16.1.4 A.16.1.5 A.16.1.7 A.17.2.1 AU-1(b) AU-4 AU-5(1) AU-5(a) IR-5 DE.AE-3 DE.AE-5 PR.DS-4 PR.PT-1 RS.AN-1 RS.AN-4 Req-10.7.a SRG-OS-000343-GPOS-00134

Rationale: Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.

Identifier: CCE-27394-6

Remediation (bash):

```bash
var_auditd_action_mail_acct=""
AUDITCONFIG=/etc/audit/auditd.conf
# replace_or_append is a helper from the SSG shared bash remediation functions.
replace_or_append "$AUDITCONFIG" '^action_mail_acct' "$var_auditd_action_mail_acct" "CCE-27394-6"
```

Remediation (Ansible):

```yaml
- name: XCCDF Value var_auditd_action_mail_acct # promote to variable
  set_fact:
    var_auditd_action_mail_acct: !!str
  tags:
    - always

- name: Configure auditd mail_acct Action on Low Disk Space
  lineinfile:
    dest: /etc/audit/auditd.conf
    # regexp added so an existing action_mail_acct line is replaced instead of a
    # second one being appended (the sibling tasks in this section do the same)
    regexp: '^\s*action_mail_acct\s*=\s*.*$'
    line: "action_mail_acct = {{ var_auditd_action_mail_acct }}"
    state: present
  #notify: reload auditd
  tags:
    - auditd_data_retention_action_mail_acct
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27394-6
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-4
    - NIST-800-53-AU-5(1)
    - NIST-800-53-AU-5(a)
    - NIST-800-53-IR-5
    - NIST-800-171-3.3.1
    - PCI-DSS-Req-10.7.a
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030350
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Configure auditd to use audispd's syslog plugin

To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audisp/plugins.d/syslog.conf to yes. Restart the auditd service:

    $ sudo service auditd restart

References: 1 11 12 13 14 15 16 19 3 4 5 6 7 8 5.4.1.1 APO11.04 APO12.06 BAI03.05 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 MEA02.01 3.3.1 CCI-000136 164.308(a)(1)(ii)(D) 164.308(a)(5)(ii)(B) 164.308(a)(5)(ii)(C) 164.308(a)(6)(ii) 164.308(a)(8) 164.310(d)(2)(iii) 164.312(b) 164.314(a)(2)(i)(C) 164.314(a)(2)(iii) 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.16.1.4 A.16.1.5 A.16.1.7 AU-1(b) AU-3(2) IR-5 DE.AE-3 DE.AE-5 PR.PT-1 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.5.3 SRG-OS-000051-VMM-000230 SRG-OS-000058-VMM-000270 SRG-OS-000059-VMM-000280 SRG-OS-000479-VMM-001990

Rationale: The auditd service does not include the ability to send audit records directly to a centralized server for management. It does, however, include a plug-in for the audit event multiplexor (audispd) to pass audit records to the local syslog server.

Identifier: CCE-27341-7

Remediation (bash):

```bash
var_syslog_active="yes"
AUDISP_SYSLOGCONFIG=/etc/audisp/plugins.d/syslog.conf
# replace_or_append is a helper from the SSG shared bash remediation functions.
replace_or_append "$AUDISP_SYSLOGCONFIG" '^active' "$var_syslog_active" "CCE-27341-7"
```

Configure auditd admin_space_left Action on Low Disk Space

The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:

    admin_space_left_action = ACTION

Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include suspend and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.
References: RHEL-07-030340 SV-86715r2_rule 5.2.1.2 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 5.4.1.1 APO11.04 APO12.06 APO13.01 BAI03.05 BAI04.04 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 MEA02.01 3.3.1 CCI-000140 CCI-001343 164.312(a)(2)(ii) 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 7.1 SR 7.2 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.16.1.4 A.16.1.5 A.16.1.7 A.17.2.1 AU-1(b) AU-4 AU-5(b) IR-5 DE.AE-3 DE.AE-5 PR.DS-4 PR.PT-1 RS.AN-1 RS.AN-4 Req-10.7

Rationale: Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.

Identifier: CCE-27370-6

Remediation (bash):

```bash
var_auditd_admin_space_left_action=""
AUDITCONFIG=/etc/audit/auditd.conf
# replace_or_append is a helper from the SSG shared bash remediation functions.
replace_or_append "$AUDITCONFIG" '^admin_space_left_action' "$var_auditd_admin_space_left_action" "CCE-27370-6"
```

Remediation (Ansible):

```yaml
- name: XCCDF Value var_auditd_admin_space_left_action # promote to variable
  set_fact:
    var_auditd_admin_space_left_action: !!str
  tags:
    - always

- name: Configure auditd admin_space_left Action on Low Disk Space
  lineinfile:
    dest: /etc/audit/auditd.conf
    line: "admin_space_left_action = {{ var_auditd_admin_space_left_action }}"
    regexp: '^\s*admin_space_left_action\s*=\s*.*$'
    state: present
  #notify: reload auditd
  tags:
    - auditd_data_retention_admin_space_left_action
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27370-6
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-4
    - NIST-800-53-AU-5(b)
    - NIST-800-53-IR-5
    - NIST-800-171-3.3.1
    - PCI-DSS-Req-10.7
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030340
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Configure auditd max_log_file_action Upon Reaching Maximum Log Size

The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by auditd, add or correct the line in /etc/audit/auditd.conf:

    max_log_file_action = ACTION

Possible values for ACTION are described in the auditd.conf man page. These include:

- syslog
- suspend
- rotate
- keep_logs

Set the ACTION to rotate to ensure log rotation occurs. This is the default. The setting is case-insensitive.

References: 5.2.1.3 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 5.4.1.1 APO11.04 APO12.06 APO13.01 BAI03.05 BAI04.04 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 MEA02.01 164.312(a)(2)(ii) 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 7.1 SR 7.2 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.16.1.4 A.16.1.5 A.16.1.7 A.17.2.1 AU-1(b) AU-4 AU-11 IR-5 DE.AE-3 DE.AE-5 PR.DS-4 PR.PT-1 RS.AN-1 RS.AN-4 Req-10.7

Rationale: Automatically rotating logs (by setting this to rotate) minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, keep_logs can be employed.
Identifier: CCE-27231-0

Remediation (bash):

```bash
var_auditd_max_log_file_action=""
AUDITCONFIG=/etc/audit/auditd.conf
# replace_or_append is a helper from the SSG shared bash remediation functions.
replace_or_append "$AUDITCONFIG" '^max_log_file_action' "$var_auditd_max_log_file_action" "CCE-27231-0"
```

Remediation (Ansible):

```yaml
- name: XCCDF Value var_auditd_max_log_file_action # promote to variable
  set_fact:
    var_auditd_max_log_file_action: !!str
  tags:
    - always

- name: Configure auditd max_log_file_action Upon Reaching Maximum Log Size
  lineinfile:
    dest: /etc/audit/auditd.conf
    line: "max_log_file_action = {{ var_auditd_max_log_file_action }}"
    regexp: '^\s*max_log_file_action\s*=\s*.*$'
    state: present
  #notify: reload auditd
  tags:
    - auditd_data_retention_max_log_file_action
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27231-0
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-4
    - NIST-800-53-AU-11
    - NIST-800-53-IR-5
    - PCI-DSS-Req-10.7
    - CJIS-5.4.1.1
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Configure auditd space_left Action on Low Disk Space

The auditd service can be configured to take an action when disk space starts to run low. Edit the file /etc/audit/auditd.conf. Modify the following line, substituting ACTION appropriately:

    space_left_action = ACTION

Possible values for ACTION are described in the auditd.conf man page. These include:

- syslog
- email
- exec
- suspend
- single
- halt

Set this to email (instead of the default, which is suspend) as it is more likely to get prompt attention. Acceptable values also include suspend, single, and halt.
References: RHEL-07-030340 SV-86715r2_rule 5.2.1.2 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 5.4.1.1 APO11.04 APO12.06 APO13.01 BAI03.05 BAI04.04 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 MEA02.01 3.3.1 CCI-001855 164.312(a)(2)(ii) 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 7.1 SR 7.2 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.16.1.4 A.16.1.5 A.16.1.7 A.17.2.1 AU-1(b) AU-4 AU-5(1) AU-5(b) IR-5 DE.AE-3 DE.AE-5 PR.DS-4 PR.PT-1 RS.AN-1 RS.AN-4 Req-10.7 SRG-OS-000343-GPOS-00134

Rationale: Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.

Identifier: CCE-27375-5

Remediation (bash):

```bash
var_auditd_space_left_action=""
#
# If space_left_action present in /etc/audit/auditd.conf, change value
# to var_auditd_space_left_action, else
# add "space_left_action = $var_auditd_space_left_action" to /etc/audit/auditd.conf
#
AUDITCONFIG=/etc/audit/auditd.conf
# replace_or_append is a helper from the SSG shared bash remediation functions.
replace_or_append "$AUDITCONFIG" '^space_left_action' "$var_auditd_space_left_action" "CCE-27375-5"
```

Remediation (Ansible):

```yaml
- name: XCCDF Value var_auditd_space_left_action # promote to variable
  set_fact:
    var_auditd_space_left_action: !!str
  tags:
    - always

- name: Configure auditd space_left Action on Low Disk Space
  lineinfile:
    dest: /etc/audit/auditd.conf
    line: "space_left_action = {{ var_auditd_space_left_action }}"
    regexp: '^\s*space_left_action\s*=\s*.*$'
    state: present
  #notify: reload auditd
  tags:
    - auditd_data_retention_space_left_action
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27375-5
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-4
    - NIST-800-53-AU-5(1)
    - NIST-800-53-AU-5(b)
    - NIST-800-53-IR-5
    - NIST-800-171-3.3.1
    - PCI-DSS-Req-10.7
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030340
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Configure auditd Disk Error Action on Disk Error

The auditd service can be configured to take an action when there is a disk error. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:

    disk_error_action = ACTION

Set this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include syslog, exec, single, and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.

References: 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 APO11.04 APO12.06 APO13.01 BAI03.05 BAI04.04 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 MEA02.01 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 7.1 SR 7.2 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.16.1.4 A.16.1.5 A.16.1.7 A.17.2.1 AU-1(b) AU-4 AU-5(b) IR-5 DE.AE-3 DE.AE-5 PR.DS-4 PR.PT-1 RS.AN-1 RS.AN-4

Rationale: Taking appropriate action in case of disk errors will minimize the possibility of losing audit records.
Identifier: CCE-80646-3

Remediation (bash):

```bash
var_auditd_disk_error_action=""
#
# If disk_error_action present in /etc/audit/auditd.conf, change value
# to var_auditd_disk_error_action, else
# add "disk_error_action = $var_auditd_disk_error_action" to /etc/audit/auditd.conf
#
if grep --silent ^disk_error_action /etc/audit/auditd.conf ; then
  sed -i 's/^disk_error_action.*/disk_error_action = '"$var_auditd_disk_error_action"'/g' /etc/audit/auditd.conf
else
  echo -e "\n# Set disk_error_action to $var_auditd_disk_error_action per security requirements" >> /etc/audit/auditd.conf
  echo "disk_error_action = $var_auditd_disk_error_action" >> /etc/audit/auditd.conf
fi
```

Remediation (Ansible):

```yaml
- name: XCCDF Value var_auditd_disk_error_action # promote to variable
  set_fact:
    var_auditd_disk_error_action: !!str
  tags:
    - always

- name: Configure auditd Disk Error Action on Disk Error
  lineinfile:
    dest: /etc/audit/auditd.conf
    line: "disk_error_action = {{ var_auditd_disk_error_action }}"
    regexp: '^\s*disk_error_action\s*=\s*.*$'
    state: present
  #notify: reload auditd
  tags:
    - auditd_data_disk_error_action
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80646-3
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-4
    - NIST-800-53-AU-5(b)
    - NIST-800-53-IR-5
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Configure auditd Number of Logs Retained

Determine how many log files auditd should retain when it rotates logs. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting NUMLOGS with the correct value:

    num_logs = NUMLOGS

Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.
References: 1 11 12 13 14 15 16 19 3 4 5 6 7 8 5.4.1.1 APO11.04 APO12.06 BAI03.05 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 MEA02.01 3.3.1 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.16.1.4 A.16.1.5 A.16.1.7 AU-1(b) AU-11 IR-5 DE.AE-3 DE.AE-5 PR.PT-1 RS.AN-1 RS.AN-4 Req-10.7

Rationale: The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.

Identifier: CCE-27348-2

Remediation (bash):

```bash
var_auditd_num_logs=""
AUDITCONFIG=/etc/audit/auditd.conf
# replace_or_append is a helper from the SSG shared bash remediation functions.
replace_or_append "$AUDITCONFIG" '^num_logs' "$var_auditd_num_logs" "CCE-27348-2"
```

Remediation (Ansible):

```yaml
- name: XCCDF Value var_auditd_num_logs # promote to variable
  set_fact:
    var_auditd_num_logs: !!str
  tags:
    - always

- name: Configure auditd Number of Logs Retained
  lineinfile:
    dest: /etc/audit/auditd.conf
    line: "num_logs = {{ var_auditd_num_logs }}"
    regexp: '^\s*num_logs\s*=\s*.*$'
    state: present
  #notify: reload auditd
  tags:
    - auditd_data_retention_num_logs
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27348-2
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-11
    - NIST-800-53-IR-5
    - NIST-800-171-3.3.1
    - PCI-DSS-Req-10.7
    - CJIS-5.4.1.1
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Configure audispd's Plugin disk_full_action When Disk Is Full

Configure the action the operating system takes if the disk the audit records are written to becomes full. Edit the file /etc/audisp/audisp-remote.conf. Add or modify the following line, substituting ACTION appropriately:

    disk_full_action = ACTION

Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include syslog and halt.
For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined.

References: CCI-001851 SRG-OS-000342-GPOS-00133 RHEL-07-030320 SV-86711r3_rule

Rationale: Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.

Identifier: CCE-80539-0

Configure auditd Rules for Comprehensive Auditing

The auditd program can perform comprehensive monitoring of system activity. This section describes recommended configuration settings for comprehensive auditing, but a full description of the auditing system's capabilities is beyond the scope of this guide. The mailing list linux-audit@redhat.com exists to facilitate community discussion of the auditing system.

The audit subsystem supports extensive collection of events, including:

- Tracing of arbitrary system calls (identified by name or number) on entry or exit.
- Filtering by PID, UID, call success, system call argument (with some limitations), etc.
- Monitoring of specific files for modifications to the file's contents or metadata.

Auditing rules at startup are controlled by the file /etc/audit/audit.rules. Add rules to it to meet the auditing requirements for your organization. Each line in /etc/audit/audit.rules represents a series of arguments that can be passed to auditctl and can be individually tested during runtime. See documentation in /usr/share/doc/audit-VERSION and in the related man pages for more details.

If copying any example audit rulesets from /usr/share/doc/audit-VERSION, be sure to comment out the lines containing arch= which are not appropriate for your system's architecture. Then review and understand the following rules, ensuring rules are activated as needed for the appropriate architecture.
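The auditd.conf keys set by the data-retention rules above can be checked, and drifted values corrected, with the same replace-or-append logic the bash remediations rely on. The following is an added example, not SSG code; SAMPLE_CONF and the values in EXPECTED are constructed from the guidance in those rules.

```python
"""Check and remediate the auditd.conf keys discussed in the rules above.

Added example, not SSG code.  check_conf() verifies the keys against the
values the preceding rules recommend; set_key() re-implements the
replace-or-append pattern of the bash remediations.  SAMPLE_CONF and the
values in EXPECTED are constructed for this example.
"""
import re

# Recommended values from the rules above.  max_log_file and space_left are
# site-specific sizes (left as XCCDF variables on the page), so they are not
# checked here.  Comparison is case-insensitive, as auditd itself reads them.
EXPECTED = {
    "max_log_file_action": "rotate",
    "space_left_action": "email",
    "admin_space_left_action": "single",
    "disk_error_action": "single",
    "action_mail_acct": "root",
    "num_logs": "5",
}

# Constructed sample: a stock-looking auditd.conf with several drifted keys.
SAMPLE_CONF = """\
# This file controls the configuration of the audit daemon
log_file = /var/log/audit/audit.log
log_format = RAW
max_log_file = 6
num_logs = 1
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
"""

KEY_RE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")


def parse_auditd_conf(text):
    """Return {key: value}; a duplicated key keeps its last value, as auditd does."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def check_conf(text, expected=EXPECTED):
    """Return sorted (key, found, wanted) tuples for each non-compliant key.

    A key that is absent from the file is reported with found=None.
    """
    actual = parse_auditd_conf(text)
    findings = []
    for key, wanted in expected.items():
        found = actual.get(key)
        if found is None or found.lower() != wanted.lower():
            findings.append((key, found, wanted))
    return sorted(findings)


def set_key(text, key, value):
    """Set 'key = value', replacing an existing line or appending one.

    Like the replace_or_append remediation, the first matching line is
    rewritten and the key is appended when absent; in addition, later
    duplicates of the key are dropped so the new value cannot be overridden.
    """
    pattern = re.compile(r"^\s*" + re.escape(key) + r"\s*=", re.IGNORECASE)
    new_line = "%s = %s" % (key, value)
    out, replaced = [], False
    for line in text.splitlines():
        if pattern.match(line):
            if not replaced:
                out.append(new_line)
                replaced = True
            continue
        out.append(line)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


def remediate(text, expected=EXPECTED):
    """Apply set_key() for every finding and return the corrected file text."""
    for key, _found, wanted in check_conf(text, expected):
        text = set_key(text, key, wanted)
    return text


if __name__ == "__main__":
    for key, found, wanted in check_conf(SAMPLE_CONF):
        print("FAIL %-24s found=%r wanted=%r" % (key, found, wanted))
    print(remediate(SAMPLE_CONF))
```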
After reviewing all the rules, reading the following sections, and editing as needed, the new rules can be activated as follows:

    $ sudo service auditd restart

Record Information on Kernel Modules Loading and Unloading

To capture kernel module loading and unloading events, use the following lines, setting ARCH to b32 on a 32-bit system, or adding the syscall line twice, once with b32 and once with b64, on a 64-bit system:

    -w /usr/sbin/insmod -p x -k modules
    -w /usr/sbin/rmmod -p x -k modules
    -w /usr/sbin/modprobe -p x -k modules
    -a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules

Where to add the lines depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the lines to the file /etc/audit/audit.rules.

Ensure auditd Collects Information on Kernel Module Unloading - rmmod

To capture invocation of rmmod, the utility used to remove modules from the kernel, add the following line:

    -w /usr/sbin/rmmod -p x -k modules

Where to add the line depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to the file /etc/audit/audit.rules.
References: RHEL-07-030850 5.2.17 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.7 SRG-OS-000471-GPOS-00216 SRG-OS-000477-GPOS-00222

Rationale: The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
Identifier: CCE-80416-1

Remediation (bash):

```bash
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# (fix_audit_watch_rule is a helper from the SSG shared bash remediation functions)
fix_audit_watch_rule "auditctl" "/usr/sbin/rmmod" "x" "modules"
fix_audit_watch_rule "augenrules" "/usr/sbin/rmmod" "x" "modules"
```

Ensure auditd Collects Information on Kernel Module Loading and Unloading

To capture kernel module loading and unloading events, use the following lines, setting ARCH to b32 on a 32-bit system, or adding the syscall line twice, once with b32 and once with b64, on a 64-bit system:

    -w /usr/sbin/insmod -p x -k modules
    -w /usr/sbin/rmmod -p x -k modules
    -w /usr/sbin/modprobe -p x -k modules
    -a always,exit -F arch=ARCH -S init_module,finit_module,create_module,delete_module -F key=modules

Where to add the lines depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the lines to the file /etc/audit/audit.rules.

This rule checks for multiple syscalls related to kernel module loading and unloading; it was written with DISA STIG in mind. Other policies should use a separate rule for each syscall that needs to be checked.
For example:

- audit_rules_kernel_module_loading_insmod
- audit_rules_kernel_module_loading_rmmod
- audit_rules_kernel_module_loading_modprobe

References: 5.2.17 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.2.7

Rationale: The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

Identifier: CCE-27129-6

Remediation (bash):

```bash
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
#       it's required on a 64-bit system to check also for the presence
#       of 32-bit's equivalent of the corresponding rule.
#       (See `man 7 audit.rules` for details )
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
  GROUP="modules"
  # PATTERN accepts either key spelling ("-F key=" or "-k ") on an existing rule
  PATTERN="-a always,exit -F arch=$ARCH -S init_module -S delete_module -S finit_module -S create_module \(-F key=\|-k \).*"
  FULL_RULE="-a always,exit -F arch=$ARCH -S init_module -S delete_module -S finit_module -S create_module -k modules"
  # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
  # (fix_audit_syscall_rule is a helper from the SSG shared bash remediation functions)
  fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
  fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

# Then perform the remediations for the watch rules
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/usr/sbin/insmod" "x" "modules"
fix_audit_watch_rule "augenrules" "/usr/sbin/insmod" "x" "modules"
fix_audit_watch_rule "auditctl" "/usr/sbin/rmmod" "x" "modules"
fix_audit_watch_rule "augenrules" "/usr/sbin/rmmod" "x" "modules"
fix_audit_watch_rule "auditctl" "/usr/sbin/modprobe" "x" "modules"
fix_audit_watch_rule "augenrules" "/usr/sbin/modprobe" "x" "modules"
```

Ensure auditd Collects Information on Kernel Module Unloading - delete_module

To capture kernel module unloading events, use the following line, setting ARCH to b32 on a 32-bit system, or adding the line twice, once with b32 and once with b64, on a 64-bit system:

    -a always,exit -F arch=ARCH -S delete_module -F key=modules

Where to add the line depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to the file /etc/audit/audit.rules.
RHEL-07-030830 SV-86813r4_rule 5.2.17 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.7 SRG-OS-000471-GPOS-00216 SRG-OS-000477-GPOS-00222 The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. CCE-80415-3 # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system # Note: 32-bit and 64-bit kernel syscall numbers not always line up => # it's required on a 64-bit system to check also for the presence # of 32-bit's equivalent of the corresponding rule. 
# (See `man 7 audit.rules` for details ) [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S delete_module \(-F key=\|-k \).*" GROUP="modules" FULL_RULE="-a always,exit -F arch=$ARCH -S delete_module -k modules" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done # What architecture are we on? - name: Set architecture for audit delete_module tasks set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" tags: - audit_rules_kernel_module_loading_delete - medium_severity - low_complexity - CCE-80415-3 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030830 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") # Inserts/replaces the rule in /etc/audit/rules.d - name: Search /etc/audit/rules.d for audit rule entries find: paths: /etc/audit/rules.d recurse: false contains: ^.*delete_module.*$ patterns: '*.rules' register: find_delete_module tags: - audit_rules_kernel_module_loading_delete - medium_severity - low_complexity - CCE-80415-3 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030830 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Use /etc/audit/rules.d/privileged.rules as the 
recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules when: find_delete_module.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_kernel_module_loading_delete - medium_severity - low_complexity - CCE-80415-3 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030830 - name: Use matched file as the recipient for the rule set_fact: all_files: - '{{ find_delete_module.files | map(attribute=''path'') | list | first }}' when: find_delete_module.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_kernel_module_loading_delete - medium_severity - low_complexity - CCE-80415-3 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030830 - name: Inserts/replaces the delete_module rule in rules.d lineinfile: path: '{{ all_files[0] }}' line: '-a always,exit -F arch=b32 -S delete_module -k module-change' state: present create: true tags: - audit_rules_kernel_module_loading_delete - medium_severity - low_complexity - CCE-80415-3 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030830 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Inserts/replaces the delete_module rule in rules.d on x86_64 lineinfile: path: '{{ all_files[0] }}' line: '-a always,exit -F arch=b64 -S 
delete_module -k module-change' state: present create: true when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_kernel_module_loading_delete - medium_severity - low_complexity - CCE-80415-3 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030830 # Inserts/replaces the delete_modules rule in /etc/audit/audit.rules - name: Inserts/replaces the delete_module rule in audit.rules lineinfile: path: /etc/audit/audit.rules line: '-a always,exit -F arch=b32 -S delete_module -k module-change' create: true tags: - audit_rules_kernel_module_loading_delete - medium_severity - low_complexity - CCE-80415-3 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030830 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Inserts/replaces the delete_module rule in audit.rules when on x86_64 lineinfile: path: /etc/audit/audit.rules line: '-a always,exit -F arch=b64 -S delete_module -k module-change' create: true when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_kernel_module_loading_delete - medium_severity - low_complexity - CCE-80415-3 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030830 Ensure auditd Collects Information on Kernel Module Loading - insmod To capture 
invocations of insmod, the utility used to insert modules into the kernel, use the following line:
-w /usr/sbin/insmod -p x -k modules
Where to add the line depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to the file /etc/audit/audit.rules.
RHEL-07-030840 SV-86815r5_rule 5.2.17 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.7 SRG-OS-000471-GPOS-00216 SRG-OS-000477-GPOS-00222
The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
CCE-80446-8
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/usr/sbin/insmod" "x" "modules"
fix_audit_watch_rule "augenrules" "/usr/sbin/insmod" "x" "modules"

Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S finit_module -F key=modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S finit_module -F key=modules
RHEL-07-030821 SV-93707r2_rule 5.2.17 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.7 SRG-OS-000471-GPOS-00216 SRG-OS-000477-GPOS-00222
The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
CCE-80547-3
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
# it's required on a 64-bit system to check also for the presence
# of 32-bit's equivalent of the corresponding rule.
# (See `man 7 audit.rules` for details )
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S finit_module \(-F key=\|-k \).*"
	GROUP="modules"
	FULL_RULE="-a always,exit -F arch=$ARCH -S finit_module -k modules"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

# What architecture are we on?
- name: Set architecture for audit finit_module tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags: [audit_rules_kernel_module_loading_finit, medium_severity, low_complexity, CCE-80547-3, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030821]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: ^.*finit_module.*$
    patterns: '*.rules'
  register: find_finit_module
  tags: [audit_rules_kernel_module_loading_finit, medium_severity, low_complexity, CCE-80547-3, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030821]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_finit_module.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_kernel_module_loading_finit, medium_severity, low_complexity, CCE-80547-3, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030821]

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_finit_module.files | map(attribute=''path'') | list | first }}'
  when: find_finit_module.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_kernel_module_loading_finit, medium_severity, low_complexity, CCE-80547-3, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030821]

- name: Inserts/replaces the finit_module rule in rules.d
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '-a always,exit -F arch=b32 -S finit_module -k module-change'
    state: present
    create: true
  tags: [audit_rules_kernel_module_loading_finit, medium_severity, low_complexity, CCE-80547-3, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030821]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the finit_module rule in rules.d on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '-a always,exit -F arch=b64 -S finit_module -k module-change'
    state: present
    create: true
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_kernel_module_loading_finit, medium_severity, low_complexity, CCE-80547-3, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030821]

# Inserts/replaces the finit_modules rule in /etc/audit/audit.rules
- name: Inserts/replaces the finit_module rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F arch=b32 -S finit_module -k module-change'
    create: true
  tags: [audit_rules_kernel_module_loading_finit, medium_severity, low_complexity, CCE-80547-3, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030821]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the finit_module rule in audit.rules when on x86_64
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F arch=b64 -S finit_module -k module-change'
    create: true
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_kernel_module_loading_finit, medium_severity, low_complexity, CCE-80547-3, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030821]

Ensure auditd Collects Information on Kernel Module Loading and Unloading - modprobe
To capture invocations of modprobe, the utility used to insert and remove kernel modules, add the following line:
-w /usr/sbin/modprobe -p x -k modules
Where to add the line depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to the file /etc/audit/audit.rules.
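The insmod and modprobe watch rules and the finit_module syscall rule above share one verification pattern: the remediation's PATTERN accepts either the "-F key=" or the "-k" spelling of the key, and on a 64-bit host it requires both the b32 and the b64 form of the syscall rule. The POSIX shell checker below is an added example, not SSG code, that applies that pattern to a rules file; it goes beyond this rule and also covers the init_module, create_module and delete_module rules of this guide. The function names and the BITS argument (the value of getconf LONG_BIT on a real host) are this example's own assumptions, and the sample rules file is constructed.

```shell
#!/bin/sh
# Added example, not SSG code: verify that the kernel-module audit rules
# described in this guide are present in a rules file. The match mirrors the
# PATTERN used by the page's remediation: the key may be written as
# "-F key=..." or "-k ...", and on a 64-bit host both the b32 and the b64
# syscall rule must be present. Function names and the BITS argument are this
# example's own assumptions.

# has_syscall_rule FILE ARCH SYSCALL -> 0 if a matching "-a always,exit" rule exists
has_syscall_rule() {
    grep -q -E "^-a always,exit -F arch=$2 -S $3 (-F key=|-k )" "$1"
}

# has_watch_rule FILE PATH PERMS KEY -> 0 if the "-w PATH -p PERMS" watch exists
has_watch_rule() {
    grep -q -E "^-w $2 -p $3 (-F key=|-k )$4\$" "$1"
}

# check_module_rules FILE BITS
# BITS is 32 or 64 (on a real host pass "$(getconf LONG_BIT)", as the
# remediation does). Prints one "missing: ..." line per absent rule and
# returns 0 when the file is complete, 1 otherwise.
check_module_rules() {
    file=$1
    bits=$2
    archs="b32"
    if [ "$bits" = "64" ]; then
        archs="b32 b64"
    fi
    missing=0
    for sc in init_module finit_module create_module delete_module; do
        for arch in $archs; do
            if ! has_syscall_rule "$file" "$arch" "$sc"; then
                echo "missing: -a always,exit -F arch=$arch -S $sc -k modules"
                missing=1
            fi
        done
    done
    for bin in /usr/sbin/insmod /usr/sbin/modprobe; do
        if ! has_watch_rule "$file" "$bin" x modules; then
            echo "missing: -w $bin -p x -k modules"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample (not from a real host): a 64-bit system on which only
# init_module (both arches, mixed key spellings) and the insmod watch were added.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/modules.rules" <<'EOF'
-a always,exit -F arch=b64 -S init_module -F key=modules
-a always,exit -F arch=b32 -S init_module -k modules
-w /usr/sbin/insmod -p x -k modules
EOF
    if check_module_rules "$dir/modules.rules" 64; then
        echo "complete"
    else
        echo "incomplete"
    fi
    rm -rf "$dir"
}

demo
```

Like the page's PATTERN, the checker does not compare the key value itself, so it accepts both the "-k modules" written by the bash remediations and the "-k module-change" written by the Ansible tasks in this guide. It also shares the PATTERN's limitation that a rule listing several syscalls in one "-S" argument is not recognised; run it against each file auditd actually loads (every .rules file under /etc/audit/rules.d for augenrules, or /etc/audit/audit.rules for auditctl).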
RHEL-07-030860 5.2.17 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.7 SRG-OS-000471-GPOS-00216 SRG-OS-000477-GPOS-00222
The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
CCE-80417-9
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/usr/sbin/modprobe" "x" "modules"
fix_audit_watch_rule "augenrules" "/usr/sbin/modprobe" "x" "modules"

Ensure auditd Collects Information on Kernel Module Loading - create_module
To capture kernel module loading events, use the following line, setting ARCH to b32 on a 32-bit system, or adding two lines, one for b32 and one for b64, if your system is 64-bit:
-a always,exit -F arch=ARCH -S create_module -F key=modules
Where to add the line depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to the file /etc/audit/audit.rules.
RHEL-07-030819 SV-93705r2_rule CCI-000172 SRG-OS-000471-GPOS-00216 SRG-OS-000477-GPOS-00222
The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
CCE-80661-2
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
# it's required on a 64-bit system to check also for the presence
# of 32-bit's equivalent of the corresponding rule.
# (See `man 7 audit.rules` for details )
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S create_module \(-F key=\|-k \).*"
	GROUP="modules"
	FULL_RULE="-a always,exit -F arch=$ARCH -S create_module -k modules"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

# What architecture are we on?
- name: Set architecture for audit create_module tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags: [audit_rules_kernel_module_loading_create, medium_severity, low_complexity, CCE-80661-2, DISA-STIG-RHEL-07-030819]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: ^.*create_module.*$
    patterns: '*.rules'
  register: find_create_module
  tags: [audit_rules_kernel_module_loading_create, medium_severity, low_complexity, CCE-80661-2, DISA-STIG-RHEL-07-030819]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_create_module.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_kernel_module_loading_create, medium_severity, low_complexity, CCE-80661-2, DISA-STIG-RHEL-07-030819]

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_create_module.files | map(attribute=''path'') | list | first }}'
  when: find_create_module.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_kernel_module_loading_create, medium_severity, low_complexity, CCE-80661-2, DISA-STIG-RHEL-07-030819]

- name: Inserts/replaces the create_module rule in rules.d
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '-a always,exit -F arch=b32 -S create_module -k module-change'
    state: present
    create: true
  tags: [audit_rules_kernel_module_loading_create, medium_severity, low_complexity, CCE-80661-2, DISA-STIG-RHEL-07-030819]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the create_module rule in rules.d on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '-a always,exit -F arch=b64 -S create_module -k module-change'
    state: present
    create: true
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_kernel_module_loading_create, medium_severity, low_complexity, CCE-80661-2, DISA-STIG-RHEL-07-030819]

# Inserts/replaces the create_modules rule in /etc/audit/audit.rules
- name: Inserts/replaces the create_module rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F arch=b32 -S create_module -k module-change'
    create: true
  tags: [audit_rules_kernel_module_loading_create, medium_severity, low_complexity, CCE-80661-2, DISA-STIG-RHEL-07-030819]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the create_module rule in audit.rules when on x86_64
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F arch=b64 -S create_module -k module-change'
    create: true
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_kernel_module_loading_create, medium_severity, low_complexity, CCE-80661-2, DISA-STIG-RHEL-07-030819]

Ensure auditd Collects Information on Kernel Module Loading - init_module
To capture kernel module loading events, use the following line, setting ARCH to b32 on a 32-bit system, or adding two lines, one for b32 and one for b64, if your system is 64-bit:
-a always,exit -F arch=ARCH -S init_module -F key=modules
Where to add the line depends on how the auditd daemon is configured.
If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to the file /etc/audit/audit.rules.
RHEL-07-030820 SV-86811r4_rule 5.2.17 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.7 SRG-OS-000471-GPOS-00216 SRG-OS-000477-GPOS-00222
The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
CCE-80414-6
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
# it's required on a 64-bit system to check also for the presence
# of 32-bit's equivalent of the corresponding rule.
# (See `man 7 audit.rules` for details )
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S init_module \(-F key=\|-k \).*"
	GROUP="modules"
	FULL_RULE="-a always,exit -F arch=$ARCH -S init_module -k modules"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

# What architecture are we on?
- name: Set architecture for audit init_module tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags: [audit_rules_kernel_module_loading_init, medium_severity, low_complexity, CCE-80414-6, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030820]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: ^.*init_module.*$
    patterns: '*.rules'
  register: find_init_module
  tags: [audit_rules_kernel_module_loading_init, medium_severity, low_complexity, CCE-80414-6, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030820]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_init_module.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_kernel_module_loading_init, medium_severity, low_complexity, CCE-80414-6, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030820]

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_init_module.files | map(attribute=''path'') | list | first }}'
  when: find_init_module.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_kernel_module_loading_init, medium_severity, low_complexity, CCE-80414-6, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030820]

- name: Inserts/replaces the init_module rule in rules.d
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '-a always,exit -F arch=b32 -S init_module -k module-change'
    state: present
    create: true
  tags: [audit_rules_kernel_module_loading_init, medium_severity, low_complexity, CCE-80414-6, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030820]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the init_module rule in rules.d on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '-a always,exit -F arch=b64 -S init_module -k module-change'
    state: present
    create: true
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_kernel_module_loading_init, medium_severity, low_complexity, CCE-80414-6, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030820]

# Inserts/replaces the init_modules rule in /etc/audit/audit.rules
- name: Inserts/replaces the init_module rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F arch=b32 -S init_module -k module-change'
    create: true
  tags: [audit_rules_kernel_module_loading_init, medium_severity, low_complexity, CCE-80414-6, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030820]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the init_module rule in audit.rules when on x86_64
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F arch=b64 -S init_module -k module-change'
    create: true
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_kernel_module_loading_init, medium_severity, low_complexity, CCE-80414-6, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030820]

Record Attempts to Alter Logon and Logout Events
The audit system already collects login information for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins

Record Attempts to Alter Logon and Logout Events
The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock -p wa -k logins
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock -p wa -k logins
-w /var/log/lastlog -p wa -k logins
This rule checks for multiple syscalls related to login events; it was written with DISA STIG in mind. Other policies should use a separate rule for each syscall that needs to be checked.
For example: audit_rules_login_events_tallylog, audit_rules_login_events_faillock, audit_rules_login_events_lastlog
5.2.8 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.2.3
Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
CCE-27204-7
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/var/log/tallylog" "wa" "logins"
fix_audit_watch_rule "augenrules" "/var/log/tallylog" "wa" "logins"
fix_audit_watch_rule "auditctl" "/var/run/faillock/" "wa" "logins"
fix_audit_watch_rule "augenrules" "/var/run/faillock/" "wa" "logins"
fix_audit_watch_rule "auditctl" "/var/log/lastlog" "wa" "logins"
fix_audit_watch_rule "augenrules" "/var/log/lastlog" "wa" "logins"

Record Attempts to Alter Logon and Logout Events - lastlog
The audit system already collects login information for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins
RHEL-07-030620 SV-86771r3_rule 5.2.8 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 CCI-000126 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.3 SRG-OS-000392-GPOS-00172 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218
Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
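The bash remediations for the logon-event watches call fix_audit_watch_rule, which this guide invokes but does not show. The POSIX shell function below is an added example, not the SSG implementation, of the behaviour the text describes: for auditctl the rule goes into /etc/audit/audit.rules, for augenrules it goes into a .rules file under /etc/audit/rules.d (reusing a file that already holds "-k logins" rules, as the lastlog Ansible task does, and otherwise creating logins.rules), and the line is appended only when it is not already present, so repeated runs are idempotent. The ROOT prefix argument, the function names and the scratch directory are assumptions made so the example can run without touching the real /etc/audit.

```shell
#!/bin/sh
# Added example, not the SSG fix_audit_watch_rule implementation: add a file
# watch such as "-w /var/log/lastlog -p wa -k logins" where the configured
# rule loader will read it, without duplicating it. ROOT is an assumed prefix
# (use "" for the real system, or a scratch directory for testing).

# add_watch_rule ROOT TOOL PATH PERMS KEY
#   TOOL "auditctl"   -> $ROOT/etc/audit/audit.rules
#   TOOL "augenrules" -> a .rules file under $ROOT/etc/audit/rules.d
# Prints "added FILE" or "present FILE"; returns 1 for an unknown TOOL.
add_watch_rule() {
    root=$1; tool=$2; wpath=$3; perms=$4; key=$5
    rule="-w $wpath -p $perms -k $key"
    case $tool in
        auditctl)
            target="$root/etc/audit/audit.rules"
            ;;
        augenrules)
            dir="$root/etc/audit/rules.d"
            mkdir -p "$dir"
            # Reuse the first rules.d file that already carries rules with this
            # key (the same choice the guide's Ansible tasks make); otherwise
            # the rule goes to KEY.rules.
            target=$(grep -l -- "-k $key\$" "$dir"/*.rules 2>/dev/null | head -n 1)
            [ -n "$target" ] || target="$dir/$key.rules"
            ;;
        *)
            echo "unknown tool: $tool" >&2
            return 1
            ;;
    esac
    mkdir -p "$(dirname "$target")"
    touch "$target"
    # Exact whole-line match: the rule is added once and never duplicated.
    if grep -q -F -x -- "$rule" "$target"; then
        echo "present $target"
    else
        printf '%s\n' "$rule" >> "$target"
        echo "added $target"
    fi
}

# Apply the three logon-event watches from this guide for both loader modes,
# mirroring the pairs of fix_audit_watch_rule calls in the bash remediation.
add_login_watches() {
    root=$1
    for tool in auditctl augenrules; do
        for f in /var/log/tallylog /var/run/faillock/ /var/log/lastlog; do
            add_watch_rule "$root" "$tool" "$f" wa logins
        done
    done
}

# Demonstration against a constructed scratch tree: the second run reports
# every rule as already present.
demo() {
    scratch=$(mktemp -d)
    add_login_watches "$scratch"
    add_login_watches "$scratch"
    rm -rf "$scratch"
}

demo
```

The presence check looks only at the file chosen as the recipient, so a rule that already exists in a different rules.d file would be added a second time; the guide's Ansible tasks behave the same way because they also search rules.d only for the file to write to. After changing rules, reload them with the tool in use (augenrules --load, or auditctl -R /etc/audit/audit.rules) for the watches to take effect.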
Identifiers: CCE-80384-1

Remediation Shell script:

    # fix_audit_watch_rule is provided by the SSG shared bash remediation functions (not shown here)
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_watch_rule "auditctl" "/var/log/lastlog" "wa" "logins"
    fix_audit_watch_rule "augenrules" "/var/log/lastlog" "wa" "logins"

Remediation Ansible snippet:

    #
    # What architecture are we on?
    #
    - name: Set architecture for audit lastlog tasks
      set_fact:
        audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
      tags:
        - audit_rules_login_events_lastlog
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80384-1
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.3
        - DISA-STIG-RHEL-07-030620
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    #
    # Inserts/replaces the rule in /etc/audit/rules.d
    #
    - name: Search /etc/audit/rules.d for other user/group modification audit rules
      find:
        paths: "/etc/audit/rules.d"
        recurse: no
        contains: "-k logins$"
        patterns: "*.rules"
      register: find_lastlog
      tags:
        - audit_rules_login_events_lastlog
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80384-1
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.3
        - DISA-STIG-RHEL-07-030620
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/logins.rules as the recipient for the rule
      set_fact:
        all_files:
          - /etc/audit/rules.d/logins.rules
      when: find_lastlog.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - audit_rules_login_events_lastlog
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80384-1
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.3
        - DISA-STIG-RHEL-07-030620

    - name: Use matched file as the recipient for the rule
      set_fact:
        all_files:
          - "{{ find_lastlog.files | map(attribute='path') | list | first }}"
      when: find_lastlog.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - audit_rules_login_events_lastlog
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80384-1
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.3
        - DISA-STIG-RHEL-07-030620

    - name: Inserts/replaces the lastlog rule in rules.d when on x86
      lineinfile:
        path: "{{ all_files[0] }}"
        line: "-w /var/log/lastlog -p wa -k logins"
        create: yes
      tags:
        - audit_rules_login_events_lastlog
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80384-1
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.3
        - DISA-STIG-RHEL-07-030620
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    #
    # Inserts/replaces the rule in /etc/audit/audit.rules
    #
    - name: Inserts/replaces the lastlog rule in /etc/audit/audit.rules
      lineinfile:
        line: "-w /var/log/lastlog -p wa -k logins"
        state: present
        dest: /etc/audit/audit.rules
      tags:
        - audit_rules_login_events_lastlog
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80384-1
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.3
        - DISA-STIG-RHEL-07-030620
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Record Attempts to Alter Logon and Logout Events - faillock

The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:

    -w /var/run/faillock -p wa -k logins

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing logon events:

    -w /var/run/faillock -p wa -k logins

References: RHEL-07-030610, SV-86769r4_rule, 5.2.8, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, CCI-000126, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.3, SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218

Rationale: Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
Identifiers: CCE-80383-3

Remediation Shell script:

    # fix_audit_watch_rule is provided by the SSG shared bash remediation functions (not shown here)
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_watch_rule "auditctl" "/var/run/faillock" "wa" "logins"
    fix_audit_watch_rule "augenrules" "/var/run/faillock" "wa" "logins"

Remediation Ansible snippet:

    #
    # What architecture are we on?
    #
    - name: Set architecture for audit faillock tasks
      set_fact:
        audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
      tags:
        - audit_rules_login_events_faillock
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80383-3
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.3
        - DISA-STIG-RHEL-07-030610
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    #
    # Inserts/replaces the rule in /etc/audit/rules.d
    #
    - name: Search /etc/audit/rules.d for other user/group modification audit rules
      find:
        paths: "/etc/audit/rules.d"
        recurse: no
        contains: "-k logins$"
        patterns: "*.rules"
      register: find_faillock
      tags:
        - audit_rules_login_events_faillock
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80383-3
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.3
        - DISA-STIG-RHEL-07-030610
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/logins.rules as the recipient for the rule
      set_fact:
        all_files:
          - /etc/audit/rules.d/logins.rules
      when: find_faillock.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - audit_rules_login_events_faillock
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80383-3
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.3
        - DISA-STIG-RHEL-07-030610

    - name: Use matched file as the recipient for the rule
      set_fact:
        all_files:
          - "{{ find_faillock.files | map(attribute='path') | list | first }}"
      when: find_faillock.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - audit_rules_login_events_faillock
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80383-3
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.3
        - DISA-STIG-RHEL-07-030610

    - name: Inserts/replaces the faillock rule in rules.d when on x86
      lineinfile:
        path: "{{ all_files[0] }}"
        line: "-w /var/run/faillock -p wa -k logins"
        create: yes
      tags:
        - audit_rules_login_events_faillock
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80383-3
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.3
        - DISA-STIG-RHEL-07-030610
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    #
    # Inserts/replaces the rule in /etc/audit/audit.rules
    #
    - name: Inserts/replaces the faillock rule in /etc/audit/audit.rules
      lineinfile:
        line: "-w /var/run/faillock -p wa -k logins"
        state: present
        dest: /etc/audit/audit.rules
      tags:
        - audit_rules_login_events_faillock
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80383-3
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.3
        - DISA-STIG-RHEL-07-030610
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Record Attempts to Alter Logon and Logout Events - tallylog

The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:

    -w /var/log/tallylog -p wa -k logins

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing logon events:

    -w /var/log/tallylog -p wa -k logins

References: RHEL-07-030600, 5.2.8, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, CCI-000126, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.3, SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218

Rationale: Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.

Identifiers: CCE-80994-7

Remediation Shell script:

    # fix_audit_watch_rule is provided by the SSG shared bash remediation functions (not shown here)
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_watch_rule "auditctl" "/var/log/tallylog" "wa" "logins"
    fix_audit_watch_rule "augenrules" "/var/log/tallylog" "wa" "logins"

Remediation Ansible snippet:

    #
    # What architecture are we on?
    #
    - name: Set architecture for audit tallylog tasks
      set_fact:
        audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
      tags:
        - audit_rules_login_events_tallylog
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80994-7
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.3
        - DISA-STIG-RHEL-07-030600
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    #
    # Inserts/replaces the rule in /etc/audit/rules.d
    #
    - name: Search /etc/audit/rules.d for other user/group modification audit rules
      find:
        paths: "/etc/audit/rules.d"
        recurse: no
        contains: "-k logins$"
        patterns: "*.rules"
      register: find_tallylog
      tags:
        - audit_rules_login_events_tallylog
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80994-7
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.3
        - DISA-STIG-RHEL-07-030600
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/logins.rules as the recipient for the rule
      set_fact:
        all_files:
          - /etc/audit/rules.d/logins.rules
      when: find_tallylog.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - audit_rules_login_events_tallylog
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80994-7
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.3
        - DISA-STIG-RHEL-07-030600

    - name: Use matched file as the recipient for the rule
      set_fact:
        all_files:
          - "{{ find_tallylog.files | map(attribute='path') | list | first }}"
      when: find_tallylog.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - audit_rules_login_events_tallylog
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80994-7
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.3
        - DISA-STIG-RHEL-07-030600

    - name: Inserts/replaces the tallylog rule in rules.d when on x86
      lineinfile:
        path: "{{ all_files[0] }}"
        line: "-w /var/log/tallylog -p wa -k logins"
        create: yes
      tags:
        - audit_rules_login_events_tallylog
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80994-7
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.3
        - DISA-STIG-RHEL-07-030600
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    #
    # Inserts/replaces the rule in /etc/audit/audit.rules
    #
    - name: Inserts/replaces the tallylog rule in /etc/audit/audit.rules
      lineinfile:
        line: "-w /var/log/tallylog -p wa -k logins"
        state: present
        dest: /etc/audit/audit.rules
      tags:
        - audit_rules_login_events_tallylog
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80994-7
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.3
        - DISA-STIG-RHEL-07-030600
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Records Events that Modify Date and Time Information

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time. All changes to the system time should be audited.

Record Attempts to Alter Time Through stime

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d for both 32 bit and 64 bit systems:

    -a always,exit -F arch=b32 -S stime -F key=audit_time_rules

Since the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file for both 32 bit and 64 bit systems:

    -a always,exit -F arch=b32 -S stime -F key=audit_time_rules

Since the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required.
See an example of multiple combined system calls:

    -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules

References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b

Rationale: Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Identifiers: CCE-27299-7

Remediation Shell script:

    # SSG shared bash function (not reproduced here) that installs the adjtimex,
    # settimeofday and stime syscall rules for the applicable architectures
    perform_audit_adjtimex_settimeofday_stime_remediation

Record attempts to alter time through settimeofday

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules

If the system is 64 bit then also add the following line:

    -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules

If the system is 64 bit then also add the following line:

    -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules

The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required.
See an example of multiple combined syscalls:

    -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules

References: 5.2.4, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b

Rationale: Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Identifiers: CCE-27216-1

Remediation Shell script:

    # SSG shared bash function (not reproduced here) that installs the adjtimex,
    # settimeofday and stime syscall rules for the applicable architectures
    perform_audit_adjtimex_settimeofday_stime_remediation

Record Attempts to Alter the localtime File

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -w /etc/localtime -p wa -k audit_time_rules

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -w /etc/localtime -p wa -k audit_time_rules

The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.

References: 5.2.4, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(b), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b

Rationale: Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd).
All changes to the system time should be audited.

Identifiers: CCE-27310-2

Remediation Shell script:

    # fix_audit_watch_rule is provided by the SSG shared bash remediation functions (not shown here)
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_watch_rule "auditctl" "/etc/localtime" "wa" "audit_time_rules"
    fix_audit_watch_rule "augenrules" "/etc/localtime" "wa" "audit_time_rules"

Record Attempts to Alter Time Through clock_settime

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change

If the system is 64 bit then also add the following line:

    -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change

If the system is 64 bit then also add the following line:

    -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change

The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required.
See an example of multiple combined syscalls:

    -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules

References: 5.2.4, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b

Rationale: Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Identifiers: CCE-27219-5

Remediation Shell script:

    # fix_audit_syscall_rule is provided by the SSG shared bash remediation functions (not shown here)
    # First perform the remediation of the syscall rule
    # Retrieve hardware architecture of the underlying system
    [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

    for ARCH in "${RULE_ARCHS[@]}"
    do
        PATTERN="-a always,exit -F arch=$ARCH -S clock_settime -F a0=.* \(-F key=\|-k \).*"
        GROUP="clock_settime"
        FULL_RULE="-a always,exit -F arch=$ARCH -S clock_settime -F a0=0x0 -k time-change"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    done

Record attempts to alter time through adjtimex

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules

If the system is 64 bit then also add the following line:

    -a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules

If the system is 64 bit then also add the following line:

    -a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules

The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required.
See an example of multiple combined syscalls:

    -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules

References: 5.2.4, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b

Rationale: Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Identifiers: CCE-27290-6

Remediation Shell script:

    # SSG shared bash function (not reproduced here) that installs the adjtimex,
    # settimeofday and stime syscall rules for the applicable architectures
    perform_audit_adjtimex_settimeofday_stime_remediation

Record Events that Modify the System's Discretionary Access Controls

At a minimum, the audit system should collect file permission changes for all users and root. Note that the "-F arch=b32" lines should be present even on a 64 bit system. These commands identify system calls for auditing. Even if the system is 64 bit it can still execute 32 bit system calls. Additionally, these rules can be configured in a number of ways while still achieving the desired effect.
An example of this is that the "-S" calls could be split up and placed on separate lines; however, this is less efficient. Add the following to /etc/audit/audit.rules:

    -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
    -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
    -a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If your system is 64 bit then these lines should be duplicated and the arch=b32 replaced with arch=b64 as follows:

    -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
    -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
    -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

Record Events that Modify the System's Discretionary Access Controls - fchown

At a minimum, the audit system should collect file permission changes for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

    -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

    -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system call has been placed independently of other system calls. Grouping this system call with others, as identified earlier in this guide, is more efficient.
References: RHEL-07-030380, SV-86723r4_rule, 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219

Rationale: The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
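The syscall-rule remediations above (clock_settime and the time rules) and the fchown remediation that follows both call fix_audit_syscall_rule, another helper from the SCAP Security Guide's shared bash library that this page does not show. Below is an added example, not the project's code, of the decision that helper's PATTERN argument encodes and of the insert that follows it: a syscall counts as already audited for a given arch and key when it is any member of an existing rule's comma-separated -S list (so the combined "-S adjtimex,settimeofday" line shown earlier satisfies the settimeofday rule, and a combined DAC line satisfies fchown), with either key spelling (-k KEY or -F key=KEY) accepted; a rule that is not covered is appended to the file already holding that key, or to a new file named after the key. Function names, the scratch directory and the constructed starting rules are assumptions of the example; the check expects this guide's "-a always,exit -F arch=... -S ..." ordering.

```sh
# Added example: coverage check and idempotent insert for syscall audit
# rules in an augenrules-style rules directory. Not SSG's fix_audit_syscall_rule.
#
# syscall_rule_covered RULES_DIR ARCH SYSCALL KEY   (exit 0 when covered)
syscall_rule_covered() {
    rules_dir=$1; arch=$2; syscall=$3; key=$4
    # A line covers the syscall when it is an always,exit rule for this arch,
    # the syscall is one member of its -S list (alone or inside "a,b,c"), and
    # the key matches in either spelling. Extra filters such as -F a0=0x0 or
    # -F auid>=1000 may sit between the -S list and the key.
    grep -qsE -- \
        "^-a always,exit .*-F arch=$arch .*-S ([A-Za-z0-9_]+,)*$syscall(,[A-Za-z0-9_]+)* .*(-k |-F key=)$key\$" \
        "$rules_dir"/*.rules
}

# ensure_syscall_rule RULES_DIR ARCH SYSCALL KEY FULL_RULE
ensure_syscall_rule() {
    rules_dir=$1; arch=$2; syscall=$3; key=$4; full_rule=$5
    if syscall_rule_covered "$rules_dir" "$arch" "$syscall" "$key"; then
        printf 'covered: arch=%s %s (%s)\n' "$arch" "$syscall" "$key"
        return 0
    fi
    # Recipient: first file already carrying this key, else KEY.rules.
    target=$(grep -lsE -- "(-k |-F key=)$key\$" "$rules_dir"/*.rules | head -n 1)
    [ -n "$target" ] || target="$rules_dir/$key.rules"
    printf '%s\n' "$full_rule" >> "$target"
    printf 'added: %s -> %s\n' "$full_rule" "$target"
}

# Architectures to cover, mirroring the guide's getconf LONG_BIT test:
# a 32-bit kernel needs b32 only, a 64-bit kernel needs b32 and b64.
kernel_archs() {
    if [ "$(getconf LONG_BIT 2>/dev/null || echo 64)" = "32" ]; then
        echo "b32"
    else
        echo "b32 b64"
    fi
}

# Walk-through on a scratch directory (constructed data, not a real host).
demo_syscall_rules() {
    dir=$(mktemp -d)
    # Starting state: a combined 64-bit time rule and a combined 32-bit DAC rule.
    printf '%s\n' "-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules" > "$dir/time.rules"
    printf '%s\n' "-a always,exit -F arch=b32 -S chown,fchown,lchown -F auid>=1000 -F auid!=unset -k perm_mod" > "$dir/dac.rules"
    for arch in $(kernel_archs); do
        ensure_syscall_rule "$dir" "$arch" settimeofday audit_time_rules \
            "-a always,exit -F arch=$arch -S settimeofday -F key=audit_time_rules"
        ensure_syscall_rule "$dir" "$arch" clock_settime time-change \
            "-a always,exit -F arch=$arch -S clock_settime -F a0=0x0 -k time-change"
        ensure_syscall_rule "$dir" "$arch" fchown perm_mod \
            "-a always,exit -F arch=$arch -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod"
    done
    cat "$dir"/*.rules
    rm -rf "$dir"
}

if [ "${1-}" = "demo" ]; then demo_syscall_rules; fi
```

On a 64-bit kernel the walk-through reports settimeofday b64 and fchown b32 as covered by the combined lines, adds settimeofday b32 to time.rules, creates time-change.rules for the two clock_settime rules, and adds the b64 fchown rule to dac.rules. The match is textual, so a rule whose options are ordered differently from this guide (for instance -S before -F arch) is reported as missing and would be duplicated; the authoritative view is still auditctl -l after augenrules --load.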
Identifiers: CCE-27356-5

Remediation Shell script:

    # fix_audit_syscall_rule is provided by the SSG shared bash remediation functions (not shown here)
    # First perform the remediation of the syscall rule
    # Retrieve hardware architecture of the underlying system
    [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

    for ARCH in "${RULE_ARCHS[@]}"
    do
        PATTERN="-a always,exit -F arch=$ARCH -S fchown.*"
        GROUP="perm_mod"
        FULL_RULE="-a always,exit -F arch=$ARCH -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    done

Remediation Ansible snippet:

    #
    # What architecture are we on?
    #
    - name: Set architecture for audit fchown tasks
      set_fact:
        audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
      tags:
        - audit_rules_dac_modification_fchown
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27356-5
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-2(a)
        - NIST-800-53-AU-2(c)
        - NIST-800-53-AU-2(d)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.5.5
        - CJIS-5.4.1.1
        - DISA-STIG-RHEL-07-030380
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    #
    # Inserts/replaces the rule in /etc/audit/rules.d
    #
    - name: Search /etc/audit/rules.d for other DAC audit rules
      find:
        paths: "/etc/audit/rules.d"
        recurse: no
        contains: "-F key=perm_mod$"
        patterns: "*.rules"
      register: find_fchown
      tags:
        - audit_rules_dac_modification_fchown
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27356-5
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-2(a)
        - NIST-800-53-AU-2(c)
        - NIST-800-53-AU-2(d)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.5.5
        - CJIS-5.4.1.1
        - DISA-STIG-RHEL-07-030380
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
      set_fact:
        all_files:
          - /etc/audit/rules.d/privileged.rules
      when: find_fchown.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - audit_rules_dac_modification_fchown
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27356-5
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-2(a)
        - NIST-800-53-AU-2(c)
        - NIST-800-53-AU-2(d)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.5.5
        - CJIS-5.4.1.1
        - DISA-STIG-RHEL-07-030380

    - name: Use matched file as the recipient for the rule
      set_fact:
        all_files:
          - "{{ find_fchown.files | map(attribute='path') | list | first }}"
      when: find_fchown.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - audit_rules_dac_modification_fchown
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27356-5
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-2(a)
        - NIST-800-53-AU-2(c)
        - NIST-800-53-AU-2(d)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.5.5
        - CJIS-5.4.1.1
        - DISA-STIG-RHEL-07-030380

    - name: Inserts/replaces the fchown rule in rules.d when on x86
      lineinfile:
        path: "{{ all_files[0] }}"
        line: "-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod"
        create: yes
      tags:
        - audit_rules_dac_modification_fchown
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27356-5
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-2(a)
        - NIST-800-53-AU-2(c)
        - NIST-800-53-AU-2(d)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.5.5
        -
CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030380 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Inserts/replaces the fchown rule in rules.d when on x86_64 lineinfile: path: "{{ all_files[0] }}" line: "-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod" create: yes when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_dac_modification_fchown - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27356-5 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030380 # # Inserts/replaces the rule in /etc/audit/audit.rules # - name: Inserts/replaces the fchown rule in /etc/audit/audit.rules when on x86 lineinfile: line: "-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod" state: present dest: /etc/audit/audit.rules tags: - audit_rules_dac_modification_fchown - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27356-5 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030380 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Inserts/replaces the fchown rule in audit.rules when on x86_64 lineinfile: line: "-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod" state: present dest: /etc/audit/audit.rules create: yes when: audit_arch == 'b64' and 
(ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_dac_modification_fchown - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27356-5 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030380 Record Events that Modify the System's Discretionary Access Controls - setxattr At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. 
DISA STIG: RHEL-07-030440 (SV-86735r4_rule)

References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203

Rationale: The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Identifier: CCE-27213-8

Remediation Shell script:

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

# fix_audit_syscall_rule is defined in the SCAP Security Guide shared remediation
# functions, which the generated script includes before this point (not shown here)
for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S setxattr.*"
	GROUP="perm_mod"
	FULL_RULE="-a always,exit -F arch=$ARCH -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

#
# What architecture are we on?
#
- name: Set architecture for audit setxattr tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_dac_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27213-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030440
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_setxattr
  tags:
    - audit_rules_dac_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27213-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030440
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_setxattr.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27213-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030440

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_setxattr.files | map(attribute='path') | list | first }}"
  when: find_setxattr.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27213-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030440

- name: Inserts/replaces the setxattr rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
    create: yes
  tags:
    - audit_rules_dac_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27213-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030440
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the setxattr rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27213-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030440

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the setxattr rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
  tags:
    - audit_rules_dac_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27213-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030440
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the setxattr rule in audit.rules when on x86_64
  lineinfile:
    line: "-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27213-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030440

Record Events that Modify the System's Discretionary Access Controls - chown

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.
DISA STIG: RHEL-07-030370 (SV-86721r4_rule)

References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219

Rationale: The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Identifier: CCE-27364-9

Remediation Shell script:

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

# fix_audit_syscall_rule is defined in the SCAP Security Guide shared remediation
# functions, which the generated script includes before this point (not shown here)
for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S chown.*"
	GROUP="perm_mod"
	FULL_RULE="-a always,exit -F arch=$ARCH -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

#
# What architecture are we on?
#
- name: Set architecture for audit chown tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_dac_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27364-9
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030370
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_chown
  tags:
    - audit_rules_dac_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27364-9
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030370
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_chown.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27364-9
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030370

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_chown.files | map(attribute='path') | list | first }}"
  when: find_chown.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27364-9
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030370

- name: Inserts/replaces the chown rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod"
    create: yes
  tags:
    - audit_rules_dac_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27364-9
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030370
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the chown rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod"
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27364-9
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030370

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the chown rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
  tags:
    - audit_rules_dac_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27364-9
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030370
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the chown rule in audit.rules when on x86_64
  lineinfile:
    line: "-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27364-9
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030370

Record Events that Modify the System's Discretionary Access Controls - fchownat

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.
DISA STIG: RHEL-07-030400 (SV-86727r4_rule)

References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219

Rationale: The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Identifier: CCE-27387-0

Remediation Shell script:

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

# fix_audit_syscall_rule is defined in the SCAP Security Guide shared remediation
# functions, which the generated script includes before this point (not shown here)
for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S fchownat.*"
	GROUP="perm_mod"
	FULL_RULE="-a always,exit -F arch=$ARCH -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

#
# What architecture are we on?
#
- name: Set architecture for audit fchownat tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_dac_modification_fchownat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27387-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030400
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_fchownat
  tags:
    - audit_rules_dac_modification_fchownat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27387-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030400
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_fchownat.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_fchownat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27387-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030400

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_fchownat.files | map(attribute='path') | list | first }}"
  when: find_fchownat.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_fchownat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27387-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030400

- name: Inserts/replaces the fchownat rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod"
    create: yes
  tags:
    - audit_rules_dac_modification_fchownat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27387-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030400
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fchownat rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod"
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_fchownat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27387-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030400

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the fchownat rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
  tags:
    - audit_rules_dac_modification_fchownat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27387-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030400
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fchownat rule in audit.rules when on x86_64
  lineinfile:
    line: "-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_fchownat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27387-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030400

Record Events that Modify the System's Discretionary Access Controls - lchown

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.
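The chown, fchown, fchownat, lchown and setxattr rules above all require the same rule shape and note that the system calls may be grouped instead of listed one per rule. The checker below is an added example, not part of the SCAP Security Guide or its generated remediations: it parses rule lines in the augenrules/auditctl syntax, treats the grouped -S chown,fchown,... form, -k, exit,always and auid!=4294967295 as equivalents, accepts any key name, and reports which required system call is still unaudited on each architecture. The rule lines it runs on are constructed sample input; the --live option is this script's own and reads the host's rules.d files instead.

```python
"""Audit-rule coverage check for the DAC-modification syscalls.

Added example, not part of the SCAP Security Guide or its generated
remediations. It parses rule lines in the syntax shared by augenrules
(/etc/audit/rules.d/*.rules) and auditctl (/etc/audit/audit.rules) and
reports, per architecture, which required syscalls lack a rule equivalent to

  -a always,exit -F arch=<b32|b64> -S <syscall> -F auid>=1000 -F auid!=unset -F key=perm_mod

The grouped form (-S chown,fchown,...), "-k", "exit,always" and
"auid!=4294967295" are accepted as equivalents; any key name is accepted,
since the key only labels the event for later searching.
"""
import glob
import platform
import shlex
import sys

REQUIRED_SYSCALLS = frozenset({"chown", "fchown", "fchownat", "lchown", "setxattr"})
REQUIRED_FILTERS = frozenset({"auid>=1000", "auid!=unset"})
# auditctl accepts several spellings of the unset login UID; fold them into one.
_UNSET_ALIASES = {"auid!=4294967295": "auid!=unset", "auid!=-1": "auid!=unset"}


def parse_rule(line):
    """Parse one syscall rule line; return None for comments, watches (-w)
    and control lines (-D, -b, -f, -e), which carry no -a/-S pair."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    toks = shlex.split(line)
    rule = {"action": None, "arch": None, "syscalls": set(), "filters": set(), "key": None}
    i = 0
    while i < len(toks) - 1:  # every option we care about takes one argument
        opt, arg = toks[i], toks[i + 1]
        if opt == "-a":
            rule["action"] = ",".join(sorted(arg.split(",")))  # exit,always == always,exit
        elif opt == "-S":
            rule["syscalls"].update(arg.split(","))
        elif opt == "-k":
            rule["key"] = arg
        elif opt == "-F":
            if arg.startswith("arch="):
                rule["arch"] = arg[len("arch="):]
            elif arg.startswith("key="):
                rule["key"] = arg[len("key="):]
            else:
                rule["filters"].add(_UNSET_ALIASES.get(arg, arg))
        i += 2
    if rule["action"] != "always,exit" or not rule["syscalls"]:
        return None
    return rule


def covered_syscalls(rules_text, arch):
    """Required syscalls that at least one compliant rule covers for this arch."""
    covered = set()
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule["arch"] != arch or rule["key"] is None:
            continue
        if not REQUIRED_FILTERS <= rule["filters"]:
            continue  # the guide's rule shape requires both auid filters
        covered |= rule["syscalls"] & REQUIRED_SYSCALLS
    return covered


def missing_syscalls(rules_text, is_64bit=True):
    """Map each architecture the host needs to the required syscalls still unaudited."""
    archs = ("b32", "b64") if is_64bit else ("b32",)
    return {a: sorted(REQUIRED_SYSCALLS - covered_syscalls(rules_text, a)) for a in archs}


def load_rules(use_augenrules=True):
    """Read the live rule files the guide names for each loader (root is needed to read them)."""
    if use_augenrules:
        paths = sorted(glob.glob("/etc/audit/rules.d/*.rules"))
    else:
        paths = ["/etc/audit/audit.rules"]
    return "\n".join(open(p).read() for p in paths)


# Constructed sample: the perm_mod group is complete on b64, but on b32 setxattr
# is only covered by a rule that lacks the auid filters.
SAMPLE_RULES = """\
## constructed sample of /etc/audit/rules.d/privileged.rules
-a always,exit -F arch=b32 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -k perm_mod
-a exit,always -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr -F key=perm_mod   # no auid filters: does not count
-w /etc/sudoers -p wa -k actions
"""

if __name__ == "__main__":
    # "--live" is this script's own option; it reads the host's rules.d files.
    text = load_rules() if "--live" in sys.argv else SAMPLE_RULES
    # platform.architecture() plays the role of getconf LONG_BIT in the shell remediation.
    result = missing_syscalls(text, is_64bit=platform.architecture()[0] == "64bit")
    for arch, missing in result.items():
        print(f"{arch}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
    sys.exit(1 if any(result.values()) else 0)
```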
References: RHEL-07-030390 SV-86725r4_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000126 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.5.5 SRG-OS-000064-GPOS-00033 SRG-OS-000392-GPOS-00172 SRG-OS-000458-GPOS-00203 SRG-OS-000474-GPOS-00219

Rationale: The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Identifiers: CCE-27083-5

Remediation Shell script:

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S lchown.*"
	GROUP="perm_mod"
	FULL_RULE="-a always,exit -F arch=$ARCH -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	# (fix_audit_syscall_rule is provided by the guide's shared remediation functions, not defined in this snippet)
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

#
# What architecture are we on?
#
- name: Set architecture for audit lchown tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_dac_modification_lchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27083-5
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030390
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_lchown
  tags:
    - audit_rules_dac_modification_lchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27083-5
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030390
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_lchown.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_lchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27083-5
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030390

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_lchown.files | map(attribute='path') | list | first }}"
  when: find_lchown.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_lchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27083-5
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030390

- name: Inserts/replaces the lchown rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod"
    create: yes
  tags:
    - audit_rules_dac_modification_lchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27083-5
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030390
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the lchown rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod"
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_lchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27083-5
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030390

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the lchown rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
  tags:
    - audit_rules_dac_modification_lchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27083-5
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030390
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the lchown rule in audit.rules when on x86_64
  lineinfile:
    line: "-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_lchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27083-5
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030390

Record Events that Modify the System's Discretionary Access Controls - chmod

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit then also add the following line:

-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit then also add the following line:

-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
References: RHEL-07-030410 SV-86729r4_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000126 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.5.5 SRG-OS-000064-GPOS-00033 SRG-OS-000392-GPOS-00172 SRG-OS-000458-GPOS-00203

Rationale: The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Identifiers: CCE-27339-1

Remediation Shell script:

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S chmod.*"
	GROUP="perm_mod"
	FULL_RULE="-a always,exit -F arch=$ARCH -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	# (fix_audit_syscall_rule is provided by the guide's shared remediation functions, not defined in this snippet)
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

#
# What architecture are we on?
#
- name: Set architecture for audit chmod tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_dac_modification_chmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27339-1
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030410
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_chmod
  tags:
    - audit_rules_dac_modification_chmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27339-1
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030410
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_chmod.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_chmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27339-1
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030410

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_chmod.files | map(attribute='path') | list | first }}"
  when: find_chmod.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_chmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27339-1
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030410

- name: Inserts/replaces the chmod rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod"
    create: yes
  tags:
    - audit_rules_dac_modification_chmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27339-1
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030410
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the chmod rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod"
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_chmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27339-1
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030410

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the chmod rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
  tags:
    - audit_rules_dac_modification_chmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27339-1
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030410
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the chmod rule in audit.rules when on x86_64
  lineinfile:
    line: "-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_chmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27339-1
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030410

Record Events that Modify the System's Discretionary Access Controls - removexattr

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit then also add the following line:

-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit then also add the following line:

-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
References: RHEL-07-030470 SV-86741r4_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.5.5 SRG-OS-000064-GPOS-00033 SRG-OS-000392-GPOS-00172 SRG-OS-000458-GPOS-00203

Rationale: The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Identifiers: CCE-27367-2

Remediation Shell script:

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S removexattr.*"
	GROUP="perm_mod"
	FULL_RULE="-a always,exit -F arch=$ARCH -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	# (fix_audit_syscall_rule is provided by the guide's shared remediation functions, not defined in this snippet)
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

#
# What architecture are we on?
#
- name: Set architecture for audit removexattr tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_dac_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27367-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030470
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_removexattr
  tags:
    - audit_rules_dac_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27367-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030470
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_removexattr.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27367-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030470

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_removexattr.files | map(attribute='path') | list | first }}"
  when: find_removexattr.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27367-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030470

- name: Inserts/replaces the removexattr rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
    create: yes
  tags:
    - audit_rules_dac_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27367-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030470
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the removexattr rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27367-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030470

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the removexattr rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
  tags:
    - audit_rules_dac_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27367-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030470
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the removexattr rule in audit.rules when on x86_64
  lineinfile:
    line: "-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27367-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030470

Record Events that Modify the System's Discretionary Access Controls - fchmod

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit then also add the following line:

-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit then also add the following line:

-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
References: RHEL-07-030420 SV-86731r4_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000126 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.5.5 SRG-OS-000064-GPOS-00033 SRG-OS-000392-GPOS-00172 SRG-OS-000458-GPOS-00203

Rationale: The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
CCE-27393-8 # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S fchmod.*" GROUP="perm_mod" FULL_RULE="-a always,exit -F arch=$ARCH -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done # # What architecture are we on? # - name: Set architecture for audit fchmod tasks set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" tags: - audit_rules_dac_modification_fchmod - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27393-8 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030420 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") # # Inserts/replaces the rule in /etc/audit/rules.d # - name: Search /etc/audit/rules.d for other DAC audit rules find: paths: "/etc/audit/rules.d" recurse: no contains: "-F key=perm_mod$" patterns: "*.rules" register: find_fchmod tags: - audit_rules_dac_modification_fchmod - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27393-8 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030420 when: # Bare-metal/VM task, not 
applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules when: find_fchmod.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_dac_modification_fchmod - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27393-8 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030420 - name: Use matched file as the recipient for the rule set_fact: all_files: - "{{ find_fchmod.files | map(attribute='path') | list | first }}" when: find_fchmod.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_dac_modification_fchmod - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27393-8 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030420 - name: Inserts/replaces the fchmod rule in rules.d when on x86 lineinfile: path: "{{ all_files[0] }}" line: "-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod" create: yes tags: - audit_rules_dac_modification_fchmod - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27393-8 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - 
CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030420 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Inserts/replaces the fchmod rule in rules.d when on x86_64 lineinfile: path: "{{ all_files[0] }}" line: "-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod" create: yes when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_dac_modification_fchmod - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27393-8 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030420 # # Inserts/replaces the rule in /etc/audit/audit.rules # - name: Inserts/replaces the fchmod rule in /etc/audit/audit.rules when on x86 lineinfile: line: "-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod" state: present dest: /etc/audit/audit.rules tags: - audit_rules_dac_modification_fchmod - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27393-8 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030420 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Inserts/replaces the fchmod rule in audit.rules when on x86_64 lineinfile: line: "-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod" state: present dest: /etc/audit/audit.rules create: yes when: audit_arch == 'b64' and 
(ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_dac_modification_fchmod - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27393-8 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030420

Record Events that Modify the System's Discretionary Access Controls - lsetxattr

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system call has been placed in a rule of its own, independent of other system calls. Grouping it with the other perm_mod system calls, as identified earlier in this guide, is more efficient because the kernel evaluates one rule instead of several.
RHEL-07-030460 SV-86739r4_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000126 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.5.5 SRG-OS-000064-GPOS-00033 SRG-OS-000392-GPOS-00172 SRG-OS-000458-GPOS-00203 SRG-OS-000474-GPOS-00219 The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. 
CCE-27280-7 # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S lsetxattr.*" GROUP="perm_mod" FULL_RULE="-a always,exit -F arch=$ARCH -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done # # What architecture are we on? # - name: Set architecture for audit lsetxattr tasks set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" tags: - audit_rules_dac_modification_lsetxattr - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27280-7 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030460 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") # # Inserts/replaces the rule in /etc/audit/rules.d # - name: Search /etc/audit/rules.d for other DAC audit rules find: paths: "/etc/audit/rules.d" recurse: no contains: "-F key=perm_mod$" patterns: "*.rules" register: find_lsetxattr tags: - audit_rules_dac_modification_lsetxattr - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27280-7 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030460 when: # 
Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules when: find_lsetxattr.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_dac_modification_lsetxattr - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27280-7 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030460 - name: Use matched file as the recipient for the rule set_fact: all_files: - "{{ find_lsetxattr.files | map(attribute='path') | list | first }}" when: find_lsetxattr.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_dac_modification_lsetxattr - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27280-7 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030460 - name: Inserts/replaces the lsetxattr rule in rules.d when on x86 lineinfile: path: "{{ all_files[0] }}" line: "-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod" create: yes tags: - audit_rules_dac_modification_lsetxattr - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27280-7 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - 
NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030460 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Inserts/replaces the lsetxattr rule in rules.d when on x86_64 lineinfile: path: "{{ all_files[0] }}" line: "-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod" create: yes when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_dac_modification_lsetxattr - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27280-7 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030460 # # Inserts/replaces the rule in /etc/audit/audit.rules # - name: Inserts/replaces the lsetxattr rule in /etc/audit/audit.rules when on x86 lineinfile: line: "-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod" state: present dest: /etc/audit/audit.rules tags: - audit_rules_dac_modification_lsetxattr - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27280-7 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030460 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Inserts/replaces the lsetxattr rule in audit.rules when on x86_64 lineinfile: line: "-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod" state: present dest: 
/etc/audit/audit.rules create: yes when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_dac_modification_lsetxattr - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27280-7 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030460

Record Events that Modify the System's Discretionary Access Controls - fremovexattr

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system call has been placed in a rule of its own, independent of other system calls. Grouping it with the other perm_mod system calls, as identified earlier in this guide, is more efficient because the kernel evaluates one rule instead of several.
RHEL-07-030480 SV-86743r4_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.5.5 SRG-OS-000064-GPOS-00033 SRG-OS-000392-GPOS-00172 SRG-OS-000458-GPOS-00203 The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. 
CCE-27353-2 # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S fremovexattr.*" GROUP="perm_mod" FULL_RULE="-a always,exit -F arch=$ARCH -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done # # What architecture are we on? # - name: Set architecture for audit fremovexattr tasks set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" tags: - audit_rules_dac_modification_fremovexattr - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27353-2 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030480 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") # # Inserts/replaces the rule in /etc/audit/rules.d # - name: Search /etc/audit/rules.d for other DAC audit rules find: paths: "/etc/audit/rules.d" recurse: no contains: "-F key=perm_mod$" patterns: "*.rules" register: find_fremovexattr tags: - audit_rules_dac_modification_fremovexattr - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27353-2 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - 
DISA-STIG-RHEL-07-030480 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules when: find_fremovexattr.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_dac_modification_fremovexattr - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27353-2 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030480 - name: Use matched file as the recipient for the rule set_fact: all_files: - "{{ find_fremovexattr.files | map(attribute='path') | list | first }}" when: find_fremovexattr.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_dac_modification_fremovexattr - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27353-2 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030480 - name: Inserts/replaces the fremovexattr rule in rules.d when on x86 lineinfile: path: "{{ all_files[0] }}" line: "-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod" create: yes tags: - audit_rules_dac_modification_fremovexattr - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27353-2 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - 
NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030480 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Inserts/replaces the fremovexattr rule in rules.d when on x86_64 lineinfile: path: "{{ all_files[0] }}" line: "-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod" create: yes when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_dac_modification_fremovexattr - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27353-2 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030480 # # Inserts/replaces the rule in /etc/audit/audit.rules # - name: Inserts/replaces the fremovexattr rule in /etc/audit/audit.rules when on x86 lineinfile: line: "-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod" state: present dest: /etc/audit/audit.rules tags: - audit_rules_dac_modification_fremovexattr - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27353-2 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030480 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Inserts/replaces the fremovexattr rule in audit.rules when on x86_64 lineinfile: line: "-a always,exit -F arch=b64 -S fremovexattr -F 
auid>=1000 -F auid!=unset -F key=perm_mod" state: present dest: /etc/audit/audit.rules create: yes when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_dac_modification_fremovexattr - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27353-2 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030480

Record Events that Modify the System's Discretionary Access Controls - lremovexattr

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system call has been placed in a rule of its own, independent of other system calls. Grouping it with the other perm_mod system calls, as identified earlier in this guide, is more efficient because the kernel evaluates one rule instead of several.
RHEL-07-030490 SV-86745r4_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.5.5 SRG-OS-000064-GPOS-00033 SRG-OS-000392-GPOS-00172 SRG-OS-000458-GPOS-00203 The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. 
CCE-27410-0 # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S lremovexattr.*" GROUP="perm_mod" FULL_RULE="-a always,exit -F arch=$ARCH -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done # # What architecture are we on? # - name: Set architecture for audit lremovexattr tasks set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" tags: - audit_rules_dac_modification_lremovexattr - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27410-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030490 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") # # Inserts/replaces the rule in /etc/audit/rules.d # - name: Search /etc/audit/rules.d for other DAC audit rules find: paths: "/etc/audit/rules.d" recurse: no contains: "-F key=perm_mod$" patterns: "*.rules" register: find_lremovexattr tags: - audit_rules_dac_modification_lremovexattr - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27410-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - 
DISA-STIG-RHEL-07-030490 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules when: find_lremovexattr.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_dac_modification_lremovexattr - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27410-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030490 - name: Use matched file as the recipient for the rule set_fact: all_files: - "{{ find_lremovexattr.files | map(attribute='path') | list | first }}" when: find_lremovexattr.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_dac_modification_lremovexattr - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27410-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030490 - name: Inserts/replaces the lremovexattr rule in rules.d when on x86 lineinfile: path: "{{ all_files[0] }}" line: "-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod" create: yes tags: - audit_rules_dac_modification_lremovexattr - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27410-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - 
NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030490 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Inserts/replaces the lremovexattr rule in rules.d when on x86_64 lineinfile: path: "{{ all_files[0] }}" line: "-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod" create: yes when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_dac_modification_lremovexattr - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27410-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030490 # # Inserts/replaces the rule in /etc/audit/audit.rules # - name: Inserts/replaces the lremovexattr rule in /etc/audit/audit.rules when on x86 lineinfile: line: "-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod" state: present dest: /etc/audit/audit.rules tags: - audit_rules_dac_modification_lremovexattr - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27410-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030490 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Inserts/replaces the lremovexattr rule in audit.rules when on x86_64 lineinfile: line: "-a always,exit -F arch=b64 -S lremovexattr -F 
auid>=1000 -F auid!=unset -F key=perm_mod" state: present dest: /etc/audit/audit.rules create: yes when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_dac_modification_lremovexattr - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27410-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030490

Record Events that Modify the System's Discretionary Access Controls - fsetxattr

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system call has been placed in a rule of its own, independent of other system calls. Grouping it with the other perm_mod system calls, as identified earlier in this guide, is more efficient because the kernel evaluates one rule instead of several.
RHEL-07-030450 SV-86737r4_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000126 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.5.5 SRG-OS-000064-GPOS-00033 SRG-OS-000392-GPOS-00172 SRG-OS-000458-GPOS-00203 The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. 
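The fchmod, lsetxattr, fremovexattr, lremovexattr and fsetxattr rules above all follow one pattern, and the note under each says a grouped rule is an equally valid way to satisfy them. A compliance check therefore has to accept either form: the standalone line the guide prints, or a combined rule whose comma-separated -S list contains the syscall. The following is an added example, not code from the SCAP Security Guide, that parses auditctl-style rule lines (the contents of /etc/audit/rules.d/*.rules, /etc/audit/audit.rules, or the output of auditctl -l), reports per-architecture coverage for a syscall, and emits the exact lines still missing. It mirrors the bash remediation's getconf LONG_BIT test rather than the Ansible arch-name regex, so 32-bit hosts need only the b32 rule. The sample rule set is constructed for this example; the equivalence of auid!=unset, auid!=-1 and auid!=4294967295 reflects how auditctl stores and prints the unset audit UID.

```python
"""Check perm_mod audit-rule coverage for a DAC-modification syscall.

Added example; not part of the SCAP Security Guide. The rule lines below are
constructed sample input, not a capture from a real host.
"""
import shlex

# auditctl accepts "unset" on input and prints the stored value back as -1
# (newer audit) or 4294967295 (older audit), so all three must be treated as
# the same filter when comparing loaded rules against the guide's text.
_UNSET_AUID = {"auid!=unset", "auid!=-1", "auid!=4294967295"}

KEY = "perm_mod"


def parse_rule(line):
    """Parse one '-a always,exit ...' syscall rule; return None for anything else."""
    text = line.split("#", 1)[0].strip()
    if not text.startswith("-a "):
        return None  # comments, -D, -b, -w file watches, blank lines
    tokens = shlex.split(text)
    rule = {"action": tokens[1], "arch": None, "syscalls": set(),
            "filters": set(), "key": None}
    i = 2
    while i < len(tokens) - 1:  # every auditctl option takes one value
        opt, val = tokens[i], tokens[i + 1]
        if opt == "-S":
            rule["syscalls"].update(val.split(","))  # grouped rules list many
        elif opt == "-F" and val.startswith("arch="):
            rule["arch"] = val[len("arch="):]
        elif opt == "-F" and val.startswith("key="):
            rule["key"] = val[len("key="):]
        elif opt == "-F":
            rule["filters"].add(val)
        elif opt == "-k":  # auditctl -l may print the key in this form
            rule["key"] = val
        i += 2
    return rule


def rule_covers(rule, syscall, arch):
    """True if this single rule logs `syscall` on `arch` with the guide's filters."""
    return (rule is not None
            and rule["action"] == "always,exit"
            and rule["arch"] == arch
            and (syscall in rule["syscalls"] or "all" in rule["syscalls"])
            and "auid>=1000" in rule["filters"]
            and bool(rule["filters"] & _UNSET_AUID)
            and rule["key"] == KEY)


def required_archs(long_bit=64):
    """Same decision as the bash remediation's getconf LONG_BIT test."""
    return ("b32",) if long_bit == 32 else ("b32", "b64")


def coverage(rule_lines, syscall, long_bit=64):
    """Map each required arch to whether any rule (standalone or grouped) covers it."""
    rules = [parse_rule(line) for line in rule_lines]
    return {arch: any(rule_covers(r, syscall, arch) for r in rules)
            for arch in required_archs(long_bit)}


def missing_rules(rule_lines, syscall, long_bit=64):
    """Return the guide-format lines that still need to be added."""
    return [f"-a always,exit -F arch={arch} -S {syscall} "
            f"-F auid>=1000 -F auid!=unset -F key={KEY}"
            for arch, ok in coverage(rule_lines, syscall, long_bit).items() if not ok]


# Constructed sample: a grouped perm_mod rule for b64 only, a standalone b32
# fchmod rule, and an unrelated file watch that the parser must ignore.
SAMPLE_RULES = """
## DAC modification, grouped (64-bit only)
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-w /etc/sudoers -p wa -k actions
""".splitlines()


if __name__ == "__main__":
    for name in ("fchmod", "lsetxattr", "fremovexattr", "lremovexattr", "fsetxattr"):
        print(name, coverage(SAMPLE_RULES, name), missing_rules(SAMPLE_RULES, name))
```

On the sample input fchmod is fully covered, while each of the four xattr syscalls is covered on b64 by the grouped rule and still needs its b32 line. Feed the function whichever source the active loader actually reads: the rules.d fragments when augenrules is in use, audit.rules when auditd starts auditctl directly, or auditctl -l to check what the kernel has loaded regardless of the files on disk.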
Identifiers: CCE-27389-6

Remediation (bash):

    # First perform the remediation of the syscall rule
    # Retrieve hardware architecture of the underlying system
    [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

    for ARCH in "${RULE_ARCHS[@]}"
    do
        PATTERN="-a always,exit -F arch=$ARCH -S fsetxattr.*"
        GROUP="perm_mod"
        FULL_RULE="-a always,exit -F arch=$ARCH -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    done

Remediation (Ansible):

    #
    # What architecture are we on?
    #
    - name: Set architecture for audit fsetxattr tasks
      set_fact:
        audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
      tags: [audit_rules_dac_modification_fsetxattr, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-27389-6, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.5.5, CJIS-5.4.1.1, DISA-STIG-RHEL-07-030450]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    #
    # Inserts/replaces the rule in /etc/audit/rules.d
    #
    - name: Search /etc/audit/rules.d for other DAC audit rules
      find:
        paths: "/etc/audit/rules.d"
        recurse: no
        contains: "-F key=perm_mod$"
        patterns: "*.rules"
      register: find_fsetxattr
      tags: [audit_rules_dac_modification_fsetxattr, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-27389-6, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.5.5, CJIS-5.4.1.1, DISA-STIG-RHEL-07-030450]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
      set_fact:
        all_files:
          - /etc/audit/rules.d/privileged.rules
      when: find_fsetxattr.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_dac_modification_fsetxattr, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-27389-6, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.5.5, CJIS-5.4.1.1, DISA-STIG-RHEL-07-030450]

    - name: Use matched file as the recipient for the rule
      set_fact:
        all_files:
          - "{{ find_fsetxattr.files | map(attribute='path') | list | first }}"
      when: find_fsetxattr.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_dac_modification_fsetxattr, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-27389-6, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.5.5, CJIS-5.4.1.1, DISA-STIG-RHEL-07-030450]

    - name: Inserts/replaces the fsetxattr rule in rules.d when on x86
      lineinfile:
        path: "{{ all_files[0] }}"
        line: "-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
        create: yes
      tags: [audit_rules_dac_modification_fsetxattr, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-27389-6, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.5.5, CJIS-5.4.1.1, DISA-STIG-RHEL-07-030450]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Inserts/replaces the fsetxattr rule in rules.d when on x86_64
      lineinfile:
        path: "{{ all_files[0] }}"
        line: "-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
        create: yes
      when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_dac_modification_fsetxattr, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-27389-6, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.5.5, CJIS-5.4.1.1, DISA-STIG-RHEL-07-030450]

    #
    # Inserts/replaces the rule in /etc/audit/audit.rules
    #
    - name: Inserts/replaces the fsetxattr rule in /etc/audit/audit.rules when on x86
      lineinfile:
        line: "-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
        state: present
        dest: /etc/audit/audit.rules
      tags: [audit_rules_dac_modification_fsetxattr, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-27389-6, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.5.5, CJIS-5.4.1.1, DISA-STIG-RHEL-07-030450]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Inserts/replaces the fsetxattr rule in audit.rules when on x86_64
      lineinfile:
        line: "-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
        state: present
        dest: /etc/audit/audit.rules
        create: yes
      when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_dac_modification_fsetxattr, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-27389-6, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.5.5, CJIS-5.4.1.1, DISA-STIG-RHEL-07-030450]

Record Events that Modify the System's Discretionary Access Controls - fchmodat

Description: At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

    -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

    -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
References: RHEL-07-030430 SV-86733r4_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000126 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.5.5 SRG-OS-000064-GPOS-00033 SRG-OS-000392-GPOS-00172 SRG-OS-000458-GPOS-00203

Rationale: The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
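The bash remediation for these DAC rules calls the guide's fix_audit_syscall_rule helper once for augenrules (a file under /etc/audit/rules.d) and once for auditctl (/etc/audit/audit.rules), and the rule text says that grouping the syscalls that share the perm_mod key is more efficient than one rule per syscall. The script below is an added example, not the SSG helper or any other SSG code: it shows the insert-or-merge behaviour that makes such a remediation idempotent, on a scratch copy of the audit configuration. AUDIT_ROOT, RULE_ARCHS, merge_syscall_rule, syscalls_for and remediate_syscall_rule are names introduced here, and the example assumes that a grouped rule keeps its whole -S list on one line, as the benchmark rule lines do.

```shell
#!/bin/bash
# Added example (not SSG code): stand-in for fix_audit_syscall_rule showing
# insert-or-merge semantics for "-a always,exit" syscall rules.
# Assumptions: one rule line per (arch, key); AUDIT_ROOT and RULE_ARCHS may
# be set by the caller so the demo never touches the real /etc/audit.

# Architecture list derived exactly as the guide does it: a 32-bit host
# gets b32 rules only, everything else gets both b32 and b64 rules.
default_archs() {
    if [ "$(getconf LONG_BIT 2>/dev/null)" = "32" ]; then
        echo "b32"
    else
        echo "b32 b64"
    fi
}

# merge_syscall_rule FILE ARCH SYSCALL KEY
# If FILE already has an "-a always,exit" rule for ARCH carrying -F key=KEY,
# SYSCALL is appended to that rule's -S list (unless already listed); this
# is the grouped form the rule text calls more efficient. Otherwise the
# benchmark's single-syscall line is appended. Re-running changes nothing.
merge_syscall_rule() {
    local file="$1" arch="$2" syscall="$3" key="$4"
    local new_rule="-a always,exit -F arch=$arch -S $syscall -F auid>=1000 -F auid!=unset -F key=$key"
    local tmp
    mkdir -p "$(dirname "$file")"
    touch "$file"
    tmp="$(mktemp)"
    awk -v arch="$arch" -v sc="$syscall" -v key="$key" -v rule="$new_rule" '
        function has_syscall(list,    n, i, parts) {
            n = split(list, parts, ",")
            for (i = 1; i <= n; i++) if (parts[i] == sc) return 1
            return 0
        }
        # first rule line for this arch and key: extend its -S list
        !merged && $1 == "-a" && index($0, "-F arch=" arch " ") && index($0, "-F key=" key) {
            for (i = 1; i <= NF; i++) if ($i == "-S") break
            if (i < NF) {
                if (!has_syscall($(i + 1))) $(i + 1) = $(i + 1) "," sc
                merged = 1
            }
        }
        { print }
        END { if (!merged) print rule }
    ' "$file" > "$tmp"
    mv "$tmp" "$file"
}

# syscalls_for FILE ARCH KEY: print the -S list of the matching rule (empty if none)
syscalls_for() {
    awk -v arch="$2" -v key="$3" '
        index($0, "-F arch=" arch " ") && index($0, "-F key=" key) {
            for (i = 1; i < NF; i++) if ($i == "-S") { print $(i + 1); exit }
        }' "$1"
}

# remediate_syscall_rule SYSCALL [KEY]: like the guide, update both the
# augenrules input (the rules.d file that already carries the key, else
# privileged.rules) and the auditctl input (audit.rules), for every arch.
remediate_syscall_rule() {
    local syscall="$1" key="${2:-perm_mod}"
    local root="${AUDIT_ROOT:-/etc/audit}"
    local archs="${RULE_ARCHS:-$(default_archs)}"
    local target arch
    target="$(grep -l -- "-F key=$key\$" "$root"/rules.d/*.rules 2>/dev/null | head -n 1)"
    [ -n "$target" ] || target="$root/rules.d/privileged.rules"
    for arch in $archs; do
        merge_syscall_rule "$target" "$arch" "$syscall" "$key"
        merge_syscall_rule "$root/audit.rules" "$arch" "$syscall" "$key"
    done
}

# Stand-alone demonstration in a scratch directory (never /etc/audit).
demo_dir="$(mktemp -d)"
AUDIT_ROOT="$demo_dir" RULE_ARCHS="b32 b64"
remediate_syscall_rule fsetxattr
remediate_syscall_rule fchmodat
remediate_syscall_rule fchmodat   # second run is a no-op
echo "== $demo_dir/rules.d/privileged.rules =="; cat "$demo_dir/rules.d/privileged.rules"
echo "== $demo_dir/audit.rules ==";              cat "$demo_dir/audit.rules"
rm -rf "$demo_dir"
unset AUDIT_ROOT RULE_ARCHS demo_dir
```

Pointed at a real host (AUDIT_ROOT unset, run as root) the same functions edit /etc/audit directly; as in the guide, the files are only inputs, so the rules are not live until `augenrules --load` or `auditctl -R /etc/audit/audit.rules` is run, or auditd is restarted.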
Identifiers: CCE-27388-8

Remediation (bash):

    # First perform the remediation of the syscall rule
    # Retrieve hardware architecture of the underlying system
    [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

    for ARCH in "${RULE_ARCHS[@]}"
    do
        PATTERN="-a always,exit -F arch=$ARCH -S fchmodat.*"
        GROUP="perm_mod"
        FULL_RULE="-a always,exit -F arch=$ARCH -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    done

Remediation (Ansible):

    #
    # What architecture are we on?
    #
    - name: Set architecture for audit fchmodat tasks
      set_fact:
        audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
      tags: [audit_rules_dac_modification_fchmodat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-27388-8, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.5.5, CJIS-5.4.1.1, DISA-STIG-RHEL-07-030430]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    #
    # Inserts/replaces the rule in /etc/audit/rules.d
    #
    - name: Search /etc/audit/rules.d for other DAC audit rules
      find:
        paths: "/etc/audit/rules.d"
        recurse: no
        contains: "-F key=perm_mod$"
        patterns: "*.rules"
      register: find_fchmodat
      tags: [audit_rules_dac_modification_fchmodat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-27388-8, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.5.5, CJIS-5.4.1.1, DISA-STIG-RHEL-07-030430]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
      set_fact:
        all_files:
          - /etc/audit/rules.d/privileged.rules
      when: find_fchmodat.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_dac_modification_fchmodat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-27388-8, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.5.5, CJIS-5.4.1.1, DISA-STIG-RHEL-07-030430]

    - name: Use matched file as the recipient for the rule
      set_fact:
        all_files:
          - "{{ find_fchmodat.files | map(attribute='path') | list | first }}"
      when: find_fchmodat.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_dac_modification_fchmodat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-27388-8, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.5.5, CJIS-5.4.1.1, DISA-STIG-RHEL-07-030430]

    - name: Inserts/replaces the fchmodat rule in rules.d when on x86
      lineinfile:
        path: "{{ all_files[0] }}"
        line: "-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod"
        create: yes
      tags: [audit_rules_dac_modification_fchmodat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-27388-8, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.5.5, CJIS-5.4.1.1, DISA-STIG-RHEL-07-030430]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Inserts/replaces the fchmodat rule in rules.d when on x86_64
      lineinfile:
        path: "{{ all_files[0] }}"
        line: "-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod"
        create: yes
      when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_dac_modification_fchmodat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-27388-8, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.5.5, CJIS-5.4.1.1, DISA-STIG-RHEL-07-030430]

    #
    # Inserts/replaces the rule in /etc/audit/audit.rules
    #
    - name: Inserts/replaces the fchmodat rule in /etc/audit/audit.rules when on x86
      lineinfile:
        line: "-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod"
        state: present
        dest: /etc/audit/audit.rules
      tags: [audit_rules_dac_modification_fchmodat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-27388-8, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.5.5, CJIS-5.4.1.1, DISA-STIG-RHEL-07-030430]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Inserts/replaces the fchmodat rule in audit.rules when on x86_64
      lineinfile:
        line: "-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod"
        state: present
        dest: /etc/audit/audit.rules
        create: yes
      when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_dac_modification_fchmodat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-27388-8, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.5.5, CJIS-5.4.1.1, DISA-STIG-RHEL-07-030430]

Record Execution Attempts to Run SELinux Privileged Commands

At a minimum, the audit system should collect the execution of SELinux privileged commands for all users and root.

Record Any Attempts to Run seunshare

Description: At a minimum, the audit system should collect any execution attempt of the seunshare command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

References: FAU_GEN.1.1.c

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Remediation (bash):

    PATTERN="-a always,exit -F path=/usr/sbin/seunshare\\s\\+.*"
    GROUP="privileged"
    # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
    ARCH=""
    FULL_RULE="-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation (Ansible):

    # Inserts/replaces the rule in /etc/audit/rules.d
    - name: Search /etc/audit/rules.d for audit rule entries
      find:
        paths: "/etc/audit/rules.d"
        recurse: no
        contains: "^.*path=/usr/sbin/seunshare.*$"
        patterns: "*.rules"
      register: find_seunshare
      tags: [audit_rules_execution_seunshare, medium_severity, restrict_strategy, low_complexity, low_disruption]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
      set_fact:
        all_files:
          - /etc/audit/rules.d/privileged.rules
      when: find_seunshare.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_execution_seunshare, medium_severity, restrict_strategy, low_complexity, low_disruption]

    - name: Use matched file as the recipient for the rule
      set_fact:
        all_files:
          - "{{ find_seunshare.files | map(attribute='path') | list | first }}"
      when: find_seunshare.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_execution_seunshare, medium_severity, restrict_strategy, low_complexity, low_disruption]

    - name: Inserts/replaces the seunshare rule in rules.d
      lineinfile:
        path: "{{ all_files[0] }}"
        line: '-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      tags: [audit_rules_execution_seunshare, medium_severity, restrict_strategy, low_complexity, low_disruption]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    # Inserts/replaces the seunshare rule in /etc/audit/audit.rules
    - name: Inserts/replaces the seunshare rule in audit.rules
      lineinfile:
        path: /etc/audit/audit.rules
        line: '-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      tags: [audit_rules_execution_seunshare, medium_severity, restrict_strategy, low_complexity, low_disruption]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Record Any Attempts to Run setfiles

Description: At a minimum, the audit system should collect any execution attempt of the setfiles command for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

References: RHEL-07-030590 SV-86765r5_rule CCI-000172 CCI-002884 SRG-OS-000392-GPOS-00172 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Identifiers: CCE-80660-4

Remediation (bash):

    PATTERN="-a always,exit -F path=/usr/sbin/setfiles\\s\\+.*"
    GROUP="privileged"
    # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
    ARCH=""
    FULL_RULE="-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation (Ansible):

    # Inserts/replaces the rule in /etc/audit/rules.d
    - name: Search /etc/audit/rules.d for audit rule entries
      find:
        paths: "/etc/audit/rules.d"
        recurse: no
        contains: "^.*path=/usr/sbin/setfiles.*$"
        patterns: "*.rules"
      register: find_setfiles
      tags: [audit_rules_execution_setfiles, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80660-4, DISA-STIG-RHEL-07-030590]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
      set_fact:
        all_files:
          - /etc/audit/rules.d/privileged.rules
      when: find_setfiles.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_execution_setfiles, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80660-4, DISA-STIG-RHEL-07-030590]

    - name: Use matched file as the recipient for the rule
      set_fact:
        all_files:
          - "{{ find_setfiles.files | map(attribute='path') | list | first }}"
      when: find_setfiles.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_execution_setfiles, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80660-4, DISA-STIG-RHEL-07-030590]

    - name: Inserts/replaces the setfiles rule in rules.d
      lineinfile:
        path: "{{ all_files[0] }}"
        line: '-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      tags: [audit_rules_execution_setfiles, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80660-4, DISA-STIG-RHEL-07-030590]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    # Inserts/replaces the setfiles rule in /etc/audit/audit.rules
    - name: Inserts/replaces the setfiles rule in audit.rules
      lineinfile:
        path: /etc/audit/audit.rules
        line: '-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      tags: [audit_rules_execution_setfiles, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80660-4, DISA-STIG-RHEL-07-030590]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Record Any Attempts to Run setsebool

Description: At a minimum, the audit system should collect any execution attempt of the setsebool command for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

References: RHEL-07-030570 SV-86761r4_rule 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 AU-12(c) DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.PT-1 FAU_GEN.1.1.c SRG-OS-000392-GPOS-00172 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Identifiers: CCE-80392-4

Remediation (bash):

    PATTERN="-a always,exit -F path=/usr/sbin/setsebool\\s\\+.*"
    GROUP="privileged"
    # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
    ARCH=""
    FULL_RULE="-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation (Ansible):

    # Inserts/replaces the rule in /etc/audit/rules.d
    - name: Search /etc/audit/rules.d for audit rule entries
      find:
        paths: "/etc/audit/rules.d"
        recurse: no
        contains: "^.*path=/usr/sbin/setsebool.*$"
        patterns: "*.rules"
      register: find_setsebool
      tags: [audit_rules_execution_setsebool, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80392-4, NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030570]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
      set_fact:
        all_files:
          - /etc/audit/rules.d/privileged.rules
      when: find_setsebool.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_execution_setsebool, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80392-4, NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030570]

    - name: Use matched file as the recipient for the rule
      set_fact:
        all_files:
          - "{{ find_setsebool.files | map(attribute='path') | list | first }}"
      when: find_setsebool.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_execution_setsebool, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80392-4, NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030570]

    - name: Inserts/replaces the setsebool rule in rules.d
      lineinfile:
        path: "{{ all_files[0] }}"
        line: '-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      tags: [audit_rules_execution_setsebool, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80392-4, NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030570]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    # Inserts/replaces the setsebool rule in /etc/audit/audit.rules
    - name: Inserts/replaces the setsebool rule in audit.rules
      lineinfile:
        path: /etc/audit/audit.rules
        line: '-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      tags: [audit_rules_execution_setsebool, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80392-4, NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030570]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Record Any Attempts to Run semanage

Description: At a minimum, the audit system should collect any execution attempt of the semanage command for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

References: RHEL-07-030560 SV-86759r4_rule 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 AU-12(c) DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.PT-1 FAU_GEN.1.1.c SRG-OS-000392-GPOS-00172 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Identifiers: CCE-80391-6

Remediation (bash):

    PATTERN="-a always,exit -F path=/usr/sbin/semanage\\s\\+.*"
    GROUP="privileged"
    # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
    ARCH=""
    FULL_RULE="-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation (Ansible):

    # Inserts/replaces the rule in /etc/audit/rules.d
    - name: Search /etc/audit/rules.d for audit rule entries
      find:
        paths: "/etc/audit/rules.d"
        recurse: no
        contains: "^.*path=/usr/sbin/semanage.*$"
        patterns: "*.rules"
      register: find_semanage
      tags: [audit_rules_execution_semanage, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80391-6, NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030560]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
      set_fact:
        all_files:
          - /etc/audit/rules.d/privileged.rules
      when: find_semanage.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_execution_semanage, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80391-6, NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030560]

    - name: Use matched file as the recipient for the rule
      set_fact:
        all_files:
          - "{{ find_semanage.files | map(attribute='path') | list | first }}"
      when: find_semanage.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_execution_semanage, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80391-6, NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030560]

    - name: Inserts/replaces the semanage rule in rules.d
      lineinfile:
        path: "{{ all_files[0] }}"
        line: '-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      tags: [audit_rules_execution_semanage, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80391-6, NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030560]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    # Inserts/replaces the semanage rule in /etc/audit/audit.rules
    - name: Inserts/replaces the semanage rule in audit.rules
      lineinfile:
        path: /etc/audit/audit.rules
        line: '-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      tags: [audit_rules_execution_semanage, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80391-6, NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030560]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Record Any Attempts to Run chcon

Description: At a minimum, the audit system should collect any execution attempt of the chcon command for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

Identifiers and references: CCE-80393-2; DISA STIG RHEL-07-030580 (SV-86763r4_rule); CIS Controls 1, 2, 3, 5, 6, 7, 8, 9, 12, 13, 14, 15, 16; COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST 800-171 3.1.7; CCI-000172, CCI-002884; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA-62443-2009 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 6.1, SR 6.2; ISO/IEC 27001:2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2; NIST 800-53 AU-12(c); NIST CSF DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1; Common Criteria FAU_GEN.1.1.c; SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209.

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Remediation shell script:

```bash
# fix_audit_syscall_rule is a helper from the SSG shared remediation functions; it is not defined in this snippet
PATTERN="-a always,exit -F path=/usr/bin/chcon\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
```

Remediation Ansible snippet (the tag list is identical on every task, so it is anchored once and reused):

```yaml
# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/bin/chcon.*$"
    patterns: "*.rules"
  register: find_chcon
  tags: &chcon_tags
    - audit_rules_execution_chcon
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80393-2
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030580
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_chcon.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: *chcon_tags

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_chcon.files | map(attribute='path') | list | first }}"
  when: find_chcon.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: *chcon_tags

- name: Inserts/replaces the chcon rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags: *chcon_tags
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the chcon rule in /etc/audit/audit.rules
- name: Inserts/replaces the chcon rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags: *chcon_tags
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Record Any Attempts to Run restorecon

At a minimum, the audit system should collect any execution attempt of the restorecon command for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

Identifiers and references: CCE-80394-0; CIS Controls 1, 2, 3, 5, 6, 7, 8, 9, 12, 13, 14, 15, 16; COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST 800-171 3.1.7; CCI-000172, CCI-002884; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA-62443-2009 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 6.1, SR 6.2; ISO/IEC 27001:2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2; NIST 800-53 AU-12(c); NIST CSF DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1; Common Criteria FAU_GEN.1.1.c; SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209.

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Remediation shell script:

```bash
# fix_audit_syscall_rule is a helper from the SSG shared remediation functions; it is not defined in this snippet
PATTERN="-a always,exit -F path=/usr/sbin/restorecon\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
```

Remediation Ansible snippet (the tag list is identical on every task, so it is anchored once and reused):

```yaml
# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/sbin/restorecon.*$"
    patterns: "*.rules"
  register: find_restorecon
  tags: &restorecon_tags
    - audit_rules_execution_restorecon
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80394-0
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_restorecon.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: *restorecon_tags

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_restorecon.files | map(attribute='path') | list | first }}"
  when: find_restorecon.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: *restorecon_tags

- name: Inserts/replaces the restorecon rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags: *restorecon_tags
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the restorecon rule in /etc/audit/audit.rules
- name: Inserts/replaces the restorecon rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags: *restorecon_tags
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Record File Deletion Events by User

At a minimum, the audit system should collect file deletion events for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:

    -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:

    -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete

Ensure auditd Collects File Deletion Events by User - rmdir

At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:

    -a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:

    -a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete

Identifiers and references: CCE-80412-0; DISA STIG RHEL-07-030900 (SV-86827r4_rule); CIS RHEL 7 Benchmark 5.2.14; CIS Controls 1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 16, 19; COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST 800-171 3.1.7; CCI-000366, CCI-000172, CCI-002884; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA-62443-2009 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2013 SR 1.13, SR 2.6, SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; ISO/IEC 27001:2013 A.6.2.1, A.6.2.2, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7; NIST 800-53 AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a); NIST CSF DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; Common Criteria FAU_GEN.1.1.c; PCI DSS Req-10.2.7; SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172.

Rationale: Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.

Remediation shell script:

```bash
# fix_audit_syscall_rule is a helper from the SSG shared remediation functions; it is not defined in this snippet
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S rmdir.*"
    GROUP="delete"
    FULL_RULE="-a always,exit -F arch=$ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
```

Remediation Ansible snippet. The b32 rule is written on every system and the b64 rule only when audit_arch is b64: a 64-bit kernel also services 32-bit syscalls, so both tables must be covered there, while a 32-bit system has no b64 table. The tag list is identical on every task, so it is anchored once and reused:

```yaml
#
# What architecture are we on?
#
- name: Set architecture for audit rmdir tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags: &rmdir_tags
    - audit_rules_file_deletion_events_rmdir
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80412-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-53-MA-4(1)(a)
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030900
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=delete$"
    patterns: "*.rules"
  register: find_rmdir
  tags: *rmdir_tags
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/delete.rules
  when: find_rmdir.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: *rmdir_tags

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_rmdir.files | map(attribute='path') | list | first }}"
  when: find_rmdir.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: *rmdir_tags

- name: Inserts/replaces the rmdir rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=unset -F key=delete"
    create: yes
  tags: *rmdir_tags
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the rmdir rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=unset -F key=delete"
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: *rmdir_tags

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the rmdir rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "-a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=unset -F key=delete"
    state: present
    dest: /etc/audit/audit.rules
  tags: *rmdir_tags
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the rmdir rule in audit.rules when on x86_64
  lineinfile:
    line: "-a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=unset -F key=delete"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: *rmdir_tags
```

Ensure auditd Collects File Deletion Events by User - unlinkat

At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:

    -a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:

    -a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

Identifiers and references: CCE-80662-0; DISA STIG RHEL-07-030920 (SV-86831r4_rule); CIS RHEL 7 Benchmark 5.2.14; CIS Controls 1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 16, 19; COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST 800-171 3.1.7; CCI-000366, CCI-000172, CCI-002884; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA-62443-2009 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2013 SR 1.13, SR 2.6, SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; ISO/IEC 27001:2013 A.6.2.1, A.6.2.2, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7; NIST 800-53 AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a); NIST CSF DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; Common Criteria FAU_GEN.1.1.c; PCI DSS Req-10.2.7; SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172.

Rationale: Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.

Remediation shell script:

```bash
# fix_audit_syscall_rule is a helper from the SSG shared remediation functions; it is not defined in this snippet
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S unlinkat.*"
    GROUP="delete"
    FULL_RULE="-a always,exit -F arch=$ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
```

Remediation Ansible snippet. As for rmdir, the b32 rule is written on every system and the b64 rule only when audit_arch is b64; the tag list is anchored once and reused:

```yaml
#
# What architecture are we on?
#
- name: Set architecture for audit unlinkat tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags: &unlinkat_tags
    - audit_rules_file_deletion_events_unlinkat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80662-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-53-MA-4(1)(a)
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030920
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=delete$"
    patterns: "*.rules"
  register: find_unlinkat
  tags: *unlinkat_tags
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/delete.rules
  when: find_unlinkat.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: *unlinkat_tags

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_unlinkat.files | map(attribute='path') | list | first }}"
  when: find_unlinkat.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: *unlinkat_tags

- name: Inserts/replaces the unlinkat rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete"
    create: yes
  tags: *unlinkat_tags
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the unlinkat rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete"
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: *unlinkat_tags

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the unlinkat rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete"
    state: present
    dest: /etc/audit/audit.rules
  tags: *unlinkat_tags
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the unlinkat rule in audit.rules when on x86_64
  lineinfile:
    line: "-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: *unlinkat_tags
```

Ensure auditd Collects File Deletion Events by User

At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:

    -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:

    -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete

This rule checks for multiple syscalls related to file deletion; it was written with the DISA STIG in mind. Other policies should use a separate rule for each syscall that needs to be checked, for example audit_rules_file_deletion_events_rmdir, audit_rules_file_deletion_events_unlink and audit_rules_file_deletion_events_unlinkat.

Identifiers and references: CCE-27206-2; CIS RHEL 7 Benchmark 5.2.14; CIS Controls 1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 16, 19; CJIS 5.4.1.1; COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST 800-171 3.1.7; CCI-000366, CCI-000172, CCI-002884; ISA-62443-2009 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2013 SR 1.13, SR 2.6, SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; ISO/IEC 27001:2013 A.6.2.1, A.6.2.2, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7; NIST 800-53 AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5; NIST CSF DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; Common Criteria FAU_GEN.1.1.c; PCI DSS Req-10.2.7.

Rationale: Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.
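The checks for the rules above have to accept every spelling auditctl treats as the same rule, otherwise a compliant host is reported as failing (or a non-compliant one as passing). As an added example that is not part of the SCAP Security Guide or of its OVAL checks, the Python below parses auditctl-style rule lines and reports which of the privileged-command execution rules (semanage, chcon, restorecon) and which of the file-deletion syscalls are not covered for real users, normalising -S a,b against -S a -S b, -k against -F key=, auid!=unset against auid!=-1 and auid!=4294967295, and "exit,always" against "always,exit". It also reads "-w PATH -p x" as equivalent to "-F path=PATH -F perm=x"; that equivalence is this example's assumption about how auditctl rewrites watch rules, not something the guide's checks rely on. The rule text in SAMPLE_RULES is constructed for the example, not taken from any system.

```python
"""Check auditd rule text for the execution watches (semanage, chcon, restorecon)
and the file-deletion syscall rules discussed on this page.
Added example, not SSG code; the rule text at the bottom is constructed."""
import re
import shlex
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

UNSET_AUID = {"unset", "-1", "4294967295"}           # spellings auditctl accepts for "no session"
FIELD_RE = re.compile(r"(\w+)(>=|<=|!=|=|>|<)(.*)")  # one "-F name<op>value" argument


@dataclass(frozen=True)
class Rule:
    action: str               # normalised, e.g. "always,exit"
    arch: Optional[str]       # "b32", "b64" or None
    syscalls: FrozenSet[str]  # empty for path-based rules
    path: Optional[str]
    perm: Optional[str]       # "x", "wa", ...
    auid_min: Optional[int]   # N from "-F auid>=N"
    no_unset_auid: bool       # "-F auid!=unset" (or -1 / 4294967295) present
    key: Optional[str]


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one auditctl-style line; None for blank, comment or non-rule lines.
    A "-w PATH -p PERMS" watch is read as the equivalent "-F path= -F perm=" rule
    (assumption: that is how auditctl rewrites watches internally)."""
    toks = shlex.split(line, comments=True)
    action = arch = path = perm = key = None
    syscalls, auid_min, no_unset = set(), None, False
    for flag, arg in zip(toks[::2], toks[1::2]):
        if flag == "-a":
            action = ",".join(sorted(arg.split(",")))  # "exit,always" == "always,exit"
        elif flag == "-w":
            action, path = "always,exit", arg
        elif flag == "-p":
            perm = arg
        elif flag == "-S":
            syscalls.update(arg.split(","))  # "-S a,b" and "-S a -S b" both land here
        elif flag == "-k":
            key = arg
        elif flag == "-F":
            m = FIELD_RE.fullmatch(arg)
            if not m:
                return None
            name, op, val = m.groups()
            if name == "arch":
                arch = val
            elif name == "path":
                path = val
            elif name == "perm":
                perm = val
            elif name == "key":
                key = val
            elif name == "auid" and op == ">=" and val.isdigit():
                auid_min = int(val)
            elif name == "auid" and op == "!=" and val in UNSET_AUID:
                no_unset = True
        else:
            return None  # -D, -b, -e, -f ... are control options, not rules
    if action is None:
        return None
    return Rule(action, arch, frozenset(syscalls), path, perm, auid_min, no_unset, key)


def _user_scoped(r: Rule) -> bool:
    """Fires on exit for real users: auid>=1000 (or lower) and unset auid excluded."""
    return (r.action == "always,exit" and r.auid_min is not None
            and r.auid_min <= 1000 and r.no_unset_auid)


def covers_exec(rules: List[Rule], binary: str) -> bool:
    """Some user-scoped rule records execution (perm contains x) of `binary`."""
    return any(_user_scoped(r) and r.path == binary and r.perm is not None and "x" in r.perm
               for r in rules)


def missing_syscalls(rules: List[Rule], arch: str, wanted: List[str]) -> List[str]:
    """Syscalls in `wanted` that no user-scoped syscall rule covers on `arch`."""
    covered = set()
    for r in rules:
        if _user_scoped(r) and r.arch == arch and r.path is None:
            covered |= r.syscalls
    return sorted(set(wanted) - covered)


PRIVILEGED = ["/usr/sbin/semanage", "/usr/bin/chcon", "/usr/sbin/restorecon"]
DELETE = ["rmdir", "unlink", "unlinkat", "rename", "renameat"]


def audit_gaps(rules_text: str, archs=("b32", "b64")) -> List[str]:
    """What `rules_text` lacks for the rules above, as 'exec:PATH' or 'ARCH:SYSCALL'."""
    rules = [r for r in map(parse_rule, rules_text.splitlines()) if r is not None]
    gaps = [f"exec:{b}" for b in PRIVILEGED if not covers_exec(rules, b)]
    for arch in archs:
        gaps += [f"{arch}:{s}" for s in missing_syscalls(rules, arch, DELETE)]
    return gaps


# Constructed sample of /etc/audit/rules.d/*.rules content (not from the guide):
# restorecon has no rule, and the b32 rename/renameat rule lacks "-F auid!=unset".
SAMPLE_RULES = """\
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-w /usr/bin/chcon -p x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=delete
-a always,exit -F arch=b32 -S rename,renameat -F auid>=1000 -F key=delete
"""

if __name__ == "__main__":
    for gap in audit_gaps(SAMPLE_RULES):
        print("missing:", gap)
```

Feed it the concatenation of /etc/audit/rules.d/*.rules (what augenrules loads) or the output of auditctl -l (what the kernel actually holds); the two can differ after a manual auditctl call, and the loaded set is the one that matters for detection. On a 32-bit system pass archs=("b32",) so no b64 gaps are reported.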
Identifiers: CCE-27206-2

Remediation Shell script:

    # Perform the remediation for the syscall rule
    # Retrieve hardware architecture of the underlying system
    [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

    for ARCH in "${RULE_ARCHS[@]}"
    do
        PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=1000 -F auid!=unset -k *"
        # Use escaped BRE regex to specify rule group
        GROUP="\(rmdir\|unlink\|rename\)"
        FULL_RULE="-a always,exit -F arch=$ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=unset -k delete"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    done

Ensure auditd Collects File Deletion Events by User - rename

Rule ID: audit_rules_file_deletion_events_rename

Description:
At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:

    -a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your system:

    -a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete

STIG: RHEL-07-030880 (SV-86823r4_rule)

References:
CIS: 5.2.14
CIS CSC: 1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 16, 19
COBIT 5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
NIST 800-171: 3.1.7
CCI: CCI-000366, CCI-000172, CCI-002884
HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
ISA-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
ISA-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
ISO 27001-2013: A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
NIST 800-53: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a)
NIST CSF: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
Common Criteria: FAU_GEN.1.1.c
PCI-DSS: Req-10.2.7
SRG: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172

Rationale:
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.

Identifiers: CCE-80995-4

Remediation Shell script:

    # First perform the remediation of the syscall rule
    # Retrieve hardware architecture of the underlying system
    [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

    for ARCH in "${RULE_ARCHS[@]}"
    do
        PATTERN="-a always,exit -F arch=$ARCH -S rename.*"
        GROUP="delete"
        FULL_RULE="-a always,exit -F arch=$ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    done

Remediation Ansible snippet:

    #
    # What architecture are we on?
    #
    - name: Set architecture for audit rename tasks
      set_fact:
        audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
      tags: [audit_rules_file_deletion_events_rename, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80995-4, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030880]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    #
    # Inserts/replaces the rule in /etc/audit/rules.d
    #
    - name: Search /etc/audit/rules.d for other DAC audit rules
      find:
        paths: "/etc/audit/rules.d"
        recurse: no
        contains: "-F key=delete$"
        patterns: "*.rules"
      register: find_rename
      tags: [audit_rules_file_deletion_events_rename, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80995-4, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030880]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as the recipient for the rule
      set_fact:
        all_files:
          - /etc/audit/rules.d/delete.rules
      when: find_rename.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_file_deletion_events_rename, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80995-4, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030880]

    - name: Use matched file as the recipient for the rule
      set_fact:
        all_files:
          - "{{ find_rename.files | map(attribute='path') | list | first }}"
      when: find_rename.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_file_deletion_events_rename, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80995-4, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030880]

    - name: Inserts/replaces the rename rule in rules.d when on x86
      lineinfile:
        path: "{{ all_files[0] }}"
        line: "-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -F key=delete"
        create: yes
      tags: [audit_rules_file_deletion_events_rename, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80995-4, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030880]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Inserts/replaces the rename rule in rules.d when on x86_64
      lineinfile:
        path: "{{ all_files[0] }}"
        line: "-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -F key=delete"
        create: yes
      when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_file_deletion_events_rename, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80995-4, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030880]

    #
    # Inserts/replaces the rule in /etc/audit/audit.rules
    #
    - name: Inserts/replaces the rename rule in /etc/audit/audit.rules when on x86
      lineinfile:
        line: "-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -F key=delete"
        state: present
        dest: /etc/audit/audit.rules
      tags: [audit_rules_file_deletion_events_rename, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80995-4, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030880]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Inserts/replaces the rename rule in audit.rules when on x86_64
      lineinfile:
        line: "-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -F key=delete"
        state: present
        dest: /etc/audit/audit.rules
        create: yes
      when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_file_deletion_events_rename, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80995-4, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030880]

Ensure auditd Collects File Deletion Events by User - renameat

Rule ID: audit_rules_file_deletion_events_renameat

Description:
At a minimum, the audit system should collect file deletion
events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:

    -a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your system:

    -a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete

STIG: RHEL-07-030890 (SV-86825r4_rule)

References:
CIS: 5.2.14
CIS CSC: 1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 16, 19
COBIT 5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
NIST 800-171: 3.1.7
CCI: CCI-000366, CCI-000172, CCI-002884
HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
ISA-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
ISA-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
ISO 27001-2013: A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
NIST 800-53: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a)
NIST CSF: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
Common Criteria: FAU_GEN.1.1.c
PCI-DSS: Req-10.2.7
SRG: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172

Rationale:
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.

Identifiers: CCE-80413-8

Remediation Shell script:

    # First perform the remediation of the syscall rule
    # Retrieve hardware architecture of the underlying system
    [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

    for ARCH in "${RULE_ARCHS[@]}"
    do
        PATTERN="-a always,exit -F arch=$ARCH -S renameat.*"
        GROUP="delete"
        FULL_RULE="-a always,exit -F arch=$ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    done

Remediation Ansible snippet:

    #
    # What architecture are we on?
    #
    - name: Set architecture for audit renameat tasks
      set_fact:
        audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
      tags: [audit_rules_file_deletion_events_renameat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80413-8, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030890]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    #
    # Inserts/replaces the rule in /etc/audit/rules.d
    #
    - name: Search /etc/audit/rules.d for other DAC audit rules
      find:
        paths: "/etc/audit/rules.d"
        recurse: no
        contains: "-F key=delete$"
        patterns: "*.rules"
      register: find_renameat
      tags: [audit_rules_file_deletion_events_renameat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80413-8, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030890]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as the recipient for the rule
      set_fact:
        all_files:
          - /etc/audit/rules.d/delete.rules
      when: find_renameat.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_file_deletion_events_renameat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80413-8, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030890]

    - name: Use matched file as the recipient for the rule
      set_fact:
        all_files:
          - "{{ find_renameat.files | map(attribute='path') | list | first }}"
      when: find_renameat.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_file_deletion_events_renameat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80413-8, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030890]

    - name: Inserts/replaces the renameat rule in rules.d when on x86
      lineinfile:
        path: "{{ all_files[0] }}"
        line: "-a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=unset -F key=delete"
        create: yes
      tags: [audit_rules_file_deletion_events_renameat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80413-8, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030890]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Inserts/replaces the renameat rule in rules.d when on x86_64
      lineinfile:
        path: "{{ all_files[0] }}"
        line: "-a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=unset -F key=delete"
        create: yes
      when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_file_deletion_events_renameat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80413-8, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030890]

    #
    # Inserts/replaces the rule in /etc/audit/audit.rules
    #
    - name: Inserts/replaces the renameat rule in /etc/audit/audit.rules when on x86
      lineinfile:
        line: "-a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=unset -F key=delete"
        state: present
        dest: /etc/audit/audit.rules
      tags: [audit_rules_file_deletion_events_renameat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80413-8, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030890]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Inserts/replaces the renameat rule in audit.rules when on x86_64
      lineinfile:
        line: "-a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=unset -F key=delete"
        state: present
        dest: /etc/audit/audit.rules
        create: yes
      when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_file_deletion_events_renameat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80413-8, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030890]

Ensure auditd Collects File Deletion Events by User - unlink

Rule ID: audit_rules_file_deletion_events_unlink

Description:
At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:

    -a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your system:

    -a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete

STIG: RHEL-07-030910 (SV-86829r4_rule)

References:
CIS: 5.2.14
CIS CSC: 1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 16, 19
COBIT 5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
NIST 800-171: 3.1.7
CCI: CCI-000366, CCI-000172, CCI-002884
HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
ISA-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
ISA-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
ISO 27001-2013: A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
NIST 800-53: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a)
NIST CSF: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
Common Criteria: FAU_GEN.1.1.c
PCI-DSS: Req-10.2.7
SRG: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172

Rationale:
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.

Identifiers: CCE-80996-2

Remediation Shell script:

    # First perform the remediation of the syscall rule
    # Retrieve hardware architecture of the underlying system
    [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

    for ARCH in "${RULE_ARCHS[@]}"
    do
        PATTERN="-a always,exit -F arch=$ARCH -S unlink.*"
        GROUP="delete"
        FULL_RULE="-a always,exit -F arch=$ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    done

Remediation Ansible snippet:

    #
    # What architecture are we on?
    #
    - name: Set architecture for audit unlink tasks
      set_fact:
        audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
      tags: [audit_rules_file_deletion_events_unlink, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80996-2, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030910]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    #
    # Inserts/replaces the rule in /etc/audit/rules.d
    #
    - name: Search /etc/audit/rules.d for other DAC audit rules
      find:
        paths: "/etc/audit/rules.d"
        recurse: no
        contains: "-F key=delete$"
        patterns: "*.rules"
      register: find_unlink
      tags: [audit_rules_file_deletion_events_unlink, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80996-2, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030910]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as the recipient for the rule
      set_fact:
        all_files:
          - /etc/audit/rules.d/delete.rules
      when: find_unlink.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_file_deletion_events_unlink, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80996-2, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030910]

    - name: Use matched file as the recipient for the rule
      set_fact:
        all_files:
          - "{{ find_unlink.files | map(attribute='path') | list | first }}"
      when: find_unlink.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_file_deletion_events_unlink, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80996-2, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030910]

    - name: Inserts/replaces the unlink rule in rules.d when on x86
      lineinfile:
        path: "{{ all_files[0] }}"
        line: "-a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=unset -F key=delete"
        create: yes
      tags: [audit_rules_file_deletion_events_unlink, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80996-2, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030910]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Inserts/replaces the unlink rule in rules.d when on x86_64
      lineinfile:
        path: "{{ all_files[0] }}"
        line: "-a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=unset -F key=delete"
        create: yes
      when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_file_deletion_events_unlink, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80996-2, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030910]

    #
    # Inserts/replaces the rule in /etc/audit/audit.rules
    #
    - name: Inserts/replaces the unlink rule in /etc/audit/audit.rules when on x86
      lineinfile:
        line: "-a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=unset -F key=delete"
        state: present
        dest: /etc/audit/audit.rules
      tags: [audit_rules_file_deletion_events_unlink, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80996-2, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030910]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Inserts/replaces the unlink rule in audit.rules when on x86_64
      lineinfile:
        line: "-a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=unset -F key=delete"
        state: present
        dest: /etc/audit/audit.rules
        create: yes
      when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_file_deletion_events_unlink, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80996-2, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030910]

Record Information on the Use of Privileged Commands

At a minimum, the audit system should collect the execution of privileged
commands for all users and root. Ensure auditd Collects Information on the Use of Privileged Commands - passwd At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged RHEL-07-030630 SV-86773r4_rule 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000135 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 AU-3(1) AU-12(c) DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.PT-1 FAU_GEN.1.1.c SRG-OS-000042-GPOS-00020 SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215 Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. 
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. CCE-80395-7 PATTERN="-a always,exit -F path=/usr/bin/passwd\\s\\+.*" GROUP="privileged" # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation ARCH="" FULL_RULE="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" # Inserts/replaces the rule in /etc/audit/rules.d - name: Search /etc/audit/rules.d for audit rule entries find: paths: "/etc/audit/rules.d" recurse: no contains: "^.*path=/usr/bin/passwd.*$" patterns: "*.rules" register: find_passwd tags: - audit_rules_privileged_commands_passwd - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80395-7 - NIST-800-53-AU-3(1) - NIST-800-53-AU-12(c) - NIST-800-171-3.1.7 - DISA-STIG-RHEL-07-030630 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules when: find_passwd.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_privileged_commands_passwd - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80395-7 - NIST-800-53-AU-3(1) - NIST-800-53-AU-12(c) - NIST-800-171-3.1.7 - DISA-STIG-RHEL-07-030630 - name: Use matched file as the recipient for the rule set_fact: all_files: - "{{ find_passwd.files | map(attribute='path') | list | 
first }}" when: find_passwd.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_privileged_commands_passwd - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80395-7 - NIST-800-53-AU-3(1) - NIST-800-53-AU-12(c) - NIST-800-171-3.1.7 - DISA-STIG-RHEL-07-030630 - name: Inserts/replaces the passwd rule in rules.d lineinfile: path: "{{ all_files[0] }}" line: '-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged' create: yes tags: - audit_rules_privileged_commands_passwd - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80395-7 - NIST-800-53-AU-3(1) - NIST-800-53-AU-12(c) - NIST-800-171-3.1.7 - DISA-STIG-RHEL-07-030630 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") # Inserts/replaces the passwd rule in /etc/audit/audit.rules - name: Inserts/replaces the passwd rule in audit.rules lineinfile: path: /etc/audit/audit.rules line: '-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged' create: yes tags: - audit_rules_privileged_commands_passwd - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80395-7 - NIST-800-53-AU-3(1) - NIST-800-53-AU-12(c) - NIST-800-171-3.1.7 - DISA-STIG-RHEL-07-030630 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Ensure auditd Collects Information on the Use of Privileged Commands - sudo At a minimum, the audit system should collect the execution of privileged commands for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

    -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Identifiers and References:
  DISA STIG ID: RHEL-07-030690 (rule SV-86785r4_rule)
  CIS CSC: 1, 2, 3, 5, 6, 7, 8, 9, 12, 13, 14, 15, 16
  COBIT 5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
  NIST SP 800-171: 3.1.7
  DISA CCI: CCI-000135, CCI-000172, CCI-002884
  HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
  ISA-62443-2-1:2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
  ISA-62443-3-3:2013: SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 6.1, SR 6.2
  ISO/IEC 27001:2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
  NIST SP 800-53: AU-3(1), AU-12(c)
  NIST CSF: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
  Common Criteria (OSPP): FAU_GEN.1.1.c
  DISA SRG: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
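The rationale above is about detection, and the key=privileged rules in this section only pay off if someone reads what they produce. The script below is an added example, not part of this guide or of the SCAP Security Guide project's own code: it reads raw auditd records, keeps the SYSCALL records these rules tag with key="privileged", and joins each one to the EXECVE record of the same event (same audit(timestamp:serial) id) so the report shows who ran which privileged command, as which effective user. The sample records are constructed for the example, not captured from a real host; on a live system you would point privileged_exec_report at /var/log/audit/audit.log, or use `ausearch -k privileged -i`, which performs the same join for you.

```shell
#!/bin/sh
# Added example (not SCAP Security Guide code): report who executed which
# privileged command, from raw auditd records produced by the key=privileged rules.

# Print one line per privileged-command execution found in the audit log $1.
# Each SYSCALL record carrying key="privileged" is joined to the EXECVE record
# of the same event (same "audit(timestamp:serial)" id) to recover the argv.
privileged_exec_report() {
    awk '
        # value of " key=..." in record rec; quoted values have the quotes stripped
        function fld(rec, key) {
            if (match(rec, " " key "=\"[^\"]*\""))
                return substr(rec, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
            if (match(rec, " " key "=[^ ]*"))
                return substr(rec, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
            return ""
        }
        # the audit(ts:serial) event id shared by all records of one event
        function event_id(rec) {
            match(rec, "audit\\([0-9.]+:[0-9]+\\)")
            return substr(rec, RSTART, RLENGTH)
        }
        # first pass over the file: remember each EXECVE argv by event id
        NR == FNR {
            if ($0 ~ /^type=EXECVE /) {
                n = fld($0, "argc") + 0
                argv = ""
                for (i = 0; i < n; i++) {
                    sep = (i > 0) ? " " : ""
                    argv = argv sep fld($0, "a" i)
                }
                args[event_id($0)] = argv
            }
            next
        }
        # second pass: emit the SYSCALL records that the privileged rules tagged
        /^type=SYSCALL / && fld($0, "key") == "privileged" {
            id = event_id($0)
            printf "%s auid=%s uid=%s euid=%s success=%s exe=%s argv=[%s]\n", id, fld($0, "auid"), fld($0, "uid"), fld($0, "euid"), fld($0, "success"), fld($0, "exe"), args[id]
        }
    ' "$1" "$1"
}

# Constructed sample records (not captured from a real host). Event 4501 is a
# user running "sudo -i", 4522 is another user running passwd, and 4530 is an
# unrelated event under a different key that must not appear in the report.
make_sample_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1560355800.123:4501): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2150 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" key="privileged"
type=EXECVE msg=audit(1560355800.123:4501): argc=2 a0="sudo" a1="-i"
type=SYSCALL msg=audit(1560355900.456:4522): arch=c000003e syscall=59 success=yes exit=0 ppid=2300 pid=2377 auid=1001 uid=1001 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="passwd" exe="/usr/bin/passwd" key="privileged"
type=EXECVE msg=audit(1560355900.456:4522): argc=1 a0="passwd"
type=SYSCALL msg=audit(1560355950.789:4530): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2160 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="delete"
EOF
}

# Usage on a live host: privileged_exec_report /var/log/audit/audit.log
```

The report keeps auid (the login identity, which survives sudo and su) separate from uid and euid, because the auid filter in the rule is what makes these events attributable to a person rather than to root; a record whose auid is unset would not have been generated at all. Note that EXECVE records hex-encode arguments containing spaces or non-printable bytes; the example prints them as stored, which is what ausearch -i would decode for you.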
CCE: CCE-80401-3

Remediation Shell script:

PATTERN="-a always,exit -F path=/usr/bin/sudo\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# (fix_audit_syscall_rule is the guide's shared bash remediation helper; its definition is not reproduced here)
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation Ansible snippet:

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/bin/sudo.*$"
    patterns: "*.rules"
  register: find_sudo
  tags: [audit_rules_privileged_commands_sudo, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80401-3, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030690]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_sudo.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_privileged_commands_sudo, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80401-3, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030690]

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_sudo.files | map(attribute='path') | list | first }}"
  when: find_sudo.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_privileged_commands_sudo, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80401-3, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030690]

- name: Inserts/replaces the sudo rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags: [audit_rules_privileged_commands_sudo, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80401-3, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030690]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the sudo rule in /etc/audit/audit.rules
- name: Inserts/replaces the sudo rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags: [audit_rules_privileged_commands_sudo, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80401-3, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030690]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl

At a minimum, the audit system should collect the execution of privileged commands for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

    -a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Identifiers and References:
  Common Criteria (OSPP): FAU_GEN.1.1.c

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Remediation Shell script:

PATTERN="-a always,exit -F path=/usr/sbin/usernetctl\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# (fix_audit_syscall_rule is the guide's shared bash remediation helper; its definition is not reproduced here)
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation Ansible snippet:

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/sbin/usernetctl.*$"
    patterns: "*.rules"
  register: find_usernetctl
  tags: [audit_rules_privileged_commands_usernetctl, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_usernetctl.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_privileged_commands_usernetctl, medium_severity, restrict_strategy, low_complexity, low_disruption]

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_usernetctl.files | map(attribute='path') | list | first }}"
  when: find_usernetctl.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_privileged_commands_usernetctl, medium_severity, restrict_strategy, low_complexity, low_disruption]

- name: Inserts/replaces the usernetctl rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags: [audit_rules_privileged_commands_usernetctl, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the usernetctl rule in /etc/audit/audit.rules
- name: Inserts/replaces the usernetctl rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags: [audit_rules_privileged_commands_usernetctl, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects Information on the Use of Privileged Commands - postdrop

At a minimum, the audit system should collect the execution of privileged commands for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

    -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Identifiers and References:
  DISA STIG ID: RHEL-07-030760 (rule SV-86799r4_rule)
  CIS CSC: 1, 2, 3, 5, 6, 7, 8, 9, 12, 13, 14, 15, 16
  COBIT 5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
  NIST SP 800-171: 3.1.7
  DISA CCI: CCI-000135, CCI-000172, CCI-002884
  HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
  ISA-62443-2-1:2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
  ISA-62443-3-3:2013: SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 6.1, SR 6.2
  ISO/IEC 27001:2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
  NIST SP 800-53: AU-3(1), AU-12(c)
  NIST CSF: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
  DISA SRG: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

CCE: CCE-80406-2

Remediation Shell script:

PATTERN="-a always,exit -F path=/usr/sbin/postdrop\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# (fix_audit_syscall_rule is the guide's shared bash remediation helper; its definition is not reproduced here)
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation Ansible snippet:

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/sbin/postdrop.*$"
    patterns: "*.rules"
  register: find_postdrop
  tags: [audit_rules_privileged_commands_postdrop, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80406-2, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030760]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_postdrop.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_privileged_commands_postdrop, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80406-2, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030760]

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_postdrop.files | map(attribute='path') | list | first }}"
  when: find_postdrop.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_privileged_commands_postdrop, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80406-2, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030760]

- name: Inserts/replaces the postdrop rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags: [audit_rules_privileged_commands_postdrop, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80406-2, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030760]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the postdrop rule in /etc/audit/audit.rules
- name: Inserts/replaces the postdrop rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags: [audit_rules_privileged_commands_postdrop, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80406-2, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030760]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects Information on the Use of Privileged Commands - chsh

At a minimum, the audit system should collect the execution of privileged commands for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

    -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Identifiers and References:
  DISA STIG ID: RHEL-07-030720 (rule SV-86791r4_rule)
  CIS CSC: 1, 2, 3, 5, 6, 7, 8, 9, 12, 13, 14, 15, 16
  COBIT 5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
  NIST SP 800-171: 3.1.7
  DISA CCI: CCI-000135, CCI-000172, CCI-002884
  HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
  ISA-62443-2-1:2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
  ISA-62443-3-3:2013: SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 6.1, SR 6.2
  ISO/IEC 27001:2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
  NIST SP 800-53: AU-3(1), AU-12(c)
  NIST CSF: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
  DISA SRG: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

CCE: CCE-80404-7

Remediation Shell script:

PATTERN="-a always,exit -F path=/usr/bin/chsh\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# (fix_audit_syscall_rule is the guide's shared bash remediation helper; its definition is not reproduced here)
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation Ansible snippet:

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/bin/chsh.*$"
    patterns: "*.rules"
  register: find_chsh
  tags: [audit_rules_privileged_commands_chsh, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80404-7, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030720]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_chsh.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_privileged_commands_chsh, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80404-7, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030720]

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_chsh.files | map(attribute='path') | list | first }}"
  when: find_chsh.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_privileged_commands_chsh, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80404-7, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030720]

- name: Inserts/replaces the chsh rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags: [audit_rules_privileged_commands_chsh, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80404-7, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030720]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the chsh rule in /etc/audit/audit.rules
- name: Inserts/replaces the chsh rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags: [audit_rules_privileged_commands_chsh, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80404-7, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030720]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap

At a minimum, the audit system should collect the execution of privileged commands for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

    -a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Identifiers and References:
  Common Criteria (OSPP): FAU_GEN.1.1.c

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Remediation Shell script:

PATTERN="-a always,exit -F path=/usr/bin/newgidmap\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# (fix_audit_syscall_rule is the guide's shared bash remediation helper; its definition is not reproduced here)
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation Ansible snippet:

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/bin/newgidmap.*$"
    patterns: "*.rules"
  register: find_newgidmap
  tags: [audit_rules_privileged_commands_newgidmap, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_newgidmap.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_privileged_commands_newgidmap, medium_severity, restrict_strategy, low_complexity, low_disruption]

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_newgidmap.files | map(attribute='path') | list | first }}"
  when: find_newgidmap.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_privileged_commands_newgidmap, medium_severity, restrict_strategy, low_complexity, low_disruption]

- name: Inserts/replaces the newgidmap rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags: [audit_rules_privileged_commands_newgidmap, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the newgidmap rule in /etc/audit/audit.rules
- name: Inserts/replaces the newgidmap rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags: [audit_rules_privileged_commands_newgidmap, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects Information on the Use of Privileged Commands - postqueue

At a minimum, the audit system should collect the execution of privileged commands for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

    -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Identifiers and References:
  DISA STIG ID: RHEL-07-030770 (rule SV-86801r3_rule)
  CIS CSC: 1, 2, 3, 5, 6, 7, 8, 9, 12, 13, 14, 15, 16
  COBIT 5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
  NIST SP 800-171: 3.1.7
  DISA CCI: CCI-000135, CCI-000172, CCI-002884
  HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
  ISA-62443-2-1:2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
  ISA-62443-3-3:2013: SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 6.1, SR 6.2
  ISO/IEC 27001:2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
  NIST SP 800-53: AU-3(1), AU-12(c)
  NIST CSF: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
  DISA SRG: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

CCE: CCE-80407-0

Remediation Shell script:

PATTERN="-a always,exit -F path=/usr/sbin/postqueue\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# (fix_audit_syscall_rule is the guide's shared bash remediation helper; its definition is not reproduced here)
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation Ansible snippet:

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/sbin/postqueue.*$"
    patterns: "*.rules"
  register: find_postqueue
  tags: [audit_rules_privileged_commands_postqueue, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80407-0, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030770]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_postqueue.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_privileged_commands_postqueue, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80407-0, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030770]

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_postqueue.files | map(attribute='path') | list | first }}"
  when: find_postqueue.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_privileged_commands_postqueue, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80407-0, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030770]

- name: Inserts/replaces the postqueue rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags: [audit_rules_privileged_commands_postqueue, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80407-0, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030770]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the postqueue rule in /etc/audit/audit.rules
- name: Inserts/replaces the postqueue rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags: [audit_rules_privileged_commands_postqueue, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80407-0, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030770]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects Information on the Use of Privileged Commands - chage

At a minimum, the audit system should collect the execution of privileged commands for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

    -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Identifiers and References:
  DISA STIG ID: RHEL-07-030660 (rule SV-86779r4_rule)
  CIS CSC: 1, 2, 3, 5, 6, 7, 8, 9, 12, 13, 14, 15, 16
  COBIT 5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
  NIST SP 800-171: 3.1.7
  DISA CCI: CCI-000135, CCI-000172, CCI-002884
  HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
  ISA-62443-2-1:2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
  ISA-62443-3-3:2013: SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 6.1, SR 6.2
  ISO/IEC 27001:2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
  NIST SP 800-53: AU-3(1), AU-12(c)
  NIST CSF: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
  DISA SRG: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
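The rules in this section (passwd, sudo, usernetctl, postdrop, chsh, newgidmap, postqueue and chage) differ only in the path, and the STIG's notion of "privileged command" is any setuid or setgid executable, so a practitioner usually wants to generate the rule for a list of binaries and then check which ones the running audit configuration still misses. The shell functions below are an added example, not the guide's remediation and not its fix_audit_syscall_rule helper: privileged_rule emits the rule line this section prescribes for one path; ensure_privileged_rule inserts or replaces that line idempotently in a rules.d file; uncovered_privileged reads a dump in `auditctl -l` format and reports the binaries that have no execution watch; find_privileged_binaries is the only function that touches the live host and is not called by the others. The sample dump is constructed for the example, not captured from a real system.

```shell
#!/bin/sh
# Added example (not SCAP Security Guide code): build, install and verify the
# "privileged command" audit rules this section prescribes, one binary at a time.

# Emit the rule line the guide prescribes for one privileged binary.
privileged_rule() {
    printf '%s\n' "-a always,exit -F path=$1 -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
}

# Idempotently place the rule for binary $2 in rules file $1: an existing rule
# for the same path is replaced in place, otherwise the rule is appended.
# Simplified stand-in for the guide's fix_audit_syscall_rule helper, not that helper.
ensure_privileged_rule() {
    file=$1
    bin=$2
    rule=$(privileged_rule "$bin")
    [ -f "$file" ] || : > "$file"
    if grep -q -F -- "-F path=$bin " "$file"; then
        tmp=$(mktemp)
        awk -v path="$bin" -v rule="$rule" \
            'index($0, "-F path=" path " ") { print rule; next } { print }' "$file" > "$tmp"
        cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf '%s\n' "$rule" >> "$file"
    fi
}

# Read a dump of loaded rules (auditctl -l format) on stdin; print each binary
# named as an argument that has no execution watch. Only path and perm=x are
# matched, because auditctl -l normalises the other fields (it adds -S all and
# may render auid!=unset as a number), so a full-line comparison would miss hits.
uncovered_privileged() {
    dump=$(cat)
    for bin in "$@"; do
        printf '%s\n' "$dump" | grep -q -F -- "-F path=$bin -F perm=x" || printf '%s\n' "$bin"
    done
}

# Candidate list on a live host: setuid/setgid executables on local filesystems.
# Not called by the functions above; run it as root to get a complete list.
find_privileged_binaries() {
    find / -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Constructed auditctl -l output (not captured from a real host): only sudo is covered.
sample_loaded_rules() {
    printf '%s\n' \
        '-a always,exit -S all -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged' \
        '-w /etc/passwd -p wa -k identity'
}

# Usage on a live host, as root:
#   for b in $(find_privileged_binaries); do ensure_privileged_rule /etc/audit/rules.d/privileged.rules "$b"; done
#   augenrules --load
#   auditctl -l | uncovered_privileged $(find_privileged_binaries)
```

Rules written to /etc/audit/rules.d only take effect after `augenrules --load` (or an auditd restart), which is why the coverage check reads `auditctl -l` rather than the files: it tells you what the kernel is actually enforcing. Keep the file-based and the loaded views in agreement, because the scanner's OVAL check looks at the files while an attacker only cares about the loaded rules.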
Identifiers: CCE-80398-1

Remediation Shell script:

```bash
# fix_audit_syscall_rule is a shared helper from the guide's remediation functions library (not defined in this snippet)
PATTERN="-a always,exit -F path=/usr/bin/chage\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
```

Remediation Ansible snippet:

```yaml
# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/bin/chage.*$"
    patterns: "*.rules"
  register: find_chage
  tags:
    - audit_rules_privileged_commands_chage
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80398-1
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030660
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_chage.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_chage
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80398-1
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030660

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_chage.files | map(attribute='path') | list | first }}"
  when: find_chage.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_chage
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80398-1
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030660

- name: Inserts/replaces the chage rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_chage
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80398-1
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030660
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the chage rule in /etc/audit/audit.rules
- name: Inserts/replaces the chage rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_chage
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80398-1
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030660
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Ensure auditd Collects Information on the Use of Privileged Commands - userhelper

At a minimum, the audit system should collect the execution of privileged commands for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

```
-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
```

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

```
-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
```

References: RHEL-07-030670, SV-86781r4_rule, 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-3(1), AU-12(c), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Identifiers: CCE-80399-9

Remediation Shell script:

```bash
# fix_audit_syscall_rule is a shared helper from the guide's remediation functions library (not defined in this snippet)
PATTERN="-a always,exit -F path=/usr/sbin/userhelper\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
```

Remediation Ansible snippet:

```yaml
# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/sbin/userhelper.*$"
    patterns: "*.rules"
  register: find_userhelper
  tags:
    - audit_rules_privileged_commands_userhelper
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80399-9
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030670
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_userhelper.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_userhelper
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80399-9
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030670

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_userhelper.files | map(attribute='path') | list | first }}"
  when: find_userhelper.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_userhelper
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80399-9
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030670

- name: Inserts/replaces the userhelper rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_userhelper
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80399-9
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030670
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the userhelper rule in /etc/audit/audit.rules
- name: Inserts/replaces the userhelper rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_userhelper
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80399-9
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030670
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Ensure auditd Collects Information on the Use of Privileged Commands - at

At a minimum, the audit system should collect the execution of privileged commands for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

```
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
```

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

```
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
```

References: FAU_GEN.1.1.c

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Remediation Shell script:

```bash
# fix_audit_syscall_rule is a shared helper from the guide's remediation functions library (not defined in this snippet)
PATTERN="-a always,exit -F path=/usr/bin/at\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
```

Remediation Ansible snippet:

```yaml
# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/bin/at.*$"
    patterns: "*.rules"
  register: find_at
  tags:
    - audit_rules_privileged_commands_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_at.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_at.files | map(attribute='path') | list | first }}"
  when: find_at.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Inserts/replaces the at rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the at rule in /etc/audit/audit.rules
- name: Inserts/replaces the at rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check

At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

```
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
```

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

```
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
```

References: RHEL-07-030810, SV-86809r4_rule, 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-3(1), AU-12(c), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Identifiers: CCE-80411-2

Remediation Shell script:

```bash
# fix_audit_syscall_rule is a shared helper from the guide's remediation functions library (not defined in this snippet)
PATTERN="-a always,exit -F path=/usr/sbin/pam_timestamp_check\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
```

Remediation Ansible snippet:

```yaml
# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/sbin/pam_timestamp_check.*$"
    patterns: "*.rules"
  register: find_pam_timestamp_check
  tags:
    - audit_rules_privileged_commands_pam_timestamp_check
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80411-2
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030810
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_pam_timestamp_check.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_pam_timestamp_check
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80411-2
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030810

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_pam_timestamp_check.files | map(attribute='path') | list | first }}"
  when: find_pam_timestamp_check.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_pam_timestamp_check
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80411-2
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030810

- name: Inserts/replaces the pam_timestamp_check rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_pam_timestamp_check
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80411-2
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030810
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the pam_timestamp_check rule in /etc/audit/audit.rules
- name: Inserts/replaces the pam_timestamp_check rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_pam_timestamp_check
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80411-2
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030810
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Ensure auditd Collects Information on the Use of Privileged Commands - crontab

At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

```
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
```

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

```
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
```

References: RHEL-07-030800, SV-86807r3_rule, 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-3(1), AU-12(c), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Identifiers: CCE-80410-4

Remediation Shell script:

```bash
# fix_audit_syscall_rule is a shared helper from the guide's remediation functions library (not defined in this snippet)
PATTERN="-a always,exit -F path=/usr/bin/crontab\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
```

Remediation Ansible snippet:

```yaml
# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/bin/crontab.*$"
    patterns: "*.rules"
  register: find_crontab
  tags:
    - audit_rules_privileged_commands_crontab
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80410-4
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030800
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_crontab.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_crontab
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80410-4
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030800

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_crontab.files | map(attribute='path') | list | first }}"
  when: find_crontab.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_crontab
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80410-4
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030800

- name: Inserts/replaces the crontab rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_crontab
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80410-4
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030800
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the crontab rule in /etc/audit/audit.rules
- name: Inserts/replaces the crontab rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_crontab
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80410-4
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030800
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Ensure auditd Collects Information on the Use of Privileged Commands - umount

At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

```
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
```

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

```
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
```

References: RHEL-07-030750, SV-86797r5_rule, 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-3(1), AU-12(c), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability.
As such, motivation exists to monitor these programs for unusual activity.

Identifiers: CCE-80405-4

Remediation Shell script:

```bash
# fix_audit_syscall_rule is a shared helper from the guide's remediation functions library (not defined in this snippet)
PATTERN="-a always,exit -F path=/usr/bin/umount\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
```

Remediation Ansible snippet:

```yaml
# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/bin/umount.*$"
    patterns: "*.rules"
  register: find_umount
  tags:
    - audit_rules_privileged_commands_umount
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80405-4
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030750
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_umount.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_umount
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80405-4
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030750

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_umount.files | map(attribute='path') | list | first }}"
  when: find_umount.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_umount
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80405-4
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030750

- name: Inserts/replaces the umount rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_umount
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80405-4
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030750
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the umount rule in /etc/audit/audit.rules
- name: Inserts/replaces the umount rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_umount
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80405-4
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030750
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd

At a minimum, the audit system should collect the execution of privileged commands for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

```
-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
```

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

```
-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
```

References: RHEL-07-030640, SV-86775r5_rule, 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-3(1), AU-12(c), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Identifiers: CCE-80396-5

Remediation Shell script:

```bash
# fix_audit_syscall_rule is a shared helper from the guide's remediation functions library (not defined in this snippet)
PATTERN="-a always,exit -F path=/usr/sbin/unix_chkpwd\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
```

Remediation Ansible snippet:

```yaml
# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/sbin/unix_chkpwd.*$"
    patterns: "*.rules"
  register: find_unix_chkpwd
  tags:
    - audit_rules_privileged_commands_unix_chkpwd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80396-5
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030640
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_unix_chkpwd.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_unix_chkpwd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80396-5
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030640

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_unix_chkpwd.files | map(attribute='path') | list | first }}"
  when: find_unix_chkpwd.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_unix_chkpwd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80396-5
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030640

- name: Inserts/replaces the unix_chkpwd rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_unix_chkpwd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80396-5
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030640
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the unix_chkpwd rule in /etc/audit/audit.rules
- name: Inserts/replaces the unix_chkpwd rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_unix_chkpwd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80396-5
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030640
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown

At a minimum, the audit system should collect the execution of privileged commands for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

    -a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Identifiers: CCE-80409-6
References:
  CIS Controls: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
  COBIT 5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
  NIST 800-171: 3.1.7
  DISA CCI: CCI-000135, CCI-000172, CCI-002884
  ISA-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
  ISA-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
  ISO/IEC 27001:2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
  NIST 800-53: AU-3(1), AU-12(c)
  NIST CSF: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
  SRG: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Remediation (bash):

    PATTERN="-a always,exit -F path=/usr/libexec/pt_chown\\s\\+.*"
    GROUP="privileged"
    # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
    ARCH=""
    FULL_RULE="-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation (Ansible):

    # Inserts/replaces the rule in /etc/audit/rules.d
    - name: Search /etc/audit/rules.d for audit rule entries
      find:
        paths: "/etc/audit/rules.d"
        recurse: no
        contains: "^.*path=/usr/libexec/pt_chown.*$"
        patterns: "*.rules"
      register: find_pt_chown
      tags: [audit_rules_privileged_commands_pt_chown, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80409-6, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
      set_fact:
        all_files:
          - /etc/audit/rules.d/privileged.rules
      when: find_pt_chown.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_privileged_commands_pt_chown, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80409-6, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7]

    - name: Use matched file as the recipient for the rule
      set_fact:
        all_files:
          - "{{ find_pt_chown.files | map(attribute='path') | list | first }}"
      when: find_pt_chown.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_privileged_commands_pt_chown, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80409-6, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7]

    - name: Inserts/replaces the pt_chown rule in rules.d
      lineinfile:
        path: "{{ all_files[0] }}"
        line: '-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      tags: [audit_rules_privileged_commands_pt_chown, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80409-6, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    # Inserts/replaces the pt_chown rule in /etc/audit/audit.rules
    - name: Inserts/replaces the pt_chown rule in audit.rules
      lineinfile:
        path: /etc/audit/audit.rules
        line: '-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      tags: [audit_rules_privileged_commands_pt_chown, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80409-6, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign

At a minimum, the audit system should collect the execution of privileged commands for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

    -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Identifiers: CCE-80408-8
DISA STIG ID: RHEL-07-030780 (rule SV-86803r3_rule)
References:
  CIS Controls: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
  COBIT 5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
  NIST 800-171: 3.1.7
  DISA CCI: CCI-000135, CCI-000172, CCI-002884
  HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
  ISA-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
  ISA-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
  ISO/IEC 27001:2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
  NIST 800-53: AU-3(1), AU-12(c)
  NIST CSF: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
  OSPP: FAU_GEN.1.1.c
  SRG: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Remediation (bash):

    PATTERN="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign\\s\\+.*"
    GROUP="privileged"
    # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
    ARCH=""
    FULL_RULE="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation (Ansible):

    # Inserts/replaces the rule in /etc/audit/rules.d
    - name: Search /etc/audit/rules.d for audit rule entries
      find:
        paths: "/etc/audit/rules.d"
        recurse: no
        contains: "^.*path=/usr/libexec/openssh/ssh-keysign.*$"
        patterns: "*.rules"
      register: find_ssh_keysign
      tags: [audit_rules_privileged_commands_ssh_keysign, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80408-8, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030780]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
      set_fact:
        all_files:
          - /etc/audit/rules.d/privileged.rules
      when: find_ssh_keysign.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_privileged_commands_ssh_keysign, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80408-8, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030780]

    - name: Use matched file as the recipient for the rule
      set_fact:
        all_files:
          - "{{ find_ssh_keysign.files | map(attribute='path') | list | first }}"
      when: find_ssh_keysign.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_privileged_commands_ssh_keysign, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80408-8, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030780]

    - name: Inserts/replaces the ssh_keysign rule in rules.d
      lineinfile:
        path: "{{ all_files[0] }}"
        line: '-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      tags: [audit_rules_privileged_commands_ssh_keysign, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80408-8, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030780]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    # Inserts/replaces the ssh_keysign rule in /etc/audit/audit.rules
    - name: Inserts/replaces the ssh_keysign rule in audit.rules
      lineinfile:
        path: /etc/audit/audit.rules
        line: '-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      tags: [audit_rules_privileged_commands_ssh_keysign, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80408-8, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030780]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit

At a minimum, the audit system should collect the execution of privileged commands for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

    -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Identifiers: CCE-80402-1
DISA STIG ID: RHEL-07-030730
References:
  CIS Controls: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
  COBIT 5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
  NIST 800-171: 3.1.7
  DISA CCI: CCI-000135, CCI-000172, CCI-002884
  HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
  ISA-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
  ISA-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
  ISO/IEC 27001:2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
  NIST 800-53: AU-3(1), AU-12(c)
  NIST CSF: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
  OSPP: FAU_GEN.1.1.c
  SRG: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Remediation (bash):

    PATTERN="-a always,exit -F path=/usr/bin/sudoedit\\s\\+.*"
    GROUP="privileged"
    # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
    ARCH=""
    FULL_RULE="-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation (Ansible):

    # Inserts/replaces the rule in /etc/audit/rules.d
    - name: Search /etc/audit/rules.d for audit rule entries
      find:
        paths: "/etc/audit/rules.d"
        recurse: no
        contains: "^.*path=/usr/bin/sudoedit.*$"
        patterns: "*.rules"
      register: find_sudoedit
      tags: [audit_rules_privileged_commands_sudoedit, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80402-1, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030730]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
      set_fact:
        all_files:
          - /etc/audit/rules.d/privileged.rules
      when: find_sudoedit.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_privileged_commands_sudoedit, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80402-1, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030730]

    - name: Use matched file as the recipient for the rule
      set_fact:
        all_files:
          - "{{ find_sudoedit.files | map(attribute='path') | list | first }}"
      when: find_sudoedit.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_privileged_commands_sudoedit, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80402-1, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030730]

    - name: Inserts/replaces the sudoedit rule in rules.d
      lineinfile:
        path: "{{ all_files[0] }}"
        line: '-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      tags: [audit_rules_privileged_commands_sudoedit, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80402-1, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030730]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    # Inserts/replaces the sudoedit rule in /etc/audit/audit.rules
    - name: Inserts/replaces the sudoedit rule in audit.rules
      lineinfile:
        path: /etc/audit/audit.rules
        line: '-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      tags: [audit_rules_privileged_commands_sudoedit, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80402-1, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030730]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects Information on the Use of Privileged Commands - mount

At a minimum, the audit system should collect the execution of privileged commands for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

    -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

References:
  OSPP: FAU_GEN.1.1.c

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Remediation (bash):

    PATTERN="-a always,exit -F path=/usr/bin/mount\\s\\+.*"
    GROUP="privileged"
    # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
    ARCH=""
    FULL_RULE="-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation (Ansible):

    # Inserts/replaces the rule in /etc/audit/rules.d
    - name: Search /etc/audit/rules.d for audit rule entries
      find:
        paths: "/etc/audit/rules.d"
        recurse: no
        contains: "^.*path=/usr/bin/mount.*$"
        patterns: "*.rules"
      register: find_mount
      tags: [audit_rules_privileged_commands_mount, medium_severity, restrict_strategy, low_complexity, low_disruption]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
      set_fact:
        all_files:
          - /etc/audit/rules.d/privileged.rules
      when: find_mount.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_privileged_commands_mount, medium_severity, restrict_strategy, low_complexity, low_disruption]

    - name: Use matched file as the recipient for the rule
      set_fact:
        all_files:
          - "{{ find_mount.files | map(attribute='path') | list | first }}"
      when: find_mount.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_privileged_commands_mount, medium_severity, restrict_strategy, low_complexity, low_disruption]

    - name: Inserts/replaces the mount rule in rules.d
      lineinfile:
        path: "{{ all_files[0] }}"
        line: '-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      tags: [audit_rules_privileged_commands_mount, medium_severity, restrict_strategy, low_complexity, low_disruption]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    # Inserts/replaces the mount rule in /etc/audit/audit.rules
    - name: Inserts/replaces the mount rule in audit.rules
      lineinfile:
        path: /etc/audit/audit.rules
        line: '-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      tags: [audit_rules_privileged_commands_mount, medium_severity, restrict_strategy, low_complexity, low_disruption]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap

At a minimum, the audit system should collect the execution of privileged commands for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

    -a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

References:
  OSPP: FAU_GEN.1.1.c

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Remediation (bash):

    PATTERN="-a always,exit -F path=/usr/bin/newuidmap\\s\\+.*"
    GROUP="privileged"
    # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
    ARCH=""
    FULL_RULE="-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation (Ansible):

    # Inserts/replaces the rule in /etc/audit/rules.d
    - name: Search /etc/audit/rules.d for audit rule entries
      find:
        paths: "/etc/audit/rules.d"
        recurse: no
        contains: "^.*path=/usr/bin/newuidmap.*$"
        patterns: "*.rules"
      register: find_newuidmap
      tags: [audit_rules_privileged_commands_newuidmap, medium_severity, restrict_strategy, low_complexity, low_disruption]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
      set_fact:
        all_files:
          - /etc/audit/rules.d/privileged.rules
      when: find_newuidmap.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_privileged_commands_newuidmap, medium_severity, restrict_strategy, low_complexity, low_disruption]

    - name: Use matched file as the recipient for the rule
      set_fact:
        all_files:
          - "{{ find_newuidmap.files | map(attribute='path') | list | first }}"
      when: find_newuidmap.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_privileged_commands_newuidmap, medium_severity, restrict_strategy, low_complexity, low_disruption]

    - name: Inserts/replaces the newuidmap rule in rules.d
      lineinfile:
        path: "{{ all_files[0] }}"
        line: '-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      tags: [audit_rules_privileged_commands_newuidmap, medium_severity, restrict_strategy, low_complexity, low_disruption]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    # Inserts/replaces the newuidmap rule in /etc/audit/audit.rules
    - name: Inserts/replaces the newuidmap rule in audit.rules
      lineinfile:
        path: /etc/audit/audit.rules
        line: '-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      tags: [audit_rules_privileged_commands_newuidmap, medium_severity, restrict_strategy, low_complexity, low_disruption]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd

At a minimum, the audit system should collect the execution of privileged commands for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

    -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Identifiers: CCE-80397-3
DISA STIG ID: RHEL-07-030650 (rule SV-86777r4_rule)
References:
  CIS Controls: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
  COBIT 5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
  NIST 800-171: 3.1.7
  DISA CCI: CCI-000135, CCI-000172, CCI-002884
  HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
  ISA-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
  ISA-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
  ISO/IEC 27001:2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
  NIST 800-53: AU-3(1), AU-12(c)
  NIST CSF: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
  OSPP: FAU_GEN.1.1.c
  SRG: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Remediation (bash):

    PATTERN="-a always,exit -F path=/usr/bin/gpasswd\\s\\+.*"
    GROUP="privileged"
    # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
    ARCH=""
    FULL_RULE="-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation (Ansible):

    # Inserts/replaces the rule in /etc/audit/rules.d
    - name: Search /etc/audit/rules.d for audit rule entries
      find:
        paths: "/etc/audit/rules.d"
        recurse: no
        contains: "^.*path=/usr/bin/gpasswd.*$"
        patterns: "*.rules"
      register: find_gpasswd
      tags: [audit_rules_privileged_commands_gpasswd, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80397-3, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030650]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
      set_fact:
        all_files:
          - /etc/audit/rules.d/privileged.rules
      when: find_gpasswd.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_privileged_commands_gpasswd, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80397-3, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030650]

    - name: Use matched file as the recipient for the rule
      set_fact:
        all_files:
          - "{{ find_gpasswd.files | map(attribute='path') | list | first }}"
      when: find_gpasswd.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_privileged_commands_gpasswd, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80397-3, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030650]

    - name: Inserts/replaces the gpasswd rule in rules.d
      lineinfile:
        path: "{{ all_files[0] }}"
        line: '-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      tags: [audit_rules_privileged_commands_gpasswd, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80397-3, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030650]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    # Inserts/replaces the gpasswd rule in /etc/audit/audit.rules
    - name: Inserts/replaces the gpasswd rule in audit.rules
      lineinfile:
        path: /etc/audit/audit.rules
        line: '-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      tags: [audit_rules_privileged_commands_gpasswd, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80397-3, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030650]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects Information on the Use of Privileged Commands

At a minimum, the audit system should collect the execution of privileged commands for all users and root.
To find the relevant setuid / setgid programs, run the following command for each local partition PART: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged This rule checks for multiple syscalls related to privileged commands; it was written with DISA STIG in mind. Other policies should use a separate rule for each syscall that needs to be checked. 
For example: audit_rules_privileged_commands_suaudit_rules_privileged_commands_umountaudit_rules_privileged_commands_passwd RHEL-07-030360 SV-86719r6_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO08.04 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.05 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-002234 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.5 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.3.4.5.9 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 3.9 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.1 A.16.1.2 A.16.1.3 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.3 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-2(4) AU-6(9) AU-12(a) AU-12(c) IR-5 DE.AE-2 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 DE.DP-4 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 RS.CO-2 Req-10.2.2 SRG-OS-000327-GPOS-00127 Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. 
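An added example for the procedure above (not SSG's own remediation or check code): a POSIX shell script that turns the find output into one privileged rule per program, skips programs that already have a rule, and reports programs that are still unaudited. The helper names and the paths used in the demo fixture are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the SCAP Security Guide: build the per-program
# "privileged" audit rules from a list of setuid/setgid binaries, adding
# only the rules that are missing, and audit an existing rules file.

# Print the rule line the guide prescribes for one program path.
privileged_rule_for() {
    printf '%s -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n' \
        '-a always,exit' "$1"
}

# Succeed if rules file $2 already carries a rule for program $1.
# The trailing space after the path keeps /usr/bin/su from matching
# the /usr/bin/sudo rule (a prefix match would).
has_privileged_rule() {
    [ -f "$2" ] && grep -qF -e "-F path=$1 " "$2"
}

# Read program paths from stdin, append a rule to file $1 for each one
# that has none yet, and print how many rules were added (idempotent).
add_missing_privileged_rules() {
    rules_file=$1
    added=0
    while IFS= read -r prog; do
        [ -n "$prog" ] || continue
        if ! has_privileged_rule "$prog" "$rules_file"; then
            privileged_rule_for "$prog" >> "$rules_file"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Read program paths from stdin and print those with no rule in file $1;
# exit status is 0 only when every program is covered.
report_unaudited_programs() {
    missing=0
    while IFS= read -r prog; do
        [ -n "$prog" ] || continue
        if ! has_privileged_rule "$prog" "$1"; then
            echo "$prog"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# The guide's discovery command for one local partition, one path per line.
list_setuid_programs() {
    find "$1" -xdev \( -type f -perm -4000 -o -type f -perm -2000 \) 2>/dev/null
}

# Demo on a constructed fixture in a temporary directory (never /etc/audit).
# On a real host the equivalent pipeline would be:
#   list_setuid_programs / | add_missing_privileged_rules /etc/audit/rules.d/privileged.rules
demo_privileged_rules() {
    tmp=$(mktemp -d)
    rules="$tmp/privileged.rules"
    privileged_rule_for /usr/bin/su > "$rules"          # constructed pre-existing rule
    printf '%s\n' /usr/bin/su /usr/bin/sudo /usr/bin/gpasswd \
        | add_missing_privileged_rules "$rules"         # prints 2 (su already covered)
    printf '%s\n' /usr/bin/su /usr/bin/chsh \
        | report_unaudited_programs "$rules" || echo "(programs above lack a rule)"
    cat "$rules"
    rm -rf "$tmp"
}

demo_privileged_rules
```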
Identifiers: CCE-27437-3

Remediation Shell script:

    # perform_audit_rules_privileged_commands_remediation comes from SSG's shared bash remediation function library
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    perform_audit_rules_privileged_commands_remediation "auditctl" "1000"
    perform_audit_rules_privileged_commands_remediation "augenrules" "1000"

Remediation Ansible snippet:

    - name: Search for privileged commands
      shell: "find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null | cat"
      check_mode: no
      register: find_result
      tags:
        - audit_rules_privileged_commands
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27437-3
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-2(a)
        - NIST-800-53-AU-2(c)
        - NIST-800-53-AU-2(d)
        - NIST-800-53-AU-2(4)
        - NIST-800-53-AU-6(9)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.2
        - CJIS-5.4.1.1
        - DISA-STIG-RHEL-07-030360
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    # Inserts/replaces the rule in /etc/audit/rules.d
    - name: Search /etc/audit/rules.d for audit rule entries
      find:
        paths: "/etc/audit/rules.d"
        recurse: no
        contains: "^.*path={{ item }} .*$"
        patterns: "*.rules"
      with_items:
        - "{{ find_result.stdout_lines }}"
      register: files_result
      tags:
        - audit_rules_privileged_commands
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27437-3
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-2(a)
        - NIST-800-53-AU-2(c)
        - NIST-800-53-AU-2(d)
        - NIST-800-53-AU-2(4)
        - NIST-800-53-AU-6(9)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.2
        - CJIS-5.4.1.1
        - DISA-STIG-RHEL-07-030360
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Overwrites the rule in rules.d
      lineinfile:
        path: "{{ item.1.path }}"
        line: '-a always,exit -F path={{ item.0.item }} -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: no
        regexp: "^.*path={{ item.0.item }} .*$"
      with_subelements:
        - "{{ files_result.results }}"
        - files
      tags:
        - audit_rules_privileged_commands
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27437-3
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-2(a)
        - NIST-800-53-AU-2(c)
        - NIST-800-53-AU-2(d)
        - NIST-800-53-AU-2(4)
        - NIST-800-53-AU-6(9)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.2
        - CJIS-5.4.1.1
        - DISA-STIG-RHEL-07-030360
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Adds the rule in rules.d
      lineinfile:
        path: /etc/audit/rules.d/privileged.rules
        line: '-a always,exit -F path={{ item.item }} -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      with_items:
        - "{{ files_result.results }}"
      when: item.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - audit_rules_privileged_commands
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27437-3
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-2(a)
        - NIST-800-53-AU-2(c)
        - NIST-800-53-AU-2(d)
        - NIST-800-53-AU-2(4)
        - NIST-800-53-AU-6(9)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.2
        - CJIS-5.4.1.1
        - DISA-STIG-RHEL-07-030360

    # Adds/overwrites the rule in /etc/audit/audit.rules
    - name: Inserts/replaces the rule in audit.rules
      lineinfile:
        path: /etc/audit/audit.rules
        line: '-a always,exit -F path={{ item.item }} -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
        regexp: "^.*path={{ item.item }} .*$"
      with_items:
        - "{{ files_result.results }}"
      tags:
        - audit_rules_privileged_commands
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27437-3
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-2(a)
        - NIST-800-53-AU-2(c)
        - NIST-800-53-AU-2(d)
        - NIST-800-53-AU-2(4)
        - NIST-800-53-AU-6(9)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.2
        - CJIS-5.4.1.1
        - DISA-STIG-RHEL-07-030360
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects Information on the Use of Privileged Commands - su

At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

    -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

References: RHEL-07-030680 SV-86783r5_rule 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000135 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 AU-3(1) AU-12(c) DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.PT-1 FAU_GEN.1.1.c SRG-OS-000042-GPOS-00020 SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Identifiers: CCE-80400-5

Remediation Shell script:

    PATTERN="-a always,exit -F path=/usr/bin/su\\s\\+.*"
    GROUP="privileged"
    # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
    ARCH=""
    FULL_RULE="-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
    # fix_audit_syscall_rule comes from SSG's shared bash remediation function library
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation Ansible snippet:

    # Inserts/replaces the rule in /etc/audit/rules.d
    - name: Search /etc/audit/rules.d for audit rule entries
      find:
        paths: "/etc/audit/rules.d"
        recurse: no
        contains: "^.*path=/usr/bin/su.*$"
        patterns: "*.rules"
      register: find_su
      tags:
        - audit_rules_privileged_commands_su
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80400-5
        - NIST-800-53-AU-3(1)
        - NIST-800-53-AU-12(c)
        - NIST-800-171-3.1.7
        - DISA-STIG-RHEL-07-030680
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
      set_fact:
        all_files:
          - /etc/audit/rules.d/privileged.rules
      when: find_su.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - audit_rules_privileged_commands_su
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80400-5
        - NIST-800-53-AU-3(1)
        - NIST-800-53-AU-12(c)
        - NIST-800-171-3.1.7
        - DISA-STIG-RHEL-07-030680

    - name: Use matched file as the recipient for the rule
      set_fact:
        all_files:
          - "{{ find_su.files | map(attribute='path') | list | first }}"
      when: find_su.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - audit_rules_privileged_commands_su
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80400-5
        - NIST-800-53-AU-3(1)
        - NIST-800-53-AU-12(c)
        - NIST-800-171-3.1.7
        - DISA-STIG-RHEL-07-030680

    - name: Inserts/replaces the su rule in rules.d
      lineinfile:
        path: "{{ all_files[0] }}"
        line: '-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      tags:
        - audit_rules_privileged_commands_su
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80400-5
        - NIST-800-53-AU-3(1)
        - NIST-800-53-AU-12(c)
        - NIST-800-171-3.1.7
        - DISA-STIG-RHEL-07-030680
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    # Inserts/replaces the su rule in /etc/audit/audit.rules
    - name: Inserts/replaces the su rule in audit.rules
      lineinfile:
        path: /etc/audit/audit.rules
        line: '-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      tags:
        - audit_rules_privileged_commands_su
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80400-5
        - NIST-800-53-AU-3(1)
        - NIST-800-53-AU-12(c)
        - NIST-800-171-3.1.7
        - DISA-STIG-RHEL-07-030680
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects Information on the Use of Privileged Commands - newgrp

At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

    -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

References: RHEL-07-030710 SV-86789r4_rule 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000135 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 AU-3(1) AU-12(c) DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.PT-1 FAU_GEN.1.1.c SRG-OS-000042-GPOS-00020 SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Identifiers: CCE-80403-9

Remediation Shell script:

    PATTERN="-a always,exit -F path=/usr/bin/newgrp\\s\\+.*"
    GROUP="privileged"
    # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
    ARCH=""
    FULL_RULE="-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation Ansible snippet:

    # Inserts/replaces the rule in /etc/audit/rules.d
    - name: Search /etc/audit/rules.d for audit rule entries
      find:
        paths: "/etc/audit/rules.d"
        recurse: no
        contains: "^.*path=/usr/bin/newgrp.*$"
        patterns: "*.rules"
      register: find_newgrp
      tags:
        - audit_rules_privileged_commands_newgrp
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80403-9
        - NIST-800-53-AU-3(1)
        - NIST-800-53-AU-12(c)
        - NIST-800-171-3.1.7
        - DISA-STIG-RHEL-07-030710
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
      set_fact:
        all_files:
          - /etc/audit/rules.d/privileged.rules
      when: find_newgrp.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - audit_rules_privileged_commands_newgrp
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80403-9
        - NIST-800-53-AU-3(1)
        - NIST-800-53-AU-12(c)
        - NIST-800-171-3.1.7
        - DISA-STIG-RHEL-07-030710

    - name: Use matched file as the recipient for the rule
      set_fact:
        all_files:
          - "{{ find_newgrp.files | map(attribute='path') | list | first }}"
      when: find_newgrp.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - audit_rules_privileged_commands_newgrp
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80403-9
        - NIST-800-53-AU-3(1)
        - NIST-800-53-AU-12(c)
        - NIST-800-171-3.1.7
        - DISA-STIG-RHEL-07-030710

    - name: Inserts/replaces the newgrp rule in rules.d
      lineinfile:
        path: "{{ all_files[0] }}"
        line: '-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      tags:
        - audit_rules_privileged_commands_newgrp
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80403-9
        - NIST-800-53-AU-3(1)
        - NIST-800-53-AU-12(c)
        - NIST-800-171-3.1.7
        - DISA-STIG-RHEL-07-030710
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    # Inserts/replaces the newgrp rule in /etc/audit/audit.rules
    - name: Inserts/replaces the newgrp rule in audit.rules
      lineinfile:
        path: /etc/audit/audit.rules
        line: '-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      tags:
        - audit_rules_privileged_commands_newgrp
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80403-9
        - NIST-800-53-AU-3(1)
        - NIST-800-53-AU-12(c)
        - NIST-800-171-3.1.7
        - DISA-STIG-RHEL-07-030710
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Record Unauthorized Access Attempts Events to Files (unsuccessful)

At a minimum, the audit system should collect unauthorized file accesses for all users and root. Note that the "-F arch=b32" lines should be present even on a 64 bit system. These commands identify system calls for auditing. Even if the system is 64 bit it can still execute 32 bit system calls. Additionally, these rules can be configured in a number of ways while still achieving the desired effect. An example of this is that the "-S" calls could be split up and placed on separate lines; however, this is less efficient. Add the following to /etc/audit/audit.rules:

    -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If your system is 64 bit then these lines should be duplicated and the arch=b32 replaced with arch=b64 as follows:

    -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Record Unsuccessful Delete Attempts to Files - renameat

The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.

    -a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
    -a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

If the system is 64 bit then also add the following lines:

    -a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
    -a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

    -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete

References: 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172

Rationale: Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
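An added example (not SSG's own remediation) for the renameat rules above and the note on grouping: a POSIX shell checker that treats a syscall as covered whether it stands alone in -S or inside a grouped list such as unlink,unlinkat,rename,renameat, and then appends only the arch/errno combinations that are still missing. Function names and the demo fixture are constructed for this example; the older auid!=4294967295 spelling of auid!=unset is accepted as equivalent.

```shell
#!/bin/sh
# Added example, not part of the SCAP Security Guide: verify and complete
# the "unsuccessful" syscall rules for one syscall across b32/b64 and
# EACCES/EPERM, recognising both split and grouped -S lists.

# Print one rule line in the form the guide uses: $1 key, $2 syscall list,
# $3 arch (b32/b64), $4 errno name (EACCES/EPERM).
unsuccessful_rule() {
    printf '%s -F arch=%s -S %s -F exit=-%s -F auid>=1000 -F auid!=unset -F key=%s\n' \
        '-a always,exit' "$3" "$2" "$4" "$1"
}

# Succeed if rules file $1 has an "-a always,exit" rule with -F arch=$3,
# syscall $2 somewhere in its -S list(s), -F exit=-$4 and the two auid filters.
rule_covers() {
    [ -f "$1" ] || return 1
    awk -v sc="$2" -v arch="$3" -v err="$4" '
        /^-a[ \t]+always,exit/ {
            ok_arch = 0; ok_sc = 0; ok_err = 0; ok_auid = 0; ok_unset = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-F" && $(i+1) == "arch=" arch) ok_arch = 1
                if ($i == "-F" && $(i+1) == "exit=-" err) ok_err = 1
                if ($i == "-F" && $(i+1) == "auid>=1000") ok_auid = 1
                # auid!=4294967295 is the pre-"unset" spelling of the same filter
                if ($i == "-F" && ($(i+1) == "auid!=unset" || $(i+1) == "auid!=4294967295")) ok_unset = 1
                if ($i == "-S") {            # -S may carry a comma-separated group
                    n = split($(i+1), list, ",")
                    for (j = 1; j <= n; j++) if (list[j] == sc) ok_sc = 1
                }
            }
            if (ok_arch && ok_sc && ok_err && ok_auid && ok_unset) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Print every "arch errno" pair for which file $1 lacks a rule covering
# syscall $2, over the archs in $3; exit 0 only when nothing is missing.
missing_coverage() {
    rc=0
    for arch in $3; do
        for err in EACCES EPERM; do
            if ! rule_covers "$1" "$2" "$arch" "$err"; then
                echo "$arch $err"
                rc=1
            fi
        done
    done
    return $rc
}

# Append to file $1 (key $2, syscall $3, archs $4) only the rules still
# missing, and print how many were added. Idempotent on a second run.
add_missing_unsuccessful_rules() {
    added=0
    for arch in $4; do
        for err in EACCES EPERM; do
            if ! rule_covers "$1" "$3" "$arch" "$err"; then
                unsuccessful_rule "$2" "$3" "$arch" "$err" >> "$1"
                added=$((added + 1))
            fi
        done
    done
    echo "$added"
}

# The arch list the guide calls for on this host: b32 only on a 32 bit
# system, b32 and b64 on a 64 bit one.
host_archs() {
    if [ "$(getconf LONG_BIT)" = "32" ]; then echo "b32"; else echo "b32 b64"; fi
}

# Demo on a constructed fixture (never /etc/audit): renameat is already
# covered for b32/EACCES by a grouped rule, nothing else is present.
demo_renameat() {
    tmp=$(mktemp -d)
    rules="$tmp/access.rules"
    unsuccessful_rule unsuccessful-delete unlink,unlinkat,rename,renameat b32 EACCES > "$rules"
    echo "missing before:"; missing_coverage "$rules" renameat "b32 b64" || true
    add_missing_unsuccessful_rules "$rules" unsuccessful-delete renameat "b32 b64"  # prints 3
    echo "missing after:"; missing_coverage "$rules" renameat "b32 b64" && echo "none"
    cat "$rules"
    rm -rf "$tmp"
}

demo_renameat
```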
# First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S renameat -F exit=-EACCES.*" GROUP="access" FULL_RULE="-a always,exit -F arch=$ARCH -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S renameat -F exit=-EPERM.*" GROUP="access" FULL_RULE="-a always,exit -F arch=$ARCH -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done # # What architecture are we on? 
# - name: Set architecture for audit renameat tasks set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" tags: - audit_rules_unsuccessful_file_modification_renameat - medium_severity - restrict_strategy - low_complexity - low_disruption - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.4 - PCI-DSS-Req-10.2.1 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") # # Inserts/replaces the rule in /etc/audit/rules.d # - name: Search /etc/audit/rules.d for other DAC audit rules find: paths: "/etc/audit/rules.d" recurse: no contains: "-F key=perm_mod$" patterns: "*.rules" register: find_renameat tags: - audit_rules_unsuccessful_file_modification_renameat - medium_severity - restrict_strategy - low_complexity - low_disruption - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.4 - PCI-DSS-Req-10.2.1 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/access.rules when: find_renameat.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_unsuccessful_file_modification_renameat - medium_severity - restrict_strategy - low_complexity - low_disruption - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - 
NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.4 - PCI-DSS-Req-10.2.1 - name: Use matched file as the recipient for the rule set_fact: all_files: - "{{ find_renameat.files | map(attribute='path') | list | first }}" when: find_renameat.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_unsuccessful_file_modification_renameat - medium_severity - restrict_strategy - low_complexity - low_disruption - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.4 - PCI-DSS-Req-10.2.1 - name: Inserts/replaces the renameat rule in rules.d when on x86 lineinfile: path: "{{ all_files[0] }}" line: "{{ item }}" create: yes with_items: - "-a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" - "-a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" tags: - audit_rules_unsuccessful_file_modification_renameat - medium_severity - restrict_strategy - low_complexity - low_disruption - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.4 - PCI-DSS-Req-10.2.1 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Inserts/replaces the renameat rule in rules.d when on x86_64 lineinfile: path: "{{ all_files[0] }}" line: "{{ item }}" create: yes with_items: - "-a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" - "-a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or 
ansible_virtualization_type != "docker") tags: - audit_rules_unsuccessful_file_modification_renameat - medium_severity - restrict_strategy - low_complexity - low_disruption - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.4 - PCI-DSS-Req-10.2.1 # # Inserts/replaces the rule in /etc/audit/audit.rules # - name: Inserts/replaces the renameat rule in /etc/audit/audit.rules when on x86 lineinfile: line: "{{ item }}" state: present dest: /etc/audit/audit.rules with_items: - "-a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" - "-a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" tags: - audit_rules_unsuccessful_file_modification_renameat - medium_severity - restrict_strategy - low_complexity - low_disruption - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.4 - PCI-DSS-Req-10.2.1 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Inserts/replaces the renameat rule in audit.rules when on x86_64 lineinfile: line: "{{ item }}" state: present dest: /etc/audit/audit.rules create: yes with_items: - "-a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" - "-a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_unsuccessful_file_modification_renameat - medium_severity - restrict_strategy - low_complexity - low_disruption - NIST-800-53-AC-17(7) 
- NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.4 - PCI-DSS-Req-10.2.1 Record Unauthorized Creation Attempts to Files - open_by_handle_at O_CREAT The audit system should collect unauthorized file accesses for all users and root. The open_by_handle_at syscall can be used to create new files when O_CREAT flag is specified. The following auidt rules will asure that unsuccessful attempts to create a file via open_by_handle_at syscall are collected. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. 
See the following example: -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172 Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. Record Unauthorized Modification Attempts to Files - open O_TRUNC The audit system should collect detailed unauthorized file accesses for all users and root. The open syscall can be used to modify files if called for write operation of with O_TRUNC flag. The following auidt rules will asure that unsuccessful attempts to modify a file via open syscall are collected. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S open -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b32 -S open -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b64 -S open -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. 
See the following example:

```
# openat(2) and open_by_handle_at(2) take their flags in a2, but open(2) takes them in a1,
# so open needs its own rule even when the other two are grouped
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
```

References: CIS 5.2.10; CIS CSC 1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 16, 19; COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST 800-171 3.1.7; CCI-000172, CCI-002884; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA-62443-2009 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2013 SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; ISO 27001-2013 A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; NIST 800-53 AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5; NIST CSF DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; OSPP FAU_GEN.1.1.c; PCI-DSS Req-10.2.4, Req-10.2.1; DISA SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172.

Rationale: Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Record Unsuccessful Ownership Changes to Files - fchownat

The audit system should collect unsuccessful file ownership change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:
```
-a always,exit -F arch=b32 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
```

If the system is 64 bit then also add the following lines:

```
-a always,exit -F arch=b64 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
```

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

```
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
```

Rationale: Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
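The rationale says the collected events are evidence to be examined; the following Python triage script is an added example, not part of the SCAP Security Guide, showing what the SYSCALL records tagged by these rules look like in a raw audit.log and how to count them per login user. The log lines are constructed here to mimic auditd's raw format (field values are illustrative), and the syscall-number table covers only x86_64.

```python
"""Triage raw audit.log SYSCALL records produced by the unsuccessful-change rules.

Added example, not SCAP Security Guide code. SAMPLE_LOG is constructed to mimic
auditd's raw record format for the key this section's rules set.
"""
import re
from collections import Counter

# exit= values for the two errnos the rules filter on (-F exit=-EACCES / -F exit=-EPERM)
EXIT_NAMES = {"-13": "EACCES", "-1": "EPERM"}
# AUDIT_ARCH_X86_64 as it appears in the arch= field, and the x86_64 numbers of the
# ownership/permission syscalls this section audits
ARCH_X86_64 = "c000003e"
SYSCALL_NAMES_X86_64 = {"90": "chmod", "91": "fchmod", "92": "chown", "93": "fchown",
                        "94": "lchown", "197": "removexattr", "260": "fchownat",
                        "268": "fchmodat"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: three failed fchownat calls by auid 1000, one failed fchmodat by
# auid 1001, a PATH record, and a successful chmod tagged by a different rule's key.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1560355838.101:2001): arch=c000003e syscall=260 success=no exit=-13 a0=ffffff9c a1=7ffd4a2c1e40 a2=0 a3=0 items=1 ppid=4100 pid=4123 auid=1000 uid=1000 comm="chown" exe="/usr/bin/chown" key="unsuccesful-perm-change"
type=PATH msg=audit(1560355838.101:2001): item=0 name="/etc/passwd" inode=131 dev=fd:00 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1560355838.102:2002): arch=c000003e syscall=260 success=no exit=-13 a0=ffffff9c a1=7ffd4a2c1e40 a2=0 a3=0 items=1 ppid=4100 pid=4124 auid=1000 uid=1000 comm="chown" exe="/usr/bin/chown" key="unsuccesful-perm-change"
type=SYSCALL msg=audit(1560355838.103:2003): arch=c000003e syscall=260 success=no exit=-13 a0=ffffff9c a1=7ffd4a2c1e40 a2=0 a3=0 items=1 ppid=4100 pid=4125 auid=1000 uid=1000 comm="chown" exe="/usr/bin/chown" key="unsuccesful-perm-change"
type=SYSCALL msg=audit(1560355838.104:2004): arch=c000003e syscall=268 success=no exit=-1 a0=ffffff9c a1=7ffe1b0c2f10 a2=1ed a3=0 items=1 ppid=5200 pid=5201 auid=1001 uid=1001 comm="chmod" exe="/usr/bin/chmod" key="unsuccesful-perm-change"
type=SYSCALL msg=audit(1560355838.105:2005): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=7ffe1b0c2f10 a2=1ed a3=0 items=1 ppid=5200 pid=5202 auid=1001 uid=1001 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"
"""


def parse_record(line):
    """Split one raw audit record into a dict of its key=value fields (quotes removed)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def syscall_name(rec):
    """Name the syscall in a SYSCALL record; unknown numbers or arches stay numeric."""
    if rec.get("arch") == ARCH_X86_64 and rec.get("syscall") in SYSCALL_NAMES_X86_64:
        return SYSCALL_NAMES_X86_64[rec["syscall"]]
    return "syscall_%s@%s" % (rec.get("syscall", "?"), rec.get("arch", "?"))


def failed_changes(log_text, keys=("unsuccesful-perm-change",)):
    """Yield (auid, syscall, errno, exe) for each failed SYSCALL record tagged with one of keys."""
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("success") != "no":
            continue  # PATH/CWD records and successful calls are not what these rules collect
        if rec.get("key") not in keys:
            continue  # tagged by some other rule (perm_mod in the sample)
        errno = EXIT_NAMES.get(rec.get("exit"), "exit=" + rec.get("exit", "?"))
        yield rec.get("auid"), syscall_name(rec), errno, rec.get("exe")


def summarize(log_text, keys=("unsuccesful-perm-change",)):
    """Count failures per (auid, syscall, errno, exe); a burst from one auid is the triage lead."""
    return Counter(failed_changes(log_text, keys))


if __name__ == "__main__":
    for (auid, call, errno, exe), n in summarize(SAMPLE_LOG).most_common():
        print("auid=%s %s %s via %s: %d failed attempt(s)" % (auid, call, errno, exe, n))
```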
Remediation Shell script:

```bash
# fix_audit_syscall_rule is defined in the SCAP Security Guide's shared bash
# remediation functions (not shown here) and is prepended to this snippet when built.

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S fchownat -F exit=-EACCES.*"
	GROUP="access"
	FULL_RULE="-a always,exit -F arch=$ARCH -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S fchownat -F exit=-EPERM.*"
	GROUP="access"
	FULL_RULE="-a always,exit -F arch=$ARCH -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
```

Remediation Ansible snippet:

```yaml
#
# What architecture are we on?
#
- name: Set architecture for audit fchownat tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags: [audit_rules_unsuccessful_file_modification_fchownat, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_fchownat
  tags: [audit_rules_unsuccessful_file_modification_fchownat, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_fchownat.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_fchownat, medium_severity, restrict_strategy, low_complexity, low_disruption]

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_fchownat.files | map(attribute='path') | list | first }}"
  when: find_fchownat.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_fchownat, medium_severity, restrict_strategy, low_complexity, low_disruption]

- name: Inserts/replaces the fchownat rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags: [audit_rules_unsuccessful_file_modification_fchownat, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fchownat rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_fchownat, medium_severity, restrict_strategy, low_complexity, low_disruption]

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the fchownat rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags: [audit_rules_unsuccessful_file_modification_fchownat, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fchownat rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_fchownat, medium_severity, restrict_strategy, low_complexity, low_disruption]
```

Record Unauthorized Creation Attempts to Files - openat O_CREAT

The audit system should collect unauthorized file accesses for all users and root. The openat syscall can be used to create new files when the O_CREAT flag is specified. The following audit rules will ensure that unsuccessful attempts to create a file via the openat syscall are collected. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to the /etc/audit/audit.rules file.

```
# openat(2) takes its flags as the third argument, so the mask is tested on a2 (0100 = O_CREAT)
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
```

If the system is 64 bit then also add the following lines:

```
-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
```

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient.
See the following example:

```
# openat(2) and open_by_handle_at(2) take their flags in a2, but open(2) takes them in a1,
# so open needs its own rule even when the other two are grouped
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
```

References: CIS 5.2.10; CIS CSC 1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 16, 19; COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST 800-171 3.1.7; CCI-000172, CCI-002884; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA-62443-2009 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2013 SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; ISO 27001-2013 A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; NIST 800-53 AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5; NIST CSF DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; OSPP FAU_GEN.1.1.c; PCI-DSS Req-10.2.4, Req-10.2.1; DISA SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172.

Rationale: Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Record Unsuccessful Ownership Changes to Files - lchown

The audit system should collect unsuccessful file ownership change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:
```
-a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
```

If the system is 64 bit then also add the following lines:

```
-a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
```

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

```
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
```

Rationale: Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Remediation Shell script:

```bash
# fix_audit_syscall_rule is defined in the SCAP Security Guide's shared bash
# remediation functions (not shown here) and is prepended to this snippet when built.

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S lchown -F exit=-EACCES.*"
	GROUP="access"
	FULL_RULE="-a always,exit -F arch=$ARCH -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S lchown -F exit=-EPERM.*"
	GROUP="access"
	FULL_RULE="-a always,exit -F arch=$ARCH -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
```

Remediation Ansible snippet:

```yaml
#
# What architecture are we on?
#
- name: Set architecture for audit lchown tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags: [audit_rules_unsuccessful_file_modification_lchown, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_lchown
  tags: [audit_rules_unsuccessful_file_modification_lchown, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_lchown.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_lchown, medium_severity, restrict_strategy, low_complexity, low_disruption]

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_lchown.files | map(attribute='path') | list | first }}"
  when: find_lchown.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_lchown, medium_severity, restrict_strategy, low_complexity, low_disruption]

- name: Inserts/replaces the lchown rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags: [audit_rules_unsuccessful_file_modification_lchown, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the lchown rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_lchown, medium_severity, restrict_strategy, low_complexity, low_disruption]

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the lchown rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags: [audit_rules_unsuccessful_file_modification_lchown, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the lchown rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_lchown, medium_severity, restrict_strategy, low_complexity, low_disruption]
```

Record Unsuccessful Permission Changes to Files - fchmodat

The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:

```
-a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
```

If the system is 64 bit then also add the following lines:

```
-a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
```

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

```
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
```

Rationale: Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Remediation Shell script:

```bash
# fix_audit_syscall_rule is defined in the SCAP Security Guide's shared bash
# remediation functions (not shown here) and is prepended to this snippet when built.

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S fchmodat -F exit=-EACCES.*"
	GROUP="access"
	FULL_RULE="-a always,exit -F arch=$ARCH -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S fchmodat -F exit=-EPERM.*"
	GROUP="access"
	FULL_RULE="-a always,exit -F arch=$ARCH -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
```

Remediation Ansible snippet:

```yaml
#
# What architecture are we on?
#
- name: Set architecture for audit fchmodat tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags: [audit_rules_unsuccessful_file_modification_fchmodat, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_fchmodat
  tags: [audit_rules_unsuccessful_file_modification_fchmodat, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_fchmodat.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_fchmodat, medium_severity, restrict_strategy, low_complexity, low_disruption]

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_fchmodat.files | map(attribute='path') | list | first }}"
  when: find_fchmodat.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_fchmodat, medium_severity, restrict_strategy, low_complexity, low_disruption]

- name: Inserts/replaces the fchmodat rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags: [audit_rules_unsuccessful_file_modification_fchmodat, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fchmodat rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_fchmodat, medium_severity, restrict_strategy, low_complexity, low_disruption]

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the fchmodat rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags: [audit_rules_unsuccessful_file_modification_fchmodat, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fchmodat rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_fchmodat, medium_severity, restrict_strategy, low_complexity, low_disruption]
```

Record Unsuccessful Permission Changes to Files - removexattr

The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:

```
-a always,exit -F arch=b32 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
```

If the system is 64 bit then also add the following lines:

```
-a always,exit -F arch=b64 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
```

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

```
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
```

Rationale: Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
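Because the guide accepts grouped rules as equivalent to the per-syscall form, a compliance check has to normalise rules before comparing them. The following Python checker is an added example, not SCAP Security Guide code and not its OVAL check: it parses auditctl-style rules, treats a syscall as covered whether it has its own rule or sits in a grouped -S list (whatever the key), and reports the (arch, syscall, exit) combinations still missing for the ownership and permission syscalls in this section. The rule text it scans is constructed here.

```python
"""Check audit rule text for the unsuccessful ownership/permission change rules.

Added example, not SCAP Security Guide code. REQUIRED_SYSCALLS is drawn from the
rules in this section; SAMPLE_RULES is constructed to exercise the checker.
"""
import shlex

REQUIRED_SYSCALLS = ("chown", "fchown", "lchown", "fchownat",
                     "chmod", "fchmod", "fchmodat", "removexattr")
REQUIRED_EXITS = ("-EACCES", "-EPERM")
# every rule in this section carries these two filters; a rule without them is a
# different rule (it also fires for root and daemons), not an equivalent form
REQUIRED_FILTERS = {"auid>=1000", "auid!=unset"}

SAMPLE_RULES = """\
## constructed sample: the grouped form from the "See the following example" notes
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
## removexattr only on b64 and only for EACCES, so the checker has gaps to report
-a always,exit -F arch=b64 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
## a rule without the auid filters is not an equivalent form and must not count
-a always,exit -F arch=b32 -S removexattr -F exit=-EPERM -F key=access
-w /etc/shadow -p wa -k identity
"""


def parse_rule(line):
    """Parse one auditctl syscall rule into (archs, syscalls, filters), or None if it is not one."""
    line = line.strip()
    if not line.startswith("-a"):
        return None  # comment, blank line, -w watch, -D, etc.
    toks = shlex.split(line)
    if toks[:2] != ["-a", "always,exit"]:
        return None  # only always,exit rules record the failed attempt
    syscalls, filters = set(), set()
    i = 2
    while i < len(toks) - 1:
        flag, val = toks[i], toks[i + 1]
        if flag == "-S":
            syscalls.update(val.split(","))  # grouped lists count for each member
        elif flag == "-F":
            filters.add(val)
        i += 2
    archs = {f.split("=", 1)[1] for f in filters if f.startswith("arch=")}
    return archs, syscalls, filters


def coverage(rule_text, archs=("b32", "b64")):
    """Return the set of (arch, syscall, exit) triples that some compliant rule covers."""
    covered = set()
    for line in rule_text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        rule_archs, syscalls, filters = parsed
        if not REQUIRED_FILTERS <= filters:
            continue  # missing auid>=1000 / auid!=unset: not the shape this section prescribes
        exits = {f.split("=", 1)[1] for f in filters if f.startswith("exit=")}
        for arch in rule_archs & set(archs):
            for sc in syscalls:
                for ex in exits:
                    covered.add((arch, sc, ex))
    return covered


def missing_rules(rule_text, archs=("b32", "b64")):
    """List the (arch, syscall, exit) triples this section requires that rule_text lacks."""
    covered = coverage(rule_text, archs)
    return sorted((a, s, e) for a in archs for s in REQUIRED_SYSCALLS
                  for e in REQUIRED_EXITS if (a, s, e) not in covered)


if __name__ == "__main__":
    # on a real host, concatenate /etc/audit/rules.d/*.rules or /etc/audit/audit.rules instead
    for arch, sc, ex in missing_rules(SAMPLE_RULES):
        print("missing: -a always,exit -F arch=%s -S %s -F exit=%s ..." % (arch, sc, ex))
```

Pass `archs=("b32",)` on a 32-bit host, matching the guide's "If the system is 64 bit then also add" condition.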
# First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S removexattr -F exit=-EACCES.*" GROUP="access" FULL_RULE="-a always,exit -F arch=$ARCH -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S removexattr -F exit=-EPERM.*" GROUP="access" FULL_RULE="-a always,exit -F arch=$ARCH -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done # # What architecture are we on? 
#
- name: Set architecture for audit removexattr tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_removexattr
  tags:
    - audit_rules_unsuccessful_file_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_removexattr.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_removexattr.files | map(attribute='path') | list | first }}"
  when: find_removexattr.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Inserts/replaces the removexattr rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the removexattr rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the removexattr rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the removexattr rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

Record Unsuccessful Ownership Changes to Files - chown

The audit system should collect unsuccessful file ownership change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64-bit then also add the following lines:

-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise.

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

# fix_audit_syscall_rule is supplied by the SSG shared bash remediation functions; it is not defined in this snippet
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S chown -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S chown -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

#
# What architecture are we on?
#
- name: Set architecture for audit chown tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_chown
  tags:
    - audit_rules_unsuccessful_file_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_chown.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_chown.files | map(attribute='path') | list | first }}"
  when: find_chown.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Inserts/replaces the chown rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the chown rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the chown rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the chown rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

Record Unsuccessful Ownership Changes to Files - fchown

The audit system should collect unsuccessful file ownership change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64-bit then also add the following lines:

-a always,exit -F arch=b64 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S fchown -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S fchown -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

#
# What architecture are we on?
#
- name: Set architecture for audit fchown tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_fchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_fchown
  tags:
    - audit_rules_unsuccessful_file_modification_fchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_fchown.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_fchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_fchown.files | map(attribute='path') | list | first }}"
  when: find_fchown.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_fchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Inserts/replaces the fchown rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_fchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fchown rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_fchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the fchown rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_fchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fchown rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_fchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

Record Unauthorized Access Attempts to Files (unsuccessful) - truncate

At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64-bit then also add the following lines:

-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64-bit then also add the following lines:

-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
Identifiers and references: RHEL-07-030540, SV-86755r4_rule, 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
CCE-80389-0

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S truncate -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S truncate -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

#
# What architecture are we on?
#
- name: Set architecture for audit truncate tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_truncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80389-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030540
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_truncate
  tags:
    - audit_rules_unsuccessful_file_modification_truncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80389-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030540
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_truncate.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_truncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80389-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030540

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_truncate.files | map(attribute='path') | list | first }}"
  when: find_truncate.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_truncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80389-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030540

- name: Inserts/replaces the truncate rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_truncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80389-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030540
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the truncate rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_truncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80389-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030540

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the truncate rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_truncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80389-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030540
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the truncate rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_truncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80389-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030540

Record Unsuccessful Permission Changes to Files - setxattr

The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64-bit then also add the following lines:

-a always,exit -F arch=b64 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient.
See the following example:

-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S setxattr -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S setxattr -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

#
# What architecture are we on?
#
- name: Set architecture for audit setxattr tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_setxattr
  tags:
    - audit_rules_unsuccessful_file_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_setxattr.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_setxattr.files | map(attribute='path') | list | first }}"
  when: find_setxattr.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Inserts/replaces the setxattr rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the setxattr rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the setxattr rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the setxattr rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

Record Unsuccessful Permission Changes to Files - lremovexattr

The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64-bit then also add the following lines:

-a always,exit -F arch=b64 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
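The descriptions of the chown, fchown, truncate, setxattr and lremovexattr rules above all note that a grouped rule such as "-S lchown,fchown,chown,fchownat" satisfies the requirement just as well as separate per-syscall rules. The following checker is an added example, not SCAP Security Guide code: it parses "-a always,exit" rules in the format used throughout this section, treats a grouped -S list as covering every syscall it names, reports which (arch, syscall, exit) combinations an existing rules file still leaves uncovered, and renders the gaps as grouped rules. SAMPLE_RULES is a constructed rules.d fragment and every function name is this example's own.

```python
"""Coverage checker for the unsuccessful file modification audit rules above.

Added example, not SCAP Security Guide code.  SAMPLE_RULES is a constructed
rules.d fragment; parse_rule, covers, missing_rules, grouped_rule_lines and
host_archs are names chosen for this example.
"""
from __future__ import print_function
import shlex
import struct

# Syscalls required by the rules in this section of the guide.
REQUIRED_SYSCALLS = ("chown", "fchown", "truncate", "setxattr", "lremovexattr")
REQUIRED_EXITS = ("-EACCES", "-EPERM")
# auditctl accepts 'unset' as an alias for the numeric unset auid 4294967295.
UNSET_AUID_FILTERS = {"auid!=unset", "auid!=4294967295"}

SAMPLE_RULES = """\
## constructed sample of /etc/audit/rules.d/access.rules (not from a real host)
-w /etc/sudoers -p wa -k actions
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S setxattr -F exit=-EPERM -F auid>=1000 -F key=access
"""


def parse_rule(line):
    """Parse one '-a always,exit' syscall rule; return None for anything else.

    The result holds the arch, the union of all -S syscall lists, the remaining
    -F filters (exit=..., auid...) and the key given by -F key= or -k.
    """
    tokens = shlex.split(line.split("#", 1)[0])
    if len(tokens) < 2 or tokens[0] != "-a" or tokens[1] != "always,exit":
        return None
    rule = {"arch": None, "syscalls": set(), "filters": set(), "key": None}
    i = 2
    while i + 1 < len(tokens):          # every option in an -a rule takes a value
        flag, value = tokens[i], tokens[i + 1]
        if flag == "-S":
            rule["syscalls"].update(value.split(","))
        elif flag == "-F" and value.startswith("arch="):
            rule["arch"] = value[len("arch="):]
        elif flag == "-F" and value.startswith("key="):
            rule["key"] = value[len("key="):]
        elif flag == "-F":
            rule["filters"].add(value)
        elif flag == "-k":
            rule["key"] = value
        i += 2
    return rule


def covers(rule, arch, syscall, exit_code):
    """True if the parsed rule records failed calls of syscall for this arch and exit."""
    return (rule["arch"] == arch
            and syscall in rule["syscalls"]
            and "exit=" + exit_code in rule["filters"]
            and "auid>=1000" in rule["filters"]
            and bool(rule["filters"] & UNSET_AUID_FILTERS))


def missing_rules(rule_lines, syscalls=REQUIRED_SYSCALLS, archs=("b32", "b64")):
    """Return the (arch, syscall, exit) triples that no rule in rule_lines covers."""
    rules = [r for r in (parse_rule(line) for line in rule_lines) if r]
    return [(arch, sc, ex)
            for arch in archs
            for sc in syscalls
            for ex in REQUIRED_EXITS
            if not any(covers(r, arch, sc, ex) for r in rules)]


def grouped_rule_lines(missing, key="access"):
    """Render missing triples as one grouped rule per (arch, exit), as the guide recommends."""
    by_arch_exit = {}
    for arch, sc, ex in missing:
        by_arch_exit.setdefault((arch, ex), []).append(sc)
    return ["-a always,exit -F arch=%s -S %s -F exit=%s -F auid>=1000 -F auid!=unset -F key=%s"
            % (arch, ",".join(scs), ex, key)
            for (arch, ex), scs in sorted(by_arch_exit.items())]


def host_archs():
    """Mirror the guide's getconf LONG_BIT test using the interpreter's pointer width."""
    return ("b32",) if struct.calcsize("P") * 8 == 32 else ("b32", "b64")


if __name__ == "__main__":
    gaps = missing_rules(SAMPLE_RULES.splitlines(), archs=host_archs())
    for rule_line in grouped_rule_lines(gaps):
        print(rule_line)
```

Run against a real host, pass the concatenated lines of every /etc/audit/rules.d/*.rules file (or of /etc/audit/audit.rules when auditctl is used) instead of SAMPLE_RULES.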
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

# fix_audit_syscall_rule is a helper from the guide's shared bash remediation
# function library and is not defined in this snippet; it ensures FULL_RULE is
# present in the rule file used by the named tool (matching on PATTERN/GROUP).
for ARCH in "${RULE_ARCHS[@]}"
do
  PATTERN="-a always,exit -F arch=$ARCH -S lremovexattr -F exit=-EACCES.*"
  GROUP="access"
  FULL_RULE="-a always,exit -F arch=$ARCH -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
  # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
  fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
  fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
  PATTERN="-a always,exit -F arch=$ARCH -S lremovexattr -F exit=-EPERM.*"
  GROUP="access"
  FULL_RULE="-a always,exit -F arch=$ARCH -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
  fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
  fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

#
# What architecture are we on?
#
- name: Set architecture for audit lremovexattr tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags: [audit_rules_unsuccessful_file_modification_lremovexattr, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_lremovexattr
  tags: [audit_rules_unsuccessful_file_modification_lremovexattr, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_lremovexattr.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_lremovexattr, medium_severity, restrict_strategy, low_complexity, low_disruption]

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_lremovexattr.files | map(attribute='path') | list | first }}"
  when: find_lremovexattr.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_lremovexattr, medium_severity, restrict_strategy, low_complexity, low_disruption]

- name: Inserts/replaces the lremovexattr rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags: [audit_rules_unsuccessful_file_modification_lremovexattr, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the lremovexattr rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_lremovexattr, medium_severity, restrict_strategy, low_complexity, low_disruption]

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the lremovexattr rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags: [audit_rules_unsuccessful_file_modification_lremovexattr, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the lremovexattr rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S lremovexattr -F
exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_lremovexattr, medium_severity, restrict_strategy, low_complexity, low_disruption]

Record Unauthorized Access Attempts to Files (unsuccessful) - creat

At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as shown earlier in this guide, is more efficient.

Identifiers and References: RHEL-07-030500 SV-86747r4_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
CCE-80385-8

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

# fix_audit_syscall_rule is a helper from the guide's shared bash remediation
# function library and is not defined in this snippet.
for ARCH in "${RULE_ARCHS[@]}"
do
  PATTERN="-a always,exit -F arch=$ARCH -S creat -F exit=-EACCES.*"
  GROUP="access"
  FULL_RULE="-a always,exit -F arch=$ARCH -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
  # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
  fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
  fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
  PATTERN="-a always,exit -F arch=$ARCH -S creat -F exit=-EPERM.*"
  GROUP="access"
  FULL_RULE="-a always,exit -F arch=$ARCH -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
  fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
  fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

#
# What architecture are we on?
#
- name: Set architecture for audit creat tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags: [audit_rules_unsuccessful_file_modification_creat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80385-8, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1, DISA-STIG-RHEL-07-030500]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_creat
  tags: [audit_rules_unsuccessful_file_modification_creat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80385-8, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1, DISA-STIG-RHEL-07-030500]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_creat.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_creat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80385-8, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1, DISA-STIG-RHEL-07-030500]

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_creat.files | map(attribute='path') | list | first }}"
  when: find_creat.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_creat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80385-8, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1, DISA-STIG-RHEL-07-030500]

- name: Inserts/replaces the creat rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags: [audit_rules_unsuccessful_file_modification_creat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80385-8, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1, DISA-STIG-RHEL-07-030500]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the creat rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_creat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80385-8, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1, DISA-STIG-RHEL-07-030500]

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the creat rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags: [audit_rules_unsuccessful_file_modification_creat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80385-8, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1, DISA-STIG-RHEL-07-030500]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the creat rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and
(ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_creat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80385-8, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1, DISA-STIG-RHEL-07-030500]

Record Unauthorized Creation Attempts to Files - open O_CREAT

The audit system should collect unauthorized file accesses for all users and root. The open syscall can be used to create new files when the O_CREAT flag is specified. The following audit rules ensure that unsuccessful attempts to create a file via the open syscall are collected. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to the /etc/audit/audit.rules file.

The flags of open(2) are its second argument, so the rule tests them as a1; 0100 is the octal value of O_CREAT, and the & operator matches when that bit is set in the argument (a rule written against a2 would test the mode argument of open instead and fire on the owner-execute bit, not on O_CREAT).

-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient, but only system calls that carry the flags in the same argument position can share one aN&0100 filter: openat(2) and open_by_handle_at(2) take their flags as the third argument (a2), so they can be grouped with each other but not with open. Newer C libraries implement open() on top of the openat syscall, so both should be audited for the rule to be effective. See the following example:

-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create

Identifiers and References: 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Record Unsuccessful Permission Changes to Files - fremovexattr

The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b32 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient, provided the grouped rule still names fremovexattr. See the following example:

-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change

Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

# fix_audit_syscall_rule is a helper from the guide's shared bash remediation
# function library and is not defined in this snippet.
for ARCH in "${RULE_ARCHS[@]}"
do
  PATTERN="-a always,exit -F arch=$ARCH -S fremovexattr -F exit=-EACCES.*"
  GROUP="access"
  FULL_RULE="-a always,exit -F arch=$ARCH -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
  # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
  fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
  fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
  PATTERN="-a always,exit -F arch=$ARCH -S fremovexattr -F exit=-EPERM.*"
  GROUP="access"
  FULL_RULE="-a always,exit -F arch=$ARCH -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
  fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
  fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

#
# What architecture are we on?
#
- name: Set architecture for audit fremovexattr tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags: [audit_rules_unsuccessful_file_modification_fremovexattr, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_fremovexattr
  tags: [audit_rules_unsuccessful_file_modification_fremovexattr, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_fremovexattr.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_fremovexattr, medium_severity, restrict_strategy, low_complexity, low_disruption]

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_fremovexattr.files | map(attribute='path') | list | first }}"
  when: find_fremovexattr.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_fremovexattr, medium_severity, restrict_strategy, low_complexity, low_disruption]

- name: Inserts/replaces the fremovexattr rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags: [audit_rules_unsuccessful_file_modification_fremovexattr, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fremovexattr rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_fremovexattr, medium_severity, restrict_strategy, low_complexity, low_disruption]

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the fremovexattr rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags: [audit_rules_unsuccessful_file_modification_fremovexattr, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fremovexattr rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S fremovexattr -F
exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_fremovexattr, medium_severity, restrict_strategy, low_complexity, low_disruption]

Record Unsuccessful Delete Attempts to Files - unlink

The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example, which also covers removal through unlinkat and replacement of a file through rename and renameat:

-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

Identifiers and References: 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172

Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
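The rules for setxattr, lremovexattr, fremovexattr, creat, open with O_CREAT and unlink above all have the same shape, and each section notes that they "can be configured in a number of ways": a grouped -S list with the same filters satisfies the requirement just as well as the literal line, which is exactly what a compliance check or a reviewer has to account for. The following Python script is an added example for this guide, not code from the SCAP Security Guide: it parses rule lines the way auditctl reads them, evaluates them against constructed syscall-exit events, and reports which (arch, syscall, errno) combinations a rules.d file leaves uncovered. The rule text, the errno table, the events and the key names are constructed for the example; the unset auid value, the octal reading of 0100 and the any-bit semantics of the & operator follow auditctl(8) and the kernel's audit_comparator().

```python
"""Model of auditd syscall-rule matching (added example, not SSG code).

Parses '-a always,exit' lines as written in /etc/audit/rules.d, including
grouped '-S a,b,c' lists and the '-F' filters used on this page, and evaluates
them against constructed syscall-exit events. It never talks to auditd.
"""
import re
from collections import namedtuple

UNSET = 0xFFFFFFFF                      # auditctl's 'unset' auid (-1 as u32)
ERRNO = {"EACCES": 13, "EPERM": 1}      # constructed subset of <errno.h>
O_CREAT, O_WRONLY = 0o100, 0o1          # Linux values; '0100' in rules is octal

# Kernel audit_comparator() semantics: '&' fires on any masked bit, '&=' on all.
OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b,
       ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b,
       "&": lambda a, b: (a & b) != 0, "&=": lambda a, b: (a & b) == b}
FILTER_RE = re.compile(r"([a-z]+[0-9]*)(>=|<=|!=|&=|=|&|>|<)(.+)")

Rule = namedtuple("Rule", "arch syscalls filters key")      # filters: ((field, op, rhs), ...)
Event = namedtuple("Event", "arch syscall args exit auid")  # args: a0..a3 as the kernel records them


def to_int(text):
    """auditctl reads numeric -F values with base 0: 0x.. is hex, 0.. is octal."""
    base = 16 if text.startswith("0x") else 8 if len(text) > 1 and text[0] == "0" else 10
    return int(text, base)


def parse_rule(line):
    """Rule for one '-a always,exit' line; None for comments and other lines."""
    toks = line.split()
    if len(toks) < 2 or toks[0] != "-a" or toks[1] != "always,exit":
        return None
    arch, key, syscalls, filters = "", "", set(), []
    for flag, val in zip(toks[2::2], toks[3::2]):
        if flag == "-S":
            syscalls |= set(val.split(","))     # grouped lists expand here
        elif flag == "-F":
            field, op, rhs = FILTER_RE.fullmatch(val).groups()
            if field == "arch":
                arch = rhs
            elif field == "key":
                key = rhs
            else:
                filters.append((field, op, rhs))
    return Rule(arch, frozenset(syscalls), tuple(filters), key)


def load_rules(text):
    return [r for r in map(parse_rule, text.splitlines()) if r]


def _lhs(ev, field):
    if field in ("exit", "auid"):
        return getattr(ev, field)
    return ev.args[int(field[1:])]               # a0..a3


def _rhs(field, rhs):
    if field == "exit" and rhs.startswith("-E"):
        return -ERRNO[rhs[1:]]
    if field == "auid" and rhs == "unset":
        return UNSET
    return to_int(rhs)


def matches(rule, ev):
    """True if the rule would fire for this syscall-exit event."""
    if rule.arch != ev.arch or ev.syscall not in rule.syscalls:
        return False
    return all(OPS[op](_lhs(ev, f), _rhs(f, rhs)) for f, op, rhs in rule.filters)


def matching_keys(rules, ev):
    return [r.key for r in rules if matches(r, ev)]


def uncovered(rules, required):
    """(arch, syscall, errno) triples that no rule covers, standalone or grouped.

    Each triple is probed with a failing call by auid 1000 whose arguments all
    carry O_CREAT, so open-family rules with an aN&0100 filter count as well.
    """
    probe = lambda a, s, e: Event(a, s, (O_CREAT,) * 4, -ERRNO[e], 1000)
    return [t for t in required if not matching_keys(rules, probe(*t))]


# Constructed rules.d content (b64 only): grouped permission-change rules plus the
# create and delete rules of this guide; open() is filtered on a1, openat() on a2.
RULES_D = """\
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
"""
RULES = load_rules(RULES_D)

# A rule that filters open() on a2 tests its mode argument, not its flags.
MISINDEXED_OPEN = parse_rule("-a always,exit -F arch=b64 -S open -F a2&0100 "
                             "-F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=wrong")
```

On a real host, feed load_rules the concatenated contents of /etc/audit/rules.d/*.rules and pass uncovered the full list of (arch, syscall, errno) triples this guide requires; with the constructed RULES_D above it reports the missing b32 rules and the missing EPERM rule for unlink while accepting lremovexattr through the grouped line. MISINDEXED_OPEN shows why the argument index matters: against open(path, O_WRONLY|O_CREAT, 0644) failing with EACCES it stays silent, because 0644 has no owner-execute bit, while the a1 rule in RULES_D fires, and it fires instead on an open() with mode 0755 that never asked for O_CREAT.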
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

# fix_audit_syscall_rule is a helper from the guide's shared bash remediation
# function library and is not defined in this snippet.
for ARCH in "${RULE_ARCHS[@]}"
do
  PATTERN="-a always,exit -F arch=$ARCH -S unlink -F exit=-EACCES.*"
  GROUP="access"
  FULL_RULE="-a always,exit -F arch=$ARCH -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
  # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
  fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
  fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
  PATTERN="-a always,exit -F arch=$ARCH -S unlink -F exit=-EPERM.*"
  GROUP="access"
  FULL_RULE="-a always,exit -F arch=$ARCH -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
  fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
  fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

#
# What architecture are we on?
#
- name: Set architecture for audit unlink tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_unlink
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_unlink
  tags:
    - audit_rules_unsuccessful_file_modification_unlink
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_unlink.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_unlink
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_unlink.files | map(attribute='path') | list | first }}"
  when: find_unlink.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_unlink
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1

- name: Inserts/replaces the unlink rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_unlink
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the unlink rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_unlink
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the unlink rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_unlink
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the unlink rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_unlink
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1

Record Unsuccessful Permission Changes to Files - fsetxattr

The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64-bit then also add the following lines:

-a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Rationale: Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Remediation Shell script (note that both remediations below tag the rules with key=access rather than the key=unsuccesful-perm-change shown in the description):

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

# fix_audit_syscall_rule is a shared helper defined in the SCAP Security Guide
# bash remediation function library (not shown here): it looks in the rules
# file of the given tool for a rule matching PATTERN and adds or amends a rule
# so that the syscall is audited as in FULL_RULE.
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S fsetxattr -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S fsetxattr -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

#
# What architecture are we on?
#
- name: Set architecture for audit fsetxattr tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_fsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_fsetxattr
  tags:
    - audit_rules_unsuccessful_file_modification_fsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_fsetxattr.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_fsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_fsetxattr.files | map(attribute='path') | list | first }}"
  when: find_fsetxattr.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_fsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Inserts/replaces the fsetxattr rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_fsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fsetxattr rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_fsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the fsetxattr rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_fsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fsetxattr rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_fsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly

The audit system should collect detailed unauthorized file accesses for all users and root. To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access of files via the openat syscall, the audit rules collecting these events need to be in a certain order: the more specific rules must come before the less specific rules. The kernel evaluates syscall rules in order and applies the first rule whose filters all match, so a more specific rule, which covers a subset of the events covered by a less specific rule, must come first; otherwise it is overshadowed by the less specific rule, which matches a bigger set of events. Make sure that the rules for unsuccessful calls of the openat syscall are in the order shown below. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), check the order of the rules below in a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, check the order of the rules below in the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access

If the system is 64-bit then also add the following lines:

-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access

References: 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172

Rationale: The more specific rules cover a subset of the events covered by the less specific rules. By ordering them from more specific to less specific, it is assured that the less specific rule will not catch events better recorded by the more specific rule.

Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly

The audit system should collect detailed unauthorized file accesses for all users and root. To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access of files via the open syscall, the audit rules collecting these events need to be in a certain order: the more specific rules must come before the less specific rules. The kernel evaluates syscall rules in order and applies the first rule whose filters all match, so a more specific rule, which covers a subset of the events covered by a less specific rule, must come first; otherwise it is overshadowed by the less specific rule, which matches a bigger set of events. Make sure that the rules for unsuccessful calls of the open syscall are in the order shown below. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), check the order of the rules below in a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, check the order of the rules below in the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access

If the system is 64-bit then also add the following lines:

-a always,exit -F arch=b64 -S open -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access

References: 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172

Rationale: The more specific rules cover a subset of the events covered by the less specific rules. By ordering them from more specific to less specific, it is assured that the less specific rule will not catch events better recorded by the more specific rule.

Record Unauthorized Access Attempts to Files (unsuccessful) - open

At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64-bit then also add the following lines:

-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64-bit then also add the following lines:

-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independently of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

References: RHEL-07-030510 SV-86749r4_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172

Rationale: Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
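Both the rule-ordering requirement for open and openat and the presence of the -EACCES/-EPERM access rules per architecture can be checked mechanically. The following Python is an added example written for this page, not code from the SCAP Security Guide; it assumes rules are written in the exact -a always,exit -F ... form shown above, and the sample rule sets it embeds are constructed.

```python
"""Parse audit syscall rules in the form this guide uses and check the
unsuccessful open/openat rules: both -EACCES and -EPERM rules exist per
architecture, and the more specific rules (O_CREAT, write+O_TRUNC) precede the
generic access rule, since the kernel applies the first syscall rule whose
filters all match."""
import glob
import os

# Flag masks the guide filters on (octal, from <fcntl.h>): 0100 = O_CREAT
# (unsuccessful create), 01003 = O_WRONLY|O_RDWR|O_TRUNC (unsuccessful
# modification). A rule with no mask is the generic unsuccessful-access rule.
# Higher rank = more specific; the guide orders create, modification, access.
MASK_RANK = {"0100": 2, "01003": 1}
ERRNOS = ("-EACCES", "-EPERM")


def parse_rule(line):
    """Split one '-a always,exit -F ... -S ...' line into its parts."""
    rule = {"arch": None, "syscalls": set(), "exit": None, "mask": None,
            "key": None, "fields": []}
    toks = line.split()
    i = 0
    while i < len(toks):
        tok = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else ""
        if tok == "-S":
            rule["syscalls"].update(arg.split(","))
        elif tok == "-k":
            rule["key"] = arg
        elif tok == "-F":
            rule["fields"].append(arg)
            if arg.startswith("arch="):
                rule["arch"] = arg[5:]
            elif arg.startswith("exit="):
                rule["exit"] = arg[5:]
            elif arg.startswith("key="):
                rule["key"] = arg[4:]
            elif arg[:1] == "a" and arg[1:2].isdigit() and "&" in arg:
                rule["mask"] = arg.split("&", 1)[1]  # e.g. a2&0100 -> "0100"
        i += 2 if tok.startswith("-") else 1
    return rule


def syscall_rules(text, syscall):
    """Yield (line_no, rule) for '-a' rules naming `syscall` with an exit filter."""
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line.startswith("-a"):
            continue  # blank lines, comments, -w watches, -D and other control lines
        rule = parse_rule(line)
        if syscall in rule["syscalls"] and rule["exit"] in ERRNOS:
            yield n, rule


def order_problems(text, syscall):
    """Line numbers of rules already shadowed by a less specific rule for the
    same architecture earlier in the list (their key would never be recorded)."""
    problems, least_seen = [], {}  # least_seen: arch -> lowest rank so far
    for n, rule in syscall_rules(text, syscall):
        r, prev = MASK_RANK.get(rule["mask"], 0), least_seen.get(rule["arch"])
        if prev is not None and r > prev:
            problems.append(n)
        least_seen[rule["arch"]] = r if prev is None else min(prev, r)
    return problems


def missing_access_rules(text, syscall, archs=("b32", "b64")):
    """(arch, errno) pairs lacking a generic access rule that also carries the
    auid>=1000 and auid!=unset filters the guide requires."""
    present = set()
    for _, rule in syscall_rules(text, syscall):
        if rule["mask"] is None and {"auid>=1000", "auid!=unset"} <= set(rule["fields"]):
            present.add((rule["arch"], rule["exit"]))
    return [(a, e) for a in archs for e in ERRNOS if (a, e) not in present]


def load_rules_d(directory="/etc/audit/rules.d"):
    """Concatenate *.rules in sorted name order, the order augenrules merges
    them, so ordering across files is checked the way auditd will load it."""
    parts = []
    for path in sorted(glob.glob(os.path.join(directory, "*.rules"))):
        with open(path) as fh:
            parts.append(fh.read())
    return "\n".join(parts)


# Constructed sample: the guide's b32 openat ordering, as listed above.
ORDERED = """\
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
"""

# Constructed sample of the mistake the guide warns about: the generic access
# rule comes first, so the create rule on line 2 is never the first match.
SHADOWED = """\
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
"""
```

On a live system, `order_problems(load_rules_d(), "openat")` and `missing_access_rules(load_rules_d(), "open")` run the same two checks against /etc/audit/rules.d in the order augenrules merges the files; for the auditctl layout, pass the contents of /etc/audit/audit.rules instead.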
Identifiers: CCE-80386-6

Remediation Shell script:

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

# fix_audit_syscall_rule is a shared helper defined in the SCAP Security Guide
# bash remediation function library (not shown here): it looks in the rules
# file of the given tool for a rule matching PATTERN and adds or amends a rule
# so that the syscall is audited as in FULL_RULE.
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S open -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S open -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

#
# What architecture are we on?
#
- name: Set architecture for audit open tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_open
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80386-6
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030510
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_open
  tags:
    - audit_rules_unsuccessful_file_modification_open
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80386-6
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030510
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_open.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_open
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80386-6
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030510

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_open.files | map(attribute='path') | list | first }}"
  when: find_open.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_open
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80386-6
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030510

- name: Inserts/replaces the open rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_open
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80386-6
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030510
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the open rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_open
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80386-6
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030510

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the open rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_open
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80386-6
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030510
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the open rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_open
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80386-6
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030510

Record Unsuccessful Permission Changes to Files - lsetxattr

The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64-bit then also add the following lines:

-a always,exit -F arch=b64 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient.
See the following example:

-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Rationale: Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Remediation Shell script (note that both remediations below tag the rules with key=access rather than the key=unsuccesful-perm-change shown in the description):

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

# fix_audit_syscall_rule is a shared helper defined in the SCAP Security Guide
# bash remediation function library (not shown here): it looks in the rules
# file of the given tool for a rule matching PATTERN and adds or amends a rule
# so that the syscall is audited as in FULL_RULE.
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S lsetxattr -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S lsetxattr -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

#
# What architecture are we on?
#
- name: Set architecture for audit lsetxattr tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_lsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_lsetxattr
  tags:
    - audit_rules_unsuccessful_file_modification_lsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_lsetxattr.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_lsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_lsetxattr.files | map(attribute='path') | list | first }}"
  when: find_lsetxattr.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_lsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Inserts/replaces the lsetxattr rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_lsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the lsetxattr rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_lsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the lsetxattr rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_lsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the lsetxattr rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_lsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

Record Unsuccessful Permission Changes to Files - chmod

Description: The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Rationale: Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Remediation Shell script:

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S chmod -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S chmod -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

#
# What architecture are we on?
#
- name: Set architecture for audit chmod tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_chmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_chmod
  tags:
    - audit_rules_unsuccessful_file_modification_chmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_chmod.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_chmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_chmod.files | map(attribute='path') | list | first }}"
  when: find_chmod.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_chmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Inserts/replaces the chmod rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_chmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the chmod rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_chmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the chmod rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_chmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the chmod rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_chmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

Record Unauthorized Access Attempts to Files (unsuccessful) - open_by_handle_at

Description: At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls.
Grouping these system calls with others, as identified earlier in this guide, is more efficient.

References: RHEL-07-030530 SV-86753r4_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172

Rationale: Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Identifiers: CCE-80388-2

Remediation Shell script:

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S open_by_handle_at -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S open_by_handle_at -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

#
# What architecture are we on?
#
- name: Set architecture for audit open_by_handle_at tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80388-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030530
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_open_by_handle_at
  tags:
    - audit_rules_unsuccessful_file_modification_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80388-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030530
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_open_by_handle_at.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80388-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030530

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_open_by_handle_at.files | map(attribute='path') | list | first }}"
  when: find_open_by_handle_at.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80388-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030530

- name: Inserts/replaces the open_by_handle_at rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80388-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030530
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the open_by_handle_at rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80388-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030530

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the open_by_handle_at rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80388-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030530
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the open_by_handle_at rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80388-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030530

Record Unauthorized Access Attempts to Files (unsuccessful) - ftruncate

Description: At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

References: RHEL-07-030550 SV-86757r4_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172

Rationale: Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Identifiers: CCE-80390-8

Remediation Shell script:

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S ftruncate -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S ftruncate -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

#
# What architecture are we on?
#
- name: Set architecture for audit ftruncate tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_ftruncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80390-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030550
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_ftruncate
  tags:
    - audit_rules_unsuccessful_file_modification_ftruncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80390-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030550
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_ftruncate.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_ftruncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80390-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030550

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_ftruncate.files | map(attribute='path') | list | first }}"
  when: find_ftruncate.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_ftruncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80390-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030550

- name: Inserts/replaces the ftruncate rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_ftruncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80390-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030550
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the ftruncate rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_ftruncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80390-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030550

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the ftruncate rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_ftruncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80390-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030550
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the ftruncate rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_ftruncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80390-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030550

Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly

Description: The audit system should collect detailed unauthorized file accesses for all users and root. To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access of files via the open_by_handle_at syscall, the audit rules collecting these events need to be in a certain order. The more specific rules need to come before the less specific rules. The reason is that more specific rules cover a subset of the events covered by the less specific rules, so they need to come first to avoid being overshadowed by the less specific rules, which match a larger set of events. Make sure that the rules for unsuccessful calls of the open_by_handle_at syscall are in the order shown below. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), check the order of the rules below in a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, check the order of the rules below in the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access

The filters on a2 test the flags argument of open_by_handle_at: -F a2&0100 matches when O_CREAT (octal 0100) is set, and -F a2&01003 matches when any of O_WRONLY (01), O_RDWR (02) or O_TRUNC (01000) is set. The last pair carries no a2 filter and catches every remaining failed call, which is why it must come last.

5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i)
164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172

The more specific rules cover a subset of the events covered by the less specific rules. Ordering them from more specific to less specific ensures that a less specific rule does not catch events that are better recorded by a more specific rule.

Record Unsuccessful Delete Attempts to Files - unlinkat

The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system call has been placed independently of other system calls. Grouping system calls related to the same event into one rule is more efficient, since the kernel has fewer rules to walk on every syscall exit. See the following example:

-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205
SRG-OS-000392-GPOS-00172

Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Note that the bash remediation below, and the Ansible tasks that follow it, tag the rule with key=access rather than the key=unsuccessful-delete shown in the description above. Pick one key and use it consistently, because ausearch -k matches the exact key string. The fix_audit_syscall_rule helper is defined in the guide's shared bash remediation functions and is not reproduced here.

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S unlinkat -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S unlinkat -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

#
# What architecture are we on?
#
- name: Set architecture for audit unlinkat tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_unlinkat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_unlinkat
  tags:
    - audit_rules_unsuccessful_file_modification_unlinkat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_unlinkat.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_unlinkat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_unlinkat.files | map(attribute='path') | list | first }}"
  when: find_unlinkat.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_unlinkat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1

- name: Inserts/replaces the unlinkat rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_unlinkat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the unlinkat rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_unlinkat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the unlinkat rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_unlinkat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the unlinkat rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_unlinkat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1

Record Unauthorized Modification Attempts to Files - openat O_TRUNC

The audit system should collect detailed unauthorized file accesses for all users and root. The openat syscall can be used to modify files if called for a write operation (O_WRONLY or O_RDWR) or with the O_TRUNC flag. The following audit rules ensure that unsuccessful attempts to modify a file via the openat syscall are collected; the filter -F a2&01003 tests openat's flags argument (a2) for any of O_WRONLY (01), O_RDWR (02) or O_TRUNC (01000). If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system call has been placed independently of other system calls. Grouping system calls related to the same event is more efficient.
See the following example:

-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

Only syscalls whose flags argument sits in the same position can share such a rule: openat and open_by_handle_at both take the flags as their third argument (a2), whereas open takes them as its second (a1) and therefore needs its own rule with -F a1&01003.

5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)

At a minimum, the audit system should collect unauthorized file accesses for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

This rule checks for multiple syscalls related to unsuccessful file modification; it was written with DISA STIG in mind. Other policies should use a separate rule for each syscall that needs to be checked.
For example:

audit_rules_unsuccessful_file_modification_open
audit_rules_unsuccessful_file_modification_ftruncate
audit_rules_unsuccessful_file_modification_creat

5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.2.4 Req-10.2.1

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
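The ordering requirement for the open_by_handle_at rules and the a2 flag masks used by the openat O_TRUNC rules both follow from how the kernel evaluates the exit filter list: rules are tried in order and the first complete match wins, key included. The following Python script is an added example, not part of the SCAP Security Guide, that parses rules in the syntax used on this page, replays constructed failed-syscall events against them with that first-match semantic, and flags rules that an earlier, less specific rule makes unreachable. The O_* values are the x86/x86-64 fcntl.h constants; the errno values and the treatment of auid "unset" as 0xFFFFFFFF are assumptions matching auditctl's conventions; the sample rule lists are the guide's own b64 open_by_handle_at EACCES rules and the combined DISA STIG rule, with MISORDERED constructed to show the failure mode.

```python
"""Simulate first-match evaluation of auditd exit-filter rules and check ordering.
Added example; not SSG code. Constants and sample events are constructed here."""
import re

# Open flag bits from <fcntl.h> on x86/x86-64, in octal as the audit rules spell them.
O_WRONLY, O_RDWR, O_CREAT, O_TRUNC = 0o1, 0o2, 0o100, 0o1000
ERRNO = {"-EACCES": -13, "-EPERM": -1}
AUID_UNSET = 0xFFFFFFFF  # auditctl's "unset": -1 as an unsigned 32-bit value (assumption)
FILTER_RE = re.compile(r"^(\w+)(!=|>=|<=|&=|&|=|<|>)(.+)$")
OPS = {"=": lambda l, r: l == r, "!=": lambda l, r: l != r,
       "<": lambda l, r: l < r, ">": lambda l, r: l > r,
       "<=": lambda l, r: l <= r, ">=": lambda l, r: l >= r,
       "&": lambda l, r: (l & r) != 0,    # any bit of the mask set
       "&=": lambda l, r: (l & r) == r}   # every bit of the mask set


def parse_rule(line):
    """Turn one '-a always,exit -F arch=.. -S .. -F ..' line into a dict."""
    toks = line.split()
    rule = {"syscalls": set(), "filters": [], "key": None}
    for opt, val in zip(toks[0::2], toks[1::2]):   # every option takes one value
        if opt == "-S":
            rule["syscalls"].update(val.split(","))
        elif opt == "-k":
            rule["key"] = val
        elif opt == "-F":
            field, op, raw = FILTER_RE.match(val).groups()
            if field == "key":
                rule["key"] = raw
            else:
                rule["filters"].append((field, op, raw))
    return rule


def _number(raw):
    """Parse like auditctl's strtoul(..., 0): 0x.. is hex, a leading 0 is octal."""
    if raw.lower().startswith("0x"):
        return int(raw, 16)
    if len(raw) > 1 and raw.startswith("0"):
        return int(raw, 8)
    return int(raw, 10)


def _operand(field, raw):
    """Convert a rule operand to the value the event field is compared against."""
    if field == "arch":
        return raw
    if field == "exit":
        return ERRNO[raw]
    if raw == "unset":
        return AUID_UNSET
    return _number(raw)


def first_match(rules, event):
    """Key of the first rule whose syscall and every -F filter match the event.
    The kernel walks the exit list in order and stops at the first hit, so a generic
    rule placed early silently claims events meant for a later, more specific one."""
    for rule in rules:
        if event["syscall"] not in rule["syscalls"]:
            continue
        if all(OPS[op](event[f], _operand(f, raw)) for f, op, raw in rule["filters"]):
            return rule["key"]
    return None


def shadowed(rules):
    """(later_key, earlier_key) pairs where the later rule can never be the first match:
    it shares a syscall with an earlier rule whose filters are a subset of its own."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier["syscalls"] & later["syscalls"]
                    and set(earlier["filters"]) <= set(later["filters"])):
                found.append((later["key"], earlier["key"]))
    return found


def classify(lines, syscall="open_by_handle_at", flags=0, err="-EACCES", auid=1000):
    """Key recorded for a failed b64 call with the given flags argument (a2) and errno."""
    event = {"arch": "b64", "syscall": syscall, "a0": 0, "a1": 0, "a2": flags, "a3": 0,
             "exit": ERRNO[err], "auid": auid}
    return first_match([parse_rule(l) for l in lines], event)


# The guide's b64 open_by_handle_at ordering (EACCES variants), most specific first.
ORDERED = [
    "-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create",
    "-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification",
    "-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access",
]
MISORDERED = [ORDERED[2], ORDERED[0], ORDERED[1]]  # constructed: generic rule first
# The combined DISA STIG rule from this guide: six syscalls, one key.
COMBINED = ["-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"]

if __name__ == "__main__":
    for name, lines in (("ordered", ORDERED), ("misordered", MISORDERED)):
        print(name, "O_CREAT|O_WRONLY ->", classify(lines, flags=O_CREAT | O_WRONLY),
              "shadowed:", shadowed([parse_rule(l) for l in lines]))
```

To check a deployed configuration, feed it the output of `auditctl -l` (which prints the rules in the order the kernel holds them) instead of the constructed lists; any non-empty result from shadowed() means a rule that can never fire.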
CCE-27347-4

# Perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    # First fix the -EACCES requirement
    PATTERN="-a always,exit -F arch=$ARCH -S .* -F exit=-EACCES -F auid>=1000 -F auid!=unset -k *"
    # Use escaped BRE regex to specify rule group
    GROUP="\(creat\|open\|truncate\)"
    FULL_RULE="-a always,exit -F arch=$ARCH -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

    # Then fix the -EPERM requirement
    PATTERN="-a always,exit -F arch=$ARCH -S .* -F exit=-EPERM -F auid>=1000 -F auid!=unset -k *"
    # No need to change content of $GROUP variable - it's the same as for -EACCES case above
    FULL_RULE="-a always,exit -F arch=$ARCH -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Record Unsuccessful Permission Changes to Files - fchmod

The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S fchmod -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S fchmod -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

#
# What architecture are we on?
#
- name: Set architecture for audit fchmod tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_fchmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_fchmod
  tags:
    - audit_rules_unsuccessful_file_modification_fchmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_fchmod.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_fchmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_fchmod.files | map(attribute='path') | list | first }}"
  when: find_fchmod.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_fchmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Inserts/replaces the fchmod rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_fchmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fchmod rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_fchmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the fchmod rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_fchmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fchmod rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_fchmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

Record Unauthorized Modification Attempts to Files - open_by_handle_at O_TRUNC

The audit system should collect detailed unauthorized file accesses for all users and root. The open_by_handle_at syscall can be used to modify files if called for a write operation (O_WRONLY or O_RDWR) or with the O_TRUNC flag. The following audit rules ensure that unsuccessful attempts to modify a file via the open_by_handle_at syscall are collected; the filter -F a2&01003 tests the flags argument (a2) for any of O_WRONLY (01), O_RDWR (02) or O_TRUNC (01000). If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system call has been placed independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

Only syscalls whose flags argument sits in the same position can share such a rule: openat and open_by_handle_at both take the flags as their third argument (a2), whereas open takes them as its second (a1) and therefore needs its own rule with -F a1&01003.

5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Record Unauthorized Access Attempts to Files (unsuccessful) - openat

At a minimum, the audit system should collect unauthorized file accesses for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. 
RHEL-07-030520 SV-86751r4_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172 Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. 
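The rationale above says the events these rules produce are evidence worth looking at; the following is an added example (not part of the SCAP Security Guide) of how a responder would consume them. It reads raw records in the format auditd writes to /var/log/audit/audit.log, keeps only the failed SYSCALL records carrying the keys the rules on this page set (key=access, key=unsuccessful-delete), joins the PATH record of the same event to learn which file was targeted, and counts attempts per login user (auid) and executable. The log lines are constructed samples, not captured data; the syscall numbers and errno values are the x86_64 Linux ones.

```python
"""Triage of failed file-access audit events (added example, not SSG code)."""
import re
from collections import defaultdict

# Raw audit logs carry the negative errno in exit=; 'ausearch -i' would show the name.
ERRNO_NAMES = {"-13": "EACCES", "-1": "EPERM"}

# Constructed sample records (not from a real system). Event 4540 is a successful
# open tagged by a watch rule (key=session) and must not be counted as an attempt.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1560345038.123:4521): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5584b1e0a2c0 a2=0 a3=0 items=1 ppid=1834 pid=2210 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="access"
type=PATH msg=audit(1560345038.123:4521): item=0 name="/etc/shadow" inode=67349 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1560345040.456:4522): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5584b1e0a300 a2=0 a3=0 items=1 ppid=1834 pid=2214 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="access"
type=PATH msg=audit(1560345040.456:4522): item=0 name="/etc/sudoers" inode=67402 dev=fd:00 mode=0100440 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1560345101.789:4530): arch=c000003e syscall=263 success=no exit=-1 a0=ffffff9c a1=7ffe1c2b3a20 a2=0 a3=0 items=1 ppid=1834 pid=2301 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="rm" exe="/usr/bin/rm" key="unsuccessful-delete"
type=PATH msg=audit(1560345101.789:4530): item=0 name="/var/log/wtmp" inode=33871 dev=fd:00 mode=0100664 ouid=0 ogid=22 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1560345150.000:4540): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5584b1e0a3c0 a2=0 a3=0 items=1 ppid=1834 pid=2350 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="last" exe="/usr/bin/last" key="session"
type=PATH msg=audit(1560345150.000:4540): item=0 name="/var/log/wtmp" inode=33871 dev=fd:00 mode=0100664 ouid=0 ogid=22 rdev=00:00 nametype=NORMAL
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r"msg=audit\((\d+)\.\d+:(\d+)\)")


def parse_record(line):
    """Split one raw record into a dict; quoted values lose their quotes."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = EVENT_RE.search(line)
    if m:
        rec["time"], rec["serial"] = int(m.group(1)), m.group(2)
    return rec


def failed_attempts(log_text, keys):
    """Yield (serial, syscall_record, [paths]) for failed calls tagged with `keys`.

    SYSCALL and PATH records of one event share the audit(...:serial) id."""
    syscalls, paths = {}, defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") == "SYSCALL" and rec.get("success") == "no" and rec.get("key") in keys:
            syscalls[rec["serial"]] = rec
        elif rec.get("type") == "PATH" and "name" in rec:
            paths[rec["serial"]].append(rec["name"])
    for serial, rec in syscalls.items():
        yield serial, rec, paths.get(serial, [])


def summarize(log_text, keys=("access", "unsuccessful-delete")):
    """Count failed attempts per (auid, exe): how many, which errno, which files."""
    summary = {}
    for _, rec, names in failed_attempts(log_text, keys):
        entry = summary.setdefault((rec["auid"], rec["exe"]),
                                   {"attempts": 0, "errors": {}, "files": set()})
        entry["attempts"] += 1
        err = ERRNO_NAMES.get(rec["exit"], rec["exit"])
        entry["errors"][err] = entry["errors"].get(err, 0) + 1
        entry["files"].update(names)
    for entry in summary.values():
        entry["files"] = sorted(entry["files"])
    return summary


def repeat_offenders(summary, threshold=2):
    """Principals with at least `threshold` failed attempts, busiest first."""
    hits = [(k, v["attempts"]) for k, v in summary.items() if v["attempts"] >= threshold]
    return [k for k, _ in sorted(hits, key=lambda kv: -kv[1])]


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for (auid, exe), entry in result.items():
        print(f"auid={auid} exe={exe} attempts={entry['attempts']} "
              f"errors={entry['errors']} files={entry['files']}")
    print("repeat offenders:", repeat_offenders(result))
```

The join on the event serial matters: the SYSCALL record tells you who failed and why, but only the PATH record names the file, and a cluster of EACCES failures from one auid against /etc/shadow and /etc/sudoers reads very differently from the same count spread over a user's own files.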
CCE-80387-4

Remediation Shell script:

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S openat -F exit=-EACCES.*"
	GROUP="access"
	FULL_RULE="-a always,exit -F arch=$ARCH -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S openat -F exit=-EPERM.*"
	GROUP="access"
	FULL_RULE="-a always,exit -F arch=$ARCH -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

#
# What architecture are we on?
#
- name: Set architecture for audit openat tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_openat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80387-4
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030520
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_openat
  tags:
    - audit_rules_unsuccessful_file_modification_openat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80387-4
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030520
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_openat.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_openat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80387-4
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030520

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_openat.files | map(attribute='path') | list | first }}"
  when: find_openat.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_openat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80387-4
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030520

- name: Inserts/replaces the openat rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_openat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80387-4
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030520
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the openat rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_openat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80387-4
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030520

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the openat rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_openat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80387-4
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030520
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the openat rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_openat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80387-4
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030520

Record Unsuccessful Delete Attempts to Files - rename

The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete

References: 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172

Rationale: Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
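The open_by_handle_at, openat and rename rules above all end with the same note: the syscalls may be listed one per rule or grouped into a single `-S a,b,c` rule, and either form satisfies the requirement. A check therefore has to reason about which (architecture, syscall, exit code) combinations a rules file covers rather than grep for one exact line. The following is an added example, not code from the SCAP Security Guide or its OVAL checks, of such a coverage check; it also shows what the `-F a2&01003` mask in the open_by_handle_at rule actually selects. The rules file content is constructed, the open(2) flag values are the Linux ones, and the requirement definition (auid>=1000, auid!=unset, plus any extra filter such as the a2 mask) is this example's own.

```python
"""Coverage check for auditd syscall rules (added example, not SSG code).

Parses rules in the form the guide shows, one syscall per rule or several
grouped with '-S a,b,c', and reports which required (arch, syscall, exit)
combinations have no rule with exactly the required filter set.
"""
import shlex

# Linux open(2) flag values. a2 is the flags argument of openat and
# open_by_handle_at; for open(2) itself the flags are the second argument (a1).
O_RDONLY, O_WRONLY, O_RDWR, O_TRUNC = 0o0, 0o1, 0o2, 0o1000

# Constructed rules file: grouped b32 rules, separate b64 rules, one watch rule.
# The b64 EPERM rule for open_by_handle_at is deliberately absent.
SAMPLE_RULES = """\
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-w /etc/sudoers -p wa -k actions
"""


def a2_filter_matches(mask, flags):
    """auditctl's 'a2&MASK' filter fires when (a2 & MASK) is non-zero.

    01003 = O_WRONLY | O_RDWR | O_TRUNC, so any write-mode or truncating open
    matches and a plain O_RDONLY open does not."""
    return (flags & mask) != 0


def parse_syscall_rule(line):
    """Return (action, syscalls, filters) for an '-a ...' rule, else None.

    The key is dropped from the filters: it labels events but does not change
    which events are audited."""
    line = line.strip()
    if not line.startswith("-a "):
        return None
    toks = shlex.split(line)
    action, syscalls, filters = None, set(), set()
    i = 0
    while i < len(toks) - 1:
        flag, value = toks[i], toks[i + 1]
        if flag == "-a":
            action = value
        elif flag == "-S":
            syscalls.update(value.split(","))
        elif flag == "-F":
            if not value.startswith("key="):
                filters.add(value)
        elif flag != "-k":
            i += 1          # token this checker does not understand: skip it
            continue
        i += 2
    return action, syscalls, frozenset(filters)


def coverage(rules_text):
    """Map each (arch, syscall, exit) to the filter sets of rules auditing it."""
    covered = {}
    for line in rules_text.splitlines():
        parsed = parse_syscall_rule(line)
        if parsed is None or parsed[0] != "always,exit":
            continue
        _, syscalls, filters = parsed
        arch = next((f[5:] for f in filters if f.startswith("arch=")), None)
        exit_ = next((f[5:] for f in filters if f.startswith("exit=")), None)
        rest = frozenset(f for f in filters if not f.startswith(("arch=", "exit=")))
        for sc in syscalls:
            covered.setdefault((arch, sc, exit_), set()).add(rest)
    return covered


def missing_rules(rules_text, syscalls, extra_filters=(),
                  archs=("b32", "b64"), exits=("-EACCES", "-EPERM")):
    """Required combinations with no rule whose remaining filters are exactly
    auid>=1000, auid!=unset plus extra_filters (e.g. 'a2&01003')."""
    want = frozenset({"auid>=1000", "auid!=unset", *extra_filters})
    covered = coverage(rules_text)
    return sorted((a, s, e) for a in archs for s in syscalls for e in exits
                  if want not in covered.get((a, s, e), set()))


if __name__ == "__main__":
    print("open_by_handle_at O_TRUNC missing:",
          missing_rules(SAMPLE_RULES, ["open_by_handle_at"], ["a2&01003"]))
    print("openat missing:", missing_rules(SAMPLE_RULES, ["openat"]))
    print("rename missing:", missing_rules(SAMPLE_RULES, ["rename"]))
```

Two points the run makes visible. The grouped b32 rules satisfy the open_by_handle_at requirement but not the plain openat one, because their a2 mask narrows them to write-mode opens while the openat rule wants every failed open recorded; a rule that is stricter than required is not a substitute. And the mask is only meaningful where a2 is the flags argument: for open(2) the flags are in a1, so applying the same a2 mask to open tests its mode argument instead.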
Remediation Shell script:

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S rename -F exit=-EACCES.*"
	GROUP="access"
	FULL_RULE="-a always,exit -F arch=$ARCH -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S rename -F exit=-EPERM.*"
	GROUP="access"
	FULL_RULE="-a always,exit -F arch=$ARCH -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

#
# What architecture are we on?
#
- name: Set architecture for audit rename tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_rename
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_rename
  tags:
    - audit_rules_unsuccessful_file_modification_rename
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_rename.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_rename
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_rename.files | map(attribute='path') | list | first }}"
  when: find_rename.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_rename
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1

- name: Inserts/replaces the rename rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_rename
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the rename rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_rename
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the rename rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_rename
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the rename rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_rename
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1

Ensure auditd Collects System Administrator Actions

At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:

-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions

References: RHEL-07-030700 SV-86787r5_rule 1 11 12 13 14 15 16 18 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS06.03 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000126 CCI-000130 CCI-000135 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.2.2 4.3.3.3.9 4.3.3.5.1 4.3.3.5.2 4.3.3.5.8 4.3.3.6.6 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.1 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.6.2.1 A.6.2.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(7)(b) AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-3(1) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-1 PR.AC-3 PR.AC-4 PR.AC-6 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.2 Req-10.2.5.b SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215

Rationale: The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as for accountability purposes.

CCE-27461-3

Remediation Shell script:

# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/etc/sudoers" "wa" "actions"
fix_audit_watch_rule "augenrules" "/etc/sudoers" "wa" "actions"
fix_audit_watch_rule "auditctl" "/etc/sudoers.d" "wa" "actions"
fix_audit_watch_rule "augenrules" "/etc/sudoers.d" "wa" "actions"

Record Events that Modify the System's Network Environment

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification

References: 5.2.6 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.5.5

Rationale: The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.
CCE-27076-9

Remediation Shell script:

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S .* -k *"
	# Use escaped BRE regex to specify rule group
	GROUP="set\(host\|domain\)name"
	FULL_RULE="-a always,exit -F arch=$ARCH -S sethostname -S setdomainname -k audit_rules_networkconfig_modification"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

# Then perform the remediations for the watch rules
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/etc/issue" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "augenrules" "/etc/issue" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "auditctl" "/etc/issue.net" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "augenrules" "/etc/issue.net" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "auditctl" "/etc/hosts" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "augenrules" "/etc/hosts" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "auditctl" "/etc/sysconfig/network" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "augenrules" "/etc/sysconfig/network" "wa" "audit_rules_networkconfig_modification"

Record Events that Modify User/Group Information

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file, in order to capture events that modify account changes:

-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

This rule checks for multiple syscalls related to account changes; it was written with DISA STIG in mind. Other policies should use a separate rule for each syscall that needs to be checked. For example: audit_rules_usergroup_modification_group, audit_rules_usergroup_modification_gshadow, audit_rules_usergroup_modification_passwd.

References: RHEL-07-030710 SV-86789r4_rule 5.2.5 1 11 12 13 14 15 16 18 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS06.03 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000018 CCI-000172 CCI-001403 CCI-002130 4.2.3.10 4.3.2.6.7 4.3.3.2.2 4.3.3.3.9 4.3.3.5.1 4.3.3.5.2 4.3.3.5.8 4.3.3.6.6 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.1 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.6.2.1 A.6.2.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(4) AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-1 PR.AC-3 PR.AC-4 PR.AC-6 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.2.5 SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000241-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000476-GPOS-00221

Rationale: In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

CCE-27192-4

Remediation Shell script:

# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/etc/group" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "augenrules" "/etc/group" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "auditctl" "/etc/passwd" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "augenrules" "/etc/passwd" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "auditctl" "/etc/gshadow" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "augenrules" "/etc/gshadow" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "auditctl" "/etc/shadow" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "augenrules" "/etc/shadow" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "auditctl" "/etc/security/opasswd" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "augenrules" "/etc/security/opasswd" "wa" "audit_rules_usergroup_modification"

Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd

The audit system should collect write events to the /etc/passwd file for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example: -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify FAU_GEN.1.1.c Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group The audit system should collect write events to /etc/group file for all group and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

    -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify

References: FAU_GEN.1.1.c

Rationale: Creation of groups through direct editing of /etc/group could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Record Attempts to Alter Process and Session Initiation Information

The audit system already collects process information for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing such process information:

    -w /var/run/utmp -p wa -k session
    -w /var/log/btmp -p wa -k session
    -w /var/log/wtmp -p wa -k session

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing such process information:

    -w /var/run/utmp -p wa -k session
    -w /var/log/btmp -p wa -k session
    -w /var/log/wtmp -p wa -k session

References: 5.2.9 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.3

Rationale: Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
Identifiers: CCE-27301-1

Remediation Shell script:

    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_watch_rule "auditctl" "/var/run/utmp" "wa" "session"
    fix_audit_watch_rule "augenrules" "/var/run/utmp" "wa" "session"
    fix_audit_watch_rule "auditctl" "/var/log/btmp" "wa" "session"
    fix_audit_watch_rule "augenrules" "/var/log/btmp" "wa" "session"
    fix_audit_watch_rule "auditctl" "/var/log/wtmp" "wa" "session"
    fix_audit_watch_rule "augenrules" "/var/log/wtmp" "wa" "session"

Record Events that Modify User/Group Information via open syscall - /etc/passwd

The audit system should collect write events to /etc/passwd file for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S open -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

    -a always,exit -F arch=b64 -S open -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

    -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify

References: FAU_GEN.1.1.c

Rationale: Creation of users through direct editing of /etc/passwd could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
System Audit Logs Must Have Mode 0750 or Less Permissive

If log_group in /etc/audit/auditd.conf is set to a group other than the root group account, change the mode of the audit log files with the following command:

    $ sudo chmod 0750 /var/log/audit

Otherwise, change the mode of the audit log files with the following command:

    $ sudo chmod 0700 /var/log/audit

References: 1 11 12 13 14 15 16 18 19 3 4 5 6 7 8 APO01.06 APO11.04 APO12.06 BAI03.05 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 DSS06.02 MEA02.01 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.3.7.3 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 5.2 SR 6.1 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 AU-1(b) AU-9 IR-5 DE.AE-3 DE.AE-5 PR.AC-4 PR.DS-5 PR.PT-1 RS.AN-1 RS.AN-4

Rationale: If users can write to audit logs, audit trails can be modified or destroyed.

Remediation Shell script:

    # Only an uncommented log_group line counts; the awk pattern is anchored so a
    # commented-out "# log_group = ..." line cannot be picked up as the value.
    if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then
      GROUP=$(awk -F "=" '/^log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
      if ! [ "${GROUP}" == 'root' ] ; then
        chmod 0750 /var/log/audit
      else
        chmod 0700 /var/log/audit
      fi
    else
      chmod 0700 /var/log/audit
    fi

Record Events that Modify User/Group Information via openat syscall - /etc/group

The audit system should collect write events to /etc/group file for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

    -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

    -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify

References: FAU_GEN.1.1.c

Rationale: Creation of groups through direct editing of /etc/group could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Make the auditd Configuration Immutable

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to make the auditd configuration immutable:

    -e 2

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file in order to make the auditd configuration immutable:

    -e 2

With this setting, a reboot will be required to change any audit rules.
References: 4.1.18 1 11 12 13 14 15 16 18 19 3 4 5 6 7 8 5.4.1.1 APO01.06 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 BAI03.05 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 DSS06.02 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.3.1 3.4.3 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.310(a)(2)(iv) 164.312(d) 164.310(d)(2)(iii) 164.312(b) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.7.3 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 5.2 SR 6.1 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 AU-1(b) AU-2(a) AU-2(c) AU-2(d) IR-5 DE.AE-3 DE.AE-5 ID.SC-4 PR.AC-4 PR.DS-5 PR.PT-1 RS.AN-1 RS.AN-4 Req-10.5.2

Rationale: Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation.

Identifiers: CCE-27097-5

Remediation Shell script:

    # Traverse all of:
    #
    # /etc/audit/audit.rules,            (for auditctl case)
    # /etc/audit/rules.d/*.rules         (for augenrules case)
    #
    # files to check if '-e .*' setting is present in that '*.rules' file already.
    # If found, delete such occurrence since auditctl(8) manual page instructs the
    # '-e 2' rule should be placed as the last rule in the configuration.
    # The glob is quoted so the shell passes it to find instead of expanding it
    # against the current directory.
    find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';'

    # Append '-e 2' requirement at the end of both:
    # * /etc/audit/audit.rules file                 (for auditctl case)
    # * /etc/audit/rules.d/immutable.rules          (for augenrules case)
    for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules"
    do
      echo '' >> "$AUDIT_FILE"
      echo '# Set the audit.rules configuration immutable per security requirements' >> "$AUDIT_FILE"
      echo '# Reboot is required to change audit rules once this setting is applied' >> "$AUDIT_FILE"
      echo '-e 2' >> "$AUDIT_FILE"
    done

Record Events that Modify User/Group Information via open syscall - /etc/group

The audit system should collect write events to /etc/group file for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S open -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

    -a always,exit -F arch=b64 -S open -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient.
See the following example:

    -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify

References: FAU_GEN.1.1.c

Rationale: Creation of groups through direct editing of /etc/group could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Record Events that Modify User/Group Information - /etc/shadow

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

    -w /etc/shadow -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

    -w /etc/shadow -p wa -k audit_rules_usergroup_modification

References: RHEL-07-030873 SV-87823r4_rule 5.2.5 1 11 12 13 14 15 16 18 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS06.03 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000018 CCI-000172 CCI-001403 CCI-002130 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.2.2 4.3.3.3.9 4.3.3.5.1 4.3.3.5.2 4.3.3.5.8 4.3.3.6.6 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.1 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3
A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.6.2.1 A.6.2.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(4) AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-1 PR.AC-3 PR.AC-4 PR.AC-6 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.5 SRG-OS-000004-GPOS-00004

Rationale: In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Identifiers: CCE-80431-0

Remediation Shell script:

    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_watch_rule "auditctl" "/etc/shadow" "wa" "audit_rules_usergroup_modification"
    fix_audit_watch_rule "augenrules" "/etc/shadow" "wa" "audit_rules_usergroup_modification"

Remediation Ansible snippet:

    #
    # What architecture are we on?
    #
    - name: Set architecture for audit shadow tasks
      set_fact:
        audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
      tags:
        - audit_rules_usergroup_modification_shadow
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80431-0
        - NIST-800-53-AC-2(4)
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-2(a)
        - NIST-800-53-AU-2(c)
        - NIST-800-53-AU-2(d)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.5
        - CJIS-5.4.1.1
        - DISA-STIG-RHEL-07-030873
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    #
    # Inserts/replaces the rule in /etc/audit/rules.d
    #
    - name: Search /etc/audit/rules.d for other user/group modification audit rules
      find:
        paths: "/etc/audit/rules.d"
        recurse: no
        contains: "-k audit_rules_usergroup_modification$"
        patterns: "*.rules"
      register: find_shadow
      tags:
        - audit_rules_usergroup_modification_shadow
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80431-0
        - NIST-800-53-AC-2(4)
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-2(a)
        - NIST-800-53-AU-2(c)
        - NIST-800-53-AU-2(d)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.5
        - CJIS-5.4.1.1
        - DISA-STIG-RHEL-07-030873
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
      set_fact:
        all_files:
          - /etc/audit/rules.d/privileged.rules
      when: find_shadow.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - audit_rules_usergroup_modification_shadow
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80431-0
        - NIST-800-53-AC-2(4)
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-2(a)
        - NIST-800-53-AU-2(c)
        - NIST-800-53-AU-2(d)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.5
        - CJIS-5.4.1.1
        - DISA-STIG-RHEL-07-030873

    - name: Use matched file as the recipient for the rule
      set_fact:
        all_files:
          - "{{ find_shadow.files | map(attribute='path') | list | first }}"
      when: find_shadow.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - audit_rules_usergroup_modification_shadow
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80431-0
        - NIST-800-53-AC-2(4)
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-2(a)
        - NIST-800-53-AU-2(c)
        - NIST-800-53-AU-2(d)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.5
        - CJIS-5.4.1.1
        - DISA-STIG-RHEL-07-030873

    - name: Inserts/replaces the shadow rule in rules.d when on x86
      lineinfile:
        path: "{{ all_files[0] }}"
        line: "-w /etc/shadow -p wa -k audit_rules_usergroup_modification"
        create: yes
      tags:
        - audit_rules_usergroup_modification_shadow
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80431-0
        - NIST-800-53-AC-2(4)
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-2(a)
        - NIST-800-53-AU-2(c)
        - NIST-800-53-AU-2(d)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.5
        - CJIS-5.4.1.1
        - DISA-STIG-RHEL-07-030873
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    #
    # Inserts/replaces the rule in /etc/audit/audit.rules
    #
    - name: Inserts/replaces the shadow rule in /etc/audit/audit.rules
      lineinfile:
        line: "-w /etc/shadow -p wa -k audit_rules_usergroup_modification"
        state: present
        dest: /etc/audit/audit.rules
      tags:
        - audit_rules_usergroup_modification_shadow
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80431-0
        - NIST-800-53-AC-2(4)
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-2(a)
        - NIST-800-53-AU-2(c)
        - NIST-800-53-AU-2(d)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.5
        - CJIS-5.4.1.1
        - DISA-STIG-RHEL-07-030873
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Record Events that Modify User/Group Information via openat syscall - /etc/passwd

The audit system should collect write events to /etc/passwd file for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

    -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

    -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify

References: FAU_GEN.1.1.c

Rationale: Creation of users through direct editing of /etc/passwd could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Record Access Events to Audit Log directory

The audit system should collect access events to read audit log directory. The following audit rule will ensure that accesses to the audit log directory are collected.

    -a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rule to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rule to /etc/audit/audit.rules file.
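The grouping note repeated for the open, openat and open_by_handle_at rules above means a compliant rules file need not contain the exact line the guide prints, so a literal line match is not a reliable check of coverage. The following Python script is an added example, not code from the SCAP Security Guide or its OVAL checks: it expands each -a always,exit rule into one entry per syscall and reports which of the three open-family syscalls for a given path lack a rule carrying the guide's filters (a2&03, path=, auid>=1000, auid!=unset) and key. It also checks the placement of the -e 2 line that the "Make the auditd Configuration Immutable" rule above requires to be last. The sample rules text is constructed; a rule with extra narrowing filters is accepted rather than flagged.

```python
"""Coverage check for auditd syscall rules, tolerant of grouped -S lists.

Added example; not part of the SCAP Security Guide. SAMPLE_RULES below is a
constructed rules file, not a real /etc/audit/rules.d entry.
"""
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class SyscallRule:
    arch: str           # value of -F arch=, e.g. "b64"
    syscall: str        # one syscall name; grouped "-S a,b,c" rules are expanded
    filters: frozenset  # remaining -F expressions, e.g. "path=/etc/passwd", "a2&03"
    key: str            # from -F key= or -k


def _active_lines(text):
    """Non-blank lines with '#' comments stripped."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            out.append(line)
    return out


def parse_rules(text):
    """Expand every '-a always,exit' rule into one SyscallRule per syscall.

    Watches (-w) and control lines (-D, -b, -f, -e) are not syscall rules and
    are skipped here.
    """
    rules = []
    for line in _active_lines(text):
        if not line.startswith("-a "):
            continue
        toks = shlex.split(line)
        arch, key, syscalls, filters = None, None, [], set()
        i = 0
        while i < len(toks):
            tok = toks[i]
            if tok == "-S":
                syscalls.extend(toks[i + 1].split(","))
                i += 2
            elif tok == "-F":
                expr = toks[i + 1]
                if expr.startswith("arch="):
                    arch = expr[len("arch="):]
                elif expr.startswith("key="):
                    key = expr[len("key="):]
                else:
                    filters.add(expr)
                i += 2
            elif tok == "-k":
                key = toks[i + 1]
                i += 2
            else:
                i += 1
        for name in syscalls:
            rules.append(SyscallRule(arch, name, frozenset(filters), key))
    return rules


def covers(rules, arch, syscall, required_filters, key):
    """True if some rule matches arch, syscall and key and carries every
    required filter. Extra filters on the rule are accepted, not flagged."""
    required = set(required_filters)
    return any(r.arch == arch and r.syscall == syscall and r.key == key
               and required <= r.filters for r in rules)


def missing_open_rules(rules, arch, path, key):
    """The open-family syscalls for PATH (as the guide lists them) that no rule
    in RULES covers on ARCH; an empty list means the path is fully covered."""
    wanted = ("open", "openat", "open_by_handle_at")
    required = {"a2&03", "path=" + path, "auid>=1000", "auid!=unset"}
    return [s for s in wanted if not covers(rules, arch, s, required, key)]


def immutable_flag_is_last(text):
    """True when '-e 2' is the final active line of an auditctl-style rules
    file, the placement the guide's immutable-configuration rule calls for."""
    active = _active_lines(text)
    return bool(active) and active[-1].split() == ["-e", "2"]


# Constructed sample: a grouped rule fully covering /etc/passwd on b64, and a
# lone "open" rule for /etc/group, so openat/open_by_handle_at are uncovered.
SAMPLE_RULES = """\
## constructed sample, not a real rules file
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S open -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -k group-modify
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
"""


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for path, key in (("/etc/passwd", "user-modify"), ("/etc/group", "group-modify")):
        gap = missing_open_rules(parsed, "b64", path, key)
        print(path, "covered" if not gap else "missing: " + ", ".join(gap))
    print("-e 2 last:", immutable_flag_is_last(SAMPLE_RULES))
```

To run it against a live system, concatenate the text of /etc/audit/rules.d/*.rules (augenrules case) or read /etc/audit/audit.rules (auditctl case) and pass that to parse_rules; the rules that auditd actually loaded can differ from what is on disk, so auditctl -l output is the more authoritative input when available.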
References: FAU_GEN.1.1.c

Rationale: Attempts to read the logs should be recorded; suspicious access to audit log files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Ensure auditd Collects Information on Exporting to Media (successful)

At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:

    -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:

    -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export

References: RHEL-07-030740 SV-86795r6_rule 5.2.13 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000135 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-3(1) AU-12(a) AU-12(c)
IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.2.7 SRG-OS-000042-GPOS-00020 SRG-OS-000392-GPOS-00172

Rationale: The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.

Identifiers: CCE-27447-2

Remediation Shell script:

    # Perform the remediation of the syscall rule
    # Retrieve hardware architecture of the underlying system
    [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

    for ARCH in "${RULE_ARCHS[@]}"
    do
      PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=1000 -F auid!=unset -k *"
      GROUP="mount"
      FULL_RULE="-a always,exit -F arch=$ARCH -S mount -F auid>=1000 -F auid!=unset -k export"
      # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
      fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
      fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    done

Record Events that Modify User/Group Information - /etc/security/opasswd

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

    -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

    -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

References: RHEL-07-030874 SV-87825r5_rule 5.2.5 1 11 12 13 14 15 16 18 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04
DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS06.03 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000018 CCI-000172 CCI-001403 CCI-002130 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.2.2 4.3.3.3.9 4.3.3.5.1 4.3.3.5.2 4.3.3.5.8 4.3.3.6.6 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.1 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.6.2.1 A.6.2.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(4) AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-1 PR.AC-3 PR.AC-4 PR.AC-6 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.5 SRG-OS-000004-GPOS-00004

Rationale: In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Identifiers: CCE-80430-2

Remediation Shell script:

    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_watch_rule "auditctl" "/etc/security/opasswd" "wa" "audit_rules_usergroup_modification"
    fix_audit_watch_rule "augenrules" "/etc/security/opasswd" "wa" "audit_rules_usergroup_modification"

Remediation Ansible snippet:

    #
    # What architecture are we on?
    #
    - name: Set architecture for audit opasswd tasks
      set_fact:
        audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
      tags:
        - audit_rules_usergroup_modification_opasswd
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80430-2
        - NIST-800-53-AC-2(4)
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-2(a)
        - NIST-800-53-AU-2(c)
        - NIST-800-53-AU-2(d)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.5
        - CJIS-5.4.1.1
        - DISA-STIG-RHEL-07-030874
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    #
    # Inserts/replaces the rule in /etc/audit/rules.d
    #
    - name: Search /etc/audit/rules.d for other user/group modification audit rules
      find:
        paths: "/etc/audit/rules.d"
        recurse: no
        contains: "-k audit_rules_usergroup_modification$"
        patterns: "*.rules"
      register: find_opasswd
      tags:
        - audit_rules_usergroup_modification_opasswd
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80430-2
        - NIST-800-53-AC-2(4)
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-2(a)
        - NIST-800-53-AU-2(c)
        - NIST-800-53-AU-2(d)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.5
        - CJIS-5.4.1.1
        - DISA-STIG-RHEL-07-030874
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
      set_fact:
        all_files:
          - /etc/audit/rules.d/privileged.rules
      when: find_opasswd.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - audit_rules_usergroup_modification_opasswd
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80430-2
        - NIST-800-53-AC-2(4)
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-2(a)
        - NIST-800-53-AU-2(c)
        - NIST-800-53-AU-2(d)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.5
        - CJIS-5.4.1.1
        - DISA-STIG-RHEL-07-030874

    - name: Use matched file as the recipient for the rule
      set_fact:
        all_files:
          - "{{ find_opasswd.files | map(attribute='path') | list | first }}"
      when: find_opasswd.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - audit_rules_usergroup_modification_opasswd
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80430-2
        - NIST-800-53-AC-2(4)
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-2(a)
        - NIST-800-53-AU-2(c)
        - NIST-800-53-AU-2(d)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.5
        - CJIS-5.4.1.1
        - DISA-STIG-RHEL-07-030874

    - name: Inserts/replaces the opasswd rule in rules.d when on x86
      lineinfile:
        path: "{{ all_files[0] }}"
        line: "-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification"
        create: yes
      tags:
        - audit_rules_usergroup_modification_opasswd
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80430-2
        - NIST-800-53-AC-2(4)
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-2(a)
        - NIST-800-53-AU-2(c)
        - NIST-800-53-AU-2(d)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.5
        - CJIS-5.4.1.1
        - DISA-STIG-RHEL-07-030874
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    #
    # Inserts/replaces the rule in /etc/audit/audit.rules
    #
    - name: Inserts/replaces the opasswd rule in /etc/audit/audit.rules
      lineinfile:
        line: "-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification"
        state: present
        dest: /etc/audit/audit.rules
      tags:
        - audit_rules_usergroup_modification_opasswd
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80430-2
        - NIST-800-53-AC-2(4)
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-2(a)
        - NIST-800-53-AU-2(c)
        - NIST-800-53-AU-2(d)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.2.5
        - CJIS-5.4.1.1
        - DISA-STIG-RHEL-07-030874
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

System Audit Logs Must Be Owned By Root

All audit logs must be owned by root user and group. By default, the path for audit log is /var/log/audit/. To properly set the owner of /var/log/audit, run the command:

    $ sudo chown root /var/log/audit

To properly set the owner of /var/log/audit/*, run the command:

    $ sudo chown root /var/log/audit/*

References: 1 11 12 13 14 15 16 18 19 3 4 5 6 7 8 5.4.1.1 APO01.06 APO11.04 APO12.06 BAI03.05 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 DSS06.02 MEA02.01 3.3.1 CCI-000163 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.3.7.3 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 5.2 SR 6.1 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 AU-1(b) AU-9 IR-5 DE.AE-3 DE.AE-5 PR.AC-4 PR.DS-5 PR.PT-1 RS.AN-1 RS.AN-4 Req-10.5.1 SRG-OS-000058-GPOS-00028

Rationale: Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.

Identifiers: CCE-80125-8

Remediation Shell script:

    # Only an uncommented log_group line counts; the awk pattern is anchored so a
    # commented-out "# log_group = ..." line cannot be picked up as the value.
    if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then
      GROUP=$(awk -F "=" '/^log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
      if ! [ "${GROUP}" == 'root' ] ; then
        chown "root.${GROUP}" /var/log/audit
        chown "root.${GROUP}" /var/log/audit/audit.log*
      else
        chown root.root /var/log/audit
        chown root.root /var/log/audit/audit.log*
      fi
    else
      chown root.root /var/log/audit
      chown root.root /var/log/audit/audit.log*
    fi

Record Events that Modify the System's Mandatory Access Controls

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -w /etc/selinux/ -p wa -k MAC-policy

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

    -w /etc/selinux/ -p wa -k MAC-policy

References: 5.2.7 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.8 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.5.5

Rationale: The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.
Identifiers: CCE-27168-4

Remediation Shell script:

```bash
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# (fix_audit_watch_rule is a helper from the SSG shared remediation library,
# not shown here)
fix_audit_watch_rule "auditctl" "/etc/selinux/" "wa" "MAC-policy"
fix_audit_watch_rule "augenrules" "/etc/selinux/" "wa" "MAC-policy"
```

Shutdown System When Auditing Failures Occur

Description: If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -f 2

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the top of the /etc/audit/audit.rules file:

    -f 2

References: DISA STIG ID RHEL-07-030010; STIG rule SV-86705r4_rule; CIS Controls 1, 14, 15, 16, 3, 5, 6; COBIT 5 APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01; NIST 800-171 3.3.1, 3.3.4; CCI-000139; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA-62443-2013 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2009 SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9; ISO 27001-2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1; NIST 800-53 AU-5, AU-5(b); NIST CSF PR.PT-1; SRG SRG-OS-000046-GPOS-00022, SRG-OS-000047-GPOS-00023

Rationale: It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.

Identifiers: CCE-80997-0

Remediation Shell script:

```bash
# Traverse all of:
#
# /etc/audit/audit.rules,            (for auditctl case)
# /etc/audit/rules.d/*.rules         (for augenrules case)
#
# files to check if '-f .*' setting is present in that '*.rules' file already.
# If found, delete such occurrence since auditctl(8) manual page instructs the
# '-f 2' rule should be placed as the last rule in the configuration
find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';'

# Append '-f 2' requirement at the end of both:
# * /etc/audit/audit.rules file        (for auditctl case)
# * /etc/audit/rules.d/immutable.rules (for augenrules case)
for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules"
do
  echo '' >> "$AUDIT_FILE"
  echo '# Set the audit.rules configuration to halt system upon audit failure per security requirements' >> "$AUDIT_FILE"
  echo '-f 2' >> "$AUDIT_FILE"
done
```

System Audit Logs Must Have Mode 0640 or Less Permissive

Description: If log_group in /etc/audit/auditd.conf is set to a group other than the root group account, change the mode of the audit log files with the following command:

    $ sudo chmod 0640 audit_file

Otherwise, change the mode of the audit log files with the following command:

    $ sudo chmod 0600 audit_file

References: CIS Controls 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8; CJIS 5.4.1.1; COBIT 5 APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01; NIST 800-171 3.3.1; ISA-62443-2013 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2009 SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1; ISO 27001-2013 A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5; NIST 800-53 AC-6, AU-1(b), AU-9, IR-5; NIST CSF DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4; PCI-DSS Req-10.5

Rationale: If users can write to audit logs, audit trails can be modified or destroyed.

Identifiers: CCE-27205-4

Remediation Shell script:

```bash
# Only an uncommented log_group line in auditd.conf selects a log group.
if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then
  GROUP=$(awk -F "=" '/^log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
  if [ "${GROUP}" != 'root' ] ; then
    # a dedicated log group keeps group read access to the logs
    chmod 0640 /var/log/audit/audit.log
    chmod 0440 /var/log/audit/audit.log.*
  else
    chmod 0600 /var/log/audit/audit.log
    chmod 0400 /var/log/audit/audit.log.*
  fi
  chmod 0640 /etc/audit/audit*
  chmod 0640 /etc/audit/rules.d/*
else
  chmod 0600 /var/log/audit/audit.log
  chmod 0400 /var/log/audit/audit.log.*
  chmod 0640 /etc/audit/audit*
  chmod 0640 /etc/audit/rules.d/*
fi
```

Record Events that Modify User/Group Information - /etc/gshadow

Description: If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

    -w /etc/gshadow -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file, in order to capture events that modify account changes:

    -w /etc/gshadow -p wa -k audit_rules_usergroup_modification

References: DISA STIG ID RHEL-07-030872; STIG rule SV-87819r4_rule; CIS RHEL 7 Benchmark 5.2.5; CIS Controls 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9; CJIS 5.4.1.1; COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST 800-171 3.1.7; CCI-000018, CCI-000172, CCI-001403, CCI-002130; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA-62443-2013 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2009 SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; ISO 27001-2013 A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5; NIST 800-53 AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5; NIST CSF DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; OSPP FAU_GEN.1.1.c; PCI-DSS Req-10.2.5; SRG SRG-OS-000004-GPOS-00004

Rationale: In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Identifiers: CCE-80432-8

Remediation Shell script:

```bash
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# (fix_audit_watch_rule is a helper from the SSG shared remediation library,
# not shown here)
fix_audit_watch_rule "auditctl" "/etc/gshadow" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "augenrules" "/etc/gshadow" "wa" "audit_rules_usergroup_modification"
```

Remediation Ansible snippet:

```yaml
#
# What architecture are we on?
#
- name: Set architecture for audit gshadow tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_usergroup_modification_gshadow
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80432-8
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030872
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other user/group modification audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-k audit_rules_usergroup_modification$"
    patterns: "*.rules"
  register: find_gshadow
  tags:
    - audit_rules_usergroup_modification_gshadow
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80432-8
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030872
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_gshadow.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_usergroup_modification_gshadow
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80432-8
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030872

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_gshadow.files | map(attribute='path') | list | first }}"
  when: find_gshadow.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_usergroup_modification_gshadow
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80432-8
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030872

- name: Inserts/replaces the gshadow rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-w /etc/gshadow -p wa -k audit_rules_usergroup_modification"
    create: yes
  tags:
    - audit_rules_usergroup_modification_gshadow
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80432-8
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030872
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the gshadow rule in /etc/audit/audit.rules
  lineinfile:
    line: "-w /etc/gshadow -p wa -k audit_rules_usergroup_modification"
    state: present
    dest: /etc/audit/audit.rules
  tags:
    - audit_rules_usergroup_modification_gshadow
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80432-8
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030872
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Record Events that Modify User/Group Information - /etc/passwd

Description: If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

    -w /etc/passwd -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file, in order to capture events that modify account changes:

    -w /etc/passwd -p wa -k audit_rules_usergroup_modification

References: DISA STIG ID RHEL-07-030870; STIG rule SV-86821r5_rule; CIS RHEL 7 Benchmark 5.2.5; CIS Controls 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9; CJIS 5.4.1.1; COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST 800-171 3.1.7; CCI-000018, CCI-000172, CCI-001403, CCI-002130; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA-62443-2013 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2009 SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; ISO 27001-2013 A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5; NIST 800-53 AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5; NIST CSF DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; OSPP FAU_GEN.1.1.c; PCI-DSS Req-10.2.5; SRG SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221

Rationale: In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
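As an added check (example code, not part of the SCAP Security Guide), the following shell functions merge a rules.d directory the way augenrules does and verify that the watches from the opasswd, MAC-policy, gshadow and passwd rules above (plus the /etc/group watch covered by the next rule) are present with `-p wa`, and that `-f 2` is the last rule processed; the sample rule files it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not SSG code): check a loaded audit rule set for the watches
# and the failure-mode rule this guide requires. The sample files are constructed.

# Paths that must carry a '-w PATH -p wa' watch (opasswd, gshadow, passwd,
# group and the SELinux policy directory, from the rules in this section).
REQUIRED_WATCHES='/etc/security/opasswd /etc/gshadow /etc/passwd /etc/group /etc/selinux/'

# Print the effective rule text: $1 is either /etc/audit/audit.rules (auditctl
# case) or a rules.d directory, whose *.rules files are merged in sorted name
# order as augenrules does. Comment and blank lines are dropped.
load_rules() {
  if [ -f "$1" ]; then
    cat "$1"
  else
    for f in "$1"/*.rules; do
      [ -f "$f" ] && cat "$f"
    done
  fi | grep -v '^[[:space:]]*#' | sed '/^[[:space:]]*$/d'
}

# Print the -p permission string of every watch on path $2 in rule set $1.
watch_perms() {
  load_rules "$1" | awk -v path="$2" \
    '$1 == "-w" && $2 == path { for (i = 3; i < NF; i++) if ($i == "-p") print $(i + 1) }'
}

# Succeed only if some watch on $2 audits both writes (w) and attribute changes (a).
has_wa_watch() {
  case "$(watch_perms "$1" "$2")" in
    *w*a*|*a*w*) return 0 ;;
  esac
  return 1
}

# The guide requires '-f 2' to be the last rule processed; with augenrules that
# means the last non-comment line of the merged, name-sorted files.
failure_flag_last() {
  [ "$(load_rules "$1" | tail -n 1 | awk '{ print $1, $2 }')" = "-f 2" ]
}

# Report every finding; return 0 only if the rule set passes all checks.
check_audit_rules() {
  rc=0
  for path in $REQUIRED_WATCHES; do
    if has_wa_watch "$1" "$path"; then
      echo "ok      watch on $path"
    else
      echo "MISSING watch on $path (need -p wa)"
      rc=1
    fi
  done
  if failure_flag_last "$1"; then
    echo "ok      '-f 2' is the last rule"
  else
    echo "FAIL    '-f 2' must be the last rule"
    rc=1
  fi
  return $rc
}

# Constructed sample rule sets under scratch directory $1: 'good' is compliant,
# 'bad' has a read-only gshadow watch and sorts '-f 2' before other rules.
make_samples() {
  mkdir -p "$1/good" "$1/bad"
  cat > "$1/good/10-usergroup.rules" <<'EOF'
# constructed sample mirroring the watches in this guide
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/selinux/ -p wa -k MAC-policy
EOF
  echo '-f 2' > "$1/good/99-finalize.rules"
  echo '-f 2' > "$1/bad/10-finalize.rules"
  sed 's#/etc/gshadow -p wa#/etc/gshadow -p r#' "$1/good/10-usergroup.rules" \
    > "$1/bad/20-usergroup.rules"
}

scratch=$(mktemp -d)
make_samples "$scratch"
echo "== good rule set"
check_audit_rules "$scratch/good"
echo "== bad rule set"
check_audit_rules "$scratch/bad" || echo "(non-compliant, as expected)"
rm -rf "$scratch"
```

Point check_audit_rules at /etc/audit/rules.d (augenrules) or /etc/audit/audit.rules (auditctl) to audit a real host.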
Identifiers: CCE-80435-1

Remediation Shell script:

```bash
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# (fix_audit_watch_rule is a helper from the SSG shared remediation library,
# not shown here)
fix_audit_watch_rule "auditctl" "/etc/passwd" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "augenrules" "/etc/passwd" "wa" "audit_rules_usergroup_modification"
```

Remediation Ansible snippet:

```yaml
#
# What architecture are we on?
#
- name: Set architecture for audit passwd tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_usergroup_modification_passwd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80435-1
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030870
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other user/group modification audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-k audit_rules_usergroup_modification$"
    patterns: "*.rules"
  register: find_passwd
  tags:
    - audit_rules_usergroup_modification_passwd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80435-1
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030870
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_passwd.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_usergroup_modification_passwd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80435-1
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030870

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_passwd.files | map(attribute='path') | list | first }}"
  when: find_passwd.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_usergroup_modification_passwd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80435-1
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030870

- name: Inserts/replaces the passwd rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-w /etc/passwd -p wa -k audit_rules_usergroup_modification"
    create: yes
  tags:
    - audit_rules_usergroup_modification_passwd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80435-1
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030870
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the passwd rule in /etc/audit/audit.rules
  lineinfile:
    line: "-w /etc/passwd -p wa -k audit_rules_usergroup_modification"
    state: present
    dest: /etc/audit/audit.rules
  tags:
    - audit_rules_usergroup_modification_passwd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80435-1
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030870
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Record Events that Modify User/Group Information - /etc/group

Description: If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

    -w /etc/group -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file, in order to capture events that modify account changes:

    -w /etc/group -p wa -k audit_rules_usergroup_modification

References: DISA STIG ID RHEL-07-030871; STIG rule SV-87817r3_rule; CIS RHEL 7 Benchmark 5.2.5; CIS Controls 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9; CJIS 5.4.1.1; COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST 800-171 3.1.7; CCI-000018, CCI-000172, CCI-001403, CCI-002130; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA-62443-2013 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2009 SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; ISO 27001-2013 A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5; NIST 800-53 AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5; NIST CSF DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; OSPP FAU_GEN.1.1.c; PCI-DSS Req-10.2.5; SRG SRG-OS-000004-GPOS-00004

Rationale: In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Identifiers: CCE-80433-6

Remediation Shell script:

```bash
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# (fix_audit_watch_rule is a helper from the SSG shared remediation library,
# not shown here)
fix_audit_watch_rule "auditctl" "/etc/group" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "augenrules" "/etc/group" "wa" "audit_rules_usergroup_modification"
```

Remediation Ansible snippet:

```yaml
#
# What architecture are we on?
#
- name: Set architecture for audit group tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_usergroup_modification_group
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80433-6
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030871
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other user/group modification audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-k audit_rules_usergroup_modification$"
    patterns: "*.rules"
  register: find_group
  tags:
    - audit_rules_usergroup_modification_group
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80433-6
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030871
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_group.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_usergroup_modification_group
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80433-6
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030871

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_group.files | map(attribute='path') | list | first }}"
  when: find_group.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_usergroup_modification_group
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80433-6
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030871

- name: Inserts/replaces the group rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-w /etc/group -p wa -k audit_rules_usergroup_modification"
    create: yes
  tags:
    - audit_rules_usergroup_modification_group
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80433-6
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030871
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the group rule in /etc/audit/audit.rules
  lineinfile:
    line: "-w /etc/group -p wa -k audit_rules_usergroup_modification"
    state: present
    dest: /etc/audit/audit.rules
  tags:
    - audit_rules_usergroup_modification_group
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80433-6
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030871
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Extend Audit Backlog Limit for the Audit Daemon

Description: To improve the kernel's capacity to queue all log events, even those which occurred prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:

    GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 audit=1 audit_backlog_limit=8192"

The GRUB 2 configuration file, grub.cfg, is automatically updated each time a new kernel is installed. Note that any changes to /etc/default/grub require rebuilding the grub.cfg file. To update the GRUB 2 configuration file manually, use the grub2-mkconfig -o command as follows:

On BIOS-based machines, issue the following command as root:

    ~]# grub2-mkconfig -o /boot/grub2/grub.cfg

On UEFI-based machines, issue the following command as root:

    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

Rationale: audit_backlog_limit sets the queue length for audit events awaiting transfer to the audit daemon. Until the audit daemon is up and running, all log messages are stored in this queue. If the queue is overrun during the boot process, the action defined by the audit failure flag is taken.
Remediation Shell script:

```bash
# Correct the form of default kernel command line in GRUB
if grep -q '^GRUB_CMDLINE_LINUX=.*audit_backlog_limit=.*"' '/etc/default/grub' ; then
  # modify the GRUB command-line if an audit_backlog_limit= arg already exists
  sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)audit_backlog_limit=[^[:space:]]*\(.*"\)/\1 audit_backlog_limit=8192 \2/' '/etc/default/grub'
else
  # no audit_backlog_limit=arg is present, append it
  sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 audit_backlog_limit=8192"/' '/etc/default/grub'
fi

# Correct the form of kernel command line for each installed kernel in the bootloader
grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
```

Enable Auditing for Processes Which Start Prior to the Audit Daemon

Description: To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:

    GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 audit=1"

The GRUB 2 configuration file, grub.cfg, is automatically updated each time a new kernel is installed. Note that any changes to /etc/default/grub require rebuilding the grub.cfg file. To update the GRUB 2 configuration file manually, use the grub2-mkconfig -o command as follows:

On BIOS-based machines, issue the following command as root:

    ~]# grub2-mkconfig -o /boot/grub2/grub.cfg

On UEFI-based machines, issue the following command as root:

    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

References: CIS RHEL 7 Benchmark 4.1.3; CIS Controls 1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8; CJIS 5.4.1.1; COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.02, DSS05.03, DSS05.04, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST 800-171 3.3.1; CCI-001464, CCI-000130; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b); ISA-62443-2013 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2009 SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 7.1, SR 7.6; ISO 27001-2013 A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; NIST 800-53 AC-17(1), AU-14(1), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-10, AU-12, IR-5; NIST CSF DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; PCI-DSS Req-10.3

Rationale: Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.
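To verify the two boot-time settings this guide asks for (audit=1 here and audit_backlog_limit=8192 in the previous rule) on an actual kernel command line, here is an added shell check that is not part of SSG; the sample command lines and the sample grub file it reads are constructed, and it treats the last occurrence of a repeated parameter as the effective one, which is how the kernel's setup handlers for these two options behave.

```shell
#!/bin/sh
# Added example (not SSG code): check that a kernel command line carries the
# boot-time audit settings this guide requires. Sample inputs are constructed.

# Print the value of the LAST 'key=value' token in command line $1 for key $2.
# The kernel's setup handlers for audit= and audit_backlog_limit= run once per
# occurrence, so a later 'audit=0' would override an earlier 'audit=1'.
kernel_arg() {
  printf '%s\n' "$1" | tr ' ' '\n' \
    | awk -F= -v key="$2" '$1 == key { val = $2 } END { if (val != "") print val }'
}

# Print the quoted value of the last GRUB_CMDLINE_LINUX line in a
# /etc/default/grub style file ($1), the line the guide's remediation edits.
grub_cmdline() {
  sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Return 0 when auditing is enabled from boot and the backlog queue is at least
# $2 entries (default 8192, the value this guide sets); explain otherwise.
audit_cmdline_ok() {
  min=${2:-8192}
  audit=$(kernel_arg "$1" audit)
  backlog=$(kernel_arg "$1" audit_backlog_limit)
  if [ "$audit" != "1" ]; then
    echo "FAIL: audit=1 not in effect (found '${audit:-none}')"
    return 1
  fi
  case "$backlog" in
    ''|*[!0-9]*)
      echo "FAIL: audit_backlog_limit missing or not numeric"
      return 1 ;;
  esac
  if [ "$backlog" -lt "$min" ]; then
    echo "FAIL: audit_backlog_limit=$backlog is below $min"
    return 1
  fi
  echo "ok: audit=$audit audit_backlog_limit=$backlog"
}

# Constructed command lines: the guide's example, one where a trailing audit=0
# silently wins, and one with a backlog far below the required size.
GOOD='BOOT_IMAGE=/vmlinuz-3.10.0 crashkernel=auto rhgb quiet rd.shell=0 audit=1 audit_backlog_limit=8192'
OVERRIDDEN='crashkernel=auto audit=1 audit_backlog_limit=8192 quiet audit=0'
SMALL_QUEUE='crashkernel=auto quiet audit=1 audit_backlog_limit=320'

for cmdline in "$GOOD" "$OVERRIDDEN" "$SMALL_QUEUE"; do
  audit_cmdline_ok "$cmdline" || true
done

# Constructed /etc/default/grub fragment, checked the same way.
grub_file=$(mktemp)
cat > "$grub_file" <<'EOF'
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet rd.shell=0 audit=1 audit_backlog_limit=8192"
EOF
audit_cmdline_ok "$(grub_cmdline "$grub_file")" || true
rm -f "$grub_file"

# On a live system the booted kernel's line is in /proc/cmdline.
if [ -r /proc/cmdline ]; then
  audit_cmdline_ok "$(cat /proc/cmdline)" || true
fi
```

Checking /proc/cmdline as well as /etc/default/grub catches the case where grub.cfg was never rebuilt after the edit.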
Identifier: CCE-27212-0
Remediation Shell script:
# Correct the form of default kernel command line in GRUB
if grep -q '^GRUB_CMDLINE_LINUX=.*audit=.*"' '/etc/default/grub' ; then
    # modify the GRUB command-line if an audit= arg already exists
    sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)audit=[^[:space:]]*\(.*"\)/\1 audit=1 \2/' '/etc/default/grub'
else
    # no audit=arg is present, append it
    sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 audit=1"/' '/etc/default/grub'
fi
# Correct the form of kernel command line for each installed kernel in the bootloader
grubby --update-kernel=ALL --args="audit=1"

Install the auditd service
The auditd service should be installed.
References: NT28(R50)
Rationale: The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.

Enable auditd Service
The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following command:
$ sudo systemctl enable auditd.service
References: RHEL-07-030000 SV-86703r3_rule 4.1.2 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.3.1 3.3.2 3.3.6 CCI-000126 CCI-000131 164.308(a)(1)(ii)(D) 164.308(a)(5)(ii)(C) 164.310(a)(2)(iv) 164.310(d)(2)(iii) 164.312(b) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-2(g) AU-3 AC-17(1) AU-1(b) AU-10 AU-12(a) AU-12(c) AU-14(1) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.1 SRG-OS-000038-GPOS-00016 SRG-OS-000039-GPOS-00017 SRG-OS-000042-GPOS-00021 SRG-OS-000254-GPOS-00095 SRG-OS-000255-GPOS-00096 SRG-OS-000037-VMM-000150 SRG-OS-000063-VMM-000310
Rationale: Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the auditd service is active ensures audit records generated by the kernel are appropriately recorded. Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
Identifier: CCE-27407-6
Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'auditd.service'
"$SYSTEMCTL_EXEC" enable 'auditd.service'
Remediation Ansible snippet:
- name: Enable service auditd
  service:
    name: auditd
    enabled: "yes"
    state: "started"
  tags:
    - service_auditd_enabled
    - high_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-27407-6
    - NIST-800-53-AC-2(g)
    - NIST-800-53-AU-3
    - NIST-800-53-AC-17(1)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-10
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-14(1)
    - NIST-800-53-IR-5
    - NIST-800-171-3.3.1
    - NIST-800-171-3.3.2
    - NIST-800-171-3.3.6
    - PCI-DSS-Req-10.1
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030000
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure Syslog
The syslog service has been the default Unix logging mechanism for many years. It has a number of downsides, including inconsistent log format, lack of authentication for received messages, and lack of authentication, encryption, or reliable transport for messages sent over a network. However, due to its long history, syslog is a de facto standard which is supported by almost all Unix applications.
In Red Hat Enterprise Linux 7, rsyslog has replaced ksyslogd as the syslog daemon of choice, and it includes some additional security features such as reliable, connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server. This section discusses how to configure rsyslog for best effect, and how to use tools provided with the system to maintain and monitor logs.

Rsyslog Logs Sent To Remote Host
If system logs are to be useful in detecting malicious activities, it is necessary to send logs to a remote server. An intruder who has compromised the root account on a system may delete the log entries which indicate that the system was attacked before they are seen by an administrator. However, it is recommended that logs be stored on the local host in addition to being sent to the loghost, especially if rsyslog has been configured to use the UDP protocol to send messages over a network. UDP does not guarantee reliable delivery, and moderately busy sites will lose log messages occasionally, especially in periods of high traffic which may be the result of an attack. In addition, remote rsyslog messages are not authenticated in any way by default, so it is easy for an attacker to introduce spurious messages to the central log server. Also, some problems cause loss of network connectivity, which will prevent the sending of messages to the central server. For all of these reasons, it is better to store log messages both centrally and on each host, so that they can be correlated if necessary.

Remote Log Server
Specify a URI or IP address of a remote host where the log messages will be sent and stored.
Options: logcollector

Ensure Logs Sent To Remote Host
To configure rsyslog to send logs to a remote log server, open /etc/rsyslog.conf and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging.
Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting loghost.example.com appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.
To use UDP for log message delivery:
*.* @loghost.example.com
To use TCP for log message delivery:
*.* @@loghost.example.com
To use RELP for log message delivery:
*.* :omrelp:loghost.example.com
There must be a resolvable DNS CNAME or Alias record set to "" for logs to be sent correctly to the centralized logging utility.
References: RHEL-07-031000 SV-86833r2_rule 4.2.1.4 1 13 14 15 16 2 3 5 6 APO11.04 APO13.01 BAI03.05 BAI04.04 DSS05.04 DSS05.07 MEA02.01 CCI-000366 CCI-001348 CCI-000136 CCI-001851 164.308(a)(1)(ii)(D) 164.308(a)(5)(ii)(B) 164.308(a)(5)(ii)(C) 164.308(a)(6)(ii) 164.308(a)(8) 164.310(d)(2)(iii) 164.312(b) 164.314(a)(2)(i)(C) 164.314(a)(2)(iii) 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 7.1 SR 7.2 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.17.2.1 AU-3(2) AU-4(1) AU-9 PR.DS-4 PR.PT-1 FAU_GEN.1.1.c SRG-OS-000480-GPOS-00227 SRG-OS-000032-VMM-000130
Rationale: A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.
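The points made above (forward to a loghost, prefer TCP or RELP over UDP, keep local copies, and do not load network input modules on a client) can be checked in an rsyslog configuration file before the daemon is restarted. The script below is an added example, not part of the SCAP Security Guide; it assumes the legacy "*.* @host" rule syntax plus the RainerScript module(load="...") form, and runs only against the constructed sample files it writes itself.

```shell
#!/bin/sh
# Added example (not from the SCAP Security Guide): inspect an rsyslog
# configuration file for the properties the remote-logging rule calls for.
# Only file paths passed as arguments are read; nothing on the host is changed.

# Print the transport of the first catch-all forwarding rule in CONF:
# "relp" for ":omrelp:host", "tcp" for "@@host", "udp" for "@host", else "none".
rsyslog_forward_transport() {
    conf="$1"
    if grep -Eq '^[[:space:]]*\*\.\*[[:space:]]+:omrelp:' "$conf"; then
        echo relp
    elif grep -Eq '^[[:space:]]*\*\.\*[[:space:]]+@@' "$conf"; then
        echo tcp
    elif grep -Eq '^[[:space:]]*\*\.\*[[:space:]]+@[^@]' "$conf"; then
        echo udp
    else
        echo none
    fi
}

# Exit 0 when CONF still writes at least one selector to a file under
# /var/log, i.e. a local copy is kept alongside the remote one.
rsyslog_keeps_local_copy() {
    grep -Eq '^[[:space:]]*[^#$[:space:]][^[:space:]]*[[:space:]]+-?/var/log/' "$1"
}

# Print the network input modules loaded in CONF, one per line, in file order.
# Commented-out lines ("#$ModLoad imudp", the RHEL 7 default) do not count.
rsyslog_network_inputs() {
    sed -nE \
        -e 's/^[[:space:]]*\$ModLoad[[:space:]]+(imudp|imtcp|imrelp)([[:space:]].*)?$/\1/p' \
        -e 's/^[[:space:]]*module\(load="(imudp|imtcp|imrelp)".*/\1/p' "$1"
}

# Human-readable verdict for CONF.
rsyslog_report() {
    conf="$1"
    transport=$(rsyslog_forward_transport "$conf")
    case "$transport" in
        none) echo "$conf: no remote loghost configured" ;;
        udp)  echo "$conf: forwards over UDP (unreliable, unauthenticated)" ;;
        *)    echo "$conf: forwards over $transport" ;;
    esac
    if rsyslog_keeps_local_copy "$conf"; then
        echo "$conf: local copies under /var/log are kept"
    else
        echo "$conf: WARNING no local log files are written"
    fi
    inputs=$(rsyslog_network_inputs "$conf" | tr '\n' ' ')
    [ -n "$inputs" ] && echo "$conf: listens on the network via: $inputs"
    return 0
}

# Constructed sample configurations (not real host files), written to DIR.
write_sample_confs() {
    cat > "$1/client-udp.conf" <<'EOF'
# RHEL 7 style client that also keeps local copies
#$ModLoad imudp
*.info;mail.none;authpriv.none;cron.none  /var/log/messages
authpriv.*                                /var/log/secure
mail.*                                    -/var/log/maillog
*.* @loghost.example.com
EOF
    cat > "$1/client-tcp-only.conf" <<'EOF'
# Everything goes to the loghost, nothing is kept locally
*.* @@loghost.example.com:514
EOF
    cat > "$1/server.conf" <<'EOF'
# Central log server: receives over UDP and TCP, forwards upstream via RELP
$ModLoad imudp
$UDPServerRun 514
module(load="imtcp")
input(type="imtcp" port="514")
*.*  /var/log/messages
*.* :omrelp:archive.example.com:2514
EOF
}

sample_dir=$(mktemp -d)
write_sample_confs "$sample_dir"
for f in "$sample_dir"/*.conf; do
    rsyslog_report "$f"
done
```

Point the functions at /etc/rsyslog.conf and each file in /etc/rsyslog.d to audit a real host; a client should report tcp or relp, kept local copies, and no network inputs.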
Identifier: CCE-27343-3
Remediation Shell script:
rsyslog_remote_loghost_address=""
replace_or_append '/etc/rsyslog.conf' '^\*\.\*' "@@$rsyslog_remote_loghost_address" 'CCE-27343-3' '%s %s'
Remediation Ansible snippet:
- name: XCCDF Value rsyslog_remote_loghost_address # promote to variable
  set_fact:
    rsyslog_remote_loghost_address: !!str
  tags:
    - always

- name: "Set rsyslog remote loghost"
  lineinfile:
    dest: /etc/rsyslog.conf
    regexp: "^\\*\\.\\*"
    line: "*.* @@{{ rsyslog_remote_loghost_address }}"
    create: yes
  tags:
    - rsyslog_remote_loghost
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27343-3
    - NIST-800-53-AU-3(2)
    - NIST-800-53-AU-4(1)
    - NIST-800-53-AU-9
    - DISA-STIG-RHEL-07-031000
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure Proper Configuration of Log Files
The file /etc/rsyslog.conf controls where log messages are written. These are controlled by lines called rules, which consist of a selector and an action. These rules are often customized depending on the role of the system, the requirements of the environment, and whatever may enable the administrator to most effectively make use of log data. The default rules in Red Hat Enterprise Linux 7 are:
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
See the man page rsyslog.conf(5) for more information. Note that the rsyslog daemon can be configured to use a timestamp format that some log processing programs may not understand. If this occurs, edit the file /etc/rsyslog.conf and add or edit the following line:
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

group who owns log files
Specify group owner of all logfiles specified in /etc/rsyslog.conf.
Options: root adm root

User who owns log files
Specify user owner of all logfiles specified in /etc/rsyslog.conf.
Options: root adm root

Ensure Log Files Are Owned By Appropriate User
The owner of all log files written by rsyslog should be . These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's owner:
$ ls -l LOGFILE
If the owner is not , run the following command to correct this:
$ sudo chown LOGFILE
References: 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 CCI-001314 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 SI-11 PR.AC-4 PR.DS-5 Req-10.5.1 Req-10.5.2
Rationale: The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.
Identifier: CCE-80189-4

Ensure Log Files Are Owned By Appropriate Group
The group-owner of all log files written by rsyslog should be . These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's group owner:
$ ls -l LOGFILE
If the owner is not , run the following command to correct this:
$ sudo chgrp LOGFILE
References: 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 CCI-001314 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 SI-11 PR.AC-4 PR.DS-5 Req-10.5.1 Req-10.5.2
Rationale: The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information.
Log files should be protected from unauthorized access.
Identifier: CCE-80190-2

Ensure cron Is Logging To Rsyslog
Cron logging must be implemented to spot intrusions or trace cron job status. If cron is not logging to rsyslog, it can be implemented by adding the following to the RULES section of /etc/rsyslog.conf:
cron.*                                                  /var/log/cron
References: RHEL-07-021100 SV-86675r2_rule 1 14 15 16 3 5 6 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 CCI-000366 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.15.2.1 A.15.2.2 AU-2(d) ID.SC-4 PR.PT-1 FAU_GEN.1.1.c SRG-OS-000480-GPOS-00227
Rationale: Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.
Identifier: CCE-80380-9
Remediation Shell script:
if ! grep -s "^\s*cron\.\*\s*/var/log/cron$" /etc/rsyslog.conf /etc/rsyslog.d/*.conf; then
    mkdir -p /etc/rsyslog.d
    echo "cron.* /var/log/cron" >> /etc/rsyslog.d/cron.conf
fi

Ensure System Log Files Have Correct Permissions
The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's permissions:
$ ls -l LOGFILE
If the permissions are not 600 or more restrictive, run the following command to correct this:
$ sudo chmod 0600 LOGFILE
References: 4.2.1.3 CCI-001314 SI-11 Req-10.5.1 Req-10.5.2
Rationale: Log files can contain valuable information regarding system configuration. If the system log files are not protected, unauthorized users could change the logged data, eliminating their forensic value.
Identifier: CCE-80191-0
Remediation Shell script:
# List of log file paths to be inspected for correct permissions
# * Primarily inspect log file paths listed in /etc/rsyslog.conf
RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
#   (store the result into array for the case there's shell glob used as value of IncludeConfig)
RSYSLOG_INCLUDE_CONFIG=($(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2))
# Declare an array to hold the final list of different log file paths
declare -a LOG_FILE_PATHS

# Browse each file selected above as containing paths of log files
# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}"
do
    # From each of these files extract just particular log file path(s), thus:
    # * Ignore lines starting with space (' '), comment ('#'), or variable syntax ('$') characters,
    # * Ignore empty lines,
    # * From the remaining valid rows select only fields constituting a log file path
    # Text file column is understood to represent a log file path if and only if all of the following are met:
    # * it contains at least one slash '/' character,
    # * it doesn't contain space (' '), colon (':'), and semicolon (';') characters
    # Search log file for path(s) only in case it exists!
    if [[ -f "${LOG_FILE}" ]]
    then
        MATCHED_ITEMS=$(sed -e "/^[[:space:]|#|$]/d ; s/[^\/]*[[:space:]]*\([^:;[:space:]]*\)/\1/g ; /^$/d" "${LOG_FILE}")
        # Since above sed command might return more than one item (delimited by newline), split the particular
        # matches entries into new array specific for this log file
        readarray -t ARRAY_FOR_LOG_FILE <<< "$MATCHED_ITEMS"
        # Concatenate the two arrays - previous content of $LOG_FILE_PATHS array with
        # items from newly created array for this log file
        LOG_FILE_PATHS=("${LOG_FILE_PATHS[@]}" "${ARRAY_FOR_LOG_FILE[@]}")
        # Delete the temporary array
        unset ARRAY_FOR_LOG_FILE
    fi
done

for LOG_FILE_PATH in "${LOG_FILE_PATHS[@]}"
do
    # Sanity check - if particular $LOG_FILE_PATH is empty string, skip it from further processing
    if [ -z "$LOG_FILE_PATH" ]
    then
        continue
    fi
    # Also for each log file check if its permissions differ from 600. If so, correct them
    if [ "$(/usr/bin/stat -c %a "$LOG_FILE_PATH")" -ne 600 ]
    then
        /bin/chmod 600 "$LOG_FILE_PATH"
    fi
done

Configure rsyslogd to Accept Remote Messages If Acting as a Log Server
By default, rsyslog does not listen over the network for log messages. If needed, modules can be enabled to allow the rsyslog daemon to receive messages from other systems and for the system thus to act as a log server. If the system is not a log server, then lines concerning these modules should remain commented out.

Enable syslog-ng Service
The syslog-ng service (in replacement of rsyslog) provides syslog-style logging by default on Debian 8.
The syslog-ng service can be enabled with the following command:
$ sudo systemctl enable syslog-ng.service
References: NT28(R46) NT28(R5) 5.1.2 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO13.01 BAI03.05 BAI04.04 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 SR 7.1 SR 7.2 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 A.17.2.1 AU-4(1) AU-12 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.DS-4 PR.PT-1
Rationale: The syslog-ng service must be running in order to provide logging services, which are essential to system administration.

Ensure syslog-ng is Installed
syslog-ng can be installed in replacement of rsyslog. The syslog-ng-core package can be installed with the following command:
$ sudo yum install syslog-ng-core
References: NT28(R46) NT28(R5) 5.1.1 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 CCI-001311 CCI-001312 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-9(2) PR.PT-1
Rationale: The syslog-ng-core package provides the syslog-ng daemon, which provides system logging services.

Enable rsyslog to Accept Messages via UDP, if Acting As Log Server
The rsyslog daemon should not accept remote messages unless the system acts as a log server. If the system needs to act as a central log server, add the following lines to /etc/rsyslog.conf to enable reception of messages over UDP:
$ModLoad imudp
$UDPServerRun 514
References: 4.2.1.5 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-9 PR.PT-1
Rationale: Many devices, such as switches, routers, and other Unix-like systems, may only support the traditional syslog transmission over UDP.
If the system must act as a log server, this enables it to receive their messages as well.
Identifier: CCE-80194-4

Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
The rsyslog daemon should not accept remote messages unless the system acts as a log server. To ensure that it is not listening on the network, ensure the following lines are not found in /etc/rsyslog.conf:
$ModLoad imtcp
$InputTCPServerRun port
$ModLoad imudp
$UDPServerRun port
$ModLoad imrelp
$InputRELPServerRun port
References: RHEL-07-031010 SV-86835r2_rule 1 11 12 13 14 15 16 18 3 4 5 6 8 9 APO01.06 APO11.04 APO13.01 BAI03.05 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.05 DSS03.01 DSS05.02 DSS05.04 DSS05.07 DSS06.02 MEA02.01 CCI-000318 CCI-000368 CCI-001812 CCI-001813 CCI-001814 4.2.3.4 4.3.3.3.9 4.3.3.4 4.3.3.5.8 4.3.4.3.2 4.3.4.3.3 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 4.4.3.3 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.5.1 A.12.6.2 A.12.7.1 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AU-9(2) AC-4 CM-6(c) DE.AE-1 ID.AM-3 PR.AC-5 PR.DS-5 PR.IP-1 PR.PT-1 PR.PT-4 SRG-OS-000480-GPOS-00227
Rationale: Any process which receives messages from the network incurs some risk of receiving malicious messages. This risk can be eliminated for rsyslog by configuring it not to listen on the network.
Identifier: CCE-80192-8

Enable rsyslog to Accept Messages via TCP, if Acting As Log Server
The rsyslog daemon should not accept remote messages unless the system acts as a log server.
If the system needs to act as a central log server, add the following lines to /etc/rsyslog.conf to enable reception of messages over TCP:
$ModLoad imtcp
$InputTCPServerRun 514
References: 4.2.1.5 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-9 PR.PT-1
Rationale: If the system needs to act as a log server, this ensures that it can receive messages over a reliable TCP connection.
Identifier: CCE-80193-6

Configure Logwatch on the Central Log Server
Is this system the central log server? If so, edit the file /etc/logwatch/conf/logwatch.conf as shown below.

Configure Logwatch SplitHosts Line
If SplitHosts is set, Logwatch will separate entries by hostname. This makes the report longer but significantly more usable. If it is not set, then Logwatch will not report which host generated a given log entry, and that information is almost always necessary.
SplitHosts = yes
Identifier: CCE-80197-7

Configure Logwatch HostLimit Line
On a central logserver, you want Logwatch to summarize all syslog entries, including those which did not originate on the logserver itself. The HostLimit setting tells Logwatch to report on all hosts, not just the one on which it is running.
HostLimit = no
Identifier: CCE-80196-9

Ensure All Logs are Rotated by logrotate
Edit the file /etc/logrotate.d/syslog. Find the first line, which should look like this (wrapped for clarity):
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler \
    /var/log/boot.log /var/log/cron {
Edit this line so that it contains a one-space-separated listing of each log file referenced in /etc/rsyslog.conf. All logs in use on a system must be rotated regularly, or the log files will consume disk space over time, eventually interfering with system operation. The file /etc/logrotate.d/syslog is the configuration file used by the logrotate program to maintain all log files written by syslog.
By default, it rotates logs weekly and stores four archival copies of each log. These settings can be modified by editing /etc/logrotate.conf, but the defaults are sufficient for purposes of this guide. Note that logrotate is run nightly by the cron job /etc/cron.daily/logrotate. If particularly active logs need to be rotated more often than once a day, some other mechanism must be used.

Ensure Logrotate Runs Periodically
The logrotate utility allows for the automatic rotation of log files. The frequency of rotation is specified in /etc/logrotate.conf, which triggers a cron task. To configure logrotate to run daily, add or correct the following line in /etc/logrotate.conf:
# rotate log files frequency
daily
References: 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 CCI-000366 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-9 PR.PT-1 Req-10.7
Rationale: Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.
Identifier: CCE-80195-1
Remediation Shell script:
LOGROTATE_CONF_FILE="/etc/logrotate.conf"
CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"

# daily rotation is configured
grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE

# remove any line configuring weekly, monthly or yearly rotation
sed -i -r "/^(weekly|monthly|yearly)$/d" $LOGROTATE_CONF_FILE

# configure cron.daily if not already
if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
    echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
    echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
fi

Disable Logwatch on Clients if a Logserver Exists
Does your site have a central logserver which has been configured to report on logs received from all systems?
If so:
$ sudo rm /etc/cron.daily/0logwatch
If no logserver exists, it will be necessary for each system to run Logwatch individually. Using a central logserver provides the security and reliability benefits discussed earlier, and also makes monitoring logs easier and less time-intensive for administrators.
Identifier: CCE-80198-5

Enable rsyslog Service
The rsyslog service provides syslog-style logging by default on Red Hat Enterprise Linux 7. The rsyslog service can be enabled with the following command:
$ sudo systemctl enable rsyslog.service
References: NT28(R5) NT28(R46) 4.2.1.1 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO13.01 BAI03.05 BAI04.04 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 CCI-001311 CCI-001312 CCI-001557 CCI-001851 164.312(a)(2)(ii) 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 SR 7.1 SR 7.2 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 A.17.2.1 AU-4(1) AU-12 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.DS-4 PR.PT-1
Rationale: The rsyslog service must be running in order to provide logging services, which are essential to system administration.
Identifier: CCE-80188-6
Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'rsyslog.service'
"$SYSTEMCTL_EXEC" enable 'rsyslog.service'
Remediation Ansible snippet:
- name: Enable service rsyslog
  service:
    name: rsyslog
    enabled: "yes"
    state: "started"
  tags:
    - service_rsyslog_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80188-6
    - NIST-800-53-AU-4(1)
    - NIST-800-53-AU-12
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure rsyslog is Installed
Rsyslog is installed by default.
The rsyslog package can be installed with the following command:
$ sudo yum install rsyslog
References: NT28(R5) NT28(R46) 4.2.3 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 CCI-001311 CCI-001312 164.312(a)(2)(ii) 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-9(2) PR.PT-1
Rationale: The rsyslog package provides the rsyslog daemon, which provides system logging services.
Identifier: CCE-80187-8
Remediation Shell script:
package_install rsyslog
Remediation Ansible snippet:
- name: Ensure rsyslog is installed
  package:
    name: rsyslog
    state: present
  tags:
    - package_rsyslog_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80187-8
    - NIST-800-53-AU-9(2)
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
Remediation Puppet snippet:
include install_rsyslog

class install_rsyslog {
  package { 'rsyslog':
    ensure => 'installed',
  }
}
Remediation Anaconda snippet:
package --add=rsyslog

Network Configuration and Firewalls
Most systems must be connected to a network of some sort, and this brings with it the substantial risk of network attack. This section discusses the security impact of decisions about networking which must be made when configuring a system. This section also discusses firewalls, network access controls, and other network security frameworks, which allow system-level rules to be written that can limit an attacker's ability to connect to your system. These rules can specify that network traffic should be allowed or denied from certain IP addresses, hosts, and networks. The rules can also specify which of the system's network services are available to particular hosts or networks.

IPv6
The system includes support for Internet Protocol version 6. A major and often-mentioned improvement over IPv4 is its enormous increase in the number of available addresses. Another important feature is its support for automatic configuration of many network settings.
Configure IPv6 Settings if Necessary
A major feature of IPv6 is the extent to which systems implementing it can automatically configure their networking devices using information from the network. From a security perspective, manually configuring important configuration information is preferable to accepting it from the network in an unauthenticated fashion.

Disable Automatic Configuration
Disable the system's acceptance of router advertisements and redirects by adding or correcting the following line in /etc/sysconfig/network (note that this does not disable sending router solicitations):
IPV6_AUTOCONF=no

net.ipv6.conf.all.accept_redirects
Toggle ICMP Redirect Acceptance
Options: 0 0 1

net.ipv6.conf.all.accept_source_route
Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirected.
Options: 0 0 1

net.ipv6.conf.default.accept_ra
Accept default router advertisements by default?
Options: 0 0 1

net.ipv6.conf.default.accept_source_route
Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirected.
Options: 0 0 1

net.ipv6.conf.default.accept_redirects
Toggle ICMP Redirect Acceptance By Default
Options: 0 0 1

net.ipv6.conf.all.accept_ra
Accept all router advertisements?
Options: 0 0 1

IPV6_AUTOCONF
Toggle global IPv6 auto-configuration (only if global forwarding is disabled)
Options: no no yes

net.ipv6.conf.all.forwarding
Toggle IPv6 Forwarding
Options: 0 0 1

Configure Kernel Parameter for Accepting Source-Routed Packets for Interfaces By Default
To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_source_route = 0
References: 1 12 13 14 15 16 18 4 6 8 9 APO01.06 APO13.01 DSS01.05 DSS03.01 DSS05.02 DSS05.04 DSS05.07 DSS06.02 3.1.20 CCI-000366 4.2.3.4 4.3.3.4 4.4.3.3 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-4 DE.AE-1 ID.AM-3 PR.AC-5 PR.DS-5 PR.PT-4
Rationale: Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
Identifier: CCE-80335-1
Remediation Shell script:
sysctl_net_ipv6_conf_default_accept_source_route_value=""
#
# Set runtime for net.ipv6.conf.default.accept_source_route
#
/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_source_route=$sysctl_net_ipv6_conf_default_accept_source_route_value

#
# If net.ipv6.conf.default.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
#   else, add "net.ipv6.conf.default.accept_source_route = value" to /etc/sysctl.conf
#
replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.default.accept_source_route' "$sysctl_net_ipv6_conf_default_accept_source_route_value" 'CCE-80335-1'
Remediation Ansible snippet:
- name: XCCDF Value sysctl_net_ipv6_conf_default_accept_source_route_value # promote to variable
  set_fact:
    sysctl_net_ipv6_conf_default_accept_source_route_value: !!str
  tags:
    - always

- name: Ensure sysctl net.ipv6.conf.default.accept_source_route is set
  sysctl:
    name: net.ipv6.conf.default.accept_source_route
    value: "{{ sysctl_net_ipv6_conf_default_accept_source_route_value }}"
    state: present
    reload: yes
  tags:
    - sysctl_net_ipv6_conf_default_accept_source_route
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - CCE-80335-1
    - NIST-800-53-AC-4
    - NIST-800-171-3.1.20
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure Kernel Parameter for Accepting IPv6 Source-Routed Packets for All Interfaces
To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_source_route = 0
References: RHEL-07-040830 SV-86943r2_rule 1 12 13 14 15 16 18 4 6 8 9 APO01.06 APO13.01 DSS01.05 DSS03.01 DSS05.02 DSS05.04 DSS05.07 DSS06.02 3.1.20 CCI-000366 4.2.3.4 4.3.3.4 4.4.3.3 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6
A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-4 DE.AE-1 ID.AM-3 PR.AC-5 PR.DS-5 PR.PT-4 SRG-OS-000480-GPOS-00227
Rationale: Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
Identifier: CCE-80179-5
Remediation Shell script:
sysctl_net_ipv6_conf_all_accept_source_route_value=""
#
# Set runtime for net.ipv6.conf.all.accept_source_route
#
/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_source_route=$sysctl_net_ipv6_conf_all_accept_source_route_value

#
# If net.ipv6.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
#   else, add "net.ipv6.conf.all.accept_source_route = value" to /etc/sysctl.conf
#
replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.all.accept_source_route' "$sysctl_net_ipv6_conf_all_accept_source_route_value" 'CCE-80179-5'
Remediation Ansible snippet:
- name: XCCDF Value sysctl_net_ipv6_conf_all_accept_source_route_value # promote to variable
  set_fact:
    sysctl_net_ipv6_conf_all_accept_source_route_value: !!str
  tags:
    - always

- name: Ensure sysctl net.ipv6.conf.all.accept_source_route is set
  sysctl:
    name: net.ipv6.conf.all.accept_source_route
    value: "{{ sysctl_net_ipv6_conf_all_accept_source_route_value }}"
    state: present
    reload: yes
  tags:
    - sysctl_net_ipv6_conf_all_accept_source_route
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - CCE-80179-5
    - NIST-800-53-AC-4
    - NIST-800-171-3.1.20
    - DISA-STIG-RHEL-07-040830
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Kernel Parameter for IPv6 Forwarding
To set the runtime status of the net.ipv6.conf.all.forwarding kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.forwarding=0
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.forwarding = 0
References: 1 11 12 13 14 15 16 2 3 7 8 9 APO13.01 BAI04.04 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS03.05 DSS05.02 DSS05.05 DSS05.07 DSS06.06 CCI-000366 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 6.2 SR 7.1 SR 7.2 SR 7.6 A.12.1.2 A.12.1.3 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.17.2.1 A.9.1.2 CM-7 SC-5 DE.CM-1 PR.DS-4 PR.IP-1 PR.PT-3
Rationale: IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.
CCE-80356-9 sysctl_net_ipv6_conf_all_forwarding_value="" # # Set runtime for net.ipv6.conf.all.forwarding # /sbin/sysctl -q -n -w net.ipv6.conf.all.forwarding=$sysctl_net_ipv6_conf_all_forwarding_value # # If net.ipv6.conf.all.forwarding present in /etc/sysctl.conf, change value to appropriate value # else, add "net.ipv6.conf.all.forwarding = value" to /etc/sysctl.conf # replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.all.forwarding' "$sysctl_net_ipv6_conf_all_forwarding_value" 'CCE-80356-9' - name: XCCDF Value sysctl_net_ipv6_conf_all_forwarding_value # promote to variable set_fact: sysctl_net_ipv6_conf_all_forwarding_value: !!str tags: - always - name: Ensure sysctl net.ipv6.conf.all.forwarding is set sysctl: name: net.ipv6.conf.all.forwarding value: "{{ sysctl_net_ipv6_conf_all_forwarding_value }}" state: present reload: yes tags: - sysctl_net_ipv6_conf_all_forwarding - medium_severity - disable_strategy - low_complexity - medium_disruption - CCE-80356-9 - NIST-800-53-CM-7 - NIST-800-53-SC-5 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Configure Accepting IPv6 Redirects on All Interfaces To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0 If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_redirects = 0 3.3.2 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 3.1.20 CCI-001551 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 
7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 An illicit ICMP redirect message could result in a man-in-the-middle attack. CCE-80182-9 sysctl_net_ipv6_conf_all_accept_redirects_value="" # # Set runtime for net.ipv6.conf.all.accept_redirects # /sbin/sysctl -q -n -w net.ipv6.conf.all.accept_redirects=$sysctl_net_ipv6_conf_all_accept_redirects_value # # If net.ipv6.conf.all.accept_redirects present in /etc/sysctl.conf, change value to appropriate value # else, add "net.ipv6.conf.all.accept_redirects = value" to /etc/sysctl.conf # replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.all.accept_redirects' "$sysctl_net_ipv6_conf_all_accept_redirects_value" 'CCE-80182-9' - name: XCCDF Value sysctl_net_ipv6_conf_all_accept_redirects_value # promote to variable set_fact: sysctl_net_ipv6_conf_all_accept_redirects_value: !!str tags: - always - name: Ensure sysctl net.ipv6.conf.all.accept_redirects is set sysctl: name: net.ipv6.conf.all.accept_redirects value: "{{ sysctl_net_ipv6_conf_all_accept_redirects_value }}" state: present reload: yes tags: - sysctl_net_ipv6_conf_all_accept_redirects - medium_severity - disable_strategy - low_complexity - medium_disruption - CCE-80182-9 - NIST-800-53-CM-7 - NIST-800-171-3.1.20 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Configure Accepting IPv6 Router Advertisements by Default To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra=0 If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_ra = 0 3.3.1 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 3.1.20 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 
4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 An illicit router advertisement message could result in a man-in-the-middle attack. CCE-80181-1 sysctl_net_ipv6_conf_default_accept_ra_value="" # # Set runtime for net.ipv6.conf.default.accept_ra # /sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra=$sysctl_net_ipv6_conf_default_accept_ra_value # # If net.ipv6.conf.default.accept_ra present in /etc/sysctl.conf, change value to appropriate value # else, add "net.ipv6.conf.default.accept_ra = value" to /etc/sysctl.conf # replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.default.accept_ra' "$sysctl_net_ipv6_conf_default_accept_ra_value" 'CCE-80181-1' - name: XCCDF Value sysctl_net_ipv6_conf_default_accept_ra_value # promote to variable set_fact: sysctl_net_ipv6_conf_default_accept_ra_value: !!str tags: - always - name: Ensure sysctl net.ipv6.conf.default.accept_ra is set sysctl: name: net.ipv6.conf.default.accept_ra value: "{{ sysctl_net_ipv6_conf_default_accept_ra_value }}" state: present reload: yes tags: - sysctl_net_ipv6_conf_default_accept_ra - unknown_severity - disable_strategy - low_complexity - medium_disruption - CCE-80181-1 - NIST-800-53-CM-7 - NIST-800-171-3.1.20 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Configure Accepting IPv6 Router Advertisements on All Interfaces To set the runtime status of the net.ipv6.conf.all.accept_ra kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra=0 If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_ra = 0 3.3.1 11 14 3 9 BAI10.01 
BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 3.1.20 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 An illicit router advertisement message could result in a man-in-the-middle attack. CCE-80180-3 sysctl_net_ipv6_conf_all_accept_ra_value="" # # Set runtime for net.ipv6.conf.all.accept_ra # /sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra=$sysctl_net_ipv6_conf_all_accept_ra_value # # If net.ipv6.conf.all.accept_ra present in /etc/sysctl.conf, change value to appropriate value # else, add "net.ipv6.conf.all.accept_ra = value" to /etc/sysctl.conf # replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.all.accept_ra' "$sysctl_net_ipv6_conf_all_accept_ra_value" 'CCE-80180-3' - name: XCCDF Value sysctl_net_ipv6_conf_all_accept_ra_value # promote to variable set_fact: sysctl_net_ipv6_conf_all_accept_ra_value: !!str tags: - always - name: Ensure sysctl net.ipv6.conf.all.accept_ra is set sysctl: name: net.ipv6.conf.all.accept_ra value: "{{ sysctl_net_ipv6_conf_all_accept_ra_value }}" state: present reload: yes tags: - sysctl_net_ipv6_conf_all_accept_ra - unknown_severity - disable_strategy - low_complexity - medium_disruption - CCE-80180-3 - NIST-800-53-CM-7 - NIST-800-171-3.1.20 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Configure Accepting IPv6 Redirects By Default To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0 If this is not the 
system default value, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_redirects = 0 3.3.2 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 3.1.20 CCI-001551 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 An illicit ICMP redirect message could result in a man-in-the-middle attack. CCE-80183-7 sysctl_net_ipv6_conf_default_accept_redirects_value="" # # Set runtime for net.ipv6.conf.default.accept_redirects # /sbin/sysctl -q -n -w net.ipv6.conf.default.accept_redirects=$sysctl_net_ipv6_conf_default_accept_redirects_value # # If net.ipv6.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value # else, add "net.ipv6.conf.default.accept_redirects = value" to /etc/sysctl.conf # replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.default.accept_redirects' "$sysctl_net_ipv6_conf_default_accept_redirects_value" 'CCE-80183-7' - name: XCCDF Value sysctl_net_ipv6_conf_default_accept_redirects_value # promote to variable set_fact: sysctl_net_ipv6_conf_default_accept_redirects_value: !!str tags: - always - name: Ensure sysctl net.ipv6.conf.default.accept_redirects is set sysctl: name: net.ipv6.conf.default.accept_redirects value: "{{ sysctl_net_ipv6_conf_default_accept_redirects_value }}" state: present reload: yes tags: - sysctl_net_ipv6_conf_default_accept_redirects - medium_severity - disable_strategy - low_complexity - medium_disruption - CCE-80183-7 - NIST-800-53-CM-7 - NIST-800-171-3.1.20 when: # Bare-metal/VM task, not applicable for containers - 
(ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Limit Network-Transmitted Configuration if Using Static IPv6 Addresses To limit the configuration information requested from other systems and accepted from the network on a system that uses statically-configured IPv6 addresses, add the following lines to /etc/sysctl.conf:
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1
The router_solicitations setting determines how many router solicitations are sent when bringing up the interface. If addresses are statically assigned, there is no need to send any solicitations. The accept_ra_rtr_pref setting controls whether the router preference carried in a router advertisement is honored. The accept_ra_pinfo setting controls whether the system will accept prefix information from the router. The accept_ra_defrtr setting controls whether the system will install a default router learned from a router advertisement; setting it to 0 prevents a router advertisement from changing the system's default IPv6 route. The autoconf setting controls whether router advertisements can cause the system to assign a global unicast address to an interface. The dad_transmits setting determines how many neighbor solicitations to send out per address (global and link-local) when bringing up an interface to ensure the desired address is unique on the network; setting it to 0 disables duplicate address detection, so an address conflict on the link will go unnoticed. The max_addresses setting determines how many global unicast IPv6 addresses can be assigned to each interface. The default is 16, but it should be set to exactly the number of statically configured global addresses required. These are default.* settings: they apply to interfaces created after the values are loaded, while an interface that already exists keeps its own net.ipv6.conf.<interface>.* values, so either apply the settings persistently and reboot, or set the per-interface keys as well.
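Every sysctl rule above persists its value through a file under /etc/sysctl.d or /etc/sysctl.conf, and the audit that matters is of the persisted value: a later file can silently override a hardening drop-in. The script below is an added example for this page, not SSG code. It resolves the value each key will have after boot from a directory of *.conf files (assuming systemd-sysctl semantics: files applied in lexical order, last assignment of a key wins, with /etc/sysctl.conf normally applied last as 99-sysctl.conf), reads the running value straight from /proc/sys, and audits the IPv6 keys from the rules above. The directory and files used in the demo are constructed.

```shell
#!/bin/sh
# Added example, not SSG code: resolve the persisted value of a sysctl key from
# a directory of *.conf files and audit the IPv6 keys from the rules above.
# Assumes systemd-sysctl semantics: lexical file order, last assignment wins.

# Print the last value assigned to KEY across DIR/*.conf; empty if unset.
# Handles "key = value", "key=value", the "net/ipv6/..." slash form, a leading
# "-" (ignore-errors marker) and trailing comments.
sysctl_persisted_value() {
    local dir="$1" key="$2" f line k v value=""
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            line="${line%%#*}"; line="${line%%;*}"
            case "$line" in *=*) ;; *) continue ;; esac
            k="$(printf '%s' "${line%%=*}" | tr -d '[:space:]' | tr '/' '.')"
            k="${k#-}"
            v="$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
            if [ "$k" = "$key" ]; then value="$v"; fi
        done < "$f"
    done
    printf '%s' "$value"
}

# Print the running value of KEY from /proc/sys (no sysctl binary needed).
sysctl_runtime_value() {
    local path
    path="/proc/sys/$(printf '%s' "$1" | tr '.' '/')"
    if [ -r "$path" ]; then tr -d '[:space:]' < "$path"; fi
}

# key=value pairs from the IPv6 sysctl rules above.
IPV6_HARDENING="net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
net.ipv6.conf.all.forwarding=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0"

# Audit DIR against IPV6_HARDENING, one line per key. Returns the number of
# keys whose persisted value is missing or wrong (0 = compliant).
sysctl_audit() {
    local dir="$1" bad=0 entry key want got
    for entry in $IPV6_HARDENING; do
        key="${entry%%=*}"; want="${entry#*=}"
        got="$(sysctl_persisted_value "$dir" "$key")"
        if [ "$got" = "$want" ]; then
            printf 'ok    %s = %s\n' "$key" "$got"
        else
            printf 'DRIFT %s persisted=%s expected=%s\n' "$key" "${got:-<unset>}" "$want"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Demo on constructed files standing in for /etc/sysctl.d: the hardening
# drop-in is overridden by a later file, which is exactly what the audit catches.
demo_dir="$(mktemp -d)"
printf '%s\n' "$IPV6_HARDENING" | sed 's/=/ = /' > "$demo_dir/10-ipv6-hardening.conf"
printf '# leftover in /etc/sysctl.conf, applied last\nnet/ipv6/conf/all/accept_ra = 1\n' \
    > "$demo_dir/99-sysctl.conf"
sysctl_audit "$demo_dir" || echo "non-compliant keys: $?"
# On a real host, also compare with the kernel (empty if /proc/sys is unreadable).
rt="$(sysctl_runtime_value net.ipv6.conf.all.accept_ra)"
[ -n "$rt" ] && echo "running net.ipv6.conf.all.accept_ra = $rt"
rm -rf "$demo_dir"
```

Run it against the real directory with sysctl_audit /etc/sysctl.d after copying /etc/sysctl.conf in as 99-sysctl.conf (or pointing at a directory that contains that symlink, as systemd does); a DRIFT line names the key whose last assignment is not the hardened one, and the file that wins is simply the lexically last one that mentions the key.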
Manually Assign IPv6 Router Address Edit the file /etc/sysconfig/network-scripts/ifcfg-interface, and add or correct the following line (substituting your gateway IP as appropriate): IPV6_DEFAULTGW=2001:0DB8::0001 Router addresses should be manually set and not accepted via any auto-configuration or router advertisement. CCI-000366 CCE-80186-0 Use Privacy Extensions for Address To introduce randomness into the automatic generation of IPv6 addresses, add or correct the following line in /etc/sysconfig/network-scripts/ifcfg-interface: IPV6_PRIVACY=rfc3041 Automatically-generated IPv6 addresses are based on the underlying hardware (e.g. Ethernet) address, and so it becomes possible to track a piece of hardware over its lifetime using its traffic. If it is important for a system's IP address to not trivially reveal its hardware address, this setting should be applied (these are the privacy extensions of RFC 3041, since updated by RFC 4941; rfc3041 remains the ifcfg keyword). 3.1.20 CCI-000366 CCE-80185-2
# enable randomness in ipv6 address generation (skip loopback; replace an existing setting rather than appending a duplicate)
for interface in /etc/sysconfig/network-scripts/ifcfg-*; do
  case "$interface" in */ifcfg-lo) continue ;; esac
  if grep -q '^IPV6_PRIVACY=' "$interface"; then
    sed -i 's/^IPV6_PRIVACY=.*/IPV6_PRIVACY=rfc3041/' "$interface"
  else
    echo "IPV6_PRIVACY=rfc3041" >> "$interface"
  fi
done
Manually Assign Global IPv6 Address To manually assign an IP address for an interface, edit the file /etc/sysconfig/network-scripts/ifcfg-interface. Add or correct the following line (substituting the correct IPv6 address): IPV6ADDR=2001:0DB8::ABCD/64 Manually assigning an IP address is preferable to accepting one from routers or from the network otherwise. The example address here is an IPv6 address reserved for documentation purposes, as defined by RFC3849. CCI-000366 CCE-80184-5 Disable Support for IPv6 Unless Needed Despite configuration that suggests support for IPv6 has been disabled, link-local IPv6 address auto-configuration occurs even when only an IPv4 address is assigned. The only way to effectively prevent execution of the IPv6 networking stack is to instruct the system not to activate the IPv6 kernel module. 
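The three ifcfg-<interface> rules above (IPV6_DEFAULTGW, IPV6_PRIVACY and IPV6ADDR) are all edits to the same shell-style key=value file, and an ad hoc `echo >>` leaves duplicate or contradictory assignments behind, of which the last one wins. The helpers below are an added example, not SSG or Red Hat code: an idempotent setter, a getter that returns the effective value, and an audit over a network-scripts directory. The directory and interface file are constructed for the demo; IPV6_AUTOCONF=no is the ifcfg key that stops addresses being accepted from router advertisements, which the rules above require but do not name.

```shell
#!/bin/sh
# Added example, not SSG code: idempotent helpers for the ifcfg-<interface>
# keys used by the static-IPv6 rules above, plus an audit of a directory of
# ifcfg files. IPV6_AUTOCONF=no is the key that disables address autoconf.

# Print the effective value of KEY in FILE (last assignment wins, surrounding
# quotes stripped, commented-out lines ignored). Empty if unset.
ifcfg_get() {
    sed -n "s/^${2}=//p" "$1" | tail -n 1 | sed "s/^[\"']//; s/[\"']\$//"
}

# Set KEY=VALUE in FILE exactly once: replace an existing assignment, else append.
ifcfg_set() {
    local file="$1" key="$2" value="$3"
    if grep -q "^${key}=" "$file"; then
        sed -i "s|^${key}=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Audit every ifcfg-* file in DIR (loopback excluded) that has IPV6INIT=yes:
# report missing static-IPv6 keys and autoconf left enabled. Returns the count.
ifcfg_audit_ipv6() {
    local dir="$1" f key findings=0
    for f in "$dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        case "$f" in */ifcfg-lo) continue ;; esac
        [ "$(ifcfg_get "$f" IPV6INIT)" = yes ] || continue
        for key in IPV6ADDR IPV6_DEFAULTGW IPV6_PRIVACY; do
            if [ -z "$(ifcfg_get "$f" "$key")" ]; then
                printf 'MISSING %s in %s\n' "$key" "$f"; findings=$((findings + 1))
            fi
        done
        if [ "$(ifcfg_get "$f" IPV6_AUTOCONF)" != no ]; then
            printf 'AUTOCONF not disabled in %s\n' "$f"; findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Demo on a constructed network-scripts directory.
demo="$(mktemp -d)"
printf 'DEVICE=lo\nIPV6INIT=yes\n' > "$demo/ifcfg-lo"
printf 'DEVICE=eth0\nBOOTPROTO=none\nIPV6INIT=yes\nIPV6ADDR="2001:DB8::ABCD/64"\n' > "$demo/ifcfg-eth0"
ifcfg_audit_ipv6 "$demo" || echo "findings before: $?"
ifcfg_set "$demo/ifcfg-eth0" IPV6_DEFAULTGW 2001:DB8::1
ifcfg_set "$demo/ifcfg-eth0" IPV6_PRIVACY rfc3041
ifcfg_set "$demo/ifcfg-eth0" IPV6_PRIVACY rfc3041   # second call must not add a duplicate line
ifcfg_set "$demo/ifcfg-eth0" IPV6_AUTOCONF no
ifcfg_audit_ipv6 "$demo" && echo "findings after: 0"
rm -rf "$demo"
```

Point ifcfg_audit_ipv6 at /etc/sysconfig/network-scripts on a real host; interfaces with IPV6INIT=no are skipped, since the guide's later rules cover disabling IPv6 outright.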
Disable Interface Usage of IPv6 To disable interface usage of IPv6, add or correct the following lines in /etc/sysconfig/network: NETWORKING_IPV6=no IPV6INIT=no CCE-80176-1 Disable IPv6 Networking Support Automatic Loading To disable support for (ipv6) add the following line to /etc/sysctl.d/ipv6.conf (or another file in /etc/sysctl.d): net.ipv6.conf.all.disable_ipv6 = 1 This disables IPv6 on every existing network interface while leaving the IPv6 stack itself loaded, because other services and system functionality require the stack to be present in order to work. Interfaces created after the setting is applied take their value from net.ipv6.conf.default.disable_ipv6, so set that key to 1 as well if such interfaces are expected. 3.3.3 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 3.1.20 CCI-001551 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation. 
CCE-80175-3 # # Set runtime for net.ipv6.conf.all.disable_ipv6 # /sbin/sysctl -q -n -w net.ipv6.conf.all.disable_ipv6=1 # # If net.ipv6.conf.all.disable_ipv6 present in /etc/sysctl.conf, change value to "1" # else, add "net.ipv6.conf.all.disable_ipv6 = 1" to /etc/sysctl.conf # replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.all.disable_ipv6' "1" 'CCE-80175-3' - name: Ensure sysctl net.ipv6.conf.all.disable_ipv6 is set to 1 sysctl: name: net.ipv6.conf.all.disable_ipv6 value: 1 state: present reload: yes tags: - sysctl_net_ipv6_conf_all_disable_ipv6 - medium_severity - disable_strategy - low_complexity - medium_disruption - CCE-80175-3 - NIST-800-53-CM-7 - NIST-800-171-3.1.20 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable IPv6 Networking Support Automatic Loading To prevent the IPv6 kernel module (ipv6) from binding to the IPv6 networking stack, add the following line to /etc/modprobe.d/disabled.conf (or another file in /etc/modprobe.d): options ipv6 disable=1 This permits the IPv6 module to be loaded (and thus satisfy other modules that depend on it), while disabling support for the IPv6 protocol. Note that on Red Hat Enterprise Linux 7 the IPv6 code is built into the kernel rather than shipped as a loadable module, so a modprobe option by itself does not disable it there; the net.ipv6.conf.*.disable_ipv6 sysctls, or the ipv6.disable=1 kernel command-line parameter, are the controls that take effect, which is why the bash remediation below sets the sysctls in addition to writing the modprobe option. 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation. 
# Prevent the IPv6 kernel module (ipv6) from loading the IPv6 networking stack
echo "options ipv6 disable=1" > /etc/modprobe.d/ipv6.conf
# Since according to: https://access.redhat.com/solutions/72733
# "ipv6 disable=1" options doesn't always disable the IPv6 networking stack from
# loading, instruct also sysctl configuration to disable IPv6 according to:
# https://access.redhat.com/solutions/8709#rhel6disable
declare -a IPV6_SETTINGS=("net.ipv6.conf.all.disable_ipv6" "net.ipv6.conf.default.disable_ipv6")
for setting in "${IPV6_SETTINGS[@]}"
do
  # Set runtime =1 for setting
  /sbin/sysctl -q -n -w "$setting=1"
  # If setting is present in /etc/sysctl.conf, change value to "1"
  # else, add "$setting = 1" to /etc/sysctl.conf
  if grep -q ^"$setting" /etc/sysctl.conf ; then
    sed -i "s/^$setting.*/$setting = 1/g" /etc/sysctl.conf
  else
    echo "" >> /etc/sysctl.conf
    echo "# Set $setting = 1 per security requirements" >> /etc/sysctl.conf
    echo "$setting = 1" >> /etc/sysctl.conf
  fi
done
Disable Support for RPC IPv6 RPC services for NFSv4 try to load transport modules for udp6 and tcp6 by default, even if IPv6 has been disabled in /etc/modprobe.d. 
To prevent RPC services such as rpc.mountd from attempting to start IPv6 network listeners, remove or comment out the following two lines in /etc/netconfig: udp6 tpi_clts v inet6 udp - - tcp6 tpi_cots_ord v inet6 tcp - - 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 3.1.20 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 CCE-80177-9
# Drop 'tcp6' and 'udp6' entries from /etc/netconfig to prevent RPC
# services for NFSv4 from attempting to start IPv6 network listeners
declare -a IPV6_RPC_ENTRIES=("tcp6" "udp6")
for rpc_entry in "${IPV6_RPC_ENTRIES[@]}"
do
  sed -i "/^$rpc_entry[[:space:]]\+tpi_.*inet6.*/d" /etc/netconfig
done
IPSec Support Support for Internet Protocol Security (IPsec) is provided in Red Hat Enterprise Linux 7 with Libreswan. Verify Any Configured IPSec Tunnel Connections Libreswan provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. As such, IPsec can be used to circumvent certain network requirements such as filtering. Verify that every IPsec connection (conn) configured in /etc/ipsec.conf or under /etc/ipsec.d is an approved organizational connection. 
RHEL-07-040820 SV-86941r2_rule 1 12 13 14 15 16 18 4 6 8 9 APO01.06 APO13.01 DSS01.05 DSS03.01 DSS05.02 DSS05.04 DSS05.07 DSS06.02 CCI-000336 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.2.3.4 4.3.3.4 4.4.3.3 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-4 DE.AE-1 ID.AM-3 PR.AC-5 PR.DS-5 PR.PT-4 SRG-OS-000480-GPOS-00227 IP tunneling mechanisms can be used to bypass network filtering. CCE-80171-2 Install libreswan Package The Libreswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The libreswan package can be installed with the following command: $ sudo yum install libreswan 12 15 3 5 8 APO13.01 DSS01.04 DSS05.02 DSS05.03 DSS05.04 CCI-001130 CCI-001131 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 SR 1.13 SR 2.6 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.4 A.11.2.6 A.13.1.1 A.13.2.1 A.14.1.3 A.15.1.1 A.15.2.1 A.6.2.1 A.6.2.2 AC-17 MA-4 SC-9 PR.AC-3 PR.MA-2 PR.PT-4 Req-4.1 Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network. 
CCE-80170-4 package_install libreswan - name: Ensure libreswan is installed package: name: libreswan state: present tags: - package_libreswan_installed - medium_severity - enable_strategy - low_complexity - low_disruption - CCE-80170-4 - NIST-800-53-AC-17 - NIST-800-53-MA-4 - NIST-800-53-SC-9 - PCI-DSS-Req-4.1 include install_libreswan class install_libreswan { package { 'libreswan': ensure => 'installed', } } package --add=libreswan iptables and ip6tables A host-based firewall called netfilter is included as part of the Linux kernel distributed with the system. It is activated by default. This firewall is controlled by the program iptables, and the entire capability is frequently referred to by this name. An analogous program called ip6tables handles filtering for IPv6. Unlike TCP Wrappers, which depends on the network server program to support and respect the rules written, netfilter filtering occurs at the kernel level, before a program can even process the data from the network packet. As such, any program on the system is affected by the rules written. This section provides basic information about strengthening the iptables and ip6tables configurations included with the system. For more complete information that may allow the construction of a sophisticated ruleset tailored to your environment, please consult the references at the end of this section. Inspect and Activate Default Rules View the currently-enforced iptables rules by running the command: $ sudo iptables -nL --line-numbers The command is analogous for ip6tables. 
If the firewall does not appear to be active (i.e., no rules appear), activate it and ensure that it starts at boot by issuing the following commands (and analogously for ip6tables): $ sudo systemctl enable iptables.service $ sudo systemctl start iptables.service On Red Hat Enterprise Linux 7 the iptables and ip6tables services are provided by the iptables-services package and conflict with firewalld, which is the default front end: disable and mask firewalld before enabling them, and run only one of the two. The default iptables rules are:
Chain INPUT (policy ACCEPT)
num  target  prot  opt  source     destination
1    ACCEPT  all   --   0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
2    ACCEPT  icmp  --   0.0.0.0/0  0.0.0.0/0
3    ACCEPT  all   --   0.0.0.0/0  0.0.0.0/0
4    ACCEPT  tcp   --   0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:22
5    REJECT  all   --   0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
num  target  prot  opt  source     destination
1    REJECT  all   --   0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num  target  prot  opt  source     destination
Rule 3 in INPUT is the loopback accept (-i lo); the interface match is only shown when -v is added. The ip6tables default rules are essentially the same. Verify ip6tables Enabled if Using IPv6 The ip6tables service can be enabled with the following command: $ sudo systemctl enable ip6tables.service 1 11 12 13 14 15 16 18 3 4 6 8 9 APO01.06 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.05 DSS03.01 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.06 4.2.3.4 4.3.3.4 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 4.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-4 CA-3(c) CM-7 DE.AE-1 ID.AM-3 PR.AC-5 PR.DS-5 PR.IP-1 PR.PT-3 PR.PT-4 The ip6tables service provides the 
system's host-based firewalling capability for IPv6 and ICMPv6. Verify iptables Enabled The iptables service can be enabled with the following command: $ sudo systemctl enable iptables.service 1 11 12 13 14 15 16 18 3 4 6 8 9 APO01.06 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.05 DSS03.01 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.06 4.2.3.4 4.3.3.4 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 4.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-4 CA-3(c) CM-7 DE.AE-1 ID.AM-3 PR.AC-5 PR.DS-5 PR.IP-1 PR.PT-3 PR.PT-4 The iptables service provides the system's host-based firewalling capability for IPv4 and ICMP. 
Set Default ip6tables Policy for Incoming Packets To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in /etc/sysconfig/ip6tables: :INPUT DROP [0:0] If changes were required, reload the ip6tables rules: $ sudo service ip6tables reload 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 In ip6tables, the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to DROP implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted. Strengthen the Default Ruleset The default rules can be strengthened. The system scripts that activate the firewall rules expect them to be defined in the configuration files iptables and ip6tables in the directory /etc/sysconfig. Many of the lines in these files are similar to the command line arguments that would be provided to the programs /sbin/iptables or /sbin/ip6tables - but some are quite different. The following recommendations describe how to strengthen the default ruleset configuration file. An alternative to editing this configuration file is to create a shell script that makes calls to the iptables program to load in rules, and then invokes service iptables save to write those loaded rules to /etc/sysconfig/iptables. The following alterations can be made directly to /etc/sysconfig/iptables and /etc/sysconfig/ip6tables. 
Instructions apply to both unless otherwise noted. Language and address conventions for regular iptables are used throughout this section; configuration for ip6tables will be either analogous or explicitly covered. The program system-config-securitylevel allows additional services to penetrate the default firewall rules and automatically adjusts /etc/sysconfig/iptables. This program is only useful if the default ruleset meets your security requirements. Otherwise, this program should not be used to make changes to the firewall configuration because it re-writes the saved configuration file. Restrict ICMP Message Types In /etc/sysconfig/iptables, the accepted ICMP messages types can be restricted. To accept only ICMP echo reply, destination unreachable, and time exceeded messages, remove the line: -A INPUT -p icmp --icmp-type any -j ACCEPT and insert the lines: -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT To allow the system to respond to pings, also insert the following line: -A INPUT -p icmp --icmp-type echo-request -j ACCEPT Ping responses can also be limited to certain networks or hosts by using the -s option in the previous rule. Because IPv6 depends so heavily on ICMPv6, it is preferable to deny the ICMPv6 packets you know you don't need (e.g. ping requests) in /etc/sysconfig/ip6tables, while letting everything else through: -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP If you are going to statically configure the system's address, it should ignore Router Advertisements which could add another IPv6 address to the interface or alter important network settings: -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j DROP Restricting ICMPv6 message types in /etc/sysconfig/ip6tables is not recommended because the operation of IPv6 depends heavily on ICMPv6. Thus, great care must be taken if any other ICMPv6 types are blocked. 
Log and Drop Packets with Suspicious Source Addresses

Packets with non-routable source addresses should be rejected, as they may indicate spoofing. Because the modified policy will reject non-matching packets, you only need to add these rules if you are interested in also logging these spoofing or suspicious attempts before they are dropped. If you do choose to log various suspicious traffic, add identical rules with a target of DROP after each LOG.

To log and then drop these IPv4 packets, insert the following rules in /etc/sysconfig/iptables (excepting any that are intentionally used):

    -A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF A: "
    -A INPUT -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF B: "
    -A INPUT -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF C: "
    -A INPUT -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST D: "
    -A INPUT -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF E: "
    -A INPUT -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK: "

Similarly, you might wish to log packets containing some IPv6 reserved addresses if they are not expected on your network:

    -A INPUT -i eth0 -s ::1 -j LOG --log-prefix "IPv6 DROP LOOPBACK: "
    -A INPUT -s 2002:E000::/20 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
    -A INPUT -s 2002:7F00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
    -A INPUT -s 2002:0000::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
    -A INPUT -s 2002:FF00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
    -A INPUT -s 2002:0A00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
    -A INPUT -s 2002:AC10::/28 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
    -A INPUT -s 2002:C0A8::/32 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "

If you are not expecting to see site-local multicast or auto-tunneled traffic, you can log those:

    -A INPUT -s FF05::/16 -j LOG --log-prefix "IPv6 SITE-LOCAL MULTICAST: "
    -A INPUT -s ::0.0.0.0/96 -j LOG --log-prefix "IPv4 COMPATIBLE IPv6 ADDR: "

If you wish to block multicasts to all link-local nodes (e.g. if you are not using router auto-configuration and do not plan to have any services that multicast to the entire local network), you can block the link-local all-nodes multicast address (before accepting incoming ICMPv6):

    -A INPUT -d FF02::1 -j LOG --log-prefix "Link-local All-Nodes Multicast: "

However, if you're going to allow IPv4 compatible IPv6 addresses (of the form ::0.0.0.0/96), you should then consider logging the non-routable IPv4-compatible addresses:

    -A INPUT -s ::0.0.0.0/104 -j LOG --log-prefix "IP NON-ROUTABLE ADDR: "
    -A INPUT -s ::127.0.0.0/104 -j LOG --log-prefix "IP DROP LOOPBACK: "
    -A INPUT -s ::224.0.0.0/100 -j LOG --log-prefix "IP DROP MULTICAST D: "
    -A INPUT -s ::255.0.0.0/104 -j LOG --log-prefix "IP BROADCAST: "

If you are not expecting to see any IPv4 (or IPv4-compatible) traffic on your network, consider logging it before it gets dropped:

    -A INPUT -s ::FFFF:0.0.0.0/96 -j LOG --log-prefix "IPv4 MAPPED IPv6 ADDR: "
    -A INPUT -s 2002::/16 -j LOG --log-prefix "IPv6 6to4 ADDR: "

The following rule will log all traffic originating from a site-local address, which is deprecated address space:

    -A INPUT -s FEC0::/10 -j LOG --log-prefix "SITE-LOCAL ADDRESS TRAFFIC: "

Set Default iptables Policy for Forwarded Packets

To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another, add or correct the following line in /etc/sysconfig/iptables:

    :FORWARD DROP [0:0]

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3
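The three iptables changes in this section (restricting ICMP types, pairing every LOG rule for a spoofed source with a DROP rule, and setting the built-in chains to a DROP policy) are usually applied by hand-editing /etc/sysconfig/iptables. The following script is an added example, not code from the SCAP Security Guide: it rewrites a copy of that file and then audits the result. The sample ruleset, the file paths and every function name (harden_iptables_config, spoof_log_drop_rules, count_log_drop_pairs and the others) are constructed for the example.

```shell
#!/bin/sh
# Added example (not SSG code): rewrite an /etc/sysconfig/iptables-style file so
# that (1) the INPUT and FORWARD chain policies are DROP, (2) the catch-all
# "--icmp-type any" ACCEPT is replaced by the four specific ICMP types from the
# guide, and (3) each non-routable source prefix from the guide gets a LOG rule
# immediately followed by an identical DROP rule. Sample ruleset and function
# names are constructed for this example.

# Emit the guide's spoof/bogon LOG rules, each followed by its DROP twin.
spoof_log_drop_rules() {
    printf '%s\n' \
        '-s 10.0.0.0/8|IP DROP SPOOF A: ' \
        '-s 172.16.0.0/12|IP DROP SPOOF B: ' \
        '-s 192.168.0.0/16|IP DROP SPOOF C: ' \
        '-s 224.0.0.0/4|IP DROP MULTICAST D: ' \
        '-s 240.0.0.0/5|IP DROP SPOOF E: ' \
        '-d 127.0.0.0/8|IP DROP LOOPBACK: ' |
    while IFS='|' read -r match prefix; do
        printf '%s %s -j LOG --log-prefix "%s"\n' '-A INPUT' "$match" "$prefix"
        printf '%s %s -j DROP\n' '-A INPUT' "$match"
    done
}

# harden_iptables_config IN OUT: transform IN line by line into OUT.
# The LOG/DROP pairs go in before the first -A INPUT rule other than the
# loopback ACCEPT, so keep "-A INPUT -i lo -j ACCEPT" first in the file or
# local traffic to 127.0.0.0/8 will be logged and dropped.
harden_iptables_config() {
    inserted=0
    while IFS= read -r line; do
        case "$line" in
            ":INPUT ACCEPT "*)
                printf ':INPUT DROP %s\n' "${line#":INPUT ACCEPT "}" ;;
            ":FORWARD ACCEPT "*)
                printf ':FORWARD DROP %s\n' "${line#":FORWARD ACCEPT "}" ;;
            "-A INPUT -p icmp --icmp-type any -j ACCEPT")
                # echo-request is included so the host still answers pings.
                for t in echo-reply destination-unreachable time-exceeded echo-request; do
                    printf '%s -p icmp --icmp-type %s -j ACCEPT\n' '-A INPUT' "$t"
                done ;;
            "-A INPUT -i lo -j ACCEPT")
                printf '%s\n' "$line" ;;
            "-A INPUT "*)
                if [ "$inserted" -eq 0 ]; then spoof_log_drop_rules; inserted=1; fi
                printf '%s\n' "$line" ;;
            *)  printf '%s\n' "$line" ;;
        esac
    done < "$1" > "$2"
}

# policy_is_drop FILE CHAIN: true when the chain's policy line is DROP.
policy_is_drop() { grep -q "^:$2 DROP " "$1"; }

# icmp_any_accepted FILE: true when the catch-all ICMP ACCEPT is still present.
icmp_any_accepted() { grep -q -e '--icmp-type any -j ACCEPT' "$1"; }

# count_log_drop_pairs FILE: number of LOG rules whose next line is the
# identical match with a DROP target (the pairing the guide asks for).
count_log_drop_pairs() {
    awk '/-j LOG --log-prefix/ { m = $0; sub(/ -j LOG.*/, "", m)
                                 if ((getline nxt) > 0 && nxt == (m " -j DROP")) n++ }
         END { print n + 0 }' "$1"
}

# Constructed sample in the RHEL 7 /etc/sysconfig/iptables format.
write_sample_iptables() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

main() {
    dir=$(mktemp -d)
    write_sample_iptables "$dir/iptables"
    harden_iptables_config "$dir/iptables" "$dir/iptables.hardened"
    cat "$dir/iptables.hardened"
    rm -rf "$dir"
}
main
```

Run it as-is to see the hardened ruleset; to use it on a real system, point harden_iptables_config at a copy of /etc/sysconfig/iptables, review the output, and only then install it and restart the iptables service. The checks at the bottom are what an audit of the installed file should assert before the host is considered compliant.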
A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: In iptables, the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to DROP implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.

Set Default iptables Policy for Incoming Packets

To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in /etc/sysconfig/iptables:

    :INPUT DROP [0:0]

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: In iptables the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to DROP implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.

firewalld

The dynamic firewall daemon firewalld provides a dynamically managed firewall with support for network "zones" to assign a level of trust to a network and its associated connections and interfaces. It has support for IPv4 and IPv6 firewall settings. It supports Ethernet bridges and has a separation of runtime and permanent configuration options. It also has an interface for services or applications to add firewall rules directly. A graphical configuration tool, firewall-config, is used to configure firewalld, which in turn uses the iptables tool to communicate with Netfilter in the kernel, which implements packet filtering.
The firewall service provided by firewalld is dynamic rather than static because changes to the configuration can be made at any time and are immediately implemented. There is no need to save or apply the changes. No unintended disruption of existing network connections occurs as no part of the firewall has to be reloaded.

Strengthen the Default Ruleset

The default rules can be strengthened. The system scripts that activate the firewall rules expect them to be defined in configuration files under the /etc/firewalld/services and /etc/firewalld/zones directories. The following recommendations describe how to strengthen the default ruleset configuration file. An alternative to editing this configuration file is to create a shell script that makes calls to the firewall-cmd program to load in rules under the /etc/firewalld/services and /etc/firewalld/zones directories. Instructions apply to both unless otherwise noted. Language and address conventions for regular firewalld rules are used throughout this section.

The program firewall-config allows additional services to penetrate the default firewall rules and automatically adjusts the firewalld ruleset(s).

Set Default firewalld Zone for Incoming Packets

To set the default zone to drop for the built-in default zone which processes incoming IPv4 and IPv6 packets, modify the following line in /etc/firewalld/firewalld.conf to be:

    DefaultZone=drop

To prevent denying any access to the system, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above.
References: RHEL-07-040810 SV-86939r3_rule 11 14 3 9 5.10.1 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 3.1.3 3.4.7 3.13.6 CCI-000366 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-6(b) CM-7 PR.IP-1 PR.PT-3 FMT_MOF_EXT.1 SRG-OS-000480-GPOS-00227 SRG-OS-000480-VMM-002000

Rationale: In firewalld the default zone is applied only after all the applicable rules in the table are examined for a match. Setting the default zone to drop implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.

Identifiers: CCE-27349-0

Configure the Firewalld Ports

Configure the firewalld ports to allow approved services to have access to the system.
To configure firewalld to open ports, run the following command:

    $ sudo firewall-cmd --permanent --add-port=port_number/tcp

or, to open the ports of a named service:

    $ sudo firewall-cmd --permanent --add-service=service_name

Run the commands above for each of the ports listed below. To configure firewalld to allow access, run the following command(s):

    firewall-cmd --permanent --add-service=ssh

References: RHEL-07-040100 SV-86843r2_rule 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 CCI-000382 CCI-002314 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 CM-7 CM-7.1(iii) CM-7(b) AC-17(1) PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000096-GPOS-00050 SRG-OS-000297-GPOS-00115 SRG-OS-000480-VMM-002000

Rationale: In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.
To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.

Identifiers: CCE-80447-6

Remediation Shell script:

    # package_install and replace_or_append are helpers from the SSG shared
    # remediation functions; they are not defined in this snippet.
    package_install firewalld

    firewalld_sshd_zone=""

    # This assumes that firewalld_sshd_zone is one of the pre-defined zones
    if [ ! -f /etc/firewalld/zones/${firewalld_sshd_zone}.xml ]; then
        cp /usr/lib/firewalld/zones/${firewalld_sshd_zone}.xml /etc/firewalld/zones/${firewalld_sshd_zone}.xml
    fi
    if ! grep -q 'service name="ssh"' /etc/firewalld/zones/${firewalld_sshd_zone}.xml; then
        sed -i '/<\/description>/a \ <service name="ssh"/>' /etc/firewalld/zones/${firewalld_sshd_zone}.xml
    fi

    # Check if any eth interface is bound to the zone with SSH service enabled.
    # Collect the interface names as an array so that the first one can be
    # selected below with ${eth_interface_list[0]}.
    nic_bound=false
    eth_interface_list=($(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)'))
    for interface in "${eth_interface_list[@]}"; do
        if grep -q "ZONE=$firewalld_sshd_zone" /etc/sysconfig/network-scripts/ifcfg-$interface 2>/dev/null; then
            nic_bound=true
            break
        fi
    done

    if [ $nic_bound = false ]; then
        # Add first NIC to SSH enabled zone
        if ! firewall-cmd --state -q; then
            replace_or_append "/etc/sysconfig/network-scripts/ifcfg-${eth_interface_list[0]}" '^ZONE=' "$firewalld_sshd_zone" 'CCE-80447-6' '%s=%s'
        else
            # If firewalld service is running, we need to do this step with firewall-cmd.
            # Otherwise firewalld will communicate with NetworkManager and will revert the assigned zone
            # of NetworkManager-managed interfaces upon reload.
            firewall-cmd --zone=$firewalld_sshd_zone --add-interface=${eth_interface_list[0]}
            firewall-cmd --reload
        fi
    fi

Configure firewalld To Rate Limit Connections

Create a direct firewall rule to protect against DoS attacks with the following command:

    $ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

References: CCI-002385 SRG-OS-000420-GPOS-00186 RHEL-07-040510 SV-86895r3_rule

Rationale: DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This requirement addresses the configuration of the operating system to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.

Identifiers: CCE-80542-4

Inspect and Activate Default firewalld Rules

Firewalls can be used to separate networks into different zones based on the level of trust the user has decided to place on the devices and traffic within that network. NetworkManager informs firewalld to which zone an interface belongs. An interface's assigned zone can be changed by NetworkManager or via the firewall-config tool.
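The two firewalld settings above interact: once DefaultZone=drop is in force, a NIC that lands in the default zone only accepts the services that zone lists, which is why the ssh remediation copies the zone file and adds the ssh service to it. The script below is an added example, not code from the SCAP Security Guide; it applies both settings to copies of the files and checks that the default zone actually permits ssh before the change is considered safe. The file contents, the directory layout and all function names (set_default_zone, add_service_to_zone, default_zone_allows and the rest) are constructed for the example.

```shell
#!/bin/sh
# Added example (not SSG code): apply the two firewalld settings from this
# section to copies of the configuration files, and check the interaction
# between them: with DefaultZone=drop, the zone a NIC lands in must list the
# ssh service or remote administration is cut off. Sample file contents and
# all function names are constructed for this example.

# set_default_zone CONF ZONE: set DefaultZone= in a firewalld.conf, replacing
# an existing line or appending one (the replace-or-append pattern the guide's
# remediation scripts rely on). Uses a temp file so it works without GNU sed -i.
set_default_zone() {
    tmp=$(mktemp)
    if grep -q '^DefaultZone=' "$1"; then
        sed "s/^DefaultZone=.*/DefaultZone=$2/" "$1" > "$tmp"
    else
        cat "$1" > "$tmp"
        printf 'DefaultZone=%s\n' "$2" >> "$tmp"
    fi
    mv "$tmp" "$1"
}

# get_default_zone CONF: print the configured default zone name.
get_default_zone() { sed -n 's/^DefaultZone=//p' "$1"; }

# zone_has_service ZONE_XML SERVICE: true when the zone file already lists it.
zone_has_service() { grep -q "<service name=\"$2\"/>" "$1"; }

# add_service_to_zone ZONE_XML SERVICE: idempotent; inserts the element before
# the closing </zone>, so it also works for zone files without <description>
# (the guide's sed appends after </description> and does nothing otherwise).
add_service_to_zone() {
    zone_has_service "$1" "$2" && return 0
    tmp=$(mktemp)
    awk -v svc="$2" '/^[[:space:]]*<\/zone>/ { printf "  <service name=\"%s\"/>\n", svc } { print }' \
        "$1" > "$tmp" && mv "$tmp" "$1"
}

# default_zone_allows CONF ZONE_DIR SERVICE: true when the default zone named
# in CONF has a definition in ZONE_DIR that permits SERVICE.
default_zone_allows() {
    zone=$(get_default_zone "$1")
    [ -n "$zone" ] && [ -f "$2/$zone.xml" ] && zone_has_service "$2/$zone.xml" "$3"
}

# Constructed excerpt of /etc/firewalld/firewalld.conf (default zone public).
write_sample_conf() {
    cat > "$1" <<'EOF'
# firewalld config file (constructed sample)
DefaultZone=public
CleanupOnExit=yes
Lockdown=no
EOF
}

# Constructed zone file in the shape of /usr/lib/firewalld/zones/drop.xml.
write_sample_drop_zone() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>Drop</short>
  <description>Unsolicited incoming network packets are dropped.</description>
</zone>
EOF
}

main() {
    dir=$(mktemp -d)
    mkdir "$dir/zones"
    write_sample_conf "$dir/firewalld.conf"
    write_sample_drop_zone "$dir/zones/drop.xml"
    set_default_zone "$dir/firewalld.conf" drop
    default_zone_allows "$dir/firewalld.conf" "$dir/zones" ssh ||
        echo "default zone drop does not allow ssh yet; remote access would be lost"
    add_service_to_zone "$dir/zones/drop.xml" ssh
    default_zone_allows "$dir/firewalld.conf" "$dir/zones" ssh && echo "ssh allowed in default zone"
    cat "$dir/zones/drop.xml"
    rm -rf "$dir"
}
main
```

On a live system the edited files would be /etc/firewalld/firewalld.conf and /etc/firewalld/zones/<zone>.xml, and firewalld must be reloaded (firewall-cmd --reload) for the permanent configuration to take effect; running default_zone_allows against those paths before the reload is the check that prevents the lockout the guide warns about.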
The zone settings in /etc/firewalld/ are a range of preset settings which can be quickly applied to a network interface. These are the zones provided by firewalld, sorted according to the default trust level of the zones from untrusted to trusted:

    drop: Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
    block: Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.
    public: For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
    external: For use on external networks with masquerading enabled, especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
    dmz: For computers in your demilitarized zone that are publicly accessible with limited access to your internal network. Only selected incoming connections are accepted.
    work: For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
    home: For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
    internal: For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
    trusted: All network connections are accepted.

It is possible to designate one of these zones to be the default zone. When interface connections are added to NetworkManager, they are assigned to the default zone. On installation, the default zone in firewalld is set to be the public zone.
To find out all the settings of a zone, for example the public zone, enter the following command as root:

    # firewall-cmd --zone=public --list-all

Example output of this command might look like the following:

    # firewall-cmd --zone=public --list-all
    public
      interfaces:
      services: mdns dhcpv6-client ssh
      ports:
      forward-ports:
      icmp-blocks: source-quench

To view the services firewalld knows about, enter the following command as root:

    # firewall-cmd --get-services

The following listing displays the result of this command on a common Red Hat Enterprise Linux 7 system:

    # firewall-cmd --get-services
    amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

Finally, to view the services that will be available after the next firewalld service reload, enter the following command as root:

    # firewall-cmd --get-services --permanent

Verify firewalld Enabled

The firewalld service can be enabled with the following command:

    $ sudo systemctl enable firewalld.service

References: RHEL-07-040520 SV-86897r2_rule 4.7 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 3.1.3 3.4.7 CCI-000366 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-6(b) PR.IP-1 FMT_MOF_EXT.1 SRG-OS-000480-GPOS-00227

Rationale: Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols.
Identifiers: CCE-80998-8

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" start 'firewalld.service'
    "$SYSTEMCTL_EXEC" enable 'firewalld.service'

Remediation Ansible snippet:

    - name: Enable service firewalld
      service:
        name: firewalld
        enabled: "yes"
        state: "started"
      tags:
        - service_firewalld_enabled
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80998-8
        - NIST-800-53-CM-6(b)
        - NIST-800-171-3.1.3
        - NIST-800-171-3.4.7
        - DISA-STIG-RHEL-07-040520
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Install firewalld

The firewalld package can be installed with the following command:

    $ sudo yum install firewalld

Rationale: The firewalld package should be installed to provide access control methods.

Remediation Shell script:

    # package_install is a helper from the SSG shared remediation functions.
    package_install firewalld

Remediation Ansible snippet:

    - name: Ensure firewalld is installed
      package:
        name: firewalld
        state: present
      tags:
        - package_firewalld_installed
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Remediation Puppet snippet:

    include install_firewalld

    class install_firewalld {
      package { 'firewalld':
        ensure => 'installed',
      }
    }

Remediation Anaconda snippet:

    package --add=firewalld

Kernel Parameters Which Affect Networking

The sysctl utility is used to set parameters which affect the operation of the Linux kernel. Kernel parameters which affect networking and have security implications are described here.

Network Related Kernel Runtime Parameters for Hosts and Routers

Certain kernel parameters should be set for systems which are acting as either hosts or routers to improve the system's ability to defend against certain types of IPv4 protocol attacks. Each entry below gives the parameter, its description, and the selected value followed by the possible values (0 or 1):

    net.ipv4.conf.default.accept_source_route
        Disable IP source routing?
        Value: 0 (0 1)

    net.ipv4.conf.default.log_martians
        Disable so you don't Log Spoofed Packets, Source Routed Packets, Redirect Packets
        Value: 1 (0 1)

    net.ipv4.conf.default.secure_redirects
        Enable to prevent hijacking of routing path by only allowing redirects from gateways known in routing table. Disable to refuse acceptance of secure ICMP redirected packets by default.
        Value: 0 (0 1)

    net.ipv4.icmp_ignore_bogus_error_responses
        Enable to prevent unnecessary logging
        Value: 1 (0 1)

    net.ipv4.conf.default.accept_redirects
        Disable ICMP Redirect Acceptance?
        Value: 0 (0 1)

    net.ipv4.conf.all.log_martians
        Disable so you don't Log Spoofed Packets, Source Routed Packets, Redirect Packets
        Value: 1 (0 1)

    net.ipv4.conf.all.secure_redirects
        Enable to prevent hijacking of routing path by only allowing redirects from gateways known in routing table. Disable to refuse acceptance of secure ICMP redirected packets on all interfaces.
        Value: 0 (0 1)

    net.ipv4.conf.default.rp_filter
        Enables source route verification
        Value: 1 (0 1)

    net.ipv4.tcp_syncookies
        Enable to turn on TCP SYN Cookie Protection
        Value: 1 (0 1)

    net.ipv4.icmp_echo_ignore_broadcasts
        Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast
        Value: 1 (0 1)

    net.ipv4.conf.all.accept_source_route
        Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirected.
        Value: 0 (0 1)

    net.ipv4.conf.all.accept_redirects
        Disable ICMP Redirect Acceptance
        Value: 0 (0 1)

    net.ipv4.conf.all.rp_filter
        Enable to enforce sanity checking, also called ingress filtering or egress filtering. The point is to drop a packet if the source and destination IP addresses in the IP header do not make sense when considered in light of the physical interface on which it arrived.
        Value: 1 (0 1)

Configure Kernel Parameter for Accepting Source-Routed Packets By Default

To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command:

    $ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    net.ipv4.conf.default.accept_source_route = 0

References: RHEL-07-040620 SV-86909r2_rule 3.2.1 1 11 12 13 14 15 16 18 2 3 4 6 7 8 9 5.10.1.1 APO01.06 APO13.01 BAI04.04 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS01.05 DSS03.01 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.06 3.1.20 CCI-000366 CCI-001551 4.2.3.4 4.3.3.4 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 4.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.2 SR 7.1 SR 7.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.1.3 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.17.2.1 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-4 CM-7 SC-5 SC-7 DE.AE-1 DE.CM-1 ID.AM-3 PR.AC-5 PR.DS-4 PR.DS-5 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000480-GPOS-00227

Rationale: Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. Accepting source-routed packets in the IPv4 protocol has few legitimate uses.
It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.

Identifiers: CCE-80162-1

Remediation Shell script:

    sysctl_net_ipv4_conf_default_accept_source_route_value=""

    #
    # Set runtime for net.ipv4.conf.default.accept_source_route
    #
    /sbin/sysctl -q -n -w net.ipv4.conf.default.accept_source_route=$sysctl_net_ipv4_conf_default_accept_source_route_value

    #
    # If net.ipv4.conf.default.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
    # else, add "net.ipv4.conf.default.accept_source_route = value" to /etc/sysctl.conf
    # (replace_or_append is a helper from the SSG shared remediation functions)
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.default.accept_source_route' "$sysctl_net_ipv4_conf_default_accept_source_route_value" 'CCE-80162-1'

Remediation Ansible snippet:

    - name: XCCDF Value sysctl_net_ipv4_conf_default_accept_source_route_value # promote to variable
      set_fact:
        sysctl_net_ipv4_conf_default_accept_source_route_value: !!str
      tags:
        - always

    - name: Ensure sysctl net.ipv4.conf.default.accept_source_route is set
      sysctl:
        name: net.ipv4.conf.default.accept_source_route
        value: "{{ sysctl_net_ipv4_conf_default_accept_source_route_value }}"
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv4_conf_default_accept_source_route
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80162-1
        - NIST-800-53-AC-4
        - NIST-800-53-CM-7
        - NIST-800-53-SC-5
        - NIST-800-53-SC-7
        - NIST-800-171-3.1.20
        - CJIS-5.10.1.1
        - DISA-STIG-RHEL-07-040620
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requests

To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command:

    $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    net.ipv4.icmp_echo_ignore_broadcasts = 1

References: RHEL-07-040630 SV-86911r2_rule 3.2.5 1 11 12 13 14 15 16 18 2 3 4 6 7 8 9 5.10.1.1 APO01.06 APO13.01 BAI04.04 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS01.05 DSS03.01 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.06 3.1.20 CCI-000366 4.2.3.4 4.3.3.4 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 4.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.2 SR 7.1 SR 7.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.1.3 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.17.2.1 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-4 CM-7 SC-5 DE.AE-1 DE.CM-1 ID.AM-3 PR.AC-5 PR.DS-4 PR.DS-5 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000480-GPOS-00227

Rationale: Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks. Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.
Identifiers: CCE-80165-4

Remediation Shell script:

    sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=""

    #
    # Set runtime for net.ipv4.icmp_echo_ignore_broadcasts
    #
    /sbin/sysctl -q -n -w net.ipv4.icmp_echo_ignore_broadcasts=$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value

    #
    # If net.ipv4.icmp_echo_ignore_broadcasts present in /etc/sysctl.conf, change value to appropriate value
    # else, add "net.ipv4.icmp_echo_ignore_broadcasts = value" to /etc/sysctl.conf
    # (replace_or_append is a helper from the SSG shared remediation functions)
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv4.icmp_echo_ignore_broadcasts' "$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" 'CCE-80165-4'

Remediation Ansible snippet:

    - name: XCCDF Value sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value # promote to variable
      set_fact:
        sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value: !!str
      tags:
        - always

    - name: Ensure sysctl net.ipv4.icmp_echo_ignore_broadcasts is set
      sysctl:
        name: net.ipv4.icmp_echo_ignore_broadcasts
        value: "{{ sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value }}"
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80165-4
        - NIST-800-53-AC-4
        - NIST-800-53-CM-7
        - NIST-800-53-SC-5
        - NIST-800-171-3.1.20
        - CJIS-5.10.1.1
        - DISA-STIG-RHEL-07-040630
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure Kernel Parameter to Log Martian Packets By Default

To set the runtime status of the net.ipv4.conf.default.log_martians kernel parameter, run the following command:

    $ sudo sysctl -w net.ipv4.conf.default.log_martians=1

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    net.ipv4.conf.default.log_martians = 1

References: 3.2.4 1 11 12 13 14 15 16 2 3 7 8 9 APO13.01 BAI04.04 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS01.04 DSS03.05 DSS05.02 DSS05.03 DSS05.05 DSS05.07 DSS06.06 3.1.20 CCI-000126 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.2 SR 7.1 SR 7.2 SR 7.6 A.11.2.6 A.12.1.2 A.12.1.3 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.17.2.1 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(7) CM-7 SC-5(3) DE.CM-1 PR.AC-3 PR.DS-4 PR.IP-1 PR.PT-3 PR.PT-4

Rationale: The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.

Identifiers: CCE-80161-3

Remediation Shell script:

    sysctl_net_ipv4_conf_default_log_martians_value=""

    #
    # Set runtime for net.ipv4.conf.default.log_martians
    #
    /sbin/sysctl -q -n -w net.ipv4.conf.default.log_martians=$sysctl_net_ipv4_conf_default_log_martians_value

    #
    # If net.ipv4.conf.default.log_martians present in /etc/sysctl.conf, change value to appropriate value
    # else, add "net.ipv4.conf.default.log_martians = value" to /etc/sysctl.conf
    # (replace_or_append is a helper from the SSG shared remediation functions)
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.default.log_martians' "$sysctl_net_ipv4_conf_default_log_martians_value" 'CCE-80161-3'

Remediation Ansible snippet:

    - name: XCCDF Value sysctl_net_ipv4_conf_default_log_martians_value # promote to variable
      set_fact:
        sysctl_net_ipv4_conf_default_log_martians_value: !!str
      tags:
        - always

    - name: Ensure sysctl net.ipv4.conf.default.log_martians is set
      sysctl:
        name: net.ipv4.conf.default.log_martians
        value: "{{ sysctl_net_ipv4_conf_default_log_martians_value }}"
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv4_conf_default_log_martians
        - unknown_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80161-3
        - NIST-800-53-AC-17(7)
        - NIST-800-53-CM-7
        - NIST-800-53-SC-5(3)
        - NIST-800-171-3.1.20
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure Kernel Parameter to Use Reverse Path Filtering by Default

To set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter, run the following command:

    $ sudo sysctl -w net.ipv4.conf.default.rp_filter=1

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    net.ipv4.conf.default.rp_filter = 1

References: 3.2.7 1 12 13 14 15 16 18 2 4 6 7 8 9 APO01.06 APO13.01 BAI04.04 DSS01.03 DSS01.05 DSS03.01 DSS03.05 DSS05.02 DSS05.04 DSS05.07 DSS06.02 3.1.20 4.2.3.4 4.3.3.4 4.4.3.3 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.2 SR 7.1 SR 7.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.1.3 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.17.2.1 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-4 SC-5 SC-7 DE.AE-1 DE.CM-1 ID.AM-3 PR.AC-5 PR.DS-4 PR.DS-5 PR.PT-4

Rationale: Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.
Identifiers: CCE-80168-8

Remediation Shell script:

    sysctl_net_ipv4_conf_default_rp_filter_value=""

    #
    # Set runtime for net.ipv4.conf.default.rp_filter
    #
    /sbin/sysctl -q -n -w net.ipv4.conf.default.rp_filter=$sysctl_net_ipv4_conf_default_rp_filter_value

    #
    # If net.ipv4.conf.default.rp_filter present in /etc/sysctl.conf, change value to appropriate value
    # else, add "net.ipv4.conf.default.rp_filter = value" to /etc/sysctl.conf
    # (replace_or_append is a helper from the SSG shared remediation functions)
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.default.rp_filter' "$sysctl_net_ipv4_conf_default_rp_filter_value" 'CCE-80168-8'

Remediation Ansible snippet:

    - name: XCCDF Value sysctl_net_ipv4_conf_default_rp_filter_value # promote to variable
      set_fact:
        sysctl_net_ipv4_conf_default_rp_filter_value: !!str
      tags:
        - always

    - name: Ensure sysctl net.ipv4.conf.default.rp_filter is set
      sysctl:
        name: net.ipv4.conf.default.rp_filter
        value: "{{ sysctl_net_ipv4_conf_default_rp_filter_value }}"
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv4_conf_default_rp_filter
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80168-8
        - NIST-800-53-AC-4
        - NIST-800-53-SC-5
        - NIST-800-53-SC-7
        - NIST-800-171-3.1.20
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure Kernel Parameter for Accepting Secure Redirects for All Interfaces

To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command:

    $ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    net.ipv4.conf.all.secure_redirects = 0

References: 3.2.3 1 11 12 13 14 15 16 18 2 3 4 6 7 8 9 APO01.06 APO13.01 BAI04.04 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS01.05 DSS03.01 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.06 3.1.20 CCI-001503 CCI-001551 4.2.3.4 4.3.3.4 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 4.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.2 SR 7.1 SR 7.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.1.3 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.17.2.1 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-4 CM-7 SC-5 DE.AE-1 DE.CM-1 ID.AM-3 PR.AC-5 PR.DS-4 PR.DS-5 PR.IP-1 PR.PT-3 PR.PT-4

Rationale: Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

Identifiers: CCE-80159-7

Remediation Shell script:

    sysctl_net_ipv4_conf_all_secure_redirects_value=""

    #
    # Set runtime for net.ipv4.conf.all.secure_redirects
    #
    /sbin/sysctl -q -n -w net.ipv4.conf.all.secure_redirects=$sysctl_net_ipv4_conf_all_secure_redirects_value

    #
    # If net.ipv4.conf.all.secure_redirects present in /etc/sysctl.conf, change value to appropriate value
    # else, add "net.ipv4.conf.all.secure_redirects = value" to /etc/sysctl.conf
    # (replace_or_append is a helper from the SSG shared remediation functions)
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.all.secure_redirects' "$sysctl_net_ipv4_conf_all_secure_redirects_value" 'CCE-80159-7'

Remediation Ansible snippet:

    - name: XCCDF Value sysctl_net_ipv4_conf_all_secure_redirects_value # promote to variable
      set_fact:
        sysctl_net_ipv4_conf_all_secure_redirects_value: !!str
      tags:
        - always

    - name: Ensure sysctl net.ipv4.conf.all.secure_redirects is set
      sysctl:
        name: net.ipv4.conf.all.secure_redirects
        value: "{{ sysctl_net_ipv4_conf_all_secure_redirects_value }}"
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv4_conf_all_secure_redirects
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80159-7
        - NIST-800-53-AC-4
        - NIST-800-53-CM-7
        - NIST-800-53-SC-5
        - NIST-800-171-3.1.20
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure Kernel Parameter to Use TCP Syncookies

To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command:

    $ sudo sysctl -w net.ipv4.tcp_syncookies=1

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    net.ipv4.tcp_syncookies = 1

References: 3.2.8 1 12 13 14 15 16 18 2 4 6 7 8 9 5.10.1.1 APO01.06 APO13.01 BAI04.04 DSS01.03 DSS01.05 DSS03.01 DSS03.05 DSS05.02 DSS05.04 DSS05.07 DSS06.02 3.1.20 CCI-000366 4.2.3.4 4.3.3.4 4.4.3.3 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.2 SR 7.1 SR 7.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.1.3 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.17.2.1 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-4 SC-5(1)(2) SC-5(2) SC-5(3) DE.AE-1 DE.CM-1 ID.AM-3 PR.AC-5 PR.DS-4 PR.DS-5 PR.PT-4 SRG-OS-000480-GPOS-00227

Rationale: A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.
Identifiers: CCE-27495-1

Remediation Shell script:

    sysctl_net_ipv4_tcp_syncookies_value=""
    #
    # Set runtime for net.ipv4.tcp_syncookies
    #
    /sbin/sysctl -q -n -w net.ipv4.tcp_syncookies=$sysctl_net_ipv4_tcp_syncookies_value
    #
    # If net.ipv4.tcp_syncookies present in /etc/sysctl.conf, change value to appropriate value
    # else, add "net.ipv4.tcp_syncookies = value" to /etc/sysctl.conf
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv4.tcp_syncookies' "$sysctl_net_ipv4_tcp_syncookies_value" 'CCE-27495-1'

Remediation Ansible snippet:

    - name: XCCDF Value sysctl_net_ipv4_tcp_syncookies_value # promote to variable
      set_fact:
        sysctl_net_ipv4_tcp_syncookies_value: !!str
      tags:
        - always

    - name: Ensure sysctl net.ipv4.tcp_syncookies is set
      sysctl:
        name: net.ipv4.tcp_syncookies
        value: "{{ sysctl_net_ipv4_tcp_syncookies_value }}"
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv4_tcp_syncookies
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-27495-1
        - NIST-800-53-AC-4
        - NIST-800-53-SC-5(1)(2)
        - NIST-800-53-SC-5(2)
        - NIST-800-53-SC-5(3)
        - NIST-800-171-3.1.20
        - CJIS-5.10.1.1
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure Kernel Parameter for Accepting ICMP Redirects for All Interfaces

To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command:

    $ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    net.ipv4.conf.all.accept_redirects = 0

References: RHEL-07-040641 SV-87827r4_rule 3.2.2 1 11 12 13 14 15 16 2 3 7 8 9 5.10.1.1 APO13.01 BAI04.04 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS03.05 DSS05.02 DSS05.05 DSS05.07 DSS06.06 3.1.20 CCI-000366 CCI-001503 CCI-001551 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 6.2 SR 7.1 SR 7.2 SR 7.6 A.12.1.2 A.12.1.3 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.17.2.1 A.9.1.2 CM-6(d) CM-7 SC-5 DE.CM-1 PR.DS-4 PR.IP-1 PR.PT-3 SRG-OS-000480-GPOS-00227

Rationale: ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.

Identifiers: CCE-80158-9

Remediation Shell script:

    sysctl_net_ipv4_conf_all_accept_redirects_value=""
    #
    # Set runtime for net.ipv4.conf.all.accept_redirects
    #
    /sbin/sysctl -q -n -w net.ipv4.conf.all.accept_redirects=$sysctl_net_ipv4_conf_all_accept_redirects_value
    #
    # If net.ipv4.conf.all.accept_redirects present in /etc/sysctl.conf, change value to appropriate value
    # else, add "net.ipv4.conf.all.accept_redirects = value" to /etc/sysctl.conf
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.all.accept_redirects' "$sysctl_net_ipv4_conf_all_accept_redirects_value" 'CCE-80158-9'

Remediation Ansible snippet:

    - name: XCCDF Value sysctl_net_ipv4_conf_all_accept_redirects_value # promote to variable
      set_fact:
        sysctl_net_ipv4_conf_all_accept_redirects_value: !!str
      tags:
        - always

    - name: Ensure sysctl net.ipv4.conf.all.accept_redirects is set
      sysctl:
        name: net.ipv4.conf.all.accept_redirects
        value: "{{ sysctl_net_ipv4_conf_all_accept_redirects_value }}"
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv4_conf_all_accept_redirects
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80158-9
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-7
        - NIST-800-53-SC-5
        - NIST-800-171-3.1.20
        - CJIS-5.10.1.1
        - DISA-STIG-RHEL-07-040641
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure Kernel Parameter to Log Martian Packets

To set the runtime status of the net.ipv4.conf.all.log_martians kernel parameter, run the following command:

    $ sudo sysctl -w net.ipv4.conf.all.log_martians=1

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    net.ipv4.conf.all.log_martians = 1

References: 3.2.4 1 11 12 13 14 15 16 2 3 7 8 9 APO13.01 BAI04.04 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS01.04 DSS03.05 DSS05.02 DSS05.03 DSS05.05 DSS05.07 DSS06.06 3.1.20 CCI-000126 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.2 SR 7.1 SR 7.2 SR 7.6 A.11.2.6 A.12.1.2 A.12.1.3 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.17.2.1 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(7) CM-7 SC-5(3) DE.CM-1 PR.AC-3 PR.DS-4 PR.IP-1 PR.PT-3 PR.PT-4

Rationale: The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.
Identifiers: CCE-80160-5

Remediation Shell script:

    sysctl_net_ipv4_conf_all_log_martians_value=""
    #
    # Set runtime for net.ipv4.conf.all.log_martians
    #
    /sbin/sysctl -q -n -w net.ipv4.conf.all.log_martians=$sysctl_net_ipv4_conf_all_log_martians_value
    #
    # If net.ipv4.conf.all.log_martians present in /etc/sysctl.conf, change value to appropriate value
    # else, add "net.ipv4.conf.all.log_martians = value" to /etc/sysctl.conf
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.all.log_martians' "$sysctl_net_ipv4_conf_all_log_martians_value" 'CCE-80160-5'

Remediation Ansible snippet:

    - name: XCCDF Value sysctl_net_ipv4_conf_all_log_martians_value # promote to variable
      set_fact:
        sysctl_net_ipv4_conf_all_log_martians_value: !!str
      tags:
        - always

    - name: Ensure sysctl net.ipv4.conf.all.log_martians is set
      sysctl:
        name: net.ipv4.conf.all.log_martians
        value: "{{ sysctl_net_ipv4_conf_all_log_martians_value }}"
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv4_conf_all_log_martians
        - unknown_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80160-5
        - NIST-800-53-AC-17(7)
        - NIST-800-53-CM-7
        - NIST-800-53-SC-5(3)
        - NIST-800-171-3.1.20
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure Kernel Parameter to Use Reverse Path Filtering for All Interfaces

To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command:

    $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    net.ipv4.conf.all.rp_filter = 1

References: 3.2.7 1 12 13 14 15 16 18 2 4 6 7 8 9 APO01.06 APO13.01 BAI04.04 DSS01.03 DSS01.05 DSS03.01 DSS03.05 DSS05.02 DSS05.04 DSS05.07 DSS06.02 3.1.20 CCI-001551 4.2.3.4 4.3.3.4 4.4.3.3 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.2 SR 7.1 SR 7.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.1.3 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.17.2.1 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-4 SC-5 SC-7 DE.AE-1 DE.CM-1 ID.AM-3 PR.AC-5 PR.DS-4 PR.DS-5 PR.PT-4

Rationale: Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.

Identifiers: CCE-80167-0

Remediation Shell script:

    sysctl_net_ipv4_conf_all_rp_filter_value=""
    #
    # Set runtime for net.ipv4.conf.all.rp_filter
    #
    /sbin/sysctl -q -n -w net.ipv4.conf.all.rp_filter=$sysctl_net_ipv4_conf_all_rp_filter_value
    #
    # If net.ipv4.conf.all.rp_filter present in /etc/sysctl.conf, change value to appropriate value
    # else, add "net.ipv4.conf.all.rp_filter = value" to /etc/sysctl.conf
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.all.rp_filter' "$sysctl_net_ipv4_conf_all_rp_filter_value" 'CCE-80167-0'

Remediation Ansible snippet:

    - name: XCCDF Value sysctl_net_ipv4_conf_all_rp_filter_value # promote to variable
      set_fact:
        sysctl_net_ipv4_conf_all_rp_filter_value: !!str
      tags:
        - always

    - name: Ensure sysctl net.ipv4.conf.all.rp_filter is set
      sysctl:
        name: net.ipv4.conf.all.rp_filter
        value: "{{ sysctl_net_ipv4_conf_all_rp_filter_value }}"
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv4_conf_all_rp_filter
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80167-0
        - NIST-800-53-AC-4
        - NIST-800-53-SC-5
        - NIST-800-53-SC-7
        - NIST-800-171-3.1.20
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure Kernel Parameter to Ignore Bogus ICMP Error Responses

To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command:

    $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    net.ipv4.icmp_ignore_bogus_error_responses = 1

References: 3.2.6 1 11 12 13 14 15 16 2 3 7 8 9 APO13.01 BAI04.04 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS03.05 DSS05.02 DSS05.05 DSS05.07 DSS06.06 3.1.20 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 6.2 SR 7.1 SR 7.2 SR 7.6 A.12.1.2 A.12.1.3 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.17.2.1 A.9.1.2 CM-7 SC-5 DE.CM-1 PR.DS-4 PR.IP-1 PR.PT-3

Rationale: Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.

Identifiers: CCE-80166-2

Remediation Shell script:

    sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=""
    #
    # Set runtime for net.ipv4.icmp_ignore_bogus_error_responses
    #
    /sbin/sysctl -q -n -w net.ipv4.icmp_ignore_bogus_error_responses=$sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value
    #
    # If net.ipv4.icmp_ignore_bogus_error_responses present in /etc/sysctl.conf, change value to appropriate value
    # else, add "net.ipv4.icmp_ignore_bogus_error_responses = value" to /etc/sysctl.conf
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv4.icmp_ignore_bogus_error_responses' "$sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value" 'CCE-80166-2'

Remediation Ansible snippet:

    - name: XCCDF Value sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value # promote to variable
      set_fact:
        sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value: !!str
      tags:
        - always

    - name: Ensure sysctl net.ipv4.icmp_ignore_bogus_error_responses is set
      sysctl:
        name: net.ipv4.icmp_ignore_bogus_error_responses
        value: "{{ sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value }}"
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
        - unknown_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80166-2
        - NIST-800-53-CM-7
        - NIST-800-53-SC-5
        - NIST-800-171-3.1.20
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure Kernel Parameter for Accepting Secure Redirects By Default

To set the runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter, run the following command:

    $ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    net.ipv4.conf.default.secure_redirects = 0

References: 3.2.3 1 11 12 13 14 15 16 18 2 3 4 6 7 8 9 APO01.06 APO13.01 BAI04.04 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS01.05 DSS03.01 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.06 3.1.20 CCI-001551 4.2.3.4 4.3.3.4 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 4.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.2 SR 7.1 SR 7.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.1.3 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.17.2.1 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-4 CM-7 SC-5 SC-7 DE.AE-1 DE.CM-1 ID.AM-3 PR.AC-5 PR.DS-4 PR.DS-5 PR.IP-1 PR.PT-3 PR.PT-4

Rationale: Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.
Identifiers: CCE-80164-7

Remediation Shell script:

    sysctl_net_ipv4_conf_default_secure_redirects_value=""
    #
    # Set runtime for net.ipv4.conf.default.secure_redirects
    #
    /sbin/sysctl -q -n -w net.ipv4.conf.default.secure_redirects=$sysctl_net_ipv4_conf_default_secure_redirects_value
    #
    # If net.ipv4.conf.default.secure_redirects present in /etc/sysctl.conf, change value to appropriate value
    # else, add "net.ipv4.conf.default.secure_redirects = value" to /etc/sysctl.conf
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.default.secure_redirects' "$sysctl_net_ipv4_conf_default_secure_redirects_value" 'CCE-80164-7'

Remediation Ansible snippet:

    - name: XCCDF Value sysctl_net_ipv4_conf_default_secure_redirects_value # promote to variable
      set_fact:
        sysctl_net_ipv4_conf_default_secure_redirects_value: !!str
      tags:
        - always

    - name: Ensure sysctl net.ipv4.conf.default.secure_redirects is set
      sysctl:
        name: net.ipv4.conf.default.secure_redirects
        value: "{{ sysctl_net_ipv4_conf_default_secure_redirects_value }}"
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv4_conf_default_secure_redirects
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80164-7
        - NIST-800-53-AC-4
        - NIST-800-53-CM-7
        - NIST-800-53-SC-5
        - NIST-800-53-SC-7
        - NIST-800-171-3.1.20
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure Kernel Parameter for Accepting IPv4 Source-Routed Packets for All Interfaces

To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command:

    $ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    net.ipv4.conf.all.accept_source_route = 0

References: RHEL-07-040610 SV-86907r2_rule 3.2.1 1 11 12 13 14 15 16 18 2 3 4 6 7 8 9 APO01.06 APO13.01 BAI04.04 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS01.05 DSS03.01 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.06 3.1.20 CCI-000366 4.2.3.4 4.3.3.4 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 4.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.2 SR 7.1 SR 7.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.1.3 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.17.2.1 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-4 CM-7 SC-5 DE.AE-1 DE.CM-1 ID.AM-3 PR.AC-5 PR.DS-4 PR.DS-5 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000480-GPOS-00227

Rationale: Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
Identifiers: CCE-27434-0

Remediation Shell script:

    sysctl_net_ipv4_conf_all_accept_source_route_value=""
    #
    # Set runtime for net.ipv4.conf.all.accept_source_route
    #
    /sbin/sysctl -q -n -w net.ipv4.conf.all.accept_source_route=$sysctl_net_ipv4_conf_all_accept_source_route_value
    #
    # If net.ipv4.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
    # else, add "net.ipv4.conf.all.accept_source_route = value" to /etc/sysctl.conf
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.all.accept_source_route' "$sysctl_net_ipv4_conf_all_accept_source_route_value" 'CCE-27434-0'

Remediation Ansible snippet:

    - name: XCCDF Value sysctl_net_ipv4_conf_all_accept_source_route_value # promote to variable
      set_fact:
        sysctl_net_ipv4_conf_all_accept_source_route_value: !!str
      tags:
        - always

    - name: Ensure sysctl net.ipv4.conf.all.accept_source_route is set
      sysctl:
        name: net.ipv4.conf.all.accept_source_route
        value: "{{ sysctl_net_ipv4_conf_all_accept_source_route_value }}"
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv4_conf_all_accept_source_route
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-27434-0
        - NIST-800-53-AC-4
        - NIST-800-53-CM-7
        - NIST-800-53-SC-5
        - NIST-800-171-3.1.20
        - DISA-STIG-RHEL-07-040610
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure Kernel Parameter for Accepting ICMP Redirects By Default

To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command:

    $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    net.ipv4.conf.default.accept_redirects = 0

References: RHEL-07-040640 SV-86913r3_rule 3.2.2 1 11 12 13 14 15 16 18 2 3 4 6 7 8 9 5.10.1.1 APO01.06 APO13.01 BAI04.04 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS01.05 DSS03.01 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.06 3.1.20 CCI-001551 4.2.3.4 4.3.3.4 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 4.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.2 SR 7.1 SR 7.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.1.3 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.17.2.1 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-4 CM-7 SC-5 SC-7 DE.AE-1 DE.CM-1 ID.AM-3 PR.AC-5 PR.DS-4 PR.DS-5 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000480-GPOS-00227

Rationale: ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.
Identifiers: CCE-80163-9

Remediation Shell script:

    sysctl_net_ipv4_conf_default_accept_redirects_value=""
    #
    # Set runtime for net.ipv4.conf.default.accept_redirects
    #
    /sbin/sysctl -q -n -w net.ipv4.conf.default.accept_redirects=$sysctl_net_ipv4_conf_default_accept_redirects_value
    #
    # If net.ipv4.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value
    # else, add "net.ipv4.conf.default.accept_redirects = value" to /etc/sysctl.conf
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.default.accept_redirects' "$sysctl_net_ipv4_conf_default_accept_redirects_value" 'CCE-80163-9'

Remediation Ansible snippet:

    - name: XCCDF Value sysctl_net_ipv4_conf_default_accept_redirects_value # promote to variable
      set_fact:
        sysctl_net_ipv4_conf_default_accept_redirects_value: !!str
      tags:
        - always

    - name: Ensure sysctl net.ipv4.conf.default.accept_redirects is set
      sysctl:
        name: net.ipv4.conf.default.accept_redirects
        value: "{{ sysctl_net_ipv4_conf_default_accept_redirects_value }}"
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv4_conf_default_accept_redirects
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80163-9
        - NIST-800-53-AC-4
        - NIST-800-53-CM-7
        - NIST-800-53-SC-5
        - NIST-800-53-SC-7
        - NIST-800-171-3.1.20
        - CJIS-5.10.1.1
        - DISA-STIG-RHEL-07-040640
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Network Parameters for Hosts Only

If the system is not going to be used as a router, then setting certain kernel parameters ensures that the host will not perform routing of network traffic.

Disable Kernel Parameter for IP Forwarding

To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command:

    $ sudo sysctl -w net.ipv4.ip_forward=0

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    net.ipv4.ip_forward = 0

References: RHEL-07-040740 SV-86933r2_rule 3.1.1 1 11 12 13 14 15 16 2 3 7 8 9 APO13.01 BAI04.04 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS03.05 DSS05.02 DSS05.05 DSS05.07 DSS06.06 3.1.20 CCI-000366 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.2 SR 7.1 SR 7.2 SR 7.6 A.12.1.2 A.12.1.3 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.17.2.1 A.9.1.2 CM-7 SC-5 SC-32 DE.CM-1 PR.DS-4 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000480-GPOS-00227

Rationale: Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network.
Identifiers: CCE-80157-1

Remediation Shell script:

    #
    # Set runtime for net.ipv4.ip_forward
    #
    /sbin/sysctl -q -n -w net.ipv4.ip_forward=0
    #
    # If net.ipv4.ip_forward present in /etc/sysctl.conf, change value to "0"
    # else, add "net.ipv4.ip_forward = 0" to /etc/sysctl.conf
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv4.ip_forward' "0" 'CCE-80157-1'

Remediation Ansible snippet:

    - name: Ensure sysctl net.ipv4.ip_forward is set to 0
      sysctl:
        name: net.ipv4.ip_forward
        value: 0
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv4_ip_forward
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80157-1
        - NIST-800-53-CM-7
        - NIST-800-53-SC-5
        - NIST-800-53-SC-32
        - NIST-800-171-3.1.20
        - DISA-STIG-RHEL-07-040740
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces

To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command:

    $ sudo sysctl -w net.ipv4.conf.all.send_redirects=0

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    net.ipv4.conf.all.send_redirects = 0

References: RHEL-07-040660 SV-86917r3_rule 3.1.2 1 11 12 13 14 15 16 18 2 3 4 6 7 8 9 5.10.1.1 APO01.06 APO13.01 BAI04.04 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS01.05 DSS03.01 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.06 3.1.20 CCI-000366 4.2.3.4 4.3.3.4 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 4.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.2 SR 7.1 SR 7.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.1.3 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.17.2.1 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-4 CM-7 SC-5(1) DE.AE-1 DE.CM-1 ID.AM-3 PR.AC-5 PR.DS-4 PR.DS-5 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000480-GPOS-00227

Rationale: ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. The ability to send ICMP redirects is only appropriate for systems acting as routers.

Identifiers: CCE-80156-3

Remediation Shell script:

    #
    # Set runtime for net.ipv4.conf.all.send_redirects
    #
    /sbin/sysctl -q -n -w net.ipv4.conf.all.send_redirects=0
    #
    # If net.ipv4.conf.all.send_redirects present in /etc/sysctl.conf, change value to "0"
    # else, add "net.ipv4.conf.all.send_redirects = 0" to /etc/sysctl.conf
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.all.send_redirects' "0" 'CCE-80156-3'

Remediation Ansible snippet:

    - name: Ensure sysctl net.ipv4.conf.all.send_redirects is set to 0
      sysctl:
        name: net.ipv4.conf.all.send_redirects
        value: 0
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv4_conf_all_send_redirects
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80156-3
        - NIST-800-53-AC-4
        - NIST-800-53-CM-7
        - NIST-800-53-SC-5(1)
        - NIST-800-171-3.1.20
        - CJIS-5.10.1.1
        - DISA-STIG-RHEL-07-040660
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Kernel Parameter for Sending ICMP Redirects by Default

To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command:

    $ sudo sysctl -w net.ipv4.conf.default.send_redirects=0

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    net.ipv4.conf.default.send_redirects = 0

References: RHEL-07-040650 SV-86915r4_rule 3.1.2 1 11 12 13 14 15 16 18 2 3 4 6 7 8 9 5.10.1.1 APO01.06 APO13.01 BAI04.04 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS01.05 DSS03.01 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.06 3.1.20 CCI-000366 4.2.3.4 4.3.3.4 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 4.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.2 SR 7.1 SR 7.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.1.3 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.17.2.1 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-4 CM-7 SC-5 SC-7 DE.AE-1 DE.CM-1 ID.AM-3 PR.AC-5 PR.DS-4 PR.DS-5 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000480-GPOS-00227

Rationale: ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. The ability to send ICMP redirects is only appropriate for systems acting as routers.
Identifiers: CCE-80999-6

Remediation Shell script:

    #
    # Set runtime for net.ipv4.conf.default.send_redirects
    #
    /sbin/sysctl -q -n -w net.ipv4.conf.default.send_redirects=0
    #
    # If net.ipv4.conf.default.send_redirects present in /etc/sysctl.conf, change value to "0"
    # else, add "net.ipv4.conf.default.send_redirects = 0" to /etc/sysctl.conf
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.default.send_redirects' "0" 'CCE-80999-6'

Remediation Ansible snippet:

    - name: Ensure sysctl net.ipv4.conf.default.send_redirects is set to 0
      sysctl:
        name: net.ipv4.conf.default.send_redirects
        value: 0
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv4_conf_default_send_redirects
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80999-6
        - NIST-800-53-AC-4
        - NIST-800-53-CM-7
        - NIST-800-53-SC-5
        - NIST-800-53-SC-7
        - NIST-800-171-3.1.20
        - CJIS-5.10.1.1
        - DISA-STIG-RHEL-07-040650
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Transport Layer Security Support

Support for Transport Layer Security (TLS), and its predecessor, the Secure Sockets Layer (SSL), is included in Red Hat Enterprise Linux in the OpenSSL software (RPM package openssl). TLS provides encrypted and authenticated network communications, and many network services include support for it. TLS or SSL can be leveraged to avoid any plaintext transmission of sensitive data. For information on how to use OpenSSL, see http://www.openssl.org/docs/. Information on FIPS validation of OpenSSL is available at http://www.openssl.org/docs/fips.html and http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm. For information on how to use and implement OpenSSL on Red Hat Enterprise Linux, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_OpenSSL.html

Disable Unused Interfaces

Network interfaces expand the attack surface of the system. Unused interfaces are not monitored or controlled, and should be disabled.
If the system does not require network communications but still needs to use the loopback interface, remove all files of the form ifcfg-interface except for ifcfg-lo from /etc/sysconfig/network-scripts:

    $ sudo rm /etc/sysconfig/network-scripts/ifcfg-interface

If the system is a standalone machine with no need for network access or even communication over the loopback device, then disable this service. The network service can be disabled with the following command:

    $ sudo systemctl disable network.service

Uncommon Network Protocols

The system includes support for several network protocols which are not commonly used. Although security vulnerabilities in kernel networking code are not frequently discovered, the consequences can be dramatic. Ensuring uncommon network protocols are disabled reduces the system's exposure to attacks targeted at its implementation of those protocols. Although these protocols are not commonly used, avoid disruption in your network environment by ensuring they are not needed prior to disabling them.

Disable DCCP Support

The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony.
To configure the system to prevent the dccp kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

    install dccp /bin/true

References: 3.5.1 11 14 3 9 5.10.1 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 3.4.6 CCI-001958 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 RHEL-07-020101 SV-92517r2_rule

Rationale: Disabling DCCP protects the system against exploitation of any flaws in its implementation.

Identifier: CCE-26828-4

Remediation Shell script:

    # '#' is used as the sed delimiter because the replacement text itself
    # contains '/bin/true'; with '/' as delimiter the expression would not parse.
    if LC_ALL=C grep -q -m 1 "^install dccp" /etc/modprobe.d/dccp.conf ; then
        sed -i 's#^install dccp.*#install dccp /bin/true#g' /etc/modprobe.d/dccp.conf
    else
        echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/dccp.conf
        echo "install dccp /bin/true" >> /etc/modprobe.d/dccp.conf
    fi

Remediation Ansible snippet:

    - name: Ensure kernel module 'dccp' is disabled
      lineinfile:
        create: yes
        dest: "/etc/modprobe.d/dccp.conf"
        regexp: 'dccp'
        line: "install dccp /bin/true"
      tags:
        - kernel_module_dccp_disabled
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-26828-4
        - NIST-800-53-CM-7
        - NIST-800-171-3.4.6
        - CJIS-5.10.1
        - DISA-STIG-RHEL-07-020101
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable RDS Support

The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications between nodes in a cluster.
To configure the system to prevent the rds kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

    install rds /bin/true

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: Disabling RDS protects the system against exploitation of any flaws in its implementation.

Disable TIPC Support

The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the tipc kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

    install tipc /bin/true

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: Disabling TIPC protects the system against exploitation of any flaws in its implementation.

Disable SCTP Support

The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection.
To configure the system to prevent the sctp kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

    install sctp /bin/true

References: 3.5.2 11 14 3 9 5.10.1 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 3.4.6 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: Disabling SCTP protects the system against exploitation of any flaws in its implementation.

Identifier: CCE-27106-4

Remediation Shell script:

    # '#' is used as the sed delimiter because the replacement text itself
    # contains '/bin/true'; with '/' as delimiter the expression would not parse.
    if LC_ALL=C grep -q -m 1 "^install sctp" /etc/modprobe.d/sctp.conf ; then
        sed -i 's#^install sctp.*#install sctp /bin/true#g' /etc/modprobe.d/sctp.conf
    else
        echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/sctp.conf
        echo "install sctp /bin/true" >> /etc/modprobe.d/sctp.conf
    fi

Remediation Ansible snippet:

    - name: Ensure kernel module 'sctp' is disabled
      lineinfile:
        create: yes
        dest: "/etc/modprobe.d/sctp.conf"
        regexp: 'sctp'
        line: "install sctp /bin/true"
      tags:
        - kernel_module_sctp_disabled
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-27106-4
        - NIST-800-53-CM-7
        - NIST-800-171-3.4.6
        - CJIS-5.10.1
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Wireless Networking

Wireless networking, such as 802.11 (WiFi) and Bluetooth, can present a security risk to sensitive or classified systems and networks. Wireless networking hardware is much more likely to be included in laptop or portable systems than in desktops or servers. Removal of hardware provides the greatest assurance that the wireless capability remains disabled.
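The DCCP, RDS, TIPC and SCTP rules above each ship one shell remediation per module, and each one inspects only the single file named after the module. The following script is an added example, not SCAP Security Guide remediation code: it generalizes the pattern to all four modules in one pass, replaces a stale install directive instead of appending a second one, and audits every *.conf in the directory, since modprobe reads all of them. The names MODPROBE_DIR, UNCOMMON_MODULES, disable_module, module_is_disabled and audit_uncommon_protocols are chosen here; MODPROBE_DIR can be pointed at a scratch directory to exercise the script without touching the live /etc/modprobe.d.

```shell
#!/bin/sh
# Added example, not part of the SCAP Security Guide. Enforce and audit
# "install <module> /bin/true" for the uncommon protocol modules.
# MODPROBE_DIR is overridable so the functions can run against a scratch
# directory instead of the live /etc/modprobe.d.
MODPROBE_DIR="${MODPROBE_DIR:-/etc/modprobe.d}"
UNCOMMON_MODULES="dccp rds tipc sctp"

# disable_module MODULE: write the directive to MODPROBE_DIR/MODULE.conf.
# Any existing "install MODULE ..." line in that file is dropped first, so
# a stale directive pointing at another command is corrected rather than
# shadowed, and repeated runs leave exactly one directive.
disable_module() {
    mod="$1"
    conf="$MODPROBE_DIR/$mod.conf"
    tmp="$conf.tmp.$$"
    if [ -f "$conf" ]; then
        grep -v "^install $mod[[:space:]]" "$conf" > "$tmp" || true
    else
        printf '# Disabled per security requirements\n' > "$tmp"
    fi
    printf 'install %s /bin/true\n' "$mod" >> "$tmp"
    mv "$tmp" "$conf"
}

# module_is_disabled MODULE: succeed only if some *.conf carries
# "install MODULE /bin/true" and none carries a conflicting install
# directive for it. modprobe reads every file in the directory, so the
# audit must not stop at MODULE.conf.
module_is_disabled() {
    mod="$1"
    grep -h "^install $mod[[:space:]]" "$MODPROBE_DIR"/*.conf 2>/dev/null |
        awk 'BEGIN { ok = 0; bad = 0 }
             { if ($3 == "/bin/true") ok = 1; else bad = 1 }
             END { exit (ok && !bad) ? 0 : 1 }'
}

# audit_uncommon_protocols: print PASS/FAIL per module; exit 1 on any FAIL.
audit_uncommon_protocols() {
    rc=0
    for mod in $UNCOMMON_MODULES; do
        if module_is_disabled "$mod"; then
            echo "PASS $mod"
        else
            echo "FAIL $mod"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh modprobe_audit.sh audit | remediate
case "${1:-}" in
    audit)     audit_uncommon_protocols ;;
    remediate) for mod in $UNCOMMON_MODULES; do disable_module "$mod"; done
               audit_uncommon_protocols ;;
esac
```

The audit deliberately treats a second, conflicting `install` line in any other file as a failure rather than trusting the module's own file, because a later configuration fragment is exactly where a re-enabled module would hide from a single-file check.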
Acquisition policies often include provisions to prevent the purchase of equipment that will be used in sensitive spaces and that includes wireless capabilities. If it is impractical to remove the wireless hardware, and policy permits the device to enter sensitive spaces as long as wireless is disabled, efforts should instead focus on disabling wireless capability via software.

Disable Wireless Through Software Configuration

If it is impossible to remove the wireless hardware from the device in question, disable as much of it as possible through software. The following methods can disable software support for wireless networking, but note that these methods do not prevent malicious software or careless users from re-activating the devices.

Disable Bluetooth Kernel Modules

The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate /etc/modprobe.d configuration file to prevent the loading of the Bluetooth module:

    install bluetooth /bin/true

References: 11 12 14 15 3 8 9 5.13.1.3 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 3.1.16 CCI-000085 CCI-001551 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) AC-18(a) AC-18(d) AC-18(3) CM-7 MP-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4

Rationale: If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.
Identifier: CCE-27327-6

Remediation Shell script:

    # '#' is used as the sed delimiter because the replacement text itself
    # contains '/bin/true'; with '/' as delimiter the expression would not parse.
    if LC_ALL=C grep -q -m 1 "^install bluetooth" /etc/modprobe.d/bluetooth.conf ; then
        sed -i 's#^install bluetooth.*#install bluetooth /bin/true#g' /etc/modprobe.d/bluetooth.conf
    else
        echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/bluetooth.conf
        echo "install bluetooth /bin/true" >> /etc/modprobe.d/bluetooth.conf
    fi

Remediation Ansible snippet:

    - name: Ensure kernel module 'bluetooth' is disabled
      lineinfile:
        create: yes
        dest: "/etc/modprobe.d/bluetooth.conf"
        regexp: 'bluetooth'
        line: "install bluetooth /bin/true"
      tags:
        - kernel_module_bluetooth_disabled
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-27327-6
        - NIST-800-53-AC-17(8)
        - NIST-800-53-AC-18(a)
        - NIST-800-53-AC-18(d)
        - NIST-800-53-AC-18(3)
        - NIST-800-53-CM-7
        - NIST-800-53-MP-7
        - NIST-800-171-3.1.16
        - CJIS-5.13.1.3
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable WiFi or Bluetooth in BIOS

Some machines that include built-in wireless support offer the ability to disable the device through the BIOS. This is hardware-specific; consult your hardware manual or explore the BIOS setup during boot.
References: 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 CCI-000085 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) AC-18(a) AC-18(d) AC-18(3) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4

Rationale: Disabling wireless support in the BIOS prevents easy activation of the wireless interface, generally requiring administrators to reboot the system first.

Identifier: CCE-27397-9

Disable Bluetooth Service

The bluetooth service can be disabled with the following command:

    $ sudo systemctl disable bluetooth.service
    $ sudo service bluetooth stop

References: 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 3.1.16 CCI-000085 CCI-001551 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) AC-18(a) AC-18(d) AC-18(3) CM-7 MP-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4

Rationale: Disabling the bluetooth service prevents the system from attempting connections to Bluetooth devices, which entails some security risk.
Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range.

Identifier: CCE-27328-4

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'bluetooth.service'
    "$SYSTEMCTL_EXEC" disable 'bluetooth.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^bluetooth.socket\>' && "$SYSTEMCTL_EXEC" disable 'bluetooth.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'bluetooth.service'

Remediation Ansible snippet:

    - name: Disable service bluetooth
      service:
        name: bluetooth
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
        - service_bluetooth_disabled
        - medium_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-27328-4
        - NIST-800-53-AC-17(8)
        - NIST-800-53-AC-18(a)
        - NIST-800-53-AC-18(d)
        - NIST-800-53-AC-18(3)
        - NIST-800-53-CM-7
        - NIST-800-53-MP-7
        - NIST-800-171-3.1.16
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service bluetooth if applicable
      service:
        name: bluetooth.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
        - service_bluetooth_disabled
        - medium_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-27328-4
        - NIST-800-53-AC-17(8)
        - NIST-800-53-AC-18(a)
        - NIST-800-53-AC-18(d)
        - NIST-800-53-AC-18(3)
        - NIST-800-53-CM-7
        - NIST-800-53-MP-7
        - NIST-800-171-3.1.16
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Deactivate Wireless Network Interfaces

Deactivating wireless network interfaces should prevent normal usage of the wireless capability. Configure the system to disable all wireless network interfaces with the following command:

    $ sudo nmcli radio wifi off

References: 4.3.1 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 3.1.16 CCI-000085 CCI-002418 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) AC-18(a) AC-18(d) AC-18(3) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000424-GPOS-00188 RHEL-07-041010 SV-87829r2_rule

Rationale: The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.

Identifier: CCE-27358-1

Disable Zeroconf Networking

Zeroconf networking allows the system to assign itself an IP address and engage in IP communication without a statically-assigned address or even a DHCP server. Automatic address assignment via Zeroconf (or DHCP) is not recommended.
To disable Zeroconf automatic route assignment in the 169.254.0.0 subnet, add or correct the following line in /etc/sysconfig/network:

    NOZEROCONF=yes

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: Zeroconf addresses are in the network 169.254.0.0. The networking scripts add entries to the system's routing table for these addresses. Zeroconf address assignment commonly occurs when the system is configured to use DHCP but fails to receive an address assignment from the DHCP server.

Identifier: CCE-80173-8

Remediation Shell script:

    # Appends rather than replaces: the file is sourced by the network
    # scripts, so a later NOZEROCONF=yes overrides any earlier NOZEROCONF=no.
    echo "NOZEROCONF=yes" >> /etc/sysconfig/network

Ensure System is Not Acting as a Network Sniffer

The system should not be acting as a network sniffer, which can capture all traffic on the network to which it is connected.
Run the following to determine if any interface is running in promiscuous mode:

    $ ip link | grep PROMISC

References: RHEL-07-040670 SV-86919r2_rule 1 11 14 3 9 APO11.06 APO12.06 BAI03.10 BAI09.01 BAI09.02 BAI09.03 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.05 DSS04.05 DSS05.02 DSS05.05 DSS06.06 CCI-000366 4.2.3.4 4.3.3.3.7 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 4.4.3.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 SR 7.8 A.11.1.2 A.11.2.4 A.11.2.5 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.16.1.6 A.8.1.1 A.8.1.2 A.9.1.2 CM-7 CM-7(2).1(i) MA-3 DE.DP-5 ID.AM-1 PR.IP-1 PR.MA-1 PR.PT-3 SRG-OS-000480-GPOS-00227

Rationale: Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems. If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information Systems Security Manager (ISSM) and restricted to only authorized personnel.

Identifier: CCE-80174-6

Configure Multiple DNS Servers in /etc/resolv.conf

Multiple Domain Name System (DNS) Servers should be configured in /etc/resolv.conf. This provides redundant name resolution services in the event that a domain server crashes. To configure the system to contain at least 2 DNS servers, add a corresponding nameserver ip_address entry in /etc/resolv.conf for each DNS server, where ip_address is the IP address of a valid DNS server.
For example:

    search example.com
    nameserver 192.168.0.1
    nameserver 192.168.0.2

References: RHEL-07-040600 SV-86905r2_rule 12 15 8 APO13.01 DSS05.02 CCI-000366 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.13.1.1 A.13.2.1 A.14.1.3 SC-22 PR.PT-4 SRG-OS-000480-GPOS-00227

Rationale: To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.

Identifier: CCE-80438-5

Disable Client Dynamic DNS Updates

Dynamic DNS allows clients to dynamically update their own DNS records. The updates are transmitted by unencrypted means which can reveal information to a potential malicious user. If the system does not require Dynamic DNS, remove all DHCP_HOSTNAME references from the /etc/sysconfig/network-scripts/ifcfg-interface scripts. If dhclient is used, remove all send host-name hostname references from the /etc/dhclient.conf configuration file and/or any reference from the /etc/dhcp directory.

References: 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 CCI-000366 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-6(b) PR.IP-1 SRG-OS-000480-GPOS-00227

Rationale: Dynamic DNS updates transmit unencrypted information about a system including its name and address and should not be used unless needed.

Identifier: CCE-80357-7

Set Boot Loader Password

During the boot process, the boot loader is responsible for starting the execution of the kernel and passing options to it. The boot loader allows for the selection of different kernels, possibly on different partitions or media. The default Red Hat Enterprise Linux 7 boot loader for x86 systems is called GRUB2. Options it can pass to the kernel include single-user mode, which provides root access without any authentication, and the ability to disable SELinux.
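The sniffer rule above gives a one-line grep for PROMISC, and the DNS rule above asks for at least two nameserver entries. The following is an added example (not SCAP Security Guide code) that turns both into checks a practitioner can run offline or in a monitoring job: promisc_interfaces parses `ip link` output and reports only the interface names whose flag set contains PROMISC, and nameserver_count counts distinct active nameserver lines so that a repeated address is not mistaken for redundancy. The `ip link` text in sample_ip_link is constructed for the example, and all function names are chosen here.

```shell
#!/bin/sh
# Added example, not part of the SCAP Security Guide: offline checks for
# the "network sniffer" and "multiple DNS servers" rules, exercised here
# against constructed sample input.

# Constructed sample of `ip link` output: eth0 has been put into
# promiscuous mode, the loopback and VLAN interfaces have not.
sample_ip_link() {
    cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:aa:bb:cc brd ff:ff:ff:ff:ff:ff
3: eth0.10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:aa:bb:cc brd ff:ff:ff:ff:ff:ff
EOF
}

# promisc_interfaces: read `ip link` output on stdin and print the name of
# every interface whose flag set contains PROMISC. Only the header lines
# ("N: name: <FLAGS> ...") are inspected, and VLAN suffixes ("@parent")
# are stripped, so the output is a clean list of device names.
promisc_interfaces() {
    awk '/^[0-9]+: / {
             name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
             if ($3 ~ /[<,]PROMISC[,>]/) print name
         }'
}

# nameserver_count FILE: number of distinct active nameserver entries in a
# resolv.conf-style file. Duplicates of one address are collapsed and
# commented lines are ignored.
nameserver_count() {
    awk '$1 == "nameserver" && NF >= 2 { print $2 }' "$1" | sort -u | wc -l | tr -d ' '
}

# resolv_conf_ok FILE: succeed when at least two distinct servers are listed.
resolv_conf_ok() {
    [ "$(nameserver_count "$1")" -ge 2 ]
}

# Usage on a live host:
#   ip link | promisc_interfaces        # expect no output
#   resolv_conf_ok /etc/resolv.conf     # expect exit status 0
```

One caveat worth knowing when reading the count: the glibc resolver only consults the first three nameserver lines it finds, so redundancy has to be provided within those entries rather than further down the file.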
To prevent local users from modifying the boot parameters and endangering security, protect the boot loader configuration with a password and ensure its configuration file's permissions are set properly.

Set Boot Loader Password in grub2

The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. To do so, select a superuser account name and password and modify the /etc/grub.d/01_users configuration file with the new account name. Since plaintext passwords are a security risk, generate a hash for the password by running the following command:

    $ grub2-setpassword

When prompted, enter the password that was selected.

NOTE: It is recommended not to use common administrator account names like root, admin, or administrator for the grub2 superuser account. Change the superuser to a different username (the default is 'root'):

    $ sed -i s/root/bootuser/g /etc/grub.d/01_users

To meet FISMA Moderate, the bootloader superuser account and password MUST differ from the root account and password.

Once the superuser account and password have been added, update the grub.cfg file by running:

    grub2-mkconfig -o /boot/grub2/grub.cfg

NOTE: Do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file.

To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above.
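Because the page offers no automated remediation for the grub2 password (here and again in the UEFI variant of the rule further down), a defender still wants a way to verify the outcome. The following is an added example, not SCAP Security Guide code, of such a check. It assumes the layout produced by RHEL 7's /etc/grub.d/01_users after grub2-mkconfig: a `set superusers="NAME"` line in grub.cfg, and a `password_pbkdf2 NAME ...` line whose third field is either a literal grub.pbkdf2 hash or the `${GRUB2_PASSWORD}` reference, in which case the hash set by grub2-setpassword lives in user.cfg next to grub.cfg as `GRUB2_PASSWORD=grub.pbkdf2...`. grub_password_check is a name chosen here; the sample hash strings used below are constructed placeholders, not real hashes.

```shell
#!/bin/sh
# Added example, not part of the SCAP Security Guide.
# grub_password_check GRUB_CFG [USER_CFG]: verify that a superuser is
# declared, that it carries a PBKDF2 password, and that the name is not
# one of the common administrator names the guidance advises against.
# Prints one finding per problem; exit status 0 only when all is well.
grub_password_check() {
    cfg="$1"; usercfg="${2:-}"
    rc=0
    # Superuser name from the last: set superusers="name"
    su=$(sed -n 's/^[[:space:]]*set superusers="\([^"]*\)".*/\1/p' "$cfg" | tail -n 1)
    if [ -z "$su" ]; then
        echo "FAIL no superusers declared in $cfg"
        return 1
    fi
    case "$su" in
        root|admin|administrator)
            echo "WARN superuser '$su' is a common administrator name"
            rc=1 ;;
    esac
    # Password for that superuser: password_pbkdf2 name <hash or reference>
    pw=$(awk -v u="$su" '$1 == "password_pbkdf2" && $2 == u { print $3 }' "$cfg" | tail -n 1)
    case "$pw" in
        grub.pbkdf2.*)
            ;;   # hash embedded directly in grub.cfg
        '${GRUB2_PASSWORD}')
            # hash is expected in user.cfg (written by grub2-setpassword)
            if [ -n "$usercfg" ] && grep -q '^GRUB2_PASSWORD=grub\.pbkdf2\.' "$usercfg" 2>/dev/null; then
                :
            else
                echo "FAIL superuser '$su' references GRUB2_PASSWORD but no hash found in ${usercfg:-user.cfg}"
                rc=1
            fi ;;
        *)
            echo "FAIL no PBKDF2 password set for superuser '$su'"
            rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "PASS superuser '$su' is password protected"
    return "$rc"
}

# Usage on a live host (pick the path matching the firmware type):
#   grub_password_check /boot/grub2/grub.cfg /boot/grub2/user.cfg
#   grub_password_check /boot/efi/EFI/redhat/grub.cfg /boot/efi/EFI/redhat/user.cfg
```

The check reads the generated grub.cfg rather than /etc/grub.d/01_users on purpose: the generated file is what the boot loader actually enforces, so an edit to 01_users that was never followed by grub2-mkconfig shows up as a finding.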
References: RHEL-07-010480 SV-86585r5_rule 1.4.2 1 11 12 14 15 16 18 3 5 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.06 DSS06.10 3.4.5 CCI-000213 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 A.18.1.4 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 IA-2 IA-2(1) IA-5(e) AC-3 PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7 PR.PT-3 FIA_AFL.1 SRG-OS-000080-GPOS-00048

Rationale: Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. For more information on how to configure the grub2 superuser account and password, please refer to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html.

Identifier: CCE-27309-4

Verify /boot/grub2/grub.cfg Permissions

File permissions for /boot/grub2/grub.cfg should be set to 600.
To properly set the permissions of /boot/grub2/grub.cfg, run the command:

    $ sudo chmod 600 /boot/grub2/grub.cfg

References: 1.4.1 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.4.5 CCI-000225 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6(7) PR.AC-4 PR.DS-5

Rationale: Proper permissions ensure that only the root user can modify important boot parameters.

Identifier: CCE-27054-6

Remediation Shell script:

    chmod 0600 /boot/grub2/grub.cfg

Remediation Ansible snippet:

    - name: Test for existence /boot/grub2/grub.cfg
      stat:
        path: /boot/grub2/grub.cfg
      register: file_exists
      tags:
        - file_permissions_grub2_cfg
        - medium_severity
        - configure_strategy
        - low_complexity
        - low_disruption
        - CCE-27054-6
        - NIST-800-53-AC-6(7)
        - NIST-800-171-3.4.5
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Ensure permission 0600 on /boot/grub2/grub.cfg
      file:
        path: /boot/grub2/grub.cfg
        mode: 0600
      when: file_exists.stat.exists and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - file_permissions_grub2_cfg
        - medium_severity
        - configure_strategy
        - low_complexity
        - low_disruption
        - CCE-27054-6
        - NIST-800-53-AC-6(7)
        - NIST-800-171-3.4.5

Verify /boot/grub2/grub.cfg User Ownership

The file /boot/grub2/grub.cfg should be owned by the root user to prevent destruction or modification of the file.
To properly set the owner of /boot/grub2/grub.cfg, run the command:

    $ sudo chown root /boot/grub2/grub.cfg

References: 1.4.1 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.4.5 CCI-000225 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6(7) PR.AC-4 PR.DS-5 Req-7.1

Rationale: Only root should be able to modify important boot parameters.

Identifier: CCE-26860-7

Remediation Shell script:

    chown 0 /boot/grub2/grub.cfg

Remediation Ansible snippet:

    - name: Test for existence /boot/grub2/grub.cfg
      stat:
        path: /boot/grub2/grub.cfg
      register: file_exists
      tags:
        - file_owner_grub2_cfg
        - medium_severity
        - configure_strategy
        - low_complexity
        - low_disruption
        - CCE-26860-7
        - NIST-800-53-AC-6(7)
        - NIST-800-171-3.4.5
        - PCI-DSS-Req-7.1
        - CJIS-5.5.2.2
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Ensure owner 0 on /boot/grub2/grub.cfg
      file:
        path: /boot/grub2/grub.cfg
        owner: 0
      when: file_exists.stat.exists and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - file_owner_grub2_cfg
        - medium_severity
        - configure_strategy
        - low_complexity
        - low_disruption
        - CCE-26860-7
        - NIST-800-53-AC-6(7)
        - NIST-800-171-3.4.5
        - PCI-DSS-Req-7.1
        - CJIS-5.5.2.2

Set the UEFI Boot Loader Password

The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. To do so, select a superuser account name and password and modify the /etc/grub.d/01_users configuration file with the new account name.
Since plaintext passwords are a security risk, generate a hash for the password by running the following command:

    $ grub2-setpassword

When prompted, enter the password that was selected.

NOTE: It is recommended not to use common administrator account names like root, admin, or administrator for the grub2 superuser account. Change the superuser to a different username (the default is 'root'):

    $ sed -i s/root/bootuser/g /etc/grub.d/01_users

To meet FISMA Moderate, the bootloader superuser account and password MUST differ from the root account and password.

Once the superuser account and password have been added, update the grub.cfg file by running:

    grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

NOTE: Do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file.

To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above.

References: RHEL-07-010490 SV-86587r4_rule 1.4.2 11 12 14 15 16 18 3 5 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.03 DSS06.06 3.4.5 CCI-000213 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-3 PR.AC-4 PR.AC-6 PR.PT-3 FIA_AFL.1 SRG-OS-000080-GPOS-00048

Rationale: Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings.
These include which kernel to use, and whether to enter single-user mode. For more information on how to configure the grub2 superuser account and password, please refer to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html.

Identifier: CCE-80354-4

Boot Loader Is Not Installed On Removable Media

The system must not allow removable media to be used as the boot loader. Remove alternate methods of booting the system from removable media. usb0, cd, fd0, etc. are some examples of removable media which should not exist in the line:

    set root='hd0,msdos1'

References: CCI-001814 SRG-OS-000364-GPOS-00151 RHEL-07-021700 SV-86699r2_rule

Rationale: Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader.

Identifier: CCE-80517-6

Verify /boot/efi/EFI/redhat/grub.cfg Group Ownership

The file /boot/efi/EFI/redhat/grub.cfg should be group-owned by the root group to prevent destruction or modification of the file. To properly set the group owner of /boot/efi/EFI/redhat/grub.cfg, run the command:

    $ sudo chgrp root /boot/efi/EFI/redhat/grub.cfg

References: 1.4.1 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.4.5 CCI-000225 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6(7) PR.AC-4 PR.DS-5 Req-7.1

Rationale: The root group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.
Remediation Shell script:

    chgrp 0 /boot/efi/EFI/redhat/grub.cfg

Remediation Ansible snippet:

    - name: Test for existence /boot/efi/EFI/redhat/grub.cfg
      stat:
        path: /boot/efi/EFI/redhat/grub.cfg
      register: file_exists
      tags:
        - file_groupowner_efi_grub2_cfg
        - medium_severity
        - configure_strategy
        - low_complexity
        - low_disruption
        - NIST-800-53-AC-6(7)
        - NIST-800-171-3.4.5
        - PCI-DSS-Req-7.1
        - CJIS-5.5.2.2
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Ensure group owner 0 on /boot/efi/EFI/redhat/grub.cfg
      file:
        path: /boot/efi/EFI/redhat/grub.cfg
        group: 0
      when: file_exists.stat.exists and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - file_groupowner_efi_grub2_cfg
        - medium_severity
        - configure_strategy
        - low_complexity
        - low_disruption
        - NIST-800-53-AC-6(7)
        - NIST-800-171-3.4.5
        - PCI-DSS-Req-7.1
        - CJIS-5.5.2.2

IOMMU configuration directive

On x86 architectures supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some of the system's critical units, such as memory.

References: NT28(R11)

Rationale: On x86 architectures, activating the IOMMU prevents arbitrary accesses potentially made by hardware devices.

Verify /boot/grub2/grub.cfg Group Ownership

The file /boot/grub2/grub.cfg should be group-owned by the root group to prevent destruction or modification of the file.
To properly set the group owner of /boot/grub2/grub.cfg, run the command: $ sudo chgrp root /boot/grub2/grub.cfg 1.4.1 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.4.5 CCI-000225 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6(7) PR.AC-4 PR.DS-5 Req-7.1 The root group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway. CCE-26812-8 chgrp 0 /boot/grub2/grub.cfg - name: Test for existence /boot/grub2/grub.cfg stat: path: /boot/grub2/grub.cfg register: file_exists tags: - file_groupowner_grub2_cfg - medium_severity - configure_strategy - low_complexity - low_disruption - CCE-26812-8 - NIST-800-53-AC-6(7) - NIST-800-171-3.4.5 - PCI-DSS-Req-7.1 - CJIS-5.5.2.2 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Ensure group owner 0 on /boot/grub2/grub.cfg file: path: /boot/grub2/grub.cfg group: 0 when: file_exists.stat.exists and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - file_groupowner_grub2_cfg - medium_severity - configure_strategy - low_complexity - low_disruption - CCE-26812-8 - NIST-800-53-AC-6(7) - NIST-800-171-3.4.5 - PCI-DSS-Req-7.1 - CJIS-5.5.2.2 UEFI Boat Loader Is Not Installed On Removeable Media The system must not allow removable media to be used as the boot loader. Remove alternate methods of booting the system from removable media. usb0, cd, fd0, etc. 
are some examples of removeable media which should not exist in the line: set root='hd0,msdos1' CCI-001814 SRG-OS-000364-GPOS-00151 Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. CCE-80518-4 Verify /boot/efi/EFI/redhat/grub.cfg User Ownership The file /boot/efi/EFI/redhat/grub.cfg should be owned by the root user to prevent destruction or modification of the file. To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command: $ sudo chown root /boot/efi/EFI/redhat/grub.cfg 1.4.1 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.4.5 CCI-000225 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6(7) PR.AC-4 PR.DS-5 Req-7.1 Only root should be able to modify important boot parameters. chown 0 /boot/efi/EFI/redhat/grub.cfg - name: Test for existence /boot/efi/EFI/redhat/grub.cfg stat: path: /boot/efi/EFI/redhat/grub.cfg register: file_exists tags: - file_owner_efi_grub2_cfg - medium_severity - configure_strategy - low_complexity - low_disruption - NIST-800-53-AC-6(7) - NIST-800-171-3.4.5 - PCI-DSS-Req-7.1 - CJIS-5.5.2.2 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Ensure owner 0 on /boot/efi/EFI/redhat/grub.cfg file: path: /boot/efi/EFI/redhat/grub.cfg owner: 0 when: file_exists.stat.exists and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - file_owner_efi_grub2_cfg - medium_severity - configure_strategy - low_complexity - low_disruption - NIST-800-53-AC-6(7) - NIST-800-171-3.4.5 - PCI-DSS-Req-7.1 - CJIS-5.5.2.2 Verify /boot/efi/EFI/redhat/grub.cfg Permissions File permissions for /boot/efi/EFI/redhat/grub.cfg should be set to 700. 
To properly set the permissions of /boot/efi/EFI/redhat/grub.cfg, run the command: $ sudo chmod 700 /boot/efi/EFI/redhat/grub.cfg 1.4.1 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.4.5 CCI-000225 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6(7) PR.AC-4 PR.DS-5 Proper permissions ensure that only the root user can modify important boot parameters. chmod 700 /boot/efi/EFI/redhat/grub.cfg - name: Test for existence /boot/efi/EFI/redhat/grub.cfg stat: path: /boot/efi/EFI/redhat/grub.cfg register: file_exists tags: - file_permissions_efi_grub2_cfg - medium_severity - configure_strategy - low_complexity - low_disruption - NIST-800-53-AC-6(7) - NIST-800-171-3.4.5 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Ensure permission 0700 on /boot/efi/EFI/redhat/grub.cfg file: path: /boot/efi/EFI/redhat/grub.cfg mode: 0700 when: file_exists.stat.exists and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - file_permissions_efi_grub2_cfg - medium_severity - configure_strategy - low_complexity - low_disruption - NIST-800-53-AC-6(7) - NIST-800-171-3.4.5 SELinux SELinux is a feature of the Linux kernel which can be used to guard against misconfigured or compromised programs. SELinux enforces the idea that programs should be limited in what files they can access and what actions they can take. The default SELinux policy, as configured on Red Hat Enterprise Linux 7, has been sufficiently developed and debugged that it should be usable on almost any system with minimal configuration and a small amount of system administrator training. 
This policy prevents system services - including most of the common network-visible services such as mail servers, FTP servers, and DNS servers - from accessing files which those services have no valid reason to access. This action alone prevents a huge amount of possible damage from network attacks against services, from trojaned software, and so forth. This guide recommends that SELinux be enabled using the default (targeted) policy on every Red Hat Enterprise Linux 7 system, unless that system has unusual requirements which make a stronger policy appropriate. For more information on SELinux, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide.

SELinux state

Description: enforcing - SELinux security policy is enforced. permissive - SELinux prints warnings instead of enforcing. disabled - SELinux is fully disabled.

Default value: enforcing
Selectable values: disabled, enforcing, permissive

SELinux policy

Description: Type of policy in use. Possible values are: targeted - Only targeted network daemons are protected. strict - Full SELinux protection. mls - Multiple levels of security.

Default value: targeted
Selectable values: mls, targeted

SELinux - Booleans

Enable or Disable runtime customization of SELinux system policies without having to reload or recompile the SELinux policy.

Each entry below is a benchmark value titled "<name> SELinux Boolean" with the description "default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled." Every entry offers the same three selectors: default (the value listed in the table), on (true) and off (false).

Boolean                                     | Default
--------------------------------------------|--------
virt_rw_qemu_ga_data                        | false
mysql_connect_any                           | false
pcp_bind_all_unreserved_ports               | false
cluster_can_network_connect                 | false
git_cgi_enable_homedirs                     | false
cobbler_can_network_connect                 | false
ftpd_use_fusefs                             | false
antivirus_use_jit                           | false
mcelog_exec_scripts                         | true
httpd_can_connect_ldap                      | false
selinuxuser_udp_server                      | false
tftp_anon_write                             | false
httpd_setrlimit                             | false
sge_use_nfs                                 | false
polipo_session_users                        | false
xguest_connect_network                      | true
ssh_chroot_rw_homedirs                      | false
glance_use_fusefs                           | false
gluster_export_all_ro                       | false
git_cgi_use_cifs                            | false
dbadm_exec_content                          | true
named_tcp_bind_http_port                    | false
ftpd_connect_all_unreserved                 | false
virt_use_nfs                                | false
nagios_run_pnp4nagios                       | false
postgresql_selinux_unconfined_dbadm         | true
samba_enable_home_dirs                      | false
fips_mode                                   | true
zabbix_can_network                          | false
unconfined_login                            | true
abrt_upload_watch_anon_write                | true
virt_transition_userdomain                  | false
httpd_use_cifs                              | false
ftpd_connect_db                             | false
gluster_export_all_rw                       | true
virt_sandbox_use_netlink                    | false
cron_can_relabel                            | false
httpd_use_gpg                               | false
gluster_anon_write                          | false
selinuxuser_execstack                       | false
sanlock_use_fusefs                          | false
logadm_exec_content                         | true
xguest_mount_media                          | true
virt_use_usb                                | true
gssd_read_tmp                               | true
fcron_crond                                 | false
openvpn_enable_homedirs                     | true
pppd_for_user                               | false
selinuxuser_ping                            | true
zoneminder_run_sudo                         | false
dbadm_manage_user_files                     | false
virt_sandbox_use_audit                      | true
logging_syslogd_can_sendmail                | false
unconfined_chrome_sandbox_transition        | true
httpd_tmp_exec                              | false
polipo_use_cifs                             | false
use_lpd_server                              | false
nfsd_anon_write                             | false
tmpreaper_use_nfs                           | false
telepathy_tcp_connect_generic_network_ports | true
mozilla_plugin_can_network_connect          | false
xdm_bind_vnc_tcp_port                       | false
icecast_use_any_tcp_ports                   | false
selinuxuser_share_music                     | false
postfix_local_write_mail_spool              | true
virt_sandbox_use_all_caps                   | true
cobbler_use_cifs                            | false
antivirus_can_scan_system                   | false
mock_enable_homedirs                        | false
logging_syslogd_run_nagios_plugins          | false
cron_system_cronjob_use_shares              | false
httpd_can_network_connect                   | false
httpd_can_connect_mythtv                    | false
samba_export_all_ro                         | false
xen_use_nfs                                 | false
httpd_can_network_connect_db                | false
rsync_export_all_ro                         | false
httpd_can_check_spam                        | false
cvs_read_shadow                             | false
cups_execmem                                | false
secure_mode_policyload                      | false
httpd_ssi_exec                              | false
pppd_can_insmod                             | false
samba_domain_controller                     | false
dhcpc_exec_iptables                         | false
openvpn_run_unconfined                      | false
cobbler_use_nfs                             | false
httpd_can_sendmail                          | false
domain_fd_use                               | true
virt_sandbox_use_mknod                      | false
httpd_run_preupgrade                        | false
exim_can_connect_db                         | false
httpd_use_sasl                              | false
secure_mode                                 | false
puppetagent_manage_all_files                | false
rsync_full_access                           | false
httpd_verify_dns                            | false
httpd_enable_homedirs                       | false
nagios_run_sudo                             | false
glance_use_execmem                          | false
httpd_unified                               | false
nis_enabled                                 | false
httpd_graceful_shutdown                     | true
staff_exec_content                          | true
mailman_use_fusefs                          | false
git_system_use_cifs                         | false
httpd_can_connect_ftp                       | false
httpd_dbus_avahi                            | false
named_write_master_zones                    | false
exim_read_user_files                        | false
nfs_export_all_ro                           | true
squid_use_tproxy                            | false
xend_run_blktap                             | true
daemons_use_tcp_wrapper                     | false
httpd_enable_cgi                            | true
httpd_run_ipa                               | false
daemons_dump_core                           | false
glance_api_can_network                      | false
deny_ptrace                                 | false
logwatch_can_network_connect_mail           | false
authlogin_nsswitch_use_ldap                 | false
fenced_can_ssh                              | false
cdrecord_read_content                       | false
nfs_export_all_rw                           | true
entropyd_use_audio                          | true
use_fusefs_home_dirs                        | false
user_exec_content                           | true
polipo_connect_all_unreserved               | false
telepathy_connect_all_ports                 | false
httpd_can_network_connect_cobbler           | false
mozilla_plugin_use_spice                    | false
selinuxuser_execheap                        | false
mpd_use_nfs                                 | false
httpd_mod_auth_ntlm_winbind                 | false
virt_use_comm                               | false
varnishd_connect_any                        | false
selinuxuser_execmod                         | true
httpd_anon_write                            | false
webadm_manage_user_files                    | false
virt_read_qemu_ga_data                      | false
openvpn_can_network_connect                 | true
sanlock_use_samba                           | false
exim_manage_user_files                      | false
xdm_write_home                              | false
selinuxuser_mysql_connect_enabled           | false
mount_anyfile                               | true
git_system_enable_homedirs                  | false
abrt_anon_write                             | false
ftpd_use_nfs                                | false
virt_sandbox_use_sys_admin                  | false
prosody_bind_http_port                      | false
ssh_keysign                                 | false
httpd_serve_cobbler_files                   | false
samba_export_all_rw                         | false
postgresql_can_rsync                        | false
wine_mmap_zero_ignore                       | false
kdumpgui_run_bootloader                     | false
staff_use_svirt                             | false
use_nfs_home_dirs                           | false
httpd_can_connect_zabbix                    | false
conman_can_network                          | false
samba_share_fusefs                          | false
irssi_use_full_network                      | false
ftpd_anon_write                             | false
httpd_builtin_scripting                     | true
authlogin_yubikey                           | false
virt_use_xserver                            | false
unprivuser_use_svirt                        | false
xserver_object_manager                      | false
cobbler_anon_write                          | false
tftp_home_dir                               | false
auditadm_exec_content                       | true
zebra_write_config                          | false
tor_can_network_relay                       | false
dbadm_read_user_files                       | false
rsync_anon_write                            | false
tor_bind_all_unreserved_ports               | false
haproxy_connect_any                         | false
lsmd_plugin_connect_any                     | false
squid_connect_any                           | true
xend_run_qemu                               | true
webadm_read_user_files                      | false
spamassassin_can_network                    | false
kerberos_enabled                            | (truncated)
true true false virt_use_execmem SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false sge_domain_can_network_connect SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false pcp_read_generic_logs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false use_ecryptfs_home_dirs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false httpd_mod_auth_pam SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false selinuxuser_tcp_server SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false sanlock_use_nfs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false mplayer_execstack SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false selinuxuser_rw_noexattrfile SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false racoon_read_shadow SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false httpd_use_openstack SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false xserver_execmem SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. 
false true false logrotate_use_nfs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false dhcpd_use_ldap SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false httpd_use_nfs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false piranha_lvs_can_network_connect SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false puppetmaster_use_db SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false saslauthd_read_shadow SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false zarafa_setrlimit SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false ksmtuned_use_nfs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false ksmtuned_use_cifs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false xserver_clients_write_xshm SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false polipo_session_bind_all_unreserved_ports SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false samba_run_unconfined SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. 
false true false httpd_use_fusefs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false authlogin_radius SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false xguest_use_bluetooth SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false rsync_client SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false collectd_tcp_network_connect SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false xdm_sysadm_login SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false daemons_use_tty SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false xguest_exec_content SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false gpg_web_anon_write SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false daemons_enable_cluster_mode SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false deny_execmem SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false virt_use_sanlock SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. 
false true false use_samba_home_dirs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false mozilla_plugin_use_gps SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false login_console_enabled SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false condor_tcp_network_connect SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false gitosis_can_sendmail SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false logging_syslogd_use_tty SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false httpd_execmem SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false polyinstantiation_enabled SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false mozilla_plugin_bind_unreserved_ports SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false postgresql_selinux_transmit_client_label SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false samba_share_nfs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false xdm_exec_bootloader SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. 
off - SELinux boolean is disabled. false true false ftpd_use_cifs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false httpd_enable_ftp_server SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false httpd_dbus_sssd SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false git_session_users SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false httpd_can_network_memcache SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false mpd_use_cifs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false awstats_purge_apache_log_files SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false samba_create_home_dirs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false git_cgi_use_nfs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false git_system_use_nfs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false mcelog_server SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false boinc_execmem SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. 
true true false ssh_sysadm_login SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false httpd_sys_script_anon_write SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false smartmon_3ware SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false virt_use_samba SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false postgresql_selinux_users_ddl SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false irc_use_any_tcp_ports SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false zoneminder_anon_write SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false tmpreaper_use_samba SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false openshift_use_nfs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false swift_can_network SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false minidlna_read_generic_user_content SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false global_ssp SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. 
false true false httpd_dontaudit_search_dirs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false git_session_bind_all_unreserved_ports SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false domain_kernel_load_modules SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false virt_use_rawip SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false polipo_use_nfs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false httpd_read_user_content SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false nscd_use_shm SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false cluster_use_execmem SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false mcelog_client SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false samba_load_libgfapi SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false mozilla_plugin_use_bluejeans SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false ftpd_use_passive_mode SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. 
false true false httpd_manage_ipa SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false secure_mode_insmod SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false httpd_run_stickshift SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false selinuxuser_use_ssh_chroot SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false container_connect_any SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false virt_use_fusefs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false secadm_exec_content SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false httpd_tty_comm SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false abrt_handle_event SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false samba_portmapper SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false neutron_can_network SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false cluster_manage_all_files SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. 
false true false smbd_anon_write SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false httpd_can_network_relay SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false cron_userdomain_transition SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false selinuxuser_postgresql_connect_enabled SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false mmap_low_allowed SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false guest_exec_content SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false mozilla_read_content SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false sysadm_exec_content SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false ftpd_full_access SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false privoxy_connect_any SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false selinuxuser_direct_dri_enabled SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false mcelog_foreground SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. 
false true false mpd_enable_homedirs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false spamd_enable_home_dirs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false unconfined_mozilla_plugin_transition SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false fenced_can_network_connect SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false Disable the openvpn_can_network_connect SELinux Boolean By default, the SELinux boolean openvpn_can_network_connect is enabled. This setting should be disabled. To disable the openvpn_can_network_connect SELinux boolean, run the following command: $ sudo setsebool -P openvpn_can_network_connect off var_openvpn_can_network_connect="" setsebool -P openvpn_can_network_connect $var_openvpn_can_network_connect - name: XCCDF Value var_openvpn_can_network_connect # promote to variable set_fact: var_openvpn_can_network_connect: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_openvpn_can_network_connect - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean openvpn_can_network_connect accordingly seboolean: name: openvpn_can_network_connect state: "{{ var_openvpn_can_network_connect }}" persistent: yes tags: - sebool_openvpn_can_network_connect - medium_severity - enable_strategy - low_complexity - low_disruption when: # 
Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the httpd_use_gpg SELinux Boolean By default, the SELinux boolean httpd_use_gpg is disabled. If this setting is enabled, it should be disabled. To disable the httpd_use_gpg SELinux boolean, run the following command: $ sudo setsebool -P httpd_use_gpg off var_httpd_use_gpg="" setsebool -P httpd_use_gpg $var_httpd_use_gpg - name: XCCDF Value var_httpd_use_gpg # promote to variable set_fact: var_httpd_use_gpg: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_httpd_use_gpg - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean httpd_use_gpg accordingly seboolean: name: httpd_use_gpg state: "{{ var_httpd_use_gpg }}" persistent: yes tags: - sebool_httpd_use_gpg - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the ssh_sysadm_login SELinux Boolean By default, the SELinux boolean ssh_sysadm_login is disabled. If this setting is enabled, it should be disabled. 
To disable the ssh_sysadm_login SELinux boolean, run the following command: $ sudo setsebool -P ssh_sysadm_login off var_ssh_sysadm_login="" setsebool -P ssh_sysadm_login $var_ssh_sysadm_login - name: XCCDF Value var_ssh_sysadm_login # promote to variable set_fact: var_ssh_sysadm_login: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_ssh_sysadm_login - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean ssh_sysadm_login accordingly seboolean: name: ssh_sysadm_login state: "{{ var_ssh_sysadm_login }}" persistent: yes tags: - sebool_ssh_sysadm_login - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the httpd_run_stickshift SELinux Boolean By default, the SELinux boolean httpd_run_stickshift is disabled. If this setting is enabled, it should be disabled. 
To disable the httpd_run_stickshift SELinux boolean, run the following command: $ sudo setsebool -P httpd_run_stickshift off var_httpd_run_stickshift="" setsebool -P httpd_run_stickshift $var_httpd_run_stickshift - name: XCCDF Value var_httpd_run_stickshift # promote to variable set_fact: var_httpd_run_stickshift: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_httpd_run_stickshift - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean httpd_run_stickshift accordingly seboolean: name: httpd_run_stickshift state: "{{ var_httpd_run_stickshift }}" persistent: yes tags: - sebool_httpd_run_stickshift - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the polipo_connect_all_unreserved SELinux Boolean By default, the SELinux boolean polipo_connect_all_unreserved is disabled. If this setting is enabled, it should be disabled. 
To disable the polipo_connect_all_unreserved SELinux boolean, run the following command: $ sudo setsebool -P polipo_connect_all_unreserved off var_polipo_connect_all_unreserved="" setsebool -P polipo_connect_all_unreserved $var_polipo_connect_all_unreserved - name: XCCDF Value var_polipo_connect_all_unreserved # promote to variable set_fact: var_polipo_connect_all_unreserved: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_polipo_connect_all_unreserved - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean polipo_connect_all_unreserved accordingly seboolean: name: polipo_connect_all_unreserved state: "{{ var_polipo_connect_all_unreserved }}" persistent: yes tags: - sebool_polipo_connect_all_unreserved - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the httpd_sys_script_anon_write SELinux Boolean By default, the SELinux boolean httpd_sys_script_anon_write is disabled. If this setting is enabled, it should be disabled. 
To disable the httpd_sys_script_anon_write SELinux boolean, run the following command: $ sudo setsebool -P httpd_sys_script_anon_write off var_httpd_sys_script_anon_write="" setsebool -P httpd_sys_script_anon_write $var_httpd_sys_script_anon_write - name: XCCDF Value var_httpd_sys_script_anon_write # promote to variable set_fact: var_httpd_sys_script_anon_write: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_httpd_sys_script_anon_write - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean httpd_sys_script_anon_write accordingly seboolean: name: httpd_sys_script_anon_write state: "{{ var_httpd_sys_script_anon_write }}" persistent: yes tags: - sebool_httpd_sys_script_anon_write - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the pcp_bind_all_unreserved_ports SELinux Boolean By default, the SELinux boolean pcp_bind_all_unreserved_ports is disabled. If this setting is enabled, it should be disabled. 
To disable the pcp_bind_all_unreserved_ports SELinux boolean, run the following command: $ sudo setsebool -P pcp_bind_all_unreserved_ports off var_pcp_bind_all_unreserved_ports="" setsebool -P pcp_bind_all_unreserved_ports $var_pcp_bind_all_unreserved_ports - name: XCCDF Value var_pcp_bind_all_unreserved_ports # promote to variable set_fact: var_pcp_bind_all_unreserved_ports: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_pcp_bind_all_unreserved_ports - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean pcp_bind_all_unreserved_ports accordingly seboolean: name: pcp_bind_all_unreserved_ports state: "{{ var_pcp_bind_all_unreserved_ports }}" persistent: yes tags: - sebool_pcp_bind_all_unreserved_ports - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the minidlna_read_generic_user_content SELinux Boolean By default, the SELinux boolean minidlna_read_generic_user_content is disabled. If this setting is enabled, it should be disabled. 
To disable the minidlna_read_generic_user_content SELinux boolean, run the following command:

$ sudo setsebool -P minidlna_read_generic_user_content off

Remediation Shell script:

var_minidlna_read_generic_user_content=""

setsebool -P minidlna_read_generic_user_content $var_minidlna_read_generic_user_content

Remediation Ansible snippet:

- name: XCCDF Value var_minidlna_read_generic_user_content # promote to variable
  set_fact:
    var_minidlna_read_generic_user_content: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_minidlna_read_generic_user_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean minidlna_read_generic_user_content accordingly
  seboolean:
    name: minidlna_read_generic_user_content
    state: "{{ var_minidlna_read_generic_user_content }}"
    persistent: yes
  tags:
    - sebool_minidlna_read_generic_user_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the auditadm_exec_content SELinux Boolean

By default, the SELinux boolean auditadm_exec_content is enabled. If this setting is disabled, it should be enabled.
To enable the auditadm_exec_content SELinux boolean, run the following command:

$ sudo setsebool -P auditadm_exec_content on

Identifiers and References: CCE-80424-5; NIST 800-171: 80424-5

Remediation Shell script:

var_auditadm_exec_content=""

setsebool -P auditadm_exec_content $var_auditadm_exec_content

Remediation Ansible snippet:

- name: XCCDF Value var_auditadm_exec_content # promote to variable
  set_fact:
    var_auditadm_exec_content: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_auditadm_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80424-5
    - NIST-800-171-80424-5
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean auditadm_exec_content accordingly
  seboolean:
    name: auditadm_exec_content
    state: "{{ var_auditadm_exec_content }}"
    persistent: yes
  tags:
    - sebool_auditadm_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80424-5
    - NIST-800-171-80424-5
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the authlogin_radius SELinux Boolean

By default, the SELinux boolean authlogin_radius is disabled. If this setting is enabled, it should be disabled.
To disable the authlogin_radius SELinux boolean, run the following command:

$ sudo setsebool -P authlogin_radius off

Identifiers and References: CCE-80426-0; NIST 800-171: 3.7.2

Remediation Shell script:

var_authlogin_radius=""

setsebool -P authlogin_radius $var_authlogin_radius

Remediation Ansible snippet:

- name: XCCDF Value var_authlogin_radius # promote to variable
  set_fact:
    var_authlogin_radius: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_authlogin_radius
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80426-0
    - NIST-800-171-3.7.2
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean authlogin_radius accordingly
  seboolean:
    name: authlogin_radius
    state: "{{ var_authlogin_radius }}"
    persistent: yes
  tags:
    - sebool_authlogin_radius
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80426-0
    - NIST-800-171-3.7.2
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the logwatch_can_network_connect_mail SELinux Boolean

By default, the SELinux boolean logwatch_can_network_connect_mail is disabled. If this setting is enabled, it should be disabled.
To disable the logwatch_can_network_connect_mail SELinux boolean, run the following command:

$ sudo setsebool -P logwatch_can_network_connect_mail off

Remediation Shell script:

var_logwatch_can_network_connect_mail=""

setsebool -P logwatch_can_network_connect_mail $var_logwatch_can_network_connect_mail

Remediation Ansible snippet:

- name: XCCDF Value var_logwatch_can_network_connect_mail # promote to variable
  set_fact:
    var_logwatch_can_network_connect_mail: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_logwatch_can_network_connect_mail
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean logwatch_can_network_connect_mail accordingly
  seboolean:
    name: logwatch_can_network_connect_mail
    state: "{{ var_logwatch_can_network_connect_mail }}"
    persistent: yes
  tags:
    - sebool_logwatch_can_network_connect_mail
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the logrotate_use_nfs SELinux Boolean

By default, the SELinux boolean logrotate_use_nfs is disabled. If this setting is enabled, it should be disabled.
To disable the logrotate_use_nfs SELinux boolean, run the following command:

$ sudo setsebool -P logrotate_use_nfs off

Remediation Shell script:

var_logrotate_use_nfs=""

setsebool -P logrotate_use_nfs $var_logrotate_use_nfs

Remediation Ansible snippet:

- name: XCCDF Value var_logrotate_use_nfs # promote to variable
  set_fact:
    var_logrotate_use_nfs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_logrotate_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean logrotate_use_nfs accordingly
  seboolean:
    name: logrotate_use_nfs
    state: "{{ var_logrotate_use_nfs }}"
    persistent: yes
  tags:
    - sebool_logrotate_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the git_cgi_use_cifs SELinux Boolean

By default, the SELinux boolean git_cgi_use_cifs is disabled. If this setting is enabled, it should be disabled.
To disable the git_cgi_use_cifs SELinux boolean, run the following command:

$ sudo setsebool -P git_cgi_use_cifs off

Remediation Shell script:

var_git_cgi_use_cifs=""

setsebool -P git_cgi_use_cifs $var_git_cgi_use_cifs

Remediation Ansible snippet:

- name: XCCDF Value var_git_cgi_use_cifs # promote to variable
  set_fact:
    var_git_cgi_use_cifs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_git_cgi_use_cifs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean git_cgi_use_cifs accordingly
  seboolean:
    name: git_cgi_use_cifs
    state: "{{ var_git_cgi_use_cifs }}"
    persistent: yes
  tags:
    - sebool_git_cgi_use_cifs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the postgresql_can_rsync SELinux Boolean

By default, the SELinux boolean postgresql_can_rsync is disabled. If this setting is enabled, it should be disabled.
To disable the postgresql_can_rsync SELinux boolean, run the following command:

$ sudo setsebool -P postgresql_can_rsync off

Remediation Shell script:

var_postgresql_can_rsync=""

setsebool -P postgresql_can_rsync $var_postgresql_can_rsync

Remediation Ansible snippet:

- name: XCCDF Value var_postgresql_can_rsync # promote to variable
  set_fact:
    var_postgresql_can_rsync: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_postgresql_can_rsync
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean postgresql_can_rsync accordingly
  seboolean:
    name: postgresql_can_rsync
    state: "{{ var_postgresql_can_rsync }}"
    persistent: yes
  tags:
    - sebool_postgresql_can_rsync
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the selinuxuser_execstack SELinux Boolean

By default, the SELinux boolean selinuxuser_execstack is enabled. This setting should be disabled, as unconfined executables should not be able to make their stack executable.
To disable the selinuxuser_execstack SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_execstack off

References: 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e)

Remediation Shell script:

var_selinuxuser_execstack=""

setsebool -P selinuxuser_execstack $var_selinuxuser_execstack

Remediation Ansible snippet:

- name: XCCDF Value var_selinuxuser_execstack # promote to variable
  set_fact:
    var_selinuxuser_execstack: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_selinuxuser_execstack
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean selinuxuser_execstack accordingly
  seboolean:
    name: selinuxuser_execstack
    state: "{{ var_selinuxuser_execstack }}"
    persistent: yes
  tags:
    - sebool_selinuxuser_execstack
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the entropyd_use_audio SELinux Boolean

By default, the SELinux boolean entropyd_use_audio is enabled. This setting should be disabled, as it allows audio input to be used to generate entropy.
To disable the entropyd_use_audio SELinux boolean, run the following command:

$ sudo setsebool -P entropyd_use_audio off

Remediation Shell script:

var_entropyd_use_audio=""

setsebool -P entropyd_use_audio $var_entropyd_use_audio

Remediation Ansible snippet:

- name: XCCDF Value var_entropyd_use_audio # promote to variable
  set_fact:
    var_entropyd_use_audio: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_entropyd_use_audio
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean entropyd_use_audio accordingly
  seboolean:
    name: entropyd_use_audio
    state: "{{ var_entropyd_use_audio }}"
    persistent: yes
  tags:
    - sebool_entropyd_use_audio
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_execmem SELinux Boolean

By default, the SELinux boolean httpd_execmem is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_execmem SELinux boolean, run the following command:

$ sudo setsebool -P httpd_execmem off

Remediation Shell script:

var_httpd_execmem=""

setsebool -P httpd_execmem $var_httpd_execmem

Remediation Ansible snippet:

- name: XCCDF Value var_httpd_execmem # promote to variable
  set_fact:
    var_httpd_execmem: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_httpd_execmem
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean httpd_execmem accordingly
  seboolean:
    name: httpd_execmem
    state: "{{ var_httpd_execmem }}"
    persistent: yes
  tags:
    - sebool_httpd_execmem
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the mount_anyfile SELinux Boolean

By default, the SELinux boolean mount_anyfile is enabled. If this setting is disabled, it should be enabled to allow any file or directory to be mounted.
To enable the mount_anyfile SELinux boolean, run the following command:

$ sudo setsebool -P mount_anyfile on

Remediation Shell script:

var_mount_anyfile=""

setsebool -P mount_anyfile $var_mount_anyfile

Remediation Ansible snippet:

- name: XCCDF Value var_mount_anyfile # promote to variable
  set_fact:
    var_mount_anyfile: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_mount_anyfile
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean mount_anyfile accordingly
  seboolean:
    name: mount_anyfile
    state: "{{ var_mount_anyfile }}"
    persistent: yes
  tags:
    - sebool_mount_anyfile
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the smartmon_3ware SELinux Boolean

By default, the SELinux boolean smartmon_3ware is disabled. If this setting is enabled, it should be disabled.
To disable the smartmon_3ware SELinux boolean, run the following command:

$ sudo setsebool -P smartmon_3ware off

Remediation Shell script:

var_smartmon_3ware=""

setsebool -P smartmon_3ware $var_smartmon_3ware

Remediation Ansible snippet:

- name: XCCDF Value var_smartmon_3ware # promote to variable
  set_fact:
    var_smartmon_3ware: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_smartmon_3ware
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean smartmon_3ware accordingly
  seboolean:
    name: smartmon_3ware
    state: "{{ var_smartmon_3ware }}"
    persistent: yes
  tags:
    - sebool_smartmon_3ware
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the git_cgi_enable_homedirs SELinux Boolean

By default, the SELinux boolean git_cgi_enable_homedirs is disabled. If this setting is enabled, it should be disabled.
To disable the git_cgi_enable_homedirs SELinux boolean, run the following command:

$ sudo setsebool -P git_cgi_enable_homedirs off

Remediation Shell script:

var_git_cgi_enable_homedirs=""

setsebool -P git_cgi_enable_homedirs $var_git_cgi_enable_homedirs

Remediation Ansible snippet:

- name: XCCDF Value var_git_cgi_enable_homedirs # promote to variable
  set_fact:
    var_git_cgi_enable_homedirs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_git_cgi_enable_homedirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean git_cgi_enable_homedirs accordingly
  seboolean:
    name: git_cgi_enable_homedirs
    state: "{{ var_git_cgi_enable_homedirs }}"
    persistent: yes
  tags:
    - sebool_git_cgi_enable_homedirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the mailman_use_fusefs SELinux Boolean

By default, the SELinux boolean mailman_use_fusefs is disabled. If this setting is enabled, it should be disabled.
To disable the mailman_use_fusefs SELinux boolean, run the following command:

$ sudo setsebool -P mailman_use_fusefs off

Remediation Shell script:

var_mailman_use_fusefs=""

setsebool -P mailman_use_fusefs $var_mailman_use_fusefs

Remediation Ansible snippet:

- name: XCCDF Value var_mailman_use_fusefs # promote to variable
  set_fact:
    var_mailman_use_fusefs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_mailman_use_fusefs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean mailman_use_fusefs accordingly
  seboolean:
    name: mailman_use_fusefs
    state: "{{ var_mailman_use_fusefs }}"
    persistent: yes
  tags:
    - sebool_mailman_use_fusefs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_can_check_spam SELinux Boolean

By default, the SELinux boolean httpd_can_check_spam is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_can_check_spam SELinux boolean, run the following command:

$ sudo setsebool -P httpd_can_check_spam off

Remediation Shell script:

var_httpd_can_check_spam=""

setsebool -P httpd_can_check_spam $var_httpd_can_check_spam

Remediation Ansible snippet:

- name: XCCDF Value var_httpd_can_check_spam # promote to variable
  set_fact:
    var_httpd_can_check_spam: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_httpd_can_check_spam
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean httpd_can_check_spam accordingly
  seboolean:
    name: httpd_can_check_spam
    state: "{{ var_httpd_can_check_spam }}"
    persistent: yes
  tags:
    - sebool_httpd_can_check_spam
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the fenced_can_ssh SELinux Boolean

By default, the SELinux boolean fenced_can_ssh is disabled. If this setting is enabled, it should be disabled.
To disable the fenced_can_ssh SELinux boolean, run the following command:

$ sudo setsebool -P fenced_can_ssh off

Remediation Shell script:

var_fenced_can_ssh=""

setsebool -P fenced_can_ssh $var_fenced_can_ssh

Remediation Ansible snippet:

- name: XCCDF Value var_fenced_can_ssh # promote to variable
  set_fact:
    var_fenced_can_ssh: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_fenced_can_ssh
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean fenced_can_ssh accordingly
  seboolean:
    name: fenced_can_ssh
    state: "{{ var_fenced_can_ssh }}"
    persistent: yes
  tags:
    - sebool_fenced_can_ssh
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the nagios_run_pnp4nagios SELinux Boolean

By default, the SELinux boolean nagios_run_pnp4nagios is disabled. If this setting is enabled, it should be disabled.
To disable the nagios_run_pnp4nagios SELinux boolean, run the following command:

$ sudo setsebool -P nagios_run_pnp4nagios off

Remediation Shell script:

var_nagios_run_pnp4nagios=""

setsebool -P nagios_run_pnp4nagios $var_nagios_run_pnp4nagios

Remediation Ansible snippet:

- name: XCCDF Value var_nagios_run_pnp4nagios # promote to variable
  set_fact:
    var_nagios_run_pnp4nagios: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_nagios_run_pnp4nagios
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean nagios_run_pnp4nagios accordingly
  seboolean:
    name: nagios_run_pnp4nagios
    state: "{{ var_nagios_run_pnp4nagios }}"
    persistent: yes
  tags:
    - sebool_nagios_run_pnp4nagios
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_can_network_connect SELinux Boolean

By default, the SELinux boolean httpd_can_network_connect is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_can_network_connect SELinux boolean, run the following command:

$ sudo setsebool -P httpd_can_network_connect off

Remediation Shell script:

var_httpd_can_network_connect=""

setsebool -P httpd_can_network_connect $var_httpd_can_network_connect

Remediation Ansible snippet:

- name: XCCDF Value var_httpd_can_network_connect # promote to variable
  set_fact:
    var_httpd_can_network_connect: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_httpd_can_network_connect
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean httpd_can_network_connect accordingly
  seboolean:
    name: httpd_can_network_connect
    state: "{{ var_httpd_can_network_connect }}"
    persistent: yes
  tags:
    - sebool_httpd_can_network_connect
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the mozilla_plugin_can_network_connect SELinux Boolean

By default, the SELinux boolean mozilla_plugin_can_network_connect is disabled. If this setting is enabled, it should be disabled.
To disable the mozilla_plugin_can_network_connect SELinux boolean, run the following command:

$ sudo setsebool -P mozilla_plugin_can_network_connect off

Remediation Shell script:

var_mozilla_plugin_can_network_connect=""

setsebool -P mozilla_plugin_can_network_connect $var_mozilla_plugin_can_network_connect

Remediation Ansible snippet:

- name: XCCDF Value var_mozilla_plugin_can_network_connect # promote to variable
  set_fact:
    var_mozilla_plugin_can_network_connect: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_mozilla_plugin_can_network_connect
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean mozilla_plugin_can_network_connect accordingly
  seboolean:
    name: mozilla_plugin_can_network_connect
    state: "{{ var_mozilla_plugin_can_network_connect }}"
    persistent: yes
  tags:
    - sebool_mozilla_plugin_can_network_connect
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the git_session_bind_all_unreserved_ports SELinux Boolean

By default, the SELinux boolean git_session_bind_all_unreserved_ports is disabled. If this setting is enabled, it should be disabled.
To disable the git_session_bind_all_unreserved_ports SELinux boolean, run the following command:

$ sudo setsebool -P git_session_bind_all_unreserved_ports off

Remediation Shell script:

var_git_session_bind_all_unreserved_ports=""

setsebool -P git_session_bind_all_unreserved_ports $var_git_session_bind_all_unreserved_ports

Remediation Ansible snippet:

- name: XCCDF Value var_git_session_bind_all_unreserved_ports # promote to variable
  set_fact:
    var_git_session_bind_all_unreserved_ports: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_git_session_bind_all_unreserved_ports
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean git_session_bind_all_unreserved_ports accordingly
  seboolean:
    name: git_session_bind_all_unreserved_ports
    state: "{{ var_git_session_bind_all_unreserved_ports }}"
    persistent: yes
  tags:
    - sebool_git_session_bind_all_unreserved_ports
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the tmpreaper_use_samba SELinux Boolean

By default, the SELinux boolean tmpreaper_use_samba is disabled. If this setting is enabled, it should be disabled.
To disable the tmpreaper_use_samba SELinux boolean, run the following command:

$ sudo setsebool -P tmpreaper_use_samba off

Remediation Shell script:

var_tmpreaper_use_samba=""

setsebool -P tmpreaper_use_samba $var_tmpreaper_use_samba

Remediation Ansible snippet:

- name: XCCDF Value var_tmpreaper_use_samba # promote to variable
  set_fact:
    var_tmpreaper_use_samba: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_tmpreaper_use_samba
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean tmpreaper_use_samba accordingly
  seboolean:
    name: tmpreaper_use_samba
    state: "{{ var_tmpreaper_use_samba }}"
    persistent: yes
  tags:
    - sebool_tmpreaper_use_samba
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the selinuxuser_tcp_server SELinux Boolean

By default, the SELinux boolean selinuxuser_tcp_server is disabled. If this setting is enabled, it should be disabled.
To disable the selinuxuser_tcp_server SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_tcp_server off

Remediation Shell script:

var_selinuxuser_tcp_server=""

setsebool -P selinuxuser_tcp_server $var_selinuxuser_tcp_server

Remediation Ansible snippet:

- name: XCCDF Value var_selinuxuser_tcp_server # promote to variable
  set_fact:
    var_selinuxuser_tcp_server: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_selinuxuser_tcp_server
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean selinuxuser_tcp_server accordingly
  seboolean:
    name: selinuxuser_tcp_server
    state: "{{ var_selinuxuser_tcp_server }}"
    persistent: yes
  tags:
    - sebool_selinuxuser_tcp_server
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_anon_write SELinux Boolean

By default, the SELinux boolean httpd_anon_write is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_anon_write SELinux boolean, run the following command:

$ sudo setsebool -P httpd_anon_write off

Remediation Shell script:

var_httpd_anon_write=""

setsebool -P httpd_anon_write $var_httpd_anon_write

Remediation Ansible snippet:

- name: XCCDF Value var_httpd_anon_write # promote to variable
  set_fact:
    var_httpd_anon_write: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_httpd_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean httpd_anon_write accordingly
  seboolean:
    name: httpd_anon_write
    state: "{{ var_httpd_anon_write }}"
    persistent: yes
  tags:
    - sebool_httpd_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_can_connect_ldap SELinux Boolean

By default, the SELinux boolean httpd_can_connect_ldap is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_can_connect_ldap SELinux boolean, run the following command:

$ sudo setsebool -P httpd_can_connect_ldap off

Remediation Shell script:

var_httpd_can_connect_ldap=""

setsebool -P httpd_can_connect_ldap $var_httpd_can_connect_ldap

Remediation Ansible snippet:

- name: XCCDF Value var_httpd_can_connect_ldap # promote to variable
  set_fact:
    var_httpd_can_connect_ldap: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_httpd_can_connect_ldap
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean httpd_can_connect_ldap accordingly
  seboolean:
    name: httpd_can_connect_ldap
    state: "{{ var_httpd_can_connect_ldap }}"
    persistent: yes
  tags:
    - sebool_httpd_can_connect_ldap
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the xen_use_nfs SELinux Boolean

By default, the SELinux boolean xen_use_nfs is disabled. If this setting is enabled, it should be disabled.
To disable the xen_use_nfs SELinux boolean, run the following command:

    $ sudo setsebool -P xen_use_nfs off

Remediation Shell script:

    # var_xen_use_nfs is an XCCDF value (rendered empty here); set it to "off" to match this rule
    var_xen_use_nfs=""
    setsebool -P xen_use_nfs $var_xen_use_nfs

Remediation Ansible snippet:

    - name: XCCDF Value var_xen_use_nfs # promote to variable
      set_fact:
        var_xen_use_nfs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_xen_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean xen_use_nfs accordingly
      seboolean:
        name: xen_use_nfs
        state: "{{ var_xen_use_nfs }}"
        persistent: yes
      tags:
        - sebool_xen_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the daemons_use_tcp_wrapper SELinux Boolean

By default, the SELinux boolean daemons_use_tcp_wrapper is disabled. If this setting is enabled, it should be disabled.
To disable the daemons_use_tcp_wrapper SELinux boolean, run the following command:

    $ sudo setsebool -P daemons_use_tcp_wrapper off

Remediation Shell script:

    # var_daemons_use_tcp_wrapper is an XCCDF value (rendered empty here); set it to "off" to match this rule
    var_daemons_use_tcp_wrapper=""
    setsebool -P daemons_use_tcp_wrapper $var_daemons_use_tcp_wrapper

Remediation Ansible snippet:

    - name: XCCDF Value var_daemons_use_tcp_wrapper # promote to variable
      set_fact:
        var_daemons_use_tcp_wrapper: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_daemons_use_tcp_wrapper
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean daemons_use_tcp_wrapper accordingly
      seboolean:
        name: daemons_use_tcp_wrapper
        state: "{{ var_daemons_use_tcp_wrapper }}"
        persistent: yes
      tags:
        - sebool_daemons_use_tcp_wrapper
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the ftpd_connect_db SELinux Boolean

By default, the SELinux boolean ftpd_connect_db is disabled. If this setting is enabled, it should be disabled.
To disable the ftpd_connect_db SELinux boolean, run the following command:

    $ sudo setsebool -P ftpd_connect_db off

Remediation Shell script:

    # var_ftpd_connect_db is an XCCDF value (rendered empty here); set it to "off" to match this rule
    var_ftpd_connect_db=""
    setsebool -P ftpd_connect_db $var_ftpd_connect_db

Remediation Ansible snippet:

    - name: XCCDF Value var_ftpd_connect_db # promote to variable
      set_fact:
        var_ftpd_connect_db: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_ftpd_connect_db
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean ftpd_connect_db accordingly
      seboolean:
        name: ftpd_connect_db
        state: "{{ var_ftpd_connect_db }}"
        persistent: yes
      tags:
        - sebool_ftpd_connect_db
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the ftpd_use_nfs SELinux Boolean

By default, the SELinux boolean ftpd_use_nfs is disabled. If this setting is enabled, it should be disabled.
To disable the ftpd_use_nfs SELinux boolean, run the following command:

    $ sudo setsebool -P ftpd_use_nfs off

Remediation Shell script:

    # var_ftpd_use_nfs is an XCCDF value (rendered empty here); set it to "off" to match this rule
    var_ftpd_use_nfs=""
    setsebool -P ftpd_use_nfs $var_ftpd_use_nfs

Remediation Ansible snippet:

    - name: XCCDF Value var_ftpd_use_nfs # promote to variable
      set_fact:
        var_ftpd_use_nfs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_ftpd_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean ftpd_use_nfs accordingly
      seboolean:
        name: ftpd_use_nfs
        state: "{{ var_ftpd_use_nfs }}"
        persistent: yes
      tags:
        - sebool_ftpd_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the cron_can_relabel SELinux Boolean

By default, the SELinux boolean cron_can_relabel is disabled. If this setting is enabled, it should be disabled.
To disable the cron_can_relabel SELinux boolean, run the following command:

    $ sudo setsebool -P cron_can_relabel off

Remediation Shell script:

    # var_cron_can_relabel is an XCCDF value (rendered empty here); set it to "off" to match this rule
    var_cron_can_relabel=""
    setsebool -P cron_can_relabel $var_cron_can_relabel

Remediation Ansible snippet:

    - name: XCCDF Value var_cron_can_relabel # promote to variable
      set_fact:
        var_cron_can_relabel: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_cron_can_relabel
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean cron_can_relabel accordingly
      seboolean:
        name: cron_can_relabel
        state: "{{ var_cron_can_relabel }}"
        persistent: yes
      tags:
        - sebool_cron_can_relabel
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the openvpn_run_unconfined SELinux Boolean

By default, the SELinux boolean openvpn_run_unconfined is disabled. If this setting is enabled, it should be disabled.
To disable the openvpn_run_unconfined SELinux boolean, run the following command:

    $ sudo setsebool -P openvpn_run_unconfined off

Remediation Shell script:

    # var_openvpn_run_unconfined is an XCCDF value (rendered empty here); set it to "off" to match this rule
    var_openvpn_run_unconfined=""
    setsebool -P openvpn_run_unconfined $var_openvpn_run_unconfined

Remediation Ansible snippet:

    - name: XCCDF Value var_openvpn_run_unconfined # promote to variable
      set_fact:
        var_openvpn_run_unconfined: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_openvpn_run_unconfined
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean openvpn_run_unconfined accordingly
      seboolean:
        name: openvpn_run_unconfined
        state: "{{ var_openvpn_run_unconfined }}"
        persistent: yes
      tags:
        - sebool_openvpn_run_unconfined
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the zebra_write_config SELinux Boolean

By default, the SELinux boolean zebra_write_config is disabled. If this setting is enabled, it should be disabled.
To disable the zebra_write_config SELinux boolean, run the following command:

    $ sudo setsebool -P zebra_write_config off

Remediation Shell script:

    # var_zebra_write_config is an XCCDF value (rendered empty here); set it to "off" to match this rule
    var_zebra_write_config=""
    setsebool -P zebra_write_config $var_zebra_write_config

Remediation Ansible snippet:

    - name: XCCDF Value var_zebra_write_config # promote to variable
      set_fact:
        var_zebra_write_config: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_zebra_write_config
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean zebra_write_config accordingly
      seboolean:
        name: zebra_write_config
        state: "{{ var_zebra_write_config }}"
        persistent: yes
      tags:
        - sebool_zebra_write_config
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the virt_rw_qemu_ga_data SELinux Boolean

By default, the SELinux boolean virt_rw_qemu_ga_data is disabled. If this setting is enabled, it should be disabled.
To disable the virt_rw_qemu_ga_data SELinux boolean, run the following command:

    $ sudo setsebool -P virt_rw_qemu_ga_data off

Remediation Shell script:

    # var_virt_rw_qemu_ga_data is an XCCDF value (rendered empty here); set it to "off" to match this rule
    var_virt_rw_qemu_ga_data=""
    setsebool -P virt_rw_qemu_ga_data $var_virt_rw_qemu_ga_data

Remediation Ansible snippet:

    - name: XCCDF Value var_virt_rw_qemu_ga_data # promote to variable
      set_fact:
        var_virt_rw_qemu_ga_data: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_virt_rw_qemu_ga_data
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean virt_rw_qemu_ga_data accordingly
      seboolean:
        name: virt_rw_qemu_ga_data
        state: "{{ var_virt_rw_qemu_ga_data }}"
        persistent: yes
      tags:
        - sebool_virt_rw_qemu_ga_data
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the condor_tcp_network_connect SELinux Boolean

By default, the SELinux boolean condor_tcp_network_connect is disabled. If this setting is enabled, it should be disabled.
To disable the condor_tcp_network_connect SELinux boolean, run the following command:

    $ sudo setsebool -P condor_tcp_network_connect off

Remediation Shell script:

    # var_condor_tcp_network_connect is an XCCDF value (rendered empty here); set it to "off" to match this rule
    var_condor_tcp_network_connect=""
    setsebool -P condor_tcp_network_connect $var_condor_tcp_network_connect

Remediation Ansible snippet:

    - name: XCCDF Value var_condor_tcp_network_connect # promote to variable
      set_fact:
        var_condor_tcp_network_connect: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_condor_tcp_network_connect
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean condor_tcp_network_connect accordingly
      seboolean:
        name: condor_tcp_network_connect
        state: "{{ var_condor_tcp_network_connect }}"
        persistent: yes
      tags:
        - sebool_condor_tcp_network_connect
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the fcron_crond SELinux Boolean

By default, the SELinux boolean fcron_crond is disabled. If this setting is enabled, it should be disabled.
To disable the fcron_crond SELinux boolean, run the following command:

    $ sudo setsebool -P fcron_crond off

Remediation Shell script:

    # var_fcron_crond is an XCCDF value (rendered empty here); set it to "off" to match this rule
    var_fcron_crond=""
    setsebool -P fcron_crond $var_fcron_crond

Remediation Ansible snippet:

    - name: XCCDF Value var_fcron_crond # promote to variable
      set_fact:
        var_fcron_crond: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_fcron_crond
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean fcron_crond accordingly
      seboolean:
        name: fcron_crond
        state: "{{ var_fcron_crond }}"
        persistent: yes
      tags:
        - sebool_fcron_crond
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the nfsd_anon_write SELinux Boolean

By default, the SELinux boolean nfsd_anon_write is disabled. If this setting is enabled, it should be disabled.
To disable the nfsd_anon_write SELinux boolean, run the following command:

    $ sudo setsebool -P nfsd_anon_write off

Remediation Shell script:

    # var_nfsd_anon_write is an XCCDF value (rendered empty here); set it to "off" to match this rule
    var_nfsd_anon_write=""
    setsebool -P nfsd_anon_write $var_nfsd_anon_write

Remediation Ansible snippet:

    - name: XCCDF Value var_nfsd_anon_write # promote to variable
      set_fact:
        var_nfsd_anon_write: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_nfsd_anon_write
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean nfsd_anon_write accordingly
      seboolean:
        name: nfsd_anon_write
        state: "{{ var_nfsd_anon_write }}"
        persistent: yes
      tags:
        - sebool_nfsd_anon_write
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the logadm_exec_content SELinux Boolean

By default, the SELinux boolean logadm_exec_content is enabled. If this setting is disabled, it should be enabled.
To enable the logadm_exec_content SELinux boolean, run the following command:

    $ sudo setsebool -P logadm_exec_content on

Remediation Shell script:

    # var_logadm_exec_content is an XCCDF value (rendered empty here); set it to "on" to match this rule
    var_logadm_exec_content=""
    setsebool -P logadm_exec_content $var_logadm_exec_content

Remediation Ansible snippet:

    - name: XCCDF Value var_logadm_exec_content # promote to variable
      set_fact:
        var_logadm_exec_content: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_logadm_exec_content
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean logadm_exec_content accordingly
      seboolean:
        name: logadm_exec_content
        state: "{{ var_logadm_exec_content }}"
        persistent: yes
      tags:
        - sebool_logadm_exec_content
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_dbus_sssd SELinux Boolean

By default, the SELinux boolean httpd_dbus_sssd is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_dbus_sssd SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_dbus_sssd off

Remediation Shell script:

    # var_httpd_dbus_sssd is an XCCDF value (rendered empty here); set it to "off" to match this rule
    var_httpd_dbus_sssd=""
    setsebool -P httpd_dbus_sssd $var_httpd_dbus_sssd

Remediation Ansible snippet:

    - name: XCCDF Value var_httpd_dbus_sssd # promote to variable
      set_fact:
        var_httpd_dbus_sssd: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_dbus_sssd
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_dbus_sssd accordingly
      seboolean:
        name: httpd_dbus_sssd
        state: "{{ var_httpd_dbus_sssd }}"
        persistent: yes
      tags:
        - sebool_httpd_dbus_sssd
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_manage_ipa SELinux Boolean

By default, the SELinux boolean httpd_manage_ipa is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_manage_ipa SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_manage_ipa off

Remediation Shell script:

    # var_httpd_manage_ipa is an XCCDF value (rendered empty here); set it to "off" to match this rule
    var_httpd_manage_ipa=""
    setsebool -P httpd_manage_ipa $var_httpd_manage_ipa

Remediation Ansible snippet:

    - name: XCCDF Value var_httpd_manage_ipa # promote to variable
      set_fact:
        var_httpd_manage_ipa: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_manage_ipa
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_manage_ipa accordingly
      seboolean:
        name: httpd_manage_ipa
        state: "{{ var_httpd_manage_ipa }}"
        persistent: yes
      tags:
        - sebool_httpd_manage_ipa
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the haproxy_connect_any SELinux Boolean

By default, the SELinux boolean haproxy_connect_any is disabled. If this setting is enabled, it should be disabled.
To disable the haproxy_connect_any SELinux boolean, run the following command:

    $ sudo setsebool -P haproxy_connect_any off

Remediation Shell script:

    # var_haproxy_connect_any is an XCCDF value (rendered empty here); set it to "off" to match this rule
    var_haproxy_connect_any=""
    setsebool -P haproxy_connect_any $var_haproxy_connect_any

Remediation Ansible snippet:

    - name: XCCDF Value var_haproxy_connect_any # promote to variable
      set_fact:
        var_haproxy_connect_any: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_haproxy_connect_any
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean haproxy_connect_any accordingly
      seboolean:
        name: haproxy_connect_any
        state: "{{ var_haproxy_connect_any }}"
        persistent: yes
      tags:
        - sebool_haproxy_connect_any
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_setrlimit SELinux Boolean

By default, the SELinux boolean httpd_setrlimit is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_setrlimit SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_setrlimit off

Remediation Shell script:

    # var_httpd_setrlimit is an XCCDF value (rendered empty here); set it to "off" to match this rule
    var_httpd_setrlimit=""
    setsebool -P httpd_setrlimit $var_httpd_setrlimit

Remediation Ansible snippet:

    - name: XCCDF Value var_httpd_setrlimit # promote to variable
      set_fact:
        var_httpd_setrlimit: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_setrlimit
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_setrlimit accordingly
      seboolean:
        name: httpd_setrlimit
        state: "{{ var_httpd_setrlimit }}"
        persistent: yes
      tags:
        - sebool_httpd_setrlimit
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the antivirus_use_jit SELinux Boolean

By default, the SELinux boolean antivirus_use_jit is disabled. If this setting is enabled, it should be disabled.
To disable the antivirus_use_jit SELinux boolean, run the following command:

    $ sudo setsebool -P antivirus_use_jit off

Identifiers: CCE-80423-7
References: NIST 800-171 3.7.2

Remediation Shell script:

    # var_antivirus_use_jit is an XCCDF value (rendered empty here); set it to "off" to match this rule
    var_antivirus_use_jit=""
    setsebool -P antivirus_use_jit $var_antivirus_use_jit

Remediation Ansible snippet:

    - name: XCCDF Value var_antivirus_use_jit # promote to variable
      set_fact:
        var_antivirus_use_jit: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_antivirus_use_jit
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80423-7
        - NIST-800-171-3.7.2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean antivirus_use_jit accordingly
      seboolean:
        name: antivirus_use_jit
        state: "{{ var_antivirus_use_jit }}"
        persistent: yes
      tags:
        - sebool_antivirus_use_jit
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80423-7
        - NIST-800-171-3.7.2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the rsync_full_access SELinux Boolean

By default, the SELinux boolean rsync_full_access is disabled. If this setting is enabled, it should be disabled.
To disable the rsync_full_access SELinux boolean, run the following command:

    $ sudo setsebool -P rsync_full_access off

Remediation Shell script:

    # var_rsync_full_access is an XCCDF value (rendered empty here); set it to "off" to match this rule
    var_rsync_full_access=""
    setsebool -P rsync_full_access $var_rsync_full_access

Remediation Ansible snippet:

    - name: XCCDF Value var_rsync_full_access # promote to variable
      set_fact:
        var_rsync_full_access: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_rsync_full_access
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean rsync_full_access accordingly
      seboolean:
        name: rsync_full_access
        state: "{{ var_rsync_full_access }}"
        persistent: yes
      tags:
        - sebool_rsync_full_access
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_run_ipa SELinux Boolean

By default, the SELinux boolean httpd_run_ipa is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_run_ipa SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_run_ipa off

Remediation Shell script:

    # var_httpd_run_ipa is an XCCDF value (rendered empty here); set it to "off" to match this rule
    var_httpd_run_ipa=""
    setsebool -P httpd_run_ipa $var_httpd_run_ipa

Remediation Ansible snippet:

    - name: XCCDF Value var_httpd_run_ipa # promote to variable
      set_fact:
        var_httpd_run_ipa: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_run_ipa
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_run_ipa accordingly
      seboolean:
        name: httpd_run_ipa
        state: "{{ var_httpd_run_ipa }}"
        persistent: yes
      tags:
        - sebool_httpd_run_ipa
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure the httpd_builtin_scripting SELinux Boolean

By default, the SELinux boolean httpd_builtin_scripting is enabled. This setting should be disabled if httpd is not running php or a similar scripting language.
To disable the httpd_builtin_scripting SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_builtin_scripting off

Remediation Shell script:

    # var_httpd_builtin_scripting is an XCCDF value (rendered empty here); set it to "off" to match this rule
    var_httpd_builtin_scripting=""
    setsebool -P httpd_builtin_scripting $var_httpd_builtin_scripting

Remediation Ansible snippet:

    - name: XCCDF Value var_httpd_builtin_scripting # promote to variable
      set_fact:
        var_httpd_builtin_scripting: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_builtin_scripting
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_builtin_scripting accordingly
      seboolean:
        name: httpd_builtin_scripting
        state: "{{ var_httpd_builtin_scripting }}"
        persistent: yes
      tags:
        - sebool_httpd_builtin_scripting
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the staff_use_svirt SELinux Boolean

By default, the SELinux boolean staff_use_svirt is disabled. If this setting is enabled, it should be disabled.
To disable the staff_use_svirt SELinux boolean, run the following command:

    $ sudo setsebool -P staff_use_svirt off

Remediation Shell script:

    # var_staff_use_svirt is an XCCDF value (rendered empty here); set it to "off" to match this rule
    var_staff_use_svirt=""
    setsebool -P staff_use_svirt $var_staff_use_svirt

Remediation Ansible snippet:

    - name: XCCDF Value var_staff_use_svirt # promote to variable
      set_fact:
        var_staff_use_svirt: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_staff_use_svirt
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean staff_use_svirt accordingly
      seboolean:
        name: staff_use_svirt
        state: "{{ var_staff_use_svirt }}"
        persistent: yes
      tags:
        - sebool_staff_use_svirt
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the user_exec_content SELinux Boolean

By default, the SELinux boolean user_exec_content is enabled. If this setting is disabled, it should be enabled.
To enable the user_exec_content SELinux boolean, run the following command:

    $ sudo setsebool -P user_exec_content on

Remediation Shell script:

    # var_user_exec_content is an XCCDF value (rendered empty here); set it to "on" to match this rule
    var_user_exec_content=""
    setsebool -P user_exec_content $var_user_exec_content

Remediation Ansible snippet:

    - name: XCCDF Value var_user_exec_content # promote to variable
      set_fact:
        var_user_exec_content: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_user_exec_content
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean user_exec_content accordingly
      seboolean:
        name: user_exec_content
        state: "{{ var_user_exec_content }}"
        persistent: yes
      tags:
        - sebool_user_exec_content
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the samba_run_unconfined SELinux Boolean

By default, the SELinux boolean samba_run_unconfined is disabled. If this setting is enabled, it should be disabled.
To disable the samba_run_unconfined SELinux boolean, run the following command:

    $ sudo setsebool -P samba_run_unconfined off

Remediation Shell script:

    # var_samba_run_unconfined is an XCCDF value (rendered empty here); set it to "off" to match this rule
    var_samba_run_unconfined=""
    setsebool -P samba_run_unconfined $var_samba_run_unconfined

Remediation Ansible snippet:

    - name: XCCDF Value var_samba_run_unconfined # promote to variable
      set_fact:
        var_samba_run_unconfined: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_samba_run_unconfined
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean samba_run_unconfined accordingly
      seboolean:
        name: samba_run_unconfined
        state: "{{ var_samba_run_unconfined }}"
        persistent: yes
      tags:
        - sebool_samba_run_unconfined
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the mozilla_plugin_use_spice SELinux Boolean

By default, the SELinux boolean mozilla_plugin_use_spice is disabled. If this setting is enabled, it should be disabled.
To disable the mozilla_plugin_use_spice SELinux boolean, run the following command:

    $ sudo setsebool -P mozilla_plugin_use_spice off

Remediation Shell script:

    # var_mozilla_plugin_use_spice is an XCCDF value (rendered empty here); set it to "off" to match this rule
    var_mozilla_plugin_use_spice=""
    setsebool -P mozilla_plugin_use_spice $var_mozilla_plugin_use_spice

Remediation Ansible snippet:

    - name: XCCDF Value var_mozilla_plugin_use_spice # promote to variable
      set_fact:
        var_mozilla_plugin_use_spice: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_mozilla_plugin_use_spice
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean mozilla_plugin_use_spice accordingly
      seboolean:
        name: mozilla_plugin_use_spice
        state: "{{ var_mozilla_plugin_use_spice }}"
        persistent: yes
      tags:
        - sebool_mozilla_plugin_use_spice
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the mpd_use_nfs SELinux Boolean

By default, the SELinux boolean mpd_use_nfs is disabled. If this setting is enabled, it should be disabled.
To disable the mpd_use_nfs SELinux boolean, run the following command:

    $ sudo setsebool -P mpd_use_nfs off

Remediation Shell script:

    # var_mpd_use_nfs is an XCCDF value (rendered empty here); set it to "off" to match this rule
    var_mpd_use_nfs=""
    setsebool -P mpd_use_nfs $var_mpd_use_nfs

Remediation Ansible snippet:

    - name: XCCDF Value var_mpd_use_nfs # promote to variable
      set_fact:
        var_mpd_use_nfs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_mpd_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean mpd_use_nfs accordingly
      seboolean:
        name: mpd_use_nfs
        state: "{{ var_mpd_use_nfs }}"
        persistent: yes
      tags:
        - sebool_mpd_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_read_user_content SELinux Boolean

By default, the SELinux boolean httpd_read_user_content is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_read_user_content SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_read_user_content off

Remediation Shell script:

    var_httpd_read_user_content=""
    setsebool -P httpd_read_user_content $var_httpd_read_user_content

Remediation Ansible snippet:

    - name: XCCDF Value var_httpd_read_user_content # promote to variable
      set_fact:
        var_httpd_read_user_content: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_read_user_content
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_read_user_content accordingly
      seboolean:
        name: httpd_read_user_content
        state: "{{ var_httpd_read_user_content }}"
        persistent: yes
      tags:
        - sebool_httpd_read_user_content
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the rsync_client SELinux Boolean

By default, the SELinux boolean rsync_client is disabled. If this setting is enabled, it should be disabled.
To disable the rsync_client SELinux boolean, run the following command:

    $ sudo setsebool -P rsync_client off

Remediation Shell script:

    var_rsync_client=""
    setsebool -P rsync_client $var_rsync_client

Remediation Ansible snippet:

    - name: XCCDF Value var_rsync_client # promote to variable
      set_fact:
        var_rsync_client: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_rsync_client
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean rsync_client accordingly
      seboolean:
        name: rsync_client
        state: "{{ var_rsync_client }}"
        persistent: yes
      tags:
        - sebool_rsync_client
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the dbadm_read_user_files SELinux Boolean

By default, the SELinux boolean dbadm_read_user_files is disabled. If this setting is enabled, it should be disabled.
To disable the dbadm_read_user_files SELinux boolean, run the following command:

    $ sudo setsebool -P dbadm_read_user_files off

Remediation Shell script:

    var_dbadm_read_user_files=""
    setsebool -P dbadm_read_user_files $var_dbadm_read_user_files

Remediation Ansible snippet:

    - name: XCCDF Value var_dbadm_read_user_files # promote to variable
      set_fact:
        var_dbadm_read_user_files: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_dbadm_read_user_files
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean dbadm_read_user_files accordingly
      seboolean:
        name: dbadm_read_user_files
        state: "{{ var_dbadm_read_user_files }}"
        persistent: yes
      tags:
        - sebool_dbadm_read_user_files
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the deny_ptrace SELinux Boolean

By default, the SELinux boolean deny_ptrace is disabled. If this setting is enabled, it should be disabled.
To disable the deny_ptrace SELinux boolean, run the following command:

    $ sudo setsebool -P deny_ptrace off

Remediation Shell script:

    var_deny_ptrace=""
    setsebool -P deny_ptrace $var_deny_ptrace

Remediation Ansible snippet:

    - name: XCCDF Value var_deny_ptrace # promote to variable
      set_fact:
        var_deny_ptrace: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_deny_ptrace
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean deny_ptrace accordingly
      seboolean:
        name: deny_ptrace
        state: "{{ var_deny_ptrace }}"
        persistent: yes
      tags:
        - sebool_deny_ptrace
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the nfs_export_all_rw SELinux Boolean

By default, the SELinux boolean nfs_export_all_rw is enabled. If this setting is disabled, it should be enabled as it allows NFS to export read/write mounts.
To enable the nfs_export_all_rw SELinux boolean, run the following command:

    $ sudo setsebool -P nfs_export_all_rw on

Remediation Shell script:

    var_nfs_export_all_rw=""
    setsebool -P nfs_export_all_rw $var_nfs_export_all_rw

Remediation Ansible snippet:

    - name: XCCDF Value var_nfs_export_all_rw # promote to variable
      set_fact:
        var_nfs_export_all_rw: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_nfs_export_all_rw
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean nfs_export_all_rw accordingly
      seboolean:
        name: nfs_export_all_rw
        state: "{{ var_nfs_export_all_rw }}"
        persistent: yes
      tags:
        - sebool_nfs_export_all_rw
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the rsync_anon_write SELinux Boolean

By default, the SELinux boolean rsync_anon_write is disabled. If this setting is enabled, it should be disabled.
To disable the rsync_anon_write SELinux boolean, run the following command:

    $ sudo setsebool -P rsync_anon_write off

Remediation Shell script:

    var_rsync_anon_write=""
    setsebool -P rsync_anon_write $var_rsync_anon_write

Remediation Ansible snippet:

    - name: XCCDF Value var_rsync_anon_write # promote to variable
      set_fact:
        var_rsync_anon_write: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_rsync_anon_write
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean rsync_anon_write accordingly
      seboolean:
        name: rsync_anon_write
        state: "{{ var_rsync_anon_write }}"
        persistent: yes
      tags:
        - sebool_rsync_anon_write
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_can_network_memcache SELinux Boolean

By default, the SELinux boolean httpd_can_network_memcache is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_can_network_memcache SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_can_network_memcache off

Remediation Shell script:

    var_httpd_can_network_memcache=""
    setsebool -P httpd_can_network_memcache $var_httpd_can_network_memcache

Remediation Ansible snippet:

    - name: XCCDF Value var_httpd_can_network_memcache # promote to variable
      set_fact:
        var_httpd_can_network_memcache: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_can_network_memcache
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_can_network_memcache accordingly
      seboolean:
        name: httpd_can_network_memcache
        state: "{{ var_httpd_can_network_memcache }}"
        persistent: yes
      tags:
        - sebool_httpd_can_network_memcache
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the virt_sandbox_use_audit SELinux Boolean

By default, the SELinux boolean virt_sandbox_use_audit is enabled. If this setting is disabled, it should be enabled to allow sandboxed containers to send audit messages.
To enable the virt_sandbox_use_audit SELinux boolean, run the following command:

    $ sudo setsebool -P virt_sandbox_use_audit on

Remediation Shell script:

    var_virt_sandbox_use_audit=""
    setsebool -P virt_sandbox_use_audit $var_virt_sandbox_use_audit

Remediation Ansible snippet:

    - name: XCCDF Value var_virt_sandbox_use_audit # promote to variable
      set_fact:
        var_virt_sandbox_use_audit: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_virt_sandbox_use_audit
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean virt_sandbox_use_audit accordingly
      seboolean:
        name: virt_sandbox_use_audit
        state: "{{ var_virt_sandbox_use_audit }}"
        persistent: yes
      tags:
        - sebool_virt_sandbox_use_audit
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the mozilla_read_content SELinux Boolean

By default, the SELinux boolean mozilla_read_content is disabled. If this setting is enabled, it should be disabled.
To disable the mozilla_read_content SELinux boolean, run the following command:

    $ sudo setsebool -P mozilla_read_content off

Remediation Shell script:

    var_mozilla_read_content=""
    setsebool -P mozilla_read_content $var_mozilla_read_content

Remediation Ansible snippet:

    - name: XCCDF Value var_mozilla_read_content # promote to variable
      set_fact:
        var_mozilla_read_content: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_mozilla_read_content
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean mozilla_read_content accordingly
      seboolean:
        name: mozilla_read_content
        state: "{{ var_mozilla_read_content }}"
        persistent: yes
      tags:
        - sebool_mozilla_read_content
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the xserver_object_manager SELinux Boolean

By default, the SELinux boolean xserver_object_manager is disabled. If this setting is enabled, it should be disabled.
To disable the xserver_object_manager SELinux boolean, run the following command:

    $ sudo setsebool -P xserver_object_manager off

Remediation Shell script:

    var_xserver_object_manager=""
    setsebool -P xserver_object_manager $var_xserver_object_manager

Remediation Ansible snippet:

    - name: XCCDF Value var_xserver_object_manager # promote to variable
      set_fact:
        var_xserver_object_manager: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_xserver_object_manager
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean xserver_object_manager accordingly
      seboolean:
        name: xserver_object_manager
        state: "{{ var_xserver_object_manager }}"
        persistent: yes
      tags:
        - sebool_xserver_object_manager
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_tty_comm SELinux Boolean

By default, the SELinux boolean httpd_tty_comm is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_tty_comm SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_tty_comm off

Remediation Shell script:

    var_httpd_tty_comm=""
    setsebool -P httpd_tty_comm $var_httpd_tty_comm

Remediation Ansible snippet:

    - name: XCCDF Value var_httpd_tty_comm # promote to variable
      set_fact:
        var_httpd_tty_comm: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_tty_comm
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_tty_comm accordingly
      seboolean:
        name: httpd_tty_comm
        state: "{{ var_httpd_tty_comm }}"
        persistent: yes
      tags:
        - sebool_httpd_tty_comm
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the collectd_tcp_network_connect SELinux Boolean

By default, the SELinux boolean collectd_tcp_network_connect is disabled. If this setting is enabled, it should be disabled.
To disable the collectd_tcp_network_connect SELinux boolean, run the following command:

    $ sudo setsebool -P collectd_tcp_network_connect off

Remediation Shell script:

    var_collectd_tcp_network_connect=""
    setsebool -P collectd_tcp_network_connect $var_collectd_tcp_network_connect

Remediation Ansible snippet:

    - name: XCCDF Value var_collectd_tcp_network_connect # promote to variable
      set_fact:
        var_collectd_tcp_network_connect: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_collectd_tcp_network_connect
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean collectd_tcp_network_connect accordingly
      seboolean:
        name: collectd_tcp_network_connect
        state: "{{ var_collectd_tcp_network_connect }}"
        persistent: yes
      tags:
        - sebool_collectd_tcp_network_connect
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the xdm_sysadm_login SELinux Boolean

By default, the SELinux boolean xdm_sysadm_login is disabled. If this setting is enabled, it should be disabled.
To disable the xdm_sysadm_login SELinux boolean, run the following command:

    $ sudo setsebool -P xdm_sysadm_login off

Remediation Shell script:

    var_xdm_sysadm_login=""
    setsebool -P xdm_sysadm_login $var_xdm_sysadm_login

Remediation Ansible snippet:

    - name: XCCDF Value var_xdm_sysadm_login # promote to variable
      set_fact:
        var_xdm_sysadm_login: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_xdm_sysadm_login
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean xdm_sysadm_login accordingly
      seboolean:
        name: xdm_sysadm_login
        state: "{{ var_xdm_sysadm_login }}"
        persistent: yes
      tags:
        - sebool_xdm_sysadm_login
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the pcp_read_generic_logs SELinux Boolean

By default, the SELinux boolean pcp_read_generic_logs is disabled. If this setting is enabled, it should be disabled.
To disable the pcp_read_generic_logs SELinux boolean, run the following command:

    $ sudo setsebool -P pcp_read_generic_logs off

Remediation Shell script:

    var_pcp_read_generic_logs=""
    setsebool -P pcp_read_generic_logs $var_pcp_read_generic_logs

Remediation Ansible snippet:

    - name: XCCDF Value var_pcp_read_generic_logs # promote to variable
      set_fact:
        var_pcp_read_generic_logs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_pcp_read_generic_logs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean pcp_read_generic_logs accordingly
      seboolean:
        name: pcp_read_generic_logs
        state: "{{ var_pcp_read_generic_logs }}"
        persistent: yes
      tags:
        - sebool_pcp_read_generic_logs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the spamd_enable_home_dirs SELinux Boolean

By default, the SELinux boolean spamd_enable_home_dirs is enabled. If this setting is disabled, it should be enabled.
To enable the spamd_enable_home_dirs SELinux boolean, run the following command:

    $ sudo setsebool -P spamd_enable_home_dirs on

Remediation Shell script:

    var_spamd_enable_home_dirs=""
    setsebool -P spamd_enable_home_dirs $var_spamd_enable_home_dirs

Remediation Ansible snippet:

    - name: XCCDF Value var_spamd_enable_home_dirs # promote to variable
      set_fact:
        var_spamd_enable_home_dirs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_spamd_enable_home_dirs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean spamd_enable_home_dirs accordingly
      seboolean:
        name: spamd_enable_home_dirs
        state: "{{ var_spamd_enable_home_dirs }}"
        persistent: yes
      tags:
        - sebool_spamd_enable_home_dirs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the xguest_mount_media SELinux Boolean

By default, the SELinux boolean xguest_mount_media is enabled. This setting should be disabled as guest users should not be able to mount any media.
To disable the xguest_mount_media SELinux boolean, run the following command:

    $ sudo setsebool -P xguest_mount_media off

Remediation Shell script:

    var_xguest_mount_media=""
    setsebool -P xguest_mount_media $var_xguest_mount_media

Remediation Ansible snippet:

    - name: XCCDF Value var_xguest_mount_media # promote to variable
      set_fact:
        var_xguest_mount_media: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_xguest_mount_media
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean xguest_mount_media accordingly
      seboolean:
        name: xguest_mount_media
        state: "{{ var_xguest_mount_media }}"
        persistent: yes
      tags:
        - sebool_xguest_mount_media
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the polipo_session_bind_all_unreserved_ports SELinux Boolean

By default, the SELinux boolean polipo_session_bind_all_unreserved_ports is disabled. If this setting is enabled, it should be disabled.
To disable the polipo_session_bind_all_unreserved_ports SELinux boolean, run the following command:

    $ sudo setsebool -P polipo_session_bind_all_unreserved_ports off

Remediation Shell script:

    var_polipo_session_bind_all_unreserved_ports=""
    setsebool -P polipo_session_bind_all_unreserved_ports $var_polipo_session_bind_all_unreserved_ports

Remediation Ansible snippet:

    - name: XCCDF Value var_polipo_session_bind_all_unreserved_ports # promote to variable
      set_fact:
        var_polipo_session_bind_all_unreserved_ports: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_polipo_session_bind_all_unreserved_ports
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean polipo_session_bind_all_unreserved_ports accordingly
      seboolean:
        name: polipo_session_bind_all_unreserved_ports
        state: "{{ var_polipo_session_bind_all_unreserved_ports }}"
        persistent: yes
      tags:
        - sebool_polipo_session_bind_all_unreserved_ports
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the container_connect_any SELinux Boolean

By default, the SELinux boolean container_connect_any is disabled. If this setting is enabled, it should be disabled.
To disable the container_connect_any SELinux boolean, run the following command:

    $ sudo setsebool -P container_connect_any off

Remediation Shell script:

    var_container_connect_any=""
    setsebool -P container_connect_any $var_container_connect_any

Remediation Ansible snippet:

    - name: XCCDF Value var_container_connect_any # promote to variable
      set_fact:
        var_container_connect_any: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_container_connect_any
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean container_connect_any accordingly
      seboolean:
        name: container_connect_any
        state: "{{ var_container_connect_any }}"
        persistent: yes
      tags:
        - sebool_container_connect_any
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the tftp_anon_write SELinux Boolean

By default, the SELinux boolean tftp_anon_write is disabled. If this setting is enabled, it should be disabled.
To disable the tftp_anon_write SELinux boolean, run the following command:

    $ sudo setsebool -P tftp_anon_write off

Remediation Shell script:

    var_tftp_anon_write=""
    setsebool -P tftp_anon_write $var_tftp_anon_write

Remediation Ansible snippet:

    - name: XCCDF Value var_tftp_anon_write # promote to variable
      set_fact:
        var_tftp_anon_write: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_tftp_anon_write
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean tftp_anon_write accordingly
      seboolean:
        name: tftp_anon_write
        state: "{{ var_tftp_anon_write }}"
        persistent: yes
      tags:
        - sebool_tftp_anon_write
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the git_system_use_nfs SELinux Boolean

By default, the SELinux boolean git_system_use_nfs is disabled. If this setting is enabled, it should be disabled.
To disable the git_system_use_nfs SELinux boolean, run the following command:

    $ sudo setsebool -P git_system_use_nfs off

Remediation Shell script:

    var_git_system_use_nfs=""
    setsebool -P git_system_use_nfs $var_git_system_use_nfs

Remediation Ansible snippet:

    - name: XCCDF Value var_git_system_use_nfs # promote to variable
      set_fact:
        var_git_system_use_nfs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_git_system_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean git_system_use_nfs accordingly
      seboolean:
        name: git_system_use_nfs
        state: "{{ var_git_system_use_nfs }}"
        persistent: yes
      tags:
        - sebool_git_system_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the virt_use_usb SELinux Boolean

By default, the SELinux boolean virt_use_usb is enabled. This setting should be disabled.
To disable the virt_use_usb SELinux boolean, run the following command:

    $ sudo setsebool -P virt_use_usb off

Remediation Shell script:

    var_virt_use_usb=""
    setsebool -P virt_use_usb $var_virt_use_usb

Remediation Ansible snippet:

    - name: XCCDF Value var_virt_use_usb # promote to variable
      set_fact:
        var_virt_use_usb: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_virt_use_usb
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean virt_use_usb accordingly
      seboolean:
        name: virt_use_usb
        state: "{{ var_virt_use_usb }}"
        persistent: yes
      tags:
        - sebool_virt_use_usb
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the nis_enabled SELinux Boolean

By default, the SELinux boolean nis_enabled is disabled. If this setting is enabled, it should be disabled.
To disable the nis_enabled SELinux boolean, run the following command:

    $ sudo setsebool -P nis_enabled off

Remediation Shell script:

    var_nis_enabled=""
    setsebool -P nis_enabled $var_nis_enabled

Remediation Ansible snippet:

    - name: XCCDF Value var_nis_enabled # promote to variable
      set_fact:
        var_nis_enabled: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_nis_enabled
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean nis_enabled accordingly
      seboolean:
        name: nis_enabled
        state: "{{ var_nis_enabled }}"
        persistent: yes
      tags:
        - sebool_nis_enabled
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the selinuxuser_mysql_connect_enabled SELinux Boolean

By default, the SELinux boolean selinuxuser_mysql_connect_enabled is disabled. If this setting is enabled, it should be disabled.
To disable the selinuxuser_mysql_connect_enabled SELinux boolean, run the following command:

    $ sudo setsebool -P selinuxuser_mysql_connect_enabled off

Remediation Shell script:

    var_selinuxuser_mysql_connect_enabled=""
    setsebool -P selinuxuser_mysql_connect_enabled $var_selinuxuser_mysql_connect_enabled

Remediation Ansible snippet:

    - name: XCCDF Value var_selinuxuser_mysql_connect_enabled # promote to variable
      set_fact:
        var_selinuxuser_mysql_connect_enabled: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_selinuxuser_mysql_connect_enabled
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean selinuxuser_mysql_connect_enabled accordingly
      seboolean:
        name: selinuxuser_mysql_connect_enabled
        state: "{{ var_selinuxuser_mysql_connect_enabled }}"
        persistent: yes
      tags:
        - sebool_selinuxuser_mysql_connect_enabled
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the samba_share_fusefs SELinux Boolean

By default, the SELinux boolean samba_share_fusefs is disabled. If this setting is enabled, it should be disabled.
To disable the samba_share_fusefs SELinux boolean, run the following command:

    $ sudo setsebool -P samba_share_fusefs off

Remediation Shell script:

    var_samba_share_fusefs=""
    setsebool -P samba_share_fusefs $var_samba_share_fusefs

Remediation Ansible snippet:

    - name: XCCDF Value var_samba_share_fusefs # promote to variable
      set_fact:
        var_samba_share_fusefs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_samba_share_fusefs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean samba_share_fusefs accordingly
      seboolean:
        name: samba_share_fusefs
        state: "{{ var_samba_share_fusefs }}"
        persistent: yes
      tags:
        - sebool_samba_share_fusefs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_enable_ftp_server SELinux Boolean

By default, the SELinux boolean httpd_enable_ftp_server is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_enable_ftp_server SELinux boolean, run the following command:

$ sudo setsebool -P httpd_enable_ftp_server off

Remediation shell script:

var_httpd_enable_ftp_server=""
setsebool -P httpd_enable_ftp_server $var_httpd_enable_ftp_server

Remediation Ansible snippet:

- name: XCCDF Value var_httpd_enable_ftp_server # promote to variable
  set_fact:
    var_httpd_enable_ftp_server: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_httpd_enable_ftp_server
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean httpd_enable_ftp_server accordingly
  seboolean:
    name: httpd_enable_ftp_server
    state: "{{ var_httpd_enable_ftp_server }}"
    persistent: yes
  tags:
    - sebool_httpd_enable_ftp_server
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the pppd_for_user SELinux Boolean

By default, the SELinux boolean pppd_for_user is disabled. If this setting is enabled, it should be disabled.
To disable the pppd_for_user SELinux boolean, run the following command:

$ sudo setsebool -P pppd_for_user off

Remediation shell script:

var_pppd_for_user=""
setsebool -P pppd_for_user $var_pppd_for_user

Remediation Ansible snippet:

- name: XCCDF Value var_pppd_for_user # promote to variable
  set_fact:
    var_pppd_for_user: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_pppd_for_user
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean pppd_for_user accordingly
  seboolean:
    name: pppd_for_user
    state: "{{ var_pppd_for_user }}"
    persistent: yes
  tags:
    - sebool_pppd_for_user
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the virt_sandbox_use_all_caps SELinux Boolean

By default, the SELinux boolean virt_sandbox_use_all_caps is enabled. This setting should be disabled, as containers should not run with privileges.
To disable the virt_sandbox_use_all_caps SELinux boolean, run the following command:

$ sudo setsebool -P virt_sandbox_use_all_caps off

Remediation shell script:

var_virt_sandbox_use_all_caps=""
setsebool -P virt_sandbox_use_all_caps $var_virt_sandbox_use_all_caps

Remediation Ansible snippet:

- name: XCCDF Value var_virt_sandbox_use_all_caps # promote to variable
  set_fact:
    var_virt_sandbox_use_all_caps: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_virt_sandbox_use_all_caps
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean virt_sandbox_use_all_caps accordingly
  seboolean:
    name: virt_sandbox_use_all_caps
    state: "{{ var_virt_sandbox_use_all_caps }}"
    persistent: yes
  tags:
    - sebool_virt_sandbox_use_all_caps
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the mozilla_plugin_use_gps SELinux Boolean

By default, the SELinux boolean mozilla_plugin_use_gps is disabled. If this setting is enabled, it should be disabled.
To disable the mozilla_plugin_use_gps SELinux boolean, run the following command:

$ sudo setsebool -P mozilla_plugin_use_gps off

Remediation shell script:

var_mozilla_plugin_use_gps=""
setsebool -P mozilla_plugin_use_gps $var_mozilla_plugin_use_gps

Remediation Ansible snippet:

- name: XCCDF Value var_mozilla_plugin_use_gps # promote to variable
  set_fact:
    var_mozilla_plugin_use_gps: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_mozilla_plugin_use_gps
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean mozilla_plugin_use_gps accordingly
  seboolean:
    name: mozilla_plugin_use_gps
    state: "{{ var_mozilla_plugin_use_gps }}"
    persistent: yes
  tags:
    - sebool_mozilla_plugin_use_gps
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the samba_domain_controller SELinux Boolean

By default, the SELinux boolean samba_domain_controller is disabled. If this setting is enabled, it should be disabled.
To disable the samba_domain_controller SELinux boolean, run the following command:

$ sudo setsebool -P samba_domain_controller off

Remediation shell script:

var_samba_domain_controller=""
setsebool -P samba_domain_controller $var_samba_domain_controller

Remediation Ansible snippet:

- name: XCCDF Value var_samba_domain_controller # promote to variable
  set_fact:
    var_samba_domain_controller: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_samba_domain_controller
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean samba_domain_controller accordingly
  seboolean:
    name: samba_domain_controller
    state: "{{ var_samba_domain_controller }}"
    persistent: yes
  tags:
    - sebool_samba_domain_controller
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the boinc_execmem SELinux Boolean

By default, the SELinux boolean boinc_execmem is enabled. This setting should be disabled.
To disable the boinc_execmem SELinux boolean, run the following command:

$ sudo setsebool -P boinc_execmem off

Identifiers and references: CCE-80429-4; NIST 800-171 3.7.2

Remediation shell script:

var_boinc_execmem=""
setsebool -P boinc_execmem $var_boinc_execmem

Remediation Ansible snippet:

- name: XCCDF Value var_boinc_execmem # promote to variable
  set_fact:
    var_boinc_execmem: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_boinc_execmem
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80429-4
    - NIST-800-171-3.7.2
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean boinc_execmem accordingly
  seboolean:
    name: boinc_execmem
    state: "{{ var_boinc_execmem }}"
    persistent: yes
  tags:
    - sebool_boinc_execmem
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80429-4
    - NIST-800-171-3.7.2
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the use_fusefs_home_dirs SELinux Boolean

By default, the SELinux boolean use_fusefs_home_dirs is disabled. If this setting is enabled, it should be disabled.
To disable the use_fusefs_home_dirs SELinux boolean, run the following command:

$ sudo setsebool -P use_fusefs_home_dirs off

Remediation shell script:

var_use_fusefs_home_dirs=""
setsebool -P use_fusefs_home_dirs $var_use_fusefs_home_dirs

Remediation Ansible snippet:

- name: XCCDF Value var_use_fusefs_home_dirs # promote to variable
  set_fact:
    var_use_fusefs_home_dirs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_use_fusefs_home_dirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean use_fusefs_home_dirs accordingly
  seboolean:
    name: use_fusefs_home_dirs
    state: "{{ var_use_fusefs_home_dirs }}"
    persistent: yes
  tags:
    - sebool_use_fusefs_home_dirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the tmpreaper_use_nfs SELinux Boolean

By default, the SELinux boolean tmpreaper_use_nfs is disabled. If this setting is enabled, it should be disabled.
To disable the tmpreaper_use_nfs SELinux boolean, run the following command:

$ sudo setsebool -P tmpreaper_use_nfs off

Remediation shell script:

var_tmpreaper_use_nfs=""
setsebool -P tmpreaper_use_nfs $var_tmpreaper_use_nfs

Remediation Ansible snippet:

- name: XCCDF Value var_tmpreaper_use_nfs # promote to variable
  set_fact:
    var_tmpreaper_use_nfs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_tmpreaper_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean tmpreaper_use_nfs accordingly
  seboolean:
    name: tmpreaper_use_nfs
    state: "{{ var_tmpreaper_use_nfs }}"
    persistent: yes
  tags:
    - sebool_tmpreaper_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the sanlock_use_fusefs SELinux Boolean

By default, the SELinux boolean sanlock_use_fusefs is disabled. If this setting is enabled, it should be disabled.
To disable the sanlock_use_fusefs SELinux boolean, run the following command:

$ sudo setsebool -P sanlock_use_fusefs off

Remediation shell script:

var_sanlock_use_fusefs=""
setsebool -P sanlock_use_fusefs $var_sanlock_use_fusefs

Remediation Ansible snippet:

- name: XCCDF Value var_sanlock_use_fusefs # promote to variable
  set_fact:
    var_sanlock_use_fusefs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_sanlock_use_fusefs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean sanlock_use_fusefs accordingly
  seboolean:
    name: sanlock_use_fusefs
    state: "{{ var_sanlock_use_fusefs }}"
    persistent: yes
  tags:
    - sebool_sanlock_use_fusefs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the ssh_keysign SELinux Boolean

By default, the SELinux boolean ssh_keysign is disabled. If this setting is enabled, it should be disabled.
To disable the ssh_keysign SELinux boolean, run the following command:

$ sudo setsebool -P ssh_keysign off

Remediation shell script:

var_ssh_keysign=""
setsebool -P ssh_keysign $var_ssh_keysign

Remediation Ansible snippet:

- name: XCCDF Value var_ssh_keysign # promote to variable
  set_fact:
    var_ssh_keysign: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_ssh_keysign
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean ssh_keysign accordingly
  seboolean:
    name: ssh_keysign
    state: "{{ var_ssh_keysign }}"
    persistent: yes
  tags:
    - sebool_ssh_keysign
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_tmp_exec SELinux Boolean

By default, the SELinux boolean httpd_tmp_exec is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_tmp_exec SELinux boolean, run the following command:

$ sudo setsebool -P httpd_tmp_exec off

Remediation shell script:

var_httpd_tmp_exec=""
setsebool -P httpd_tmp_exec $var_httpd_tmp_exec

Remediation Ansible snippet:

- name: XCCDF Value var_httpd_tmp_exec # promote to variable
  set_fact:
    var_httpd_tmp_exec: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_httpd_tmp_exec
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean httpd_tmp_exec accordingly
  seboolean:
    name: httpd_tmp_exec
    state: "{{ var_httpd_tmp_exec }}"
    persistent: yes
  tags:
    - sebool_httpd_tmp_exec
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_use_fusefs SELinux Boolean

By default, the SELinux boolean httpd_use_fusefs is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_use_fusefs SELinux boolean, run the following command:

$ sudo setsebool -P httpd_use_fusefs off

Remediation shell script:

var_httpd_use_fusefs=""
setsebool -P httpd_use_fusefs $var_httpd_use_fusefs

Remediation Ansible snippet:

- name: XCCDF Value var_httpd_use_fusefs # promote to variable
  set_fact:
    var_httpd_use_fusefs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_httpd_use_fusefs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean httpd_use_fusefs accordingly
  seboolean:
    name: httpd_use_fusefs
    state: "{{ var_httpd_use_fusefs }}"
    persistent: yes
  tags:
    - sebool_httpd_use_fusefs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the staff_exec_content SELinux Boolean

By default, the SELinux boolean staff_exec_content is enabled. If this setting is disabled, it should be enabled.
To enable the staff_exec_content SELinux boolean, run the following command:

$ sudo setsebool -P staff_exec_content on

Remediation shell script:

var_staff_exec_content=""
setsebool -P staff_exec_content $var_staff_exec_content

Remediation Ansible snippet:

- name: XCCDF Value var_staff_exec_content # promote to variable
  set_fact:
    var_staff_exec_content: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_staff_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean staff_exec_content accordingly
  seboolean:
    name: staff_exec_content
    state: "{{ var_staff_exec_content }}"
    persistent: yes
  tags:
    - sebool_staff_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the nscd_use_shm SELinux Boolean

By default, the SELinux boolean nscd_use_shm is enabled. If this setting is disabled, it should be enabled to allow nscd to use shared memory.
To enable the nscd_use_shm SELinux boolean, run the following command:

$ sudo setsebool -P nscd_use_shm on

Remediation shell script:

var_nscd_use_shm=""
setsebool -P nscd_use_shm $var_nscd_use_shm

Remediation Ansible snippet:

- name: XCCDF Value var_nscd_use_shm # promote to variable
  set_fact:
    var_nscd_use_shm: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_nscd_use_shm
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean nscd_use_shm accordingly
  seboolean:
    name: nscd_use_shm
    state: "{{ var_nscd_use_shm }}"
    persistent: yes
  tags:
    - sebool_nscd_use_shm
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the global_ssp SELinux Boolean

By default, the SELinux boolean global_ssp is disabled. If this setting is enabled, it should be disabled.
To disable the global_ssp SELinux boolean, run the following command:

$ sudo setsebool -P global_ssp off

Remediation shell script:

var_global_ssp=""
setsebool -P global_ssp $var_global_ssp

Remediation Ansible snippet:

- name: XCCDF Value var_global_ssp # promote to variable
  set_fact:
    var_global_ssp: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_global_ssp
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean global_ssp accordingly
  seboolean:
    name: global_ssp
    state: "{{ var_global_ssp }}"
    persistent: yes
  tags:
    - sebool_global_ssp
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the virt_use_fusefs SELinux Boolean

By default, the SELinux boolean virt_use_fusefs is disabled. If this setting is enabled, it should be disabled.
To disable the virt_use_fusefs SELinux boolean, run the following command:

$ sudo setsebool -P virt_use_fusefs off

Remediation shell script:

var_virt_use_fusefs=""
setsebool -P virt_use_fusefs $var_virt_use_fusefs

Remediation Ansible snippet:

- name: XCCDF Value var_virt_use_fusefs # promote to variable
  set_fact:
    var_virt_use_fusefs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_virt_use_fusefs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean virt_use_fusefs accordingly
  seboolean:
    name: virt_use_fusefs
    state: "{{ var_virt_use_fusefs }}"
    persistent: yes
  tags:
    - sebool_virt_use_fusefs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the gluster_anon_write SELinux Boolean

By default, the SELinux boolean gluster_anon_write is disabled. If this setting is enabled, it should be disabled.
To disable the gluster_anon_write SELinux boolean, run the following command:

$ sudo setsebool -P gluster_anon_write off

Remediation shell script:

var_gluster_anon_write=""
setsebool -P gluster_anon_write $var_gluster_anon_write

Remediation Ansible snippet:

- name: XCCDF Value var_gluster_anon_write # promote to variable
  set_fact:
    var_gluster_anon_write: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_gluster_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean gluster_anon_write accordingly
  seboolean:
    name: gluster_anon_write
    state: "{{ var_gluster_anon_write }}"
    persistent: yes
  tags:
    - sebool_gluster_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the wine_mmap_zero_ignore SELinux Boolean

By default, the SELinux boolean wine_mmap_zero_ignore is disabled. If this setting is enabled, it should be disabled.
To disable the wine_mmap_zero_ignore SELinux boolean, run the following command:

$ sudo setsebool -P wine_mmap_zero_ignore off

Remediation shell script:

var_wine_mmap_zero_ignore=""
setsebool -P wine_mmap_zero_ignore $var_wine_mmap_zero_ignore

Remediation Ansible snippet:

- name: XCCDF Value var_wine_mmap_zero_ignore # promote to variable
  set_fact:
    var_wine_mmap_zero_ignore: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_wine_mmap_zero_ignore
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean wine_mmap_zero_ignore accordingly
  seboolean:
    name: wine_mmap_zero_ignore
    state: "{{ var_wine_mmap_zero_ignore }}"
    persistent: yes
  tags:
    - sebool_wine_mmap_zero_ignore
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the fenced_can_network_connect SELinux Boolean

By default, the SELinux boolean fenced_can_network_connect is disabled. If this setting is enabled, it should be disabled.
To disable the fenced_can_network_connect SELinux boolean, run the following command:

$ sudo setsebool -P fenced_can_network_connect off

Remediation shell script:

var_fenced_can_network_connect=""
setsebool -P fenced_can_network_connect $var_fenced_can_network_connect

Remediation Ansible snippet:

- name: XCCDF Value var_fenced_can_network_connect # promote to variable
  set_fact:
    var_fenced_can_network_connect: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_fenced_can_network_connect
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean fenced_can_network_connect accordingly
  seboolean:
    name: fenced_can_network_connect
    state: "{{ var_fenced_can_network_connect }}"
    persistent: yes
  tags:
    - sebool_fenced_can_network_connect
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the zabbix_can_network SELinux Boolean

By default, the SELinux boolean zabbix_can_network is disabled. If this setting is enabled, it should be disabled.
To disable the zabbix_can_network SELinux boolean, run the following command:

$ sudo setsebool -P zabbix_can_network off

Remediation shell script:

var_zabbix_can_network=""
setsebool -P zabbix_can_network $var_zabbix_can_network

Remediation Ansible snippet:

- name: XCCDF Value var_zabbix_can_network # promote to variable
  set_fact:
    var_zabbix_can_network: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_zabbix_can_network
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean zabbix_can_network accordingly
  seboolean:
    name: zabbix_can_network
    state: "{{ var_zabbix_can_network }}"
    persistent: yes
  tags:
    - sebool_zabbix_can_network
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the virt_use_nfs SELinux Boolean

By default, the SELinux boolean virt_use_nfs is disabled. If this setting is enabled, it should be disabled.
To disable the virt_use_nfs SELinux boolean, run the following command:

$ sudo setsebool -P virt_use_nfs off

Remediation shell script:

var_virt_use_nfs=""
setsebool -P virt_use_nfs $var_virt_use_nfs

Remediation Ansible snippet:

- name: XCCDF Value var_virt_use_nfs # promote to variable
  set_fact:
    var_virt_use_nfs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_virt_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean virt_use_nfs accordingly
  seboolean:
    name: virt_use_nfs
    state: "{{ var_virt_use_nfs }}"
    persistent: yes
  tags:
    - sebool_virt_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the prosody_bind_http_port SELinux Boolean

By default, the SELinux boolean prosody_bind_http_port is disabled. If this setting is enabled, it should be disabled.
To disable the prosody_bind_http_port SELinux boolean, run the following command:

$ sudo setsebool -P prosody_bind_http_port off

Remediation shell script:

var_prosody_bind_http_port=""
setsebool -P prosody_bind_http_port $var_prosody_bind_http_port

Remediation Ansible snippet:

- name: XCCDF Value var_prosody_bind_http_port # promote to variable
  set_fact:
    var_prosody_bind_http_port: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_prosody_bind_http_port
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean prosody_bind_http_port accordingly
  seboolean:
    name: prosody_bind_http_port
    state: "{{ var_prosody_bind_http_port }}"
    persistent: yes
  tags:
    - sebool_prosody_bind_http_port
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the use_samba_home_dirs SELinux Boolean

By default, the SELinux boolean use_samba_home_dirs is disabled. If this setting is enabled, it should be disabled.
To disable the use_samba_home_dirs SELinux boolean, run the following command:

$ sudo setsebool -P use_samba_home_dirs off

Remediation shell script:

var_use_samba_home_dirs=""
setsebool -P use_samba_home_dirs $var_use_samba_home_dirs

Remediation Ansible snippet:

- name: XCCDF Value var_use_samba_home_dirs # promote to variable
  set_fact:
    var_use_samba_home_dirs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_use_samba_home_dirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean use_samba_home_dirs accordingly
  seboolean:
    name: use_samba_home_dirs
    state: "{{ var_use_samba_home_dirs }}"
    persistent: yes
  tags:
    - sebool_use_samba_home_dirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the cron_userdomain_transition SELinux Boolean

By default, the SELinux boolean cron_userdomain_transition is enabled. This setting should be enabled so that end-user cron jobs run in their default associated user domain(s) instead of the general cronjob domain.
To enable the cron_userdomain_transition SELinux boolean, run the following command:

$ sudo setsebool -P cron_userdomain_transition on

Remediation shell script:

var_cron_userdomain_transition=""
setsebool -P cron_userdomain_transition $var_cron_userdomain_transition

Remediation Ansible snippet:

- name: XCCDF Value var_cron_userdomain_transition # promote to variable
  set_fact:
    var_cron_userdomain_transition: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_cron_userdomain_transition
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean cron_userdomain_transition accordingly
  seboolean:
    name: cron_userdomain_transition
    state: "{{ var_cron_userdomain_transition }}"
    persistent: yes
  tags:
    - sebool_cron_userdomain_transition
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the spamassassin_can_network SELinux Boolean

By default, the SELinux boolean spamassassin_can_network is disabled. If this setting is enabled, it should be disabled.
To disable the spamassassin_can_network SELinux boolean, run the following command:

$ sudo setsebool -P spamassassin_can_network off

Remediation shell script:

var_spamassassin_can_network=""
setsebool -P spamassassin_can_network $var_spamassassin_can_network

Remediation Ansible snippet:

- name: XCCDF Value var_spamassassin_can_network # promote to variable
  set_fact:
    var_spamassassin_can_network: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_spamassassin_can_network
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean spamassassin_can_network accordingly
  seboolean:
    name: spamassassin_can_network
    state: "{{ var_spamassassin_can_network }}"
    persistent: yes
  tags:
    - sebool_spamassassin_can_network
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the git_cgi_use_nfs SELinux Boolean

By default, the SELinux boolean git_cgi_use_nfs is disabled. If this setting is enabled, it should be disabled.
To disable the git_cgi_use_nfs SELinux boolean, run the following command:

    $ sudo setsebool -P git_cgi_use_nfs off

Remediation Shell script:

    var_git_cgi_use_nfs=""

    setsebool -P git_cgi_use_nfs $var_git_cgi_use_nfs

Remediation Ansible snippet:

    - name: XCCDF Value var_git_cgi_use_nfs # promote to variable
      set_fact:
        var_git_cgi_use_nfs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_git_cgi_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean git_cgi_use_nfs accordingly
      seboolean:
        name: git_cgi_use_nfs
        state: "{{ var_git_cgi_use_nfs }}"
        persistent: yes
      tags:
        - sebool_git_cgi_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the secure_mode_insmod SELinux Boolean

By default, the SELinux boolean secure_mode_insmod is disabled. If this setting is enabled, it should be disabled.
To disable the secure_mode_insmod SELinux boolean, run the following command:

    $ sudo setsebool -P secure_mode_insmod off

Remediation Shell script:

    var_secure_mode_insmod=""

    setsebool -P secure_mode_insmod $var_secure_mode_insmod

Remediation Ansible snippet:

    - name: XCCDF Value var_secure_mode_insmod # promote to variable
      set_fact:
        var_secure_mode_insmod: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_secure_mode_insmod
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean secure_mode_insmod accordingly
      seboolean:
        name: secure_mode_insmod
        state: "{{ var_secure_mode_insmod }}"
        persistent: yes
      tags:
        - sebool_secure_mode_insmod
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the mysql_connect_any SELinux Boolean

By default, the SELinux boolean mysql_connect_any is disabled. If this setting is enabled, it should be disabled.
To disable the mysql_connect_any SELinux boolean, run the following command:

    $ sudo setsebool -P mysql_connect_any off

Remediation Shell script:

    var_mysql_connect_any=""

    setsebool -P mysql_connect_any $var_mysql_connect_any

Remediation Ansible snippet:

    - name: XCCDF Value var_mysql_connect_any # promote to variable
      set_fact:
        var_mysql_connect_any: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_mysql_connect_any
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean mysql_connect_any accordingly
      seboolean:
        name: mysql_connect_any
        state: "{{ var_mysql_connect_any }}"
        persistent: yes
      tags:
        - sebool_mysql_connect_any
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the samba_load_libgfapi SELinux Boolean

By default, the SELinux boolean samba_load_libgfapi is disabled. If this setting is enabled, it should be disabled.
To disable the samba_load_libgfapi SELinux boolean, run the following command:

    $ sudo setsebool -P samba_load_libgfapi off

Remediation Shell script:

    var_samba_load_libgfapi=""

    setsebool -P samba_load_libgfapi $var_samba_load_libgfapi

Remediation Ansible snippet:

    - name: XCCDF Value var_samba_load_libgfapi # promote to variable
      set_fact:
        var_samba_load_libgfapi: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_samba_load_libgfapi
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean samba_load_libgfapi accordingly
      seboolean:
        name: samba_load_libgfapi
        state: "{{ var_samba_load_libgfapi }}"
        persistent: yes
      tags:
        - sebool_samba_load_libgfapi
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the samba_portmapper SELinux Boolean

By default, the SELinux boolean samba_portmapper is disabled. If this setting is enabled, it should be disabled.
To disable the samba_portmapper SELinux boolean, run the following command:

    $ sudo setsebool -P samba_portmapper off

Remediation Shell script:

    var_samba_portmapper=""

    setsebool -P samba_portmapper $var_samba_portmapper

Remediation Ansible snippet:

    - name: XCCDF Value var_samba_portmapper # promote to variable
      set_fact:
        var_samba_portmapper: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_samba_portmapper
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean samba_portmapper accordingly
      seboolean:
        name: samba_portmapper
        state: "{{ var_samba_portmapper }}"
        persistent: yes
      tags:
        - sebool_samba_portmapper
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_run_preupgrade SELinux Boolean

By default, the SELinux boolean httpd_run_preupgrade is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_run_preupgrade SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_run_preupgrade off

Remediation Shell script:

    var_httpd_run_preupgrade=""

    setsebool -P httpd_run_preupgrade $var_httpd_run_preupgrade

Remediation Ansible snippet:

    - name: XCCDF Value var_httpd_run_preupgrade # promote to variable
      set_fact:
        var_httpd_run_preupgrade: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_run_preupgrade
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_run_preupgrade accordingly
      seboolean:
        name: httpd_run_preupgrade
        state: "{{ var_httpd_run_preupgrade }}"
        persistent: yes
      tags:
        - sebool_httpd_run_preupgrade
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the virt_use_xserver SELinux Boolean

By default, the SELinux boolean virt_use_xserver is disabled. If this setting is enabled, it should be disabled.
To disable the virt_use_xserver SELinux boolean, run the following command:

    $ sudo setsebool -P virt_use_xserver off

Remediation Shell script:

    var_virt_use_xserver=""

    setsebool -P virt_use_xserver $var_virt_use_xserver

Remediation Ansible snippet:

    - name: XCCDF Value var_virt_use_xserver # promote to variable
      set_fact:
        var_virt_use_xserver: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_virt_use_xserver
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean virt_use_xserver accordingly
      seboolean:
        name: virt_use_xserver
        state: "{{ var_virt_use_xserver }}"
        persistent: yes
      tags:
        - sebool_virt_use_xserver
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the mplayer_execstack SELinux Boolean

By default, the SELinux boolean mplayer_execstack is disabled. If this setting is enabled, it should be disabled.
To disable the mplayer_execstack SELinux boolean, run the following command:

    $ sudo setsebool -P mplayer_execstack off

Remediation Shell script:

    var_mplayer_execstack=""

    setsebool -P mplayer_execstack $var_mplayer_execstack

Remediation Ansible snippet:

    - name: XCCDF Value var_mplayer_execstack # promote to variable
      set_fact:
        var_mplayer_execstack: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_mplayer_execstack
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean mplayer_execstack accordingly
      seboolean:
        name: mplayer_execstack
        state: "{{ var_mplayer_execstack }}"
        persistent: yes
      tags:
        - sebool_mplayer_execstack
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the selinuxuser_rw_noexattrfile SELinux Boolean

By default, the SELinux boolean selinuxuser_rw_noexattrfile is enabled. This setting should be disabled, as users should not be able to read/write files on filesystems that do not have extended attributes, e.g. FAT, CDROM, FLOPPY, etc.
To disable the selinuxuser_rw_noexattrfile SELinux boolean, run the following command:

    $ sudo setsebool -P selinuxuser_rw_noexattrfile off

Remediation Shell script:

    var_selinuxuser_rw_noexattrfile=""

    setsebool -P selinuxuser_rw_noexattrfile $var_selinuxuser_rw_noexattrfile

Remediation Ansible snippet:

    - name: XCCDF Value var_selinuxuser_rw_noexattrfile # promote to variable
      set_fact:
        var_selinuxuser_rw_noexattrfile: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_selinuxuser_rw_noexattrfile
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean selinuxuser_rw_noexattrfile accordingly
      seboolean:
        name: selinuxuser_rw_noexattrfile
        state: "{{ var_selinuxuser_rw_noexattrfile }}"
        persistent: yes
      tags:
        - sebool_selinuxuser_rw_noexattrfile
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the neutron_can_network SELinux Boolean

By default, the SELinux boolean neutron_can_network is disabled. If this setting is enabled, it should be disabled.
To disable the neutron_can_network SELinux boolean, run the following command:

    $ sudo setsebool -P neutron_can_network off

Remediation Shell script:

    var_neutron_can_network=""

    setsebool -P neutron_can_network $var_neutron_can_network

Remediation Ansible snippet:

    - name: XCCDF Value var_neutron_can_network # promote to variable
      set_fact:
        var_neutron_can_network: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_neutron_can_network
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean neutron_can_network accordingly
      seboolean:
        name: neutron_can_network
        state: "{{ var_neutron_can_network }}"
        persistent: yes
      tags:
        - sebool_neutron_can_network
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the ftpd_full_access SELinux Boolean

By default, the SELinux boolean ftpd_full_access is disabled. If this setting is enabled, it should be disabled.
To disable the ftpd_full_access SELinux boolean, run the following command:

    $ sudo setsebool -P ftpd_full_access off

Remediation Shell script:

    var_ftpd_full_access=""

    setsebool -P ftpd_full_access $var_ftpd_full_access

Remediation Ansible snippet:

    - name: XCCDF Value var_ftpd_full_access # promote to variable
      set_fact:
        var_ftpd_full_access: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_ftpd_full_access
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean ftpd_full_access accordingly
      seboolean:
        name: ftpd_full_access
        state: "{{ var_ftpd_full_access }}"
        persistent: yes
      tags:
        - sebool_ftpd_full_access
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the ftpd_use_fusefs SELinux Boolean

By default, the SELinux boolean ftpd_use_fusefs is disabled. If this setting is enabled, it should be disabled.
To disable the ftpd_use_fusefs SELinux boolean, run the following command:

    $ sudo setsebool -P ftpd_use_fusefs off

Remediation Shell script:

    var_ftpd_use_fusefs=""

    setsebool -P ftpd_use_fusefs $var_ftpd_use_fusefs

Remediation Ansible snippet:

    - name: XCCDF Value var_ftpd_use_fusefs # promote to variable
      set_fact:
        var_ftpd_use_fusefs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_ftpd_use_fusefs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean ftpd_use_fusefs accordingly
      seboolean:
        name: ftpd_use_fusefs
        state: "{{ var_ftpd_use_fusefs }}"
        persistent: yes
      tags:
        - sebool_ftpd_use_fusefs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the deny_execmem SELinux Boolean

By default, the SELinux boolean deny_execmem is disabled. If this setting is enabled, it should be disabled.
To disable the deny_execmem SELinux boolean, run the following command:

    $ sudo setsebool -P deny_execmem off

Remediation Shell script:

    var_deny_execmem=""

    setsebool -P deny_execmem $var_deny_execmem

Remediation Ansible snippet:

    - name: XCCDF Value var_deny_execmem # promote to variable
      set_fact:
        var_deny_execmem: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_deny_execmem
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean deny_execmem accordingly
      seboolean:
        name: deny_execmem
        state: "{{ var_deny_execmem }}"
        persistent: yes
      tags:
        - sebool_deny_execmem
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the ssh_chroot_rw_homedirs SELinux Boolean

By default, the SELinux boolean ssh_chroot_rw_homedirs is disabled. If this setting is enabled, it should be disabled.
To disable the ssh_chroot_rw_homedirs SELinux boolean, run the following command:

    $ sudo setsebool -P ssh_chroot_rw_homedirs off

Remediation Shell script:

    var_ssh_chroot_rw_homedirs=""

    setsebool -P ssh_chroot_rw_homedirs $var_ssh_chroot_rw_homedirs

Remediation Ansible snippet:

    - name: XCCDF Value var_ssh_chroot_rw_homedirs # promote to variable
      set_fact:
        var_ssh_chroot_rw_homedirs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_ssh_chroot_rw_homedirs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean ssh_chroot_rw_homedirs accordingly
      seboolean:
        name: ssh_chroot_rw_homedirs
        state: "{{ var_ssh_chroot_rw_homedirs }}"
        persistent: yes
      tags:
        - sebool_ssh_chroot_rw_homedirs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_mod_auth_pam SELinux Boolean

By default, the SELinux boolean httpd_mod_auth_pam is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_mod_auth_pam SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_mod_auth_pam off

Remediation Shell script:

    var_httpd_mod_auth_pam=""

    setsebool -P httpd_mod_auth_pam $var_httpd_mod_auth_pam

Remediation Ansible snippet:

    - name: XCCDF Value var_httpd_mod_auth_pam # promote to variable
      set_fact:
        var_httpd_mod_auth_pam: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_mod_auth_pam
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_mod_auth_pam accordingly
      seboolean:
        name: httpd_mod_auth_pam
        state: "{{ var_httpd_mod_auth_pam }}"
        persistent: yes
      tags:
        - sebool_httpd_mod_auth_pam
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the authlogin_yubikey SELinux Boolean

By default, the SELinux boolean authlogin_yubikey is disabled. If this setting is enabled, it should be disabled.
To disable the authlogin_yubikey SELinux boolean, run the following command:

    $ sudo setsebool -P authlogin_yubikey off

References: CCE-80427-8; NIST 800-171 3.7.2

Remediation Shell script:

    var_authlogin_yubikey=""

    setsebool -P authlogin_yubikey $var_authlogin_yubikey

Remediation Ansible snippet:

    - name: XCCDF Value var_authlogin_yubikey # promote to variable
      set_fact:
        var_authlogin_yubikey: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_authlogin_yubikey
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80427-8
        - NIST-800-171-3.7.2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean authlogin_yubikey accordingly
      seboolean:
        name: authlogin_yubikey
        state: "{{ var_authlogin_yubikey }}"
        persistent: yes
      tags:
        - sebool_authlogin_yubikey
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80427-8
        - NIST-800-171-3.7.2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the virt_use_samba SELinux Boolean

By default, the SELinux boolean virt_use_samba is disabled. If this setting is enabled, it should be disabled.
To disable the virt_use_samba SELinux boolean, run the following command:

    $ sudo setsebool -P virt_use_samba off

Remediation Shell script:

    var_virt_use_samba=""

    setsebool -P virt_use_samba $var_virt_use_samba

Remediation Ansible snippet:

    - name: XCCDF Value var_virt_use_samba # promote to variable
      set_fact:
        var_virt_use_samba: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_virt_use_samba
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean virt_use_samba accordingly
      seboolean:
        name: virt_use_samba
        state: "{{ var_virt_use_samba }}"
        persistent: yes
      tags:
        - sebool_virt_use_samba
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_can_connect_ftp SELinux Boolean

By default, the SELinux boolean httpd_can_connect_ftp is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_can_connect_ftp SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_can_connect_ftp off

Remediation Shell script:

    var_httpd_can_connect_ftp=""

    setsebool -P httpd_can_connect_ftp $var_httpd_can_connect_ftp

Remediation Ansible snippet:

    - name: XCCDF Value var_httpd_can_connect_ftp # promote to variable
      set_fact:
        var_httpd_can_connect_ftp: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_can_connect_ftp
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_can_connect_ftp accordingly
      seboolean:
        name: httpd_can_connect_ftp
        state: "{{ var_httpd_can_connect_ftp }}"
        persistent: yes
      tags:
        - sebool_httpd_can_connect_ftp
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the abrt_anon_write SELinux Boolean

By default, the SELinux boolean abrt_anon_write is disabled. If this setting is enabled, it should be disabled.
To disable the abrt_anon_write SELinux boolean, run the following command:

    $ sudo setsebool -P abrt_anon_write off

References: CCE-80419-5; NIST 800-171 3.7.2

Remediation Shell script:

    var_abrt_anon_write=""

    setsebool -P abrt_anon_write $var_abrt_anon_write

Remediation Ansible snippet:

    - name: XCCDF Value var_abrt_anon_write # promote to variable
      set_fact:
        var_abrt_anon_write: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_abrt_anon_write
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80419-5
        - NIST-800-171-3.7.2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean abrt_anon_write accordingly
      seboolean:
        name: abrt_anon_write
        state: "{{ var_abrt_anon_write }}"
        persistent: yes
      tags:
        - sebool_abrt_anon_write
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80419-5
        - NIST-800-171-3.7.2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the named_tcp_bind_http_port SELinux Boolean

By default, the SELinux boolean named_tcp_bind_http_port is disabled. If this setting is enabled, it should be disabled.
To disable the named_tcp_bind_http_port SELinux boolean, run the following command:

    $ sudo setsebool -P named_tcp_bind_http_port off

Remediation Shell script:

    var_named_tcp_bind_http_port=""

    setsebool -P named_tcp_bind_http_port $var_named_tcp_bind_http_port

Remediation Ansible snippet:

    - name: XCCDF Value var_named_tcp_bind_http_port # promote to variable
      set_fact:
        var_named_tcp_bind_http_port: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_named_tcp_bind_http_port
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean named_tcp_bind_http_port accordingly
      seboolean:
        name: named_tcp_bind_http_port
        state: "{{ var_named_tcp_bind_http_port }}"
        persistent: yes
      tags:
        - sebool_named_tcp_bind_http_port
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the squid_use_tproxy SELinux Boolean

By default, the SELinux boolean squid_use_tproxy is disabled. If this setting is enabled, it should be disabled.
To disable the squid_use_tproxy SELinux boolean, run the following command:

    $ sudo setsebool -P squid_use_tproxy off

Remediation Shell script:

    var_squid_use_tproxy=""

    setsebool -P squid_use_tproxy $var_squid_use_tproxy

Remediation Ansible snippet:

    - name: XCCDF Value var_squid_use_tproxy # promote to variable
      set_fact:
        var_squid_use_tproxy: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_squid_use_tproxy
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean squid_use_tproxy accordingly
      seboolean:
        name: squid_use_tproxy
        state: "{{ var_squid_use_tproxy }}"
        persistent: yes
      tags:
        - sebool_squid_use_tproxy
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the dhcpd_use_ldap SELinux Boolean

By default, the SELinux boolean dhcpd_use_ldap is disabled. If this setting is enabled, it should be disabled.
To disable the dhcpd_use_ldap SELinux boolean, run the following command:

    $ sudo setsebool -P dhcpd_use_ldap off

Remediation Shell script:

    var_dhcpd_use_ldap=""

    setsebool -P dhcpd_use_ldap $var_dhcpd_use_ldap

Remediation Ansible snippet:

    - name: XCCDF Value var_dhcpd_use_ldap # promote to variable
      set_fact:
        var_dhcpd_use_ldap: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_dhcpd_use_ldap
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean dhcpd_use_ldap accordingly
      seboolean:
        name: dhcpd_use_ldap
        state: "{{ var_dhcpd_use_ldap }}"
        persistent: yes
      tags:
        - sebool_dhcpd_use_ldap
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the tftp_home_dir SELinux Boolean

By default, the SELinux boolean tftp_home_dir is disabled. If this setting is enabled, it should be disabled.
To disable the tftp_home_dir SELinux boolean, run the following command:

    $ sudo setsebool -P tftp_home_dir off

Remediation Shell script:

    var_tftp_home_dir=""

    setsebool -P tftp_home_dir $var_tftp_home_dir

Remediation Ansible snippet:

    - name: XCCDF Value var_tftp_home_dir # promote to variable
      set_fact:
        var_tftp_home_dir: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_tftp_home_dir
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean tftp_home_dir accordingly
      seboolean:
        name: tftp_home_dir
        state: "{{ var_tftp_home_dir }}"
        persistent: yes
      tags:
        - sebool_tftp_home_dir
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the awstats_purge_apache_log_files SELinux Boolean

By default, the SELinux boolean awstats_purge_apache_log_files is disabled. If this setting is enabled, it should be disabled.
To disable the awstats_purge_apache_log_files SELinux boolean, run the following command:

    $ sudo setsebool -P awstats_purge_apache_log_files off

References: CCE-80428-6; NIST 800-171 3.7.2

Remediation Shell script:

    var_awstats_purge_apache_log_files=""

    setsebool -P awstats_purge_apache_log_files $var_awstats_purge_apache_log_files

Remediation Ansible snippet:

    - name: XCCDF Value var_awstats_purge_apache_log_files # promote to variable
      set_fact:
        var_awstats_purge_apache_log_files: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_awstats_purge_apache_log_files
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80428-6
        - NIST-800-171-3.7.2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean awstats_purge_apache_log_files accordingly
      seboolean:
        name: awstats_purge_apache_log_files
        state: "{{ var_awstats_purge_apache_log_files }}"
        persistent: yes
      tags:
        - sebool_awstats_purge_apache_log_files
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80428-6
        - NIST-800-171-3.7.2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the samba_share_nfs SELinux Boolean

By default, the SELinux boolean samba_share_nfs is disabled. If this setting is enabled, it should be disabled.
To disable the samba_share_nfs SELinux boolean, run the following command:

    $ sudo setsebool -P samba_share_nfs off

Remediation Shell script:

    var_samba_share_nfs="off"
    setsebool -P samba_share_nfs $var_samba_share_nfs

Remediation Ansible snippet:

    - name: XCCDF Value var_samba_share_nfs # promote to variable
      set_fact:
        var_samba_share_nfs: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_samba_share_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean samba_share_nfs accordingly
      seboolean:
        name: samba_share_nfs
        state: "{{ var_samba_share_nfs }}"
        persistent: yes
      tags:
        - sebool_samba_share_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the glance_use_fusefs SELinux Boolean

By default, the SELinux boolean glance_use_fusefs is disabled. If this setting is enabled, it should be disabled.
To disable the glance_use_fusefs SELinux boolean, run the following command:

    $ sudo setsebool -P glance_use_fusefs off

Remediation Shell script:

    var_glance_use_fusefs="off"
    setsebool -P glance_use_fusefs $var_glance_use_fusefs

Remediation Ansible snippet:

    - name: XCCDF Value var_glance_use_fusefs # promote to variable
      set_fact:
        var_glance_use_fusefs: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_glance_use_fusefs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean glance_use_fusefs accordingly
      seboolean:
        name: glance_use_fusefs
        state: "{{ var_glance_use_fusefs }}"
        persistent: yes
      tags:
        - sebool_glance_use_fusefs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the sanlock_use_nfs SELinux Boolean

By default, the SELinux boolean sanlock_use_nfs is disabled. If this setting is enabled, it should be disabled.
To disable the sanlock_use_nfs SELinux boolean, run the following command:

    $ sudo setsebool -P sanlock_use_nfs off

Remediation Shell script:

    var_sanlock_use_nfs="off"
    setsebool -P sanlock_use_nfs $var_sanlock_use_nfs

Remediation Ansible snippet:

    - name: XCCDF Value var_sanlock_use_nfs # promote to variable
      set_fact:
        var_sanlock_use_nfs: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_sanlock_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean sanlock_use_nfs accordingly
      seboolean:
        name: sanlock_use_nfs
        state: "{{ var_sanlock_use_nfs }}"
        persistent: yes
      tags:
        - sebool_sanlock_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure the gluster_export_all_rw SELinux Boolean

By default, the SELinux boolean gluster_export_all_rw is enabled. If GlusterFS is in use, this setting should be enabled. Otherwise, disable it.
To disable the gluster_export_all_rw SELinux boolean, run the following command:

    $ sudo setsebool -P gluster_export_all_rw off

Remediation Shell script:

    var_gluster_export_all_rw="off"
    setsebool -P gluster_export_all_rw $var_gluster_export_all_rw

Remediation Ansible snippet:

    - name: XCCDF Value var_gluster_export_all_rw # promote to variable
      set_fact:
        var_gluster_export_all_rw: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_gluster_export_all_rw
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean gluster_export_all_rw accordingly
      seboolean:
        name: gluster_export_all_rw
        state: "{{ var_gluster_export_all_rw }}"
        persistent: yes
      tags:
        - sebool_gluster_export_all_rw
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the mozilla_plugin_bind_unreserved_ports SELinux Boolean

By default, the SELinux boolean mozilla_plugin_bind_unreserved_ports is disabled. If this setting is enabled, it should be disabled.
To disable the mozilla_plugin_bind_unreserved_ports SELinux boolean, run the following command:

    $ sudo setsebool -P mozilla_plugin_bind_unreserved_ports off

Remediation Shell script:

    var_mozilla_plugin_bind_unreserved_ports="off"
    setsebool -P mozilla_plugin_bind_unreserved_ports $var_mozilla_plugin_bind_unreserved_ports

Remediation Ansible snippet:

    - name: XCCDF Value var_mozilla_plugin_bind_unreserved_ports # promote to variable
      set_fact:
        var_mozilla_plugin_bind_unreserved_ports: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_mozilla_plugin_bind_unreserved_ports
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean mozilla_plugin_bind_unreserved_ports accordingly
      seboolean:
        name: mozilla_plugin_bind_unreserved_ports
        state: "{{ var_mozilla_plugin_bind_unreserved_ports }}"
        persistent: yes
      tags:
        - sebool_mozilla_plugin_bind_unreserved_ports
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the logging_syslogd_use_tty SELinux Boolean

By default, the SELinux boolean logging_syslogd_use_tty is enabled. If this setting is disabled, it should be enabled, as it allows syslog to read from and write to the terminal.
To enable the logging_syslogd_use_tty SELinux boolean, run the following command:

    $ sudo setsebool -P logging_syslogd_use_tty on

Remediation Shell script:

    var_logging_syslogd_use_tty="on"
    setsebool -P logging_syslogd_use_tty $var_logging_syslogd_use_tty

Remediation Ansible snippet:

    - name: XCCDF Value var_logging_syslogd_use_tty # promote to variable
      set_fact:
        var_logging_syslogd_use_tty: !!str on
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_logging_syslogd_use_tty
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean logging_syslogd_use_tty accordingly
      seboolean:
        name: logging_syslogd_use_tty
        state: "{{ var_logging_syslogd_use_tty }}"
        persistent: yes
      tags:
        - sebool_logging_syslogd_use_tty
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the login_console_enabled SELinux Boolean

By default, the SELinux boolean login_console_enabled is enabled. If this setting is disabled, it should be enabled, as it allows login from /dev/console to a console session.
To enable the login_console_enabled SELinux boolean, run the following command:

    $ sudo setsebool -P login_console_enabled on

Remediation Shell script:

    var_login_console_enabled="on"
    setsebool -P login_console_enabled $var_login_console_enabled

Remediation Ansible snippet:

    - name: XCCDF Value var_login_console_enabled # promote to variable
      set_fact:
        var_login_console_enabled: !!str on
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_login_console_enabled
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean login_console_enabled accordingly
      seboolean:
        name: login_console_enabled
        state: "{{ var_login_console_enabled }}"
        persistent: yes
      tags:
        - sebool_login_console_enabled
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the glance_api_can_network SELinux Boolean

By default, the SELinux boolean glance_api_can_network is disabled. If this setting is enabled, it should be disabled.
To disable the glance_api_can_network SELinux boolean, run the following command:

    $ sudo setsebool -P glance_api_can_network off

Remediation Shell script:

    var_glance_api_can_network="off"
    setsebool -P glance_api_can_network $var_glance_api_can_network

Remediation Ansible snippet:

    - name: XCCDF Value var_glance_api_can_network # promote to variable
      set_fact:
        var_glance_api_can_network: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_glance_api_can_network
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean glance_api_can_network accordingly
      seboolean:
        name: glance_api_can_network
        state: "{{ var_glance_api_can_network }}"
        persistent: yes
      tags:
        - sebool_glance_api_can_network
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the abrt_handle_event SELinux Boolean

By default, the SELinux boolean abrt_handle_event is disabled. If this setting is enabled, it should be disabled.
To disable the abrt_handle_event SELinux boolean, run the following command:

    $ sudo setsebool -P abrt_handle_event off

Identifiers and References: CCE-80420-3; NIST 800-171 3.7.2

Remediation Shell script:

    var_abrt_handle_event="off"
    setsebool -P abrt_handle_event $var_abrt_handle_event

Remediation Ansible snippet:

    - name: XCCDF Value var_abrt_handle_event # promote to variable
      set_fact:
        var_abrt_handle_event: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_abrt_handle_event
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80420-3
        - NIST-800-171-3.7.2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean abrt_handle_event accordingly
      seboolean:
        name: abrt_handle_event
        state: "{{ var_abrt_handle_event }}"
        persistent: yes
      tags:
        - sebool_abrt_handle_event
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80420-3
        - NIST-800-171-3.7.2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the gluster_export_all_ro SELinux Boolean

By default, the SELinux boolean gluster_export_all_ro is disabled. If this setting is enabled, it should be disabled.
To disable the gluster_export_all_ro SELinux boolean, run the following command:

    $ sudo setsebool -P gluster_export_all_ro off

Remediation Shell script:

    var_gluster_export_all_ro="off"
    setsebool -P gluster_export_all_ro $var_gluster_export_all_ro

Remediation Ansible snippet:

    - name: XCCDF Value var_gluster_export_all_ro # promote to variable
      set_fact:
        var_gluster_export_all_ro: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_gluster_export_all_ro
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean gluster_export_all_ro accordingly
      seboolean:
        name: gluster_export_all_ro
        state: "{{ var_gluster_export_all_ro }}"
        persistent: yes
      tags:
        - sebool_gluster_export_all_ro
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the ksmtuned_use_nfs SELinux Boolean

By default, the SELinux boolean ksmtuned_use_nfs is disabled. If this setting is enabled, it should be disabled.
To disable the ksmtuned_use_nfs SELinux boolean, run the following command:

    $ sudo setsebool -P ksmtuned_use_nfs off

Remediation Shell script:

    var_ksmtuned_use_nfs="off"
    setsebool -P ksmtuned_use_nfs $var_ksmtuned_use_nfs

Remediation Ansible snippet:

    - name: XCCDF Value var_ksmtuned_use_nfs # promote to variable
      set_fact:
        var_ksmtuned_use_nfs: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_ksmtuned_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean ksmtuned_use_nfs accordingly
      seboolean:
        name: ksmtuned_use_nfs
        state: "{{ var_ksmtuned_use_nfs }}"
        persistent: yes
      tags:
        - sebool_ksmtuned_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the puppetagent_manage_all_files SELinux Boolean

By default, the SELinux boolean puppetagent_manage_all_files is disabled. If this setting is enabled, it should be disabled.
To disable the puppetagent_manage_all_files SELinux boolean, run the following command:

    $ sudo setsebool -P puppetagent_manage_all_files off

Remediation Shell script:

    var_puppetagent_manage_all_files="off"
    setsebool -P puppetagent_manage_all_files $var_puppetagent_manage_all_files

Remediation Ansible snippet:

    - name: XCCDF Value var_puppetagent_manage_all_files # promote to variable
      set_fact:
        var_puppetagent_manage_all_files: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_puppetagent_manage_all_files
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean puppetagent_manage_all_files accordingly
      seboolean:
        name: puppetagent_manage_all_files
        state: "{{ var_puppetagent_manage_all_files }}"
        persistent: yes
      tags:
        - sebool_puppetagent_manage_all_files
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_dontaudit_search_dirs SELinux Boolean

By default, the SELinux boolean httpd_dontaudit_search_dirs is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_dontaudit_search_dirs SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_dontaudit_search_dirs off

Remediation Shell script:

    var_httpd_dontaudit_search_dirs="off"
    setsebool -P httpd_dontaudit_search_dirs $var_httpd_dontaudit_search_dirs

Remediation Ansible snippet:

    - name: XCCDF Value var_httpd_dontaudit_search_dirs # promote to variable
      set_fact:
        var_httpd_dontaudit_search_dirs: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_dontaudit_search_dirs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_dontaudit_search_dirs accordingly
      seboolean:
        name: httpd_dontaudit_search_dirs
        state: "{{ var_httpd_dontaudit_search_dirs }}"
        persistent: yes
      tags:
        - sebool_httpd_dontaudit_search_dirs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the smbd_anon_write SELinux Boolean

By default, the SELinux boolean smbd_anon_write is disabled. If this setting is enabled, it should be disabled.
To disable the smbd_anon_write SELinux boolean, run the following command:

    $ sudo setsebool -P smbd_anon_write off

Remediation Shell script:

    var_smbd_anon_write="off"
    setsebool -P smbd_anon_write $var_smbd_anon_write

Remediation Ansible snippet:

    - name: XCCDF Value var_smbd_anon_write # promote to variable
      set_fact:
        var_smbd_anon_write: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_smbd_anon_write
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean smbd_anon_write accordingly
      seboolean:
        name: smbd_anon_write
        state: "{{ var_smbd_anon_write }}"
        persistent: yes
      tags:
        - sebool_smbd_anon_write
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the cron_system_cronjob_use_shares SELinux Boolean

By default, the SELinux boolean cron_system_cronjob_use_shares is disabled. If this setting is enabled, it should be disabled.
To disable the cron_system_cronjob_use_shares SELinux boolean, run the following command:

    $ sudo setsebool -P cron_system_cronjob_use_shares off

Remediation Shell script:

    var_cron_system_cronjob_use_shares="off"
    setsebool -P cron_system_cronjob_use_shares $var_cron_system_cronjob_use_shares

Remediation Ansible snippet:

    - name: XCCDF Value var_cron_system_cronjob_use_shares # promote to variable
      set_fact:
        var_cron_system_cronjob_use_shares: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_cron_system_cronjob_use_shares
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean cron_system_cronjob_use_shares accordingly
      seboolean:
        name: cron_system_cronjob_use_shares
        state: "{{ var_cron_system_cronjob_use_shares }}"
        persistent: yes
      tags:
        - sebool_cron_system_cronjob_use_shares
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the mozilla_plugin_use_bluejeans SELinux Boolean

By default, the SELinux boolean mozilla_plugin_use_bluejeans is disabled. If this setting is enabled, it should be disabled.
To disable the mozilla_plugin_use_bluejeans SELinux boolean, run the following command:

    $ sudo setsebool -P mozilla_plugin_use_bluejeans off

Remediation Shell script:

    var_mozilla_plugin_use_bluejeans="off"
    setsebool -P mozilla_plugin_use_bluejeans $var_mozilla_plugin_use_bluejeans

Remediation Ansible snippet:

    - name: XCCDF Value var_mozilla_plugin_use_bluejeans # promote to variable
      set_fact:
        var_mozilla_plugin_use_bluejeans: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_mozilla_plugin_use_bluejeans
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean mozilla_plugin_use_bluejeans accordingly
      seboolean:
        name: mozilla_plugin_use_bluejeans
        state: "{{ var_mozilla_plugin_use_bluejeans }}"
        persistent: yes
      tags:
        - sebool_mozilla_plugin_use_bluejeans
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the openvpn_enable_homedirs SELinux Boolean

By default, the SELinux boolean openvpn_enable_homedirs is enabled. This setting should be disabled.
To disable the openvpn_enable_homedirs SELinux boolean, run the following command:

    $ sudo setsebool -P openvpn_enable_homedirs off

Remediation Shell script:

    var_openvpn_enable_homedirs="off"
    setsebool -P openvpn_enable_homedirs $var_openvpn_enable_homedirs

Remediation Ansible snippet:

    - name: XCCDF Value var_openvpn_enable_homedirs # promote to variable
      set_fact:
        var_openvpn_enable_homedirs: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_openvpn_enable_homedirs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean openvpn_enable_homedirs accordingly
      seboolean:
        name: openvpn_enable_homedirs
        state: "{{ var_openvpn_enable_homedirs }}"
        persistent: yes
      tags:
        - sebool_openvpn_enable_homedirs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the mcelog_server SELinux Boolean

By default, the SELinux boolean mcelog_server is disabled. If this setting is enabled, it should be disabled.
To disable the mcelog_server SELinux boolean, run the following command:

    $ sudo setsebool -P mcelog_server off

Remediation Shell script:

    var_mcelog_server="off"
    setsebool -P mcelog_server $var_mcelog_server

Remediation Ansible snippet:

    - name: XCCDF Value var_mcelog_server # promote to variable
      set_fact:
        var_mcelog_server: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_mcelog_server
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean mcelog_server accordingly
      seboolean:
        name: mcelog_server
        state: "{{ var_mcelog_server }}"
        persistent: yes
      tags:
        - sebool_mcelog_server
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the mcelog_exec_scripts SELinux Boolean

By default, the SELinux boolean mcelog_exec_scripts is enabled. If this setting is disabled, it should be enabled.
To enable the mcelog_exec_scripts SELinux boolean, run the following command:

    $ sudo setsebool -P mcelog_exec_scripts on

Remediation Shell script:

    var_mcelog_exec_scripts="on"
    setsebool -P mcelog_exec_scripts $var_mcelog_exec_scripts

Remediation Ansible snippet:

    - name: XCCDF Value var_mcelog_exec_scripts # promote to variable
      set_fact:
        var_mcelog_exec_scripts: !!str on
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_mcelog_exec_scripts
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean mcelog_exec_scripts accordingly
      seboolean:
        name: mcelog_exec_scripts
        state: "{{ var_mcelog_exec_scripts }}"
        persistent: yes
      tags:
        - sebool_mcelog_exec_scripts
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the sge_use_nfs SELinux Boolean

By default, the SELinux boolean sge_use_nfs is disabled. If this setting is enabled, it should be disabled.
To disable the sge_use_nfs SELinux boolean, run the following command:

    $ sudo setsebool -P sge_use_nfs off

Remediation Shell script:

    var_sge_use_nfs="off"
    setsebool -P sge_use_nfs $var_sge_use_nfs

Remediation Ansible snippet:

    - name: XCCDF Value var_sge_use_nfs # promote to variable
      set_fact:
        var_sge_use_nfs: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_sge_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean sge_use_nfs accordingly
      seboolean:
        name: sge_use_nfs
        state: "{{ var_sge_use_nfs }}"
        persistent: yes
      tags:
        - sebool_sge_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the webadm_read_user_files SELinux Boolean

By default, the SELinux boolean webadm_read_user_files is disabled. If this setting is enabled, it should be disabled.
To disable the webadm_read_user_files SELinux boolean, run the following command:

    $ sudo setsebool -P webadm_read_user_files off

Remediation Shell script:

    var_webadm_read_user_files="off"
    setsebool -P webadm_read_user_files $var_webadm_read_user_files

Remediation Ansible snippet:

    - name: XCCDF Value var_webadm_read_user_files # promote to variable
      set_fact:
        var_webadm_read_user_files: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_webadm_read_user_files
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean webadm_read_user_files accordingly
      seboolean:
        name: webadm_read_user_files
        state: "{{ var_webadm_read_user_files }}"
        persistent: yes
      tags:
        - sebool_webadm_read_user_files
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the piranha_lvs_can_network_connect SELinux Boolean

By default, the SELinux boolean piranha_lvs_can_network_connect is disabled. If this setting is enabled, it should be disabled.
To disable the piranha_lvs_can_network_connect SELinux boolean, run the following command:

    $ sudo setsebool -P piranha_lvs_can_network_connect off

Remediation Shell script:

    var_piranha_lvs_can_network_connect="off"
    setsebool -P piranha_lvs_can_network_connect $var_piranha_lvs_can_network_connect

Remediation Ansible snippet:

    - name: XCCDF Value var_piranha_lvs_can_network_connect # promote to variable
      set_fact:
        var_piranha_lvs_can_network_connect: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_piranha_lvs_can_network_connect
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean piranha_lvs_can_network_connect accordingly
      seboolean:
        name: piranha_lvs_can_network_connect
        state: "{{ var_piranha_lvs_can_network_connect }}"
        persistent: yes
      tags:
        - sebool_piranha_lvs_can_network_connect
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the domain_kernel_load_modules SELinux Boolean

By default, the SELinux boolean domain_kernel_load_modules is disabled. If this setting is enabled, it should be disabled.
To disable the domain_kernel_load_modules SELinux boolean, run the following command:

    $ sudo setsebool -P domain_kernel_load_modules off

Remediation Shell script:

    var_domain_kernel_load_modules="off"
    setsebool -P domain_kernel_load_modules $var_domain_kernel_load_modules

Remediation Ansible snippet:

    - name: XCCDF Value var_domain_kernel_load_modules # promote to variable
      set_fact:
        var_domain_kernel_load_modules: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_domain_kernel_load_modules
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean domain_kernel_load_modules accordingly
      seboolean:
        name: domain_kernel_load_modules
        state: "{{ var_domain_kernel_load_modules }}"
        persistent: yes
      tags:
        - sebool_domain_kernel_load_modules
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the exim_manage_user_files SELinux Boolean

By default, the SELinux boolean exim_manage_user_files is disabled. If this setting is enabled, it should be disabled.
To disable the exim_manage_user_files SELinux boolean, run the following command:

    $ sudo setsebool -P exim_manage_user_files off

Remediation Shell script:

    var_exim_manage_user_files="off"
    setsebool -P exim_manage_user_files $var_exim_manage_user_files

Remediation Ansible snippet:

    - name: XCCDF Value var_exim_manage_user_files # promote to variable
      set_fact:
        var_exim_manage_user_files: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_exim_manage_user_files
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean exim_manage_user_files accordingly
      seboolean:
        name: exim_manage_user_files
        state: "{{ var_exim_manage_user_files }}"
        persistent: yes
      tags:
        - sebool_exim_manage_user_files
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the virt_sandbox_use_netlink SELinux Boolean

By default, the SELinux boolean virt_sandbox_use_netlink is disabled. If this setting is enabled, it should be disabled.
To disable the virt_sandbox_use_netlink SELinux boolean, run the following command:

    $ sudo setsebool -P virt_sandbox_use_netlink off

Remediation Shell script (the variable carries the XCCDF value, here the "off" stated above):

    var_virt_sandbox_use_netlink="off"
    setsebool -P virt_sandbox_use_netlink $var_virt_sandbox_use_netlink

Remediation Ansible snippet:

    - name: XCCDF Value var_virt_sandbox_use_netlink # promote to variable
      set_fact:
        var_virt_sandbox_use_netlink: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_virt_sandbox_use_netlink
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean virt_sandbox_use_netlink accordingly
      seboolean:
        name: virt_sandbox_use_netlink
        state: "{{ var_virt_sandbox_use_netlink }}"
        persistent: yes
      tags:
        - sebool_virt_sandbox_use_netlink
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the unconfined_chrome_sandbox_transition SELinux Boolean

By default, the SELinux boolean unconfined_chrome_sandbox_transition is enabled. If this setting is disabled, it should be enabled.
To enable the unconfined_chrome_sandbox_transition SELinux boolean, run the following command:

    $ sudo setsebool -P unconfined_chrome_sandbox_transition on

Remediation Shell script (the variable carries the XCCDF value, here the "on" stated above):

    var_unconfined_chrome_sandbox_transition="on"
    setsebool -P unconfined_chrome_sandbox_transition $var_unconfined_chrome_sandbox_transition

Remediation Ansible snippet:

    - name: XCCDF Value var_unconfined_chrome_sandbox_transition # promote to variable
      set_fact:
        var_unconfined_chrome_sandbox_transition: !!str on
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_unconfined_chrome_sandbox_transition
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean unconfined_chrome_sandbox_transition accordingly
      seboolean:
        name: unconfined_chrome_sandbox_transition
        state: "{{ var_unconfined_chrome_sandbox_transition }}"
        persistent: yes
      tags:
        - sebool_unconfined_chrome_sandbox_transition
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_verify_dns SELinux Boolean

By default, the SELinux boolean httpd_verify_dns is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_verify_dns SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_verify_dns off

Remediation Shell script (the variable carries the XCCDF value, here the "off" stated above):

    var_httpd_verify_dns="off"
    setsebool -P httpd_verify_dns $var_httpd_verify_dns

Remediation Ansible snippet:

    - name: XCCDF Value var_httpd_verify_dns # promote to variable
      set_fact:
        var_httpd_verify_dns: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_verify_dns
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_verify_dns accordingly
      seboolean:
        name: httpd_verify_dns
        state: "{{ var_httpd_verify_dns }}"
        persistent: yes
      tags:
        - sebool_httpd_verify_dns
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the virt_read_qemu_ga_data SELinux Boolean

By default, the SELinux boolean virt_read_qemu_ga_data is disabled. If this setting is enabled, it should be disabled.
To disable the virt_read_qemu_ga_data SELinux boolean, run the following command:

    $ sudo setsebool -P virt_read_qemu_ga_data off

Remediation Shell script (the variable carries the XCCDF value, here the "off" stated above):

    var_virt_read_qemu_ga_data="off"
    setsebool -P virt_read_qemu_ga_data $var_virt_read_qemu_ga_data

Remediation Ansible snippet:

    - name: XCCDF Value var_virt_read_qemu_ga_data # promote to variable
      set_fact:
        var_virt_read_qemu_ga_data: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_virt_read_qemu_ga_data
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean virt_read_qemu_ga_data accordingly
      seboolean:
        name: virt_read_qemu_ga_data
        state: "{{ var_virt_read_qemu_ga_data }}"
        persistent: yes
      tags:
        - sebool_virt_read_qemu_ga_data
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the glance_use_execmem SELinux Boolean

By default, the SELinux boolean glance_use_execmem is disabled. If this setting is enabled, it should be disabled.
To disable the glance_use_execmem SELinux boolean, run the following command:

    $ sudo setsebool -P glance_use_execmem off

Remediation Shell script (the variable carries the XCCDF value, here the "off" stated above):

    var_glance_use_execmem="off"
    setsebool -P glance_use_execmem $var_glance_use_execmem

Remediation Ansible snippet:

    - name: XCCDF Value var_glance_use_execmem # promote to variable
      set_fact:
        var_glance_use_execmem: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_glance_use_execmem
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean glance_use_execmem accordingly
      seboolean:
        name: glance_use_execmem
        state: "{{ var_glance_use_execmem }}"
        persistent: yes
      tags:
        - sebool_glance_use_execmem
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_can_sendmail SELinux Boolean

By default, the SELinux boolean httpd_can_sendmail is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_can_sendmail SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_can_sendmail off

Remediation Shell script (the variable carries the XCCDF value, here the "off" stated above):

    var_httpd_can_sendmail="off"
    setsebool -P httpd_can_sendmail $var_httpd_can_sendmail

Remediation Ansible snippet:

    - name: XCCDF Value var_httpd_can_sendmail # promote to variable
      set_fact:
        var_httpd_can_sendmail: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_can_sendmail
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_can_sendmail accordingly
      seboolean:
        name: httpd_can_sendmail
        state: "{{ var_httpd_can_sendmail }}"
        persistent: yes
      tags:
        - sebool_httpd_can_sendmail
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_enable_homedirs SELinux Boolean

By default, the SELinux boolean httpd_enable_homedirs is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_enable_homedirs SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_enable_homedirs off

Remediation Shell script (the variable carries the XCCDF value, here the "off" stated above):

    var_httpd_enable_homedirs="off"
    setsebool -P httpd_enable_homedirs $var_httpd_enable_homedirs

Remediation Ansible snippet:

    - name: XCCDF Value var_httpd_enable_homedirs # promote to variable
      set_fact:
        var_httpd_enable_homedirs: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_enable_homedirs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_enable_homedirs accordingly
      seboolean:
        name: httpd_enable_homedirs
        state: "{{ var_httpd_enable_homedirs }}"
        persistent: yes
      tags:
        - sebool_httpd_enable_homedirs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the cdrecord_read_content SELinux Boolean

By default, the SELinux boolean cdrecord_read_content is disabled. If this setting is enabled, it should be disabled.
To disable the cdrecord_read_content SELinux boolean, run the following command:

    $ sudo setsebool -P cdrecord_read_content off

Remediation Shell script (the variable carries the XCCDF value, here the "off" stated above):

    var_cdrecord_read_content="off"
    setsebool -P cdrecord_read_content $var_cdrecord_read_content

Remediation Ansible snippet:

    - name: XCCDF Value var_cdrecord_read_content # promote to variable
      set_fact:
        var_cdrecord_read_content: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_cdrecord_read_content
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean cdrecord_read_content accordingly
      seboolean:
        name: cdrecord_read_content
        state: "{{ var_cdrecord_read_content }}"
        persistent: yes
      tags:
        - sebool_cdrecord_read_content
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the unconfined_login SELinux Boolean

By default, the SELinux boolean unconfined_login is enabled. If this setting is disabled, it should be enabled.
To enable the unconfined_login SELinux boolean, run the following command:

    $ sudo setsebool -P unconfined_login on

Remediation Shell script (the variable carries the XCCDF value, here the "on" stated above):

    var_unconfined_login="on"
    setsebool -P unconfined_login $var_unconfined_login

Remediation Ansible snippet:

    - name: XCCDF Value var_unconfined_login # promote to variable
      set_fact:
        var_unconfined_login: !!str on
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_unconfined_login
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean unconfined_login accordingly
      seboolean:
        name: unconfined_login
        state: "{{ var_unconfined_login }}"
        persistent: yes
      tags:
        - sebool_unconfined_login
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the logging_syslogd_can_sendmail SELinux Boolean

By default, the SELinux boolean logging_syslogd_can_sendmail is disabled. If this setting is enabled, it should be disabled.
To disable the logging_syslogd_can_sendmail SELinux boolean, run the following command:

    $ sudo setsebool -P logging_syslogd_can_sendmail off

Remediation Shell script (the variable carries the XCCDF value, here the "off" stated above):

    var_logging_syslogd_can_sendmail="off"
    setsebool -P logging_syslogd_can_sendmail $var_logging_syslogd_can_sendmail

Remediation Ansible snippet:

    - name: XCCDF Value var_logging_syslogd_can_sendmail # promote to variable
      set_fact:
        var_logging_syslogd_can_sendmail: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_logging_syslogd_can_sendmail
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean logging_syslogd_can_sendmail accordingly
      seboolean:
        name: logging_syslogd_can_sendmail
        state: "{{ var_logging_syslogd_can_sendmail }}"
        persistent: yes
      tags:
        - sebool_logging_syslogd_can_sendmail
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the gitosis_can_sendmail SELinux Boolean

By default, the SELinux boolean gitosis_can_sendmail is disabled. If this setting is enabled, it should be disabled.
To disable the gitosis_can_sendmail SELinux boolean, run the following command:

    $ sudo setsebool -P gitosis_can_sendmail off

Remediation Shell script (the variable carries the XCCDF value, here the "off" stated above):

    var_gitosis_can_sendmail="off"
    setsebool -P gitosis_can_sendmail $var_gitosis_can_sendmail

Remediation Ansible snippet:

    - name: XCCDF Value var_gitosis_can_sendmail # promote to variable
      set_fact:
        var_gitosis_can_sendmail: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_gitosis_can_sendmail
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean gitosis_can_sendmail accordingly
      seboolean:
        name: gitosis_can_sendmail
        state: "{{ var_gitosis_can_sendmail }}"
        persistent: yes
      tags:
        - sebool_gitosis_can_sendmail
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_use_sasl SELinux Boolean

By default, the SELinux boolean httpd_use_sasl is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_use_sasl SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_use_sasl off

Remediation Shell script (the variable carries the XCCDF value, here the "off" stated above):

    var_httpd_use_sasl="off"
    setsebool -P httpd_use_sasl $var_httpd_use_sasl

Remediation Ansible snippet:

    - name: XCCDF Value var_httpd_use_sasl # promote to variable
      set_fact:
        var_httpd_use_sasl: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_use_sasl
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_use_sasl accordingly
      seboolean:
        name: httpd_use_sasl
        state: "{{ var_httpd_use_sasl }}"
        persistent: yes
      tags:
        - sebool_httpd_use_sasl
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the git_system_use_cifs SELinux Boolean

By default, the SELinux boolean git_system_use_cifs is disabled. If this setting is enabled, it should be disabled.
To disable the git_system_use_cifs SELinux boolean, run the following command:

    $ sudo setsebool -P git_system_use_cifs off

Remediation Shell script (the variable carries the XCCDF value, here the "off" stated above):

    var_git_system_use_cifs="off"
    setsebool -P git_system_use_cifs $var_git_system_use_cifs

Remediation Ansible snippet:

    - name: XCCDF Value var_git_system_use_cifs # promote to variable
      set_fact:
        var_git_system_use_cifs: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_git_system_use_cifs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean git_system_use_cifs accordingly
      seboolean:
        name: git_system_use_cifs
        state: "{{ var_git_system_use_cifs }}"
        persistent: yes
      tags:
        - sebool_git_system_use_cifs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the virt_use_comm SELinux Boolean

By default, the SELinux boolean virt_use_comm is disabled. If this setting is enabled, it should be disabled.
To disable the virt_use_comm SELinux boolean, run the following command:

    $ sudo setsebool -P virt_use_comm off

Remediation Shell script (the variable carries the XCCDF value, here the "off" stated above):

    var_virt_use_comm="off"
    setsebool -P virt_use_comm $var_virt_use_comm

Remediation Ansible snippet:

    - name: XCCDF Value var_virt_use_comm # promote to variable
      set_fact:
        var_virt_use_comm: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_virt_use_comm
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean virt_use_comm accordingly
      seboolean:
        name: virt_use_comm
        state: "{{ var_virt_use_comm }}"
        persistent: yes
      tags:
        - sebool_virt_use_comm
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the selinuxuser_postgresql_connect_enabled SELinux Boolean

By default, the SELinux boolean selinuxuser_postgresql_connect_enabled is disabled. If this setting is enabled, it should be disabled.
To disable the selinuxuser_postgresql_connect_enabled SELinux boolean, run the following command:

    $ sudo setsebool -P selinuxuser_postgresql_connect_enabled off

Remediation Shell script (the variable carries the XCCDF value, here the "off" stated above):

    var_selinuxuser_postgresql_connect_enabled="off"
    setsebool -P selinuxuser_postgresql_connect_enabled $var_selinuxuser_postgresql_connect_enabled

Remediation Ansible snippet:

    - name: XCCDF Value var_selinuxuser_postgresql_connect_enabled # promote to variable
      set_fact:
        var_selinuxuser_postgresql_connect_enabled: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_selinuxuser_postgresql_connect_enabled
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean selinuxuser_postgresql_connect_enabled accordingly
      seboolean:
        name: selinuxuser_postgresql_connect_enabled
        state: "{{ var_selinuxuser_postgresql_connect_enabled }}"
        persistent: yes
      tags:
        - sebool_selinuxuser_postgresql_connect_enabled
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the dbadm_manage_user_files SELinux Boolean

By default, the SELinux boolean dbadm_manage_user_files is disabled. If this setting is enabled, it should be disabled.
To disable the dbadm_manage_user_files SELinux boolean, run the following command:

    $ sudo setsebool -P dbadm_manage_user_files off

Remediation Shell script (the variable carries the XCCDF value, here the "off" stated above):

    var_dbadm_manage_user_files="off"
    setsebool -P dbadm_manage_user_files $var_dbadm_manage_user_files

Remediation Ansible snippet:

    - name: XCCDF Value var_dbadm_manage_user_files # promote to variable
      set_fact:
        var_dbadm_manage_user_files: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_dbadm_manage_user_files
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean dbadm_manage_user_files accordingly
      seboolean:
        name: dbadm_manage_user_files
        state: "{{ var_dbadm_manage_user_files }}"
        persistent: yes
      tags:
        - sebool_dbadm_manage_user_files
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_can_network_connect_db SELinux Boolean

By default, the SELinux boolean httpd_can_network_connect_db is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_can_network_connect_db SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_can_network_connect_db off

Remediation Shell script (the variable carries the XCCDF value, here the "off" stated above):

    var_httpd_can_network_connect_db="off"
    setsebool -P httpd_can_network_connect_db $var_httpd_can_network_connect_db

Remediation Ansible snippet:

    - name: XCCDF Value var_httpd_can_network_connect_db # promote to variable
      set_fact:
        var_httpd_can_network_connect_db: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_can_network_connect_db
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_can_network_connect_db accordingly
      seboolean:
        name: httpd_can_network_connect_db
        state: "{{ var_httpd_can_network_connect_db }}"
        persistent: yes
      tags:
        - sebool_httpd_can_network_connect_db
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure the httpd_enable_cgi SELinux Boolean

By default, the SELinux boolean httpd_enable_cgi is enabled. This setting should be disabled unless httpd is used with CGI scripting.
To disable the httpd_enable_cgi SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_enable_cgi off

Remediation Shell script (the variable carries the XCCDF value, here the "off" stated above):

    var_httpd_enable_cgi="off"
    setsebool -P httpd_enable_cgi $var_httpd_enable_cgi

Remediation Ansible snippet:

    - name: XCCDF Value var_httpd_enable_cgi # promote to variable
      set_fact:
        var_httpd_enable_cgi: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_enable_cgi
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_enable_cgi accordingly
      seboolean:
        name: httpd_enable_cgi
        state: "{{ var_httpd_enable_cgi }}"
        persistent: yes
      tags:
        - sebool_httpd_enable_cgi
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the antivirus_can_scan_system SELinux Boolean

By default, the SELinux boolean antivirus_can_scan_system is disabled. This setting should be enabled, as it allows antivirus programs to read non-security files on the system.
To enable the antivirus_can_scan_system SELinux boolean, run the following command:

    $ sudo setsebool -P antivirus_can_scan_system on

Identifiers: CCE-80422-9
References: NIST 800-171 3.7.2

Remediation Shell script (the variable carries the XCCDF value, here the "on" stated above):

    var_antivirus_can_scan_system="on"
    setsebool -P antivirus_can_scan_system $var_antivirus_can_scan_system

Remediation Ansible snippet:

    - name: XCCDF Value var_antivirus_can_scan_system # promote to variable
      set_fact:
        var_antivirus_can_scan_system: !!str on
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_antivirus_can_scan_system
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80422-9
        - NIST-800-171-3.7.2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean antivirus_can_scan_system accordingly
      seboolean:
        name: antivirus_can_scan_system
        state: "{{ var_antivirus_can_scan_system }}"
        persistent: yes
      tags:
        - sebool_antivirus_can_scan_system
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80422-9
        - NIST-800-171-3.7.2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the zarafa_setrlimit SELinux Boolean

By default, the SELinux boolean zarafa_setrlimit is disabled. If this setting is enabled, it should be disabled.
To disable the zarafa_setrlimit SELinux boolean, run the following command:

    $ sudo setsebool -P zarafa_setrlimit off

Remediation Shell script (the variable carries the XCCDF value, here the "off" stated above):

    var_zarafa_setrlimit="off"
    setsebool -P zarafa_setrlimit $var_zarafa_setrlimit

Remediation Ansible snippet:

    - name: XCCDF Value var_zarafa_setrlimit # promote to variable
      set_fact:
        var_zarafa_setrlimit: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_zarafa_setrlimit
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean zarafa_setrlimit accordingly
      seboolean:
        name: zarafa_setrlimit
        state: "{{ var_zarafa_setrlimit }}"
        persistent: yes
      tags:
        - sebool_zarafa_setrlimit
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the samba_export_all_ro SELinux Boolean

By default, the SELinux boolean samba_export_all_ro is disabled. If this setting is enabled, it should be disabled.
To disable the samba_export_all_ro SELinux boolean, run the following command:

    $ sudo setsebool -P samba_export_all_ro off

Remediation Shell script (the variable carries the XCCDF value, here the "off" stated above):

    var_samba_export_all_ro="off"
    setsebool -P samba_export_all_ro $var_samba_export_all_ro

Remediation Ansible snippet:

    - name: XCCDF Value var_samba_export_all_ro # promote to variable
      set_fact:
        var_samba_export_all_ro: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_samba_export_all_ro
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean samba_export_all_ro accordingly
      seboolean:
        name: samba_export_all_ro
        state: "{{ var_samba_export_all_ro }}"
        persistent: yes
      tags:
        - sebool_samba_export_all_ro
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the zoneminder_anon_write SELinux Boolean

By default, the SELinux boolean zoneminder_anon_write is disabled. If this setting is enabled, it should be disabled.
To disable the zoneminder_anon_write SELinux boolean, run the following command:

    $ sudo setsebool -P zoneminder_anon_write off

Remediation Shell script (the variable carries the XCCDF value, here the "off" stated above):

    var_zoneminder_anon_write="off"
    setsebool -P zoneminder_anon_write $var_zoneminder_anon_write

Remediation Ansible snippet:

    - name: XCCDF Value var_zoneminder_anon_write # promote to variable
      set_fact:
        var_zoneminder_anon_write: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_zoneminder_anon_write
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean zoneminder_anon_write accordingly
      seboolean:
        name: zoneminder_anon_write
        state: "{{ var_zoneminder_anon_write }}"
        persistent: yes
      tags:
        - sebool_zoneminder_anon_write
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the daemons_enable_cluster_mode SELinux Boolean

By default, the SELinux boolean daemons_enable_cluster_mode is disabled. If this setting is enabled, it should be disabled.
To disable the daemons_enable_cluster_mode SELinux boolean, run the following command:

    $ sudo setsebool -P daemons_enable_cluster_mode off

Remediation Shell script (the variable carries the XCCDF value, here the "off" stated above):

    var_daemons_enable_cluster_mode="off"
    setsebool -P daemons_enable_cluster_mode $var_daemons_enable_cluster_mode

Remediation Ansible snippet:

    - name: XCCDF Value var_daemons_enable_cluster_mode # promote to variable
      set_fact:
        var_daemons_enable_cluster_mode: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_daemons_enable_cluster_mode
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean daemons_enable_cluster_mode accordingly
      seboolean:
        name: daemons_enable_cluster_mode
        state: "{{ var_daemons_enable_cluster_mode }}"
        persistent: yes
      tags:
        - sebool_daemons_enable_cluster_mode
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_can_connect_mythtv SELinux Boolean

By default, the SELinux boolean httpd_can_connect_mythtv is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_can_connect_mythtv SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_can_connect_mythtv off

Remediation Shell script (the variable carries the XCCDF value, here the "off" stated above):

    var_httpd_can_connect_mythtv="off"
    setsebool -P httpd_can_connect_mythtv $var_httpd_can_connect_mythtv

Remediation Ansible snippet:

    - name: XCCDF Value var_httpd_can_connect_mythtv # promote to variable
      set_fact:
        var_httpd_can_connect_mythtv: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_can_connect_mythtv
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_can_connect_mythtv accordingly
      seboolean:
        name: httpd_can_connect_mythtv
        state: "{{ var_httpd_can_connect_mythtv }}"
        persistent: yes
      tags:
        - sebool_httpd_can_connect_mythtv
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the squid_connect_any SELinux Boolean

By default, the SELinux boolean squid_connect_any is enabled. This setting should be disabled, as squid should only connect on specified ports.
To disable the squid_connect_any SELinux boolean, run the following command: $ sudo setsebool -P squid_connect_any off var_squid_connect_any="" setsebool -P squid_connect_any $var_squid_connect_any - name: XCCDF Value var_squid_connect_any # promote to variable set_fact: var_squid_connect_any: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_squid_connect_any - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean squid_connect_any accordingly seboolean: name: squid_connect_any state: "{{ var_squid_connect_any }}" persistent: yes tags: - sebool_squid_connect_any - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the varnishd_connect_any SELinux Boolean By default, the SELinux boolean varnishd_connect_any is disabled. If this setting is enabled, it should be disabled. 
To disable the varnishd_connect_any SELinux boolean, run the following command: $ sudo setsebool -P varnishd_connect_any off var_varnishd_connect_any="" setsebool -P varnishd_connect_any $var_varnishd_connect_any - name: XCCDF Value var_varnishd_connect_any # promote to variable set_fact: var_varnishd_connect_any: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_varnishd_connect_any - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean varnishd_connect_any accordingly seboolean: name: varnishd_connect_any state: "{{ var_varnishd_connect_any }}" persistent: yes tags: - sebool_varnishd_connect_any - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the privoxy_connect_any SELinux Boolean By default, the SELinux boolean privoxy_connect_any is enabled. This setting should be disabled. 
To disable the privoxy_connect_any SELinux boolean, run the following command: $ sudo setsebool -P privoxy_connect_any off var_privoxy_connect_any="" setsebool -P privoxy_connect_any $var_privoxy_connect_any - name: XCCDF Value var_privoxy_connect_any # promote to variable set_fact: var_privoxy_connect_any: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_privoxy_connect_any - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean privoxy_connect_any accordingly seboolean: name: privoxy_connect_any state: "{{ var_privoxy_connect_any }}" persistent: yes tags: - sebool_privoxy_connect_any - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Enable the xend_run_qemu SELinux Boolean By default, the SELinux boolean xend_run_qemu is enabled. If this setting is disabled, it should be enabled. 
To enable the xend_run_qemu SELinux boolean, run the following command: $ sudo setsebool -P xend_run_qemu on var_xend_run_qemu="" setsebool -P xend_run_qemu $var_xend_run_qemu - name: XCCDF Value var_xend_run_qemu # promote to variable set_fact: var_xend_run_qemu: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_xend_run_qemu - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean xend_run_qemu accordingly seboolean: name: xend_run_qemu state: "{{ var_xend_run_qemu }}" persistent: yes tags: - sebool_xend_run_qemu - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the abrt_upload_watch_anon_write SELinux Boolean By default, the SELinux boolean abrt_upload_watch_anon_write is enabled. This setting should be disabled as it allows the Automatic Bug Report Tool (ABRT) to modify public files used for public file transfer services. 
To disable the abrt_upload_watch_anon_write SELinux boolean, run the following command: $ sudo setsebool -P abrt_upload_watch_anon_write off 3.7.2 CCE-80421-1 var_abrt_upload_watch_anon_write="" setsebool -P abrt_upload_watch_anon_write $var_abrt_upload_watch_anon_write - name: XCCDF Value var_abrt_upload_watch_anon_write # promote to variable set_fact: var_abrt_upload_watch_anon_write: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_abrt_upload_watch_anon_write - medium_severity - enable_strategy - low_complexity - low_disruption - CCE-80421-1 - NIST-800-171-3.7.2 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean abrt_upload_watch_anon_write accordingly seboolean: name: abrt_upload_watch_anon_write state: "{{ var_abrt_upload_watch_anon_write }}" persistent: yes tags: - sebool_abrt_upload_watch_anon_write - medium_severity - enable_strategy - low_complexity - low_disruption - CCE-80421-1 - NIST-800-171-3.7.2 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the openshift_use_nfs SELinux Boolean By default, the SELinux boolean openshift_use_nfs is disabled. If this setting is enabled, it should be disabled. 
To disable the openshift_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P openshift_use_nfs off var_openshift_use_nfs="" setsebool -P openshift_use_nfs $var_openshift_use_nfs - name: XCCDF Value var_openshift_use_nfs # promote to variable set_fact: var_openshift_use_nfs: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_openshift_use_nfs - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean openshift_use_nfs accordingly seboolean: name: openshift_use_nfs state: "{{ var_openshift_use_nfs }}" persistent: yes tags: - sebool_openshift_use_nfs - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Enable the unconfined_mozilla_plugin_transition SELinux Boolean By default, the SELinux boolean unconfined_mozilla_plugin_transition is enabled. If this setting is disabled, it should be enabled. 
To enable the unconfined_mozilla_plugin_transition SELinux boolean, run the following command: $ sudo setsebool -P unconfined_mozilla_plugin_transition on var_unconfined_mozilla_plugin_transition="" setsebool -P unconfined_mozilla_plugin_transition $var_unconfined_mozilla_plugin_transition - name: XCCDF Value var_unconfined_mozilla_plugin_transition # promote to variable set_fact: var_unconfined_mozilla_plugin_transition: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_unconfined_mozilla_plugin_transition - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean unconfined_mozilla_plugin_transition accordingly seboolean: name: unconfined_mozilla_plugin_transition state: "{{ var_unconfined_mozilla_plugin_transition }}" persistent: yes tags: - sebool_unconfined_mozilla_plugin_transition - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the conman_can_network SELinux Boolean By default, the SELinux boolean conman_can_network is disabled. If this setting is enabled, it should be disabled. 
To disable the conman_can_network SELinux boolean, run the following command: $ sudo setsebool -P conman_can_network off var_conman_can_network="" setsebool -P conman_can_network $var_conman_can_network - name: XCCDF Value var_conman_can_network # promote to variable set_fact: var_conman_can_network: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_conman_can_network - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean conman_can_network accordingly seboolean: name: conman_can_network state: "{{ var_conman_can_network }}" persistent: yes tags: - sebool_conman_can_network - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the cobbler_can_network_connect SELinux Boolean By default, the SELinux boolean cobbler_can_network_connect is disabled. If this setting is enabled, it should be disabled. 
To disable the cobbler_can_network_connect SELinux boolean, run the following command: $ sudo setsebool -P cobbler_can_network_connect off var_cobbler_can_network_connect="" setsebool -P cobbler_can_network_connect $var_cobbler_can_network_connect - name: XCCDF Value var_cobbler_can_network_connect # promote to variable set_fact: var_cobbler_can_network_connect: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_cobbler_can_network_connect - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean cobbler_can_network_connect accordingly seboolean: name: cobbler_can_network_connect state: "{{ var_cobbler_can_network_connect }}" persistent: yes tags: - sebool_cobbler_can_network_connect - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the daemons_use_tty SELinux Boolean By default, the SELinux boolean daemons_use_tty is disabled. If this setting is enabled, it should be disabled. 
To disable the daemons_use_tty SELinux boolean, run the following command: $ sudo setsebool -P daemons_use_tty off var_daemons_use_tty="" setsebool -P daemons_use_tty $var_daemons_use_tty - name: XCCDF Value var_daemons_use_tty # promote to variable set_fact: var_daemons_use_tty: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_daemons_use_tty - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean daemons_use_tty accordingly seboolean: name: daemons_use_tty state: "{{ var_daemons_use_tty }}" persistent: yes tags: - sebool_daemons_use_tty - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the zoneminder_run_sudo SELinux Boolean By default, the SELinux boolean zoneminder_run_sudo is disabled. If this setting is enabled, it should be disabled. 
To disable the zoneminder_run_sudo SELinux boolean, run the following command: $ sudo setsebool -P zoneminder_run_sudo off var_zoneminder_run_sudo="" setsebool -P zoneminder_run_sudo $var_zoneminder_run_sudo - name: XCCDF Value var_zoneminder_run_sudo # promote to variable set_fact: var_zoneminder_run_sudo: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_zoneminder_run_sudo - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean zoneminder_run_sudo accordingly seboolean: name: zoneminder_run_sudo state: "{{ var_zoneminder_run_sudo }}" persistent: yes tags: - sebool_zoneminder_run_sudo - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Enable the postgresql_selinux_unconfined_dbadm SELinux Boolean By default, the SELinux boolean postgresql_selinux_unconfined_dbadm is enabled. If this setting is disabled, it should be enabled as it allows Database Administrators to execute Data Manipulation Language (DML) statements. 
To enable the postgresql_selinux_unconfined_dbadm SELinux boolean, run the following command: $ sudo setsebool -P postgresql_selinux_unconfined_dbadm on var_postgresql_selinux_unconfined_dbadm="" setsebool -P postgresql_selinux_unconfined_dbadm $var_postgresql_selinux_unconfined_dbadm - name: XCCDF Value var_postgresql_selinux_unconfined_dbadm # promote to variable set_fact: var_postgresql_selinux_unconfined_dbadm: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_postgresql_selinux_unconfined_dbadm - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean postgresql_selinux_unconfined_dbadm accordingly seboolean: name: postgresql_selinux_unconfined_dbadm state: "{{ var_postgresql_selinux_unconfined_dbadm }}" persistent: yes tags: - sebool_postgresql_selinux_unconfined_dbadm - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the samba_export_all_rw SELinux Boolean By default, the SELinux boolean samba_export_all_rw is disabled. If this setting is enabled, it should be disabled. 
To disable the samba_export_all_rw SELinux boolean, run the following command: $ sudo setsebool -P samba_export_all_rw off var_samba_export_all_rw="" setsebool -P samba_export_all_rw $var_samba_export_all_rw - name: XCCDF Value var_samba_export_all_rw # promote to variable set_fact: var_samba_export_all_rw: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_samba_export_all_rw - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean samba_export_all_rw accordingly seboolean: name: samba_export_all_rw state: "{{ var_samba_export_all_rw }}" persistent: yes tags: - sebool_samba_export_all_rw - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Enable the httpd_graceful_shutdown SELinux Boolean By default, the SELinux boolean httpd_graceful_shutdown is enabled. If this setting is disabled, it should be enabled. 
To enable the httpd_graceful_shutdown SELinux boolean, run the following command: $ sudo setsebool -P httpd_graceful_shutdown on var_httpd_graceful_shutdown="" setsebool -P httpd_graceful_shutdown $var_httpd_graceful_shutdown - name: XCCDF Value var_httpd_graceful_shutdown # promote to variable set_fact: var_httpd_graceful_shutdown: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_httpd_graceful_shutdown - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean httpd_graceful_shutdown accordingly seboolean: name: httpd_graceful_shutdown state: "{{ var_httpd_graceful_shutdown }}" persistent: yes tags: - sebool_httpd_graceful_shutdown - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the pppd_can_insmod SELinux Boolean By default, the SELinux boolean pppd_can_insmod is disabled. If this setting is enabled, it should be disabled. 
To disable the pppd_can_insmod SELinux boolean, run the following command: $ sudo setsebool -P pppd_can_insmod off var_pppd_can_insmod="" setsebool -P pppd_can_insmod $var_pppd_can_insmod - name: XCCDF Value var_pppd_can_insmod # promote to variable set_fact: var_pppd_can_insmod: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_pppd_can_insmod - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean pppd_can_insmod accordingly seboolean: name: pppd_can_insmod state: "{{ var_pppd_can_insmod }}" persistent: yes tags: - sebool_pppd_can_insmod - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the webadm_manage_user_files SELinux Boolean By default, the SELinux boolean webadm_manage_user_files is disabled. If this setting is enabled, it should be disabled. 
To disable the webadm_manage_user_files SELinux boolean, run the following command: $ sudo setsebool -P webadm_manage_user_files off var_webadm_manage_user_files="" setsebool -P webadm_manage_user_files $var_webadm_manage_user_files - name: XCCDF Value var_webadm_manage_user_files # promote to variable set_fact: var_webadm_manage_user_files: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_webadm_manage_user_files - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean webadm_manage_user_files accordingly seboolean: name: webadm_manage_user_files state: "{{ var_webadm_manage_user_files }}" persistent: yes tags: - sebool_webadm_manage_user_files - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the secure_mode SELinux Boolean By default, the SELinux boolean secure_mode is disabled. If this setting is enabled, it should be disabled. 
To disable the secure_mode SELinux boolean, run the following command: $ sudo setsebool -P secure_mode off var_secure_mode="" setsebool -P secure_mode $var_secure_mode - name: XCCDF Value var_secure_mode # promote to variable set_fact: var_secure_mode: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_secure_mode - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean secure_mode accordingly seboolean: name: secure_mode state: "{{ var_secure_mode }}" persistent: yes tags: - sebool_secure_mode - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the cluster_use_execmem SELinux Boolean By default, the SELinux boolean cluster_use_execmem is disabled. If this setting is enabled, it should be disabled. 
To disable the cluster_use_execmem SELinux boolean, run the following command: $ sudo setsebool -P cluster_use_execmem off var_cluster_use_execmem="" setsebool -P cluster_use_execmem $var_cluster_use_execmem - name: XCCDF Value var_cluster_use_execmem # promote to variable set_fact: var_cluster_use_execmem: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_cluster_use_execmem - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean cluster_use_execmem accordingly seboolean: name: cluster_use_execmem state: "{{ var_cluster_use_execmem }}" persistent: yes tags: - sebool_cluster_use_execmem - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the httpd_serve_cobbler_files SELinux Boolean By default, the SELinux boolean httpd_serve_cobbler_files is disabled. If this setting is enabled, it should be disabled. 
To disable the httpd_serve_cobbler_files SELinux boolean, run the following command: $ sudo setsebool -P httpd_serve_cobbler_files off var_httpd_serve_cobbler_files="" setsebool -P httpd_serve_cobbler_files $var_httpd_serve_cobbler_files - name: XCCDF Value var_httpd_serve_cobbler_files # promote to variable set_fact: var_httpd_serve_cobbler_files: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_httpd_serve_cobbler_files - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean httpd_serve_cobbler_files accordingly seboolean: name: httpd_serve_cobbler_files state: "{{ var_httpd_serve_cobbler_files }}" persistent: yes tags: - sebool_httpd_serve_cobbler_files - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the irssi_use_full_network SELinux Boolean By default, the SELinux boolean irssi_use_full_network is disabled. If this setting is enabled, it should be disabled. 
To disable the irssi_use_full_network SELinux boolean, run the following command: $ sudo setsebool -P irssi_use_full_network off var_irssi_use_full_network="" setsebool -P irssi_use_full_network $var_irssi_use_full_network - name: XCCDF Value var_irssi_use_full_network # promote to variable set_fact: var_irssi_use_full_network: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_irssi_use_full_network - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean irssi_use_full_network accordingly seboolean: name: irssi_use_full_network state: "{{ var_irssi_use_full_network }}" persistent: yes tags: - sebool_irssi_use_full_network - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the xdm_bind_vnc_tcp_port SELinux Boolean By default, the SELinux boolean xdm_bind_vnc_tcp_port is disabled. If this setting is enabled, it should be disabled. 
To disable the xdm_bind_vnc_tcp_port SELinux boolean, run the following command: $ sudo setsebool -P xdm_bind_vnc_tcp_port off var_xdm_bind_vnc_tcp_port="" setsebool -P xdm_bind_vnc_tcp_port $var_xdm_bind_vnc_tcp_port - name: XCCDF Value var_xdm_bind_vnc_tcp_port # promote to variable set_fact: var_xdm_bind_vnc_tcp_port: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_xdm_bind_vnc_tcp_port - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean xdm_bind_vnc_tcp_port accordingly seboolean: name: xdm_bind_vnc_tcp_port state: "{{ var_xdm_bind_vnc_tcp_port }}" persistent: yes tags: - sebool_xdm_bind_vnc_tcp_port - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Configure the selinuxuser_direct_dri_enabled SELinux Boolean By default, the SELinux boolean selinuxuser_direct_dri_enabled is enabled. If XWindows is not installed or used on the system, this setting should be disabled. Otherwise, enable it. 
To disable the selinuxuser_direct_dri_enabled SELinux boolean, run the following command: $ sudo setsebool -P selinuxuser_direct_dri_enabled off var_selinuxuser_direct_dri_enabled="" setsebool -P selinuxuser_direct_dri_enabled $var_selinuxuser_direct_dri_enabled - name: XCCDF Value var_selinuxuser_direct_dri_enabled # promote to variable set_fact: var_selinuxuser_direct_dri_enabled: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_selinuxuser_direct_dri_enabled - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean selinuxuser_direct_dri_enabled accordingly seboolean: name: selinuxuser_direct_dri_enabled state: "{{ var_selinuxuser_direct_dri_enabled }}" persistent: yes tags: - sebool_selinuxuser_direct_dri_enabled - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the swift_can_network SELinux Boolean By default, the SELinux boolean swift_can_network is disabled. If this setting is enabled, it should be disabled. 
To disable the swift_can_network SELinux boolean, run the following command: $ sudo setsebool -P swift_can_network off var_swift_can_network="" setsebool -P swift_can_network $var_swift_can_network - name: XCCDF Value var_swift_can_network # promote to variable set_fact: var_swift_can_network: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_swift_can_network - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean swift_can_network accordingly seboolean: name: swift_can_network state: "{{ var_swift_can_network }}" persistent: yes tags: - sebool_swift_can_network - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the httpd_can_connect_zabbix SELinux Boolean By default, the SELinux boolean httpd_can_connect_zabbix is disabled. If this setting is enabled, it should be disabled. 
To disable the httpd_can_connect_zabbix SELinux boolean, run the following command: $ sudo setsebool -P httpd_can_connect_zabbix off var_httpd_can_connect_zabbix="" setsebool -P httpd_can_connect_zabbix $var_httpd_can_connect_zabbix - name: XCCDF Value var_httpd_can_connect_zabbix # promote to variable set_fact: var_httpd_can_connect_zabbix: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_httpd_can_connect_zabbix - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean httpd_can_connect_zabbix accordingly seboolean: name: httpd_can_connect_zabbix state: "{{ var_httpd_can_connect_zabbix }}" persistent: yes tags: - sebool_httpd_can_connect_zabbix - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the mcelog_foreground SELinux Boolean By default, the SELinux boolean mcelog_foreground is disabled. If this setting is enabled, it should be disabled. 
To disable the mcelog_foreground SELinux boolean, run the following command:

$ sudo setsebool -P mcelog_foreground off

var_mcelog_foreground=""
setsebool -P mcelog_foreground $var_mcelog_foreground

- name: XCCDF Value var_mcelog_foreground # promote to variable
  set_fact:
    var_mcelog_foreground: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_mcelog_foreground
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean mcelog_foreground accordingly
  seboolean:
    name: mcelog_foreground
    state: "{{ var_mcelog_foreground }}"
    persistent: yes
  tags:
    - sebool_mcelog_foreground
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the cobbler_use_cifs SELinux Boolean

By default, the SELinux boolean cobbler_use_cifs is disabled. If this setting is enabled, it should be disabled.
To disable the cobbler_use_cifs SELinux boolean, run the following command:

$ sudo setsebool -P cobbler_use_cifs off

var_cobbler_use_cifs=""
setsebool -P cobbler_use_cifs $var_cobbler_use_cifs

- name: XCCDF Value var_cobbler_use_cifs # promote to variable
  set_fact:
    var_cobbler_use_cifs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_cobbler_use_cifs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean cobbler_use_cifs accordingly
  seboolean:
    name: cobbler_use_cifs
    state: "{{ var_cobbler_use_cifs }}"
    persistent: yes
  tags:
    - sebool_cobbler_use_cifs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the virt_sandbox_use_sys_admin SELinux Boolean

By default, the SELinux boolean virt_sandbox_use_sys_admin is disabled. If this setting is enabled, it should be disabled.
To disable the virt_sandbox_use_sys_admin SELinux boolean, run the following command:

$ sudo setsebool -P virt_sandbox_use_sys_admin off

var_virt_sandbox_use_sys_admin=""
setsebool -P virt_sandbox_use_sys_admin $var_virt_sandbox_use_sys_admin

- name: XCCDF Value var_virt_sandbox_use_sys_admin # promote to variable
  set_fact:
    var_virt_sandbox_use_sys_admin: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_virt_sandbox_use_sys_admin
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean virt_sandbox_use_sys_admin accordingly
  seboolean:
    name: virt_sandbox_use_sys_admin
    state: "{{ var_virt_sandbox_use_sys_admin }}"
    persistent: yes
  tags:
    - sebool_virt_sandbox_use_sys_admin
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the virt_use_execmem SELinux Boolean

By default, the SELinux boolean virt_use_execmem is disabled. If this setting is enabled, it should be disabled.
To disable the virt_use_execmem SELinux boolean, run the following command:

$ sudo setsebool -P virt_use_execmem off

var_virt_use_execmem=""
setsebool -P virt_use_execmem $var_virt_use_execmem

- name: XCCDF Value var_virt_use_execmem # promote to variable
  set_fact:
    var_virt_use_execmem: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_virt_use_execmem
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean virt_use_execmem accordingly
  seboolean:
    name: virt_use_execmem
    state: "{{ var_virt_use_execmem }}"
    persistent: yes
  tags:
    - sebool_virt_use_execmem
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the exim_can_connect_db SELinux Boolean

By default, the SELinux boolean exim_can_connect_db is disabled. If this setting is enabled, it should be disabled.
To disable the exim_can_connect_db SELinux boolean, run the following command:

$ sudo setsebool -P exim_can_connect_db off

var_exim_can_connect_db=""
setsebool -P exim_can_connect_db $var_exim_can_connect_db

- name: XCCDF Value var_exim_can_connect_db # promote to variable
  set_fact:
    var_exim_can_connect_db: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_exim_can_connect_db
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean exim_can_connect_db accordingly
  seboolean:
    name: exim_can_connect_db
    state: "{{ var_exim_can_connect_db }}"
    persistent: yes
  tags:
    - sebool_exim_can_connect_db
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the cluster_manage_all_files SELinux Boolean

By default, the SELinux boolean cluster_manage_all_files is disabled. If this setting is enabled, it should be disabled.
To disable the cluster_manage_all_files SELinux boolean, run the following command:

$ sudo setsebool -P cluster_manage_all_files off

var_cluster_manage_all_files=""
setsebool -P cluster_manage_all_files $var_cluster_manage_all_files

- name: XCCDF Value var_cluster_manage_all_files # promote to variable
  set_fact:
    var_cluster_manage_all_files: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_cluster_manage_all_files
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean cluster_manage_all_files accordingly
  seboolean:
    name: cluster_manage_all_files
    state: "{{ var_cluster_manage_all_files }}"
    persistent: yes
  tags:
    - sebool_cluster_manage_all_files
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the xserver_execmem SELinux Boolean

By default, the SELinux boolean xserver_execmem is disabled. If this setting is enabled, it should be disabled.
To disable the xserver_execmem SELinux boolean, run the following command:

$ sudo setsebool -P xserver_execmem off

var_xserver_execmem=""
setsebool -P xserver_execmem $var_xserver_execmem

- name: XCCDF Value var_xserver_execmem # promote to variable
  set_fact:
    var_xserver_execmem: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_xserver_execmem
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean xserver_execmem accordingly
  seboolean:
    name: xserver_execmem
    state: "{{ var_xserver_execmem }}"
    persistent: yes
  tags:
    - sebool_xserver_execmem
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the cobbler_use_nfs SELinux Boolean

By default, the SELinux boolean cobbler_use_nfs is disabled. If this setting is enabled, it should be disabled.
To disable the cobbler_use_nfs SELinux boolean, run the following command:

$ sudo setsebool -P cobbler_use_nfs off

var_cobbler_use_nfs=""
setsebool -P cobbler_use_nfs $var_cobbler_use_nfs

- name: XCCDF Value var_cobbler_use_nfs # promote to variable
  set_fact:
    var_cobbler_use_nfs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_cobbler_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean cobbler_use_nfs accordingly
  seboolean:
    name: cobbler_use_nfs
    state: "{{ var_cobbler_use_nfs }}"
    persistent: yes
  tags:
    - sebool_cobbler_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the cups_execmem SELinux Boolean

By default, the SELinux boolean cups_execmem is disabled. If this setting is enabled, it should be disabled.
To disable the cups_execmem SELinux boolean, run the following command:

$ sudo setsebool -P cups_execmem off

var_cups_execmem=""
setsebool -P cups_execmem $var_cups_execmem

- name: XCCDF Value var_cups_execmem # promote to variable
  set_fact:
    var_cups_execmem: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_cups_execmem
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean cups_execmem accordingly
  seboolean:
    name: cups_execmem
    state: "{{ var_cups_execmem }}"
    persistent: yes
  tags:
    - sebool_cups_execmem
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the puppetmaster_use_db SELinux Boolean

By default, the SELinux boolean puppetmaster_use_db is disabled. If this setting is enabled, it should be disabled.
To disable the puppetmaster_use_db SELinux boolean, run the following command:

$ sudo setsebool -P puppetmaster_use_db off

var_puppetmaster_use_db=""
setsebool -P puppetmaster_use_db $var_puppetmaster_use_db

- name: XCCDF Value var_puppetmaster_use_db # promote to variable
  set_fact:
    var_puppetmaster_use_db: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_puppetmaster_use_db
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean puppetmaster_use_db accordingly
  seboolean:
    name: puppetmaster_use_db
    state: "{{ var_puppetmaster_use_db }}"
    persistent: yes
  tags:
    - sebool_puppetmaster_use_db
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the xserver_clients_write_xshm SELinux Boolean

By default, the SELinux boolean xserver_clients_write_xshm is disabled. If this setting is enabled, it should be disabled.
To disable the xserver_clients_write_xshm SELinux boolean, run the following command:

$ sudo setsebool -P xserver_clients_write_xshm off

var_xserver_clients_write_xshm=""
setsebool -P xserver_clients_write_xshm $var_xserver_clients_write_xshm

- name: XCCDF Value var_xserver_clients_write_xshm # promote to variable
  set_fact:
    var_xserver_clients_write_xshm: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_xserver_clients_write_xshm
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean xserver_clients_write_xshm accordingly
  seboolean:
    name: xserver_clients_write_xshm
    state: "{{ var_xserver_clients_write_xshm }}"
    persistent: yes
  tags:
    - sebool_xserver_clients_write_xshm
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the use_ecryptfs_home_dirs SELinux Boolean

By default, the SELinux boolean use_ecryptfs_home_dirs is disabled. If this setting is enabled, it should be disabled.
To disable the use_ecryptfs_home_dirs SELinux boolean, run the following command:

$ sudo setsebool -P use_ecryptfs_home_dirs off

var_use_ecryptfs_home_dirs=""
setsebool -P use_ecryptfs_home_dirs $var_use_ecryptfs_home_dirs

- name: XCCDF Value var_use_ecryptfs_home_dirs # promote to variable
  set_fact:
    var_use_ecryptfs_home_dirs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_use_ecryptfs_home_dirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean use_ecryptfs_home_dirs accordingly
  seboolean:
    name: use_ecryptfs_home_dirs
    state: "{{ var_use_ecryptfs_home_dirs }}"
    persistent: yes
  tags:
    - sebool_use_ecryptfs_home_dirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the dbadm_exec_content SELinux Boolean

By default, the SELinux boolean dbadm_exec_content is enabled. If this setting is disabled, it should be enabled.
To enable the dbadm_exec_content SELinux boolean, run the following command:

$ sudo setsebool -P dbadm_exec_content on

var_dbadm_exec_content=""
setsebool -P dbadm_exec_content $var_dbadm_exec_content

- name: XCCDF Value var_dbadm_exec_content # promote to variable
  set_fact:
    var_dbadm_exec_content: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_dbadm_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean dbadm_exec_content accordingly
  seboolean:
    name: dbadm_exec_content
    state: "{{ var_dbadm_exec_content }}"
    persistent: yes
  tags:
    - sebool_dbadm_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the use_nfs_home_dirs SELinux Boolean

By default, the SELinux boolean use_nfs_home_dirs is disabled. If this setting is enabled, it should be disabled.
To disable the use_nfs_home_dirs SELinux boolean, run the following command:

$ sudo setsebool -P use_nfs_home_dirs off

var_use_nfs_home_dirs=""
setsebool -P use_nfs_home_dirs $var_use_nfs_home_dirs

- name: XCCDF Value var_use_nfs_home_dirs # promote to variable
  set_fact:
    var_use_nfs_home_dirs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_use_nfs_home_dirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean use_nfs_home_dirs accordingly
  seboolean:
    name: use_nfs_home_dirs
    state: "{{ var_use_nfs_home_dirs }}"
    persistent: yes
  tags:
    - sebool_use_nfs_home_dirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the tor_can_network_relay SELinux Boolean

By default, the SELinux boolean tor_can_network_relay is disabled. If this setting is enabled, it should be disabled.
To disable the tor_can_network_relay SELinux boolean, run the following command:

$ sudo setsebool -P tor_can_network_relay off

var_tor_can_network_relay=""
setsebool -P tor_can_network_relay $var_tor_can_network_relay

- name: XCCDF Value var_tor_can_network_relay # promote to variable
  set_fact:
    var_tor_can_network_relay: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_tor_can_network_relay
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean tor_can_network_relay accordingly
  seboolean:
    name: tor_can_network_relay
    state: "{{ var_tor_can_network_relay }}"
    persistent: yes
  tags:
    - sebool_tor_can_network_relay
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_unified SELinux Boolean

By default, the SELinux boolean httpd_unified is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_unified SELinux boolean, run the following command:

$ sudo setsebool -P httpd_unified off

var_httpd_unified=""
setsebool -P httpd_unified $var_httpd_unified

- name: XCCDF Value var_httpd_unified # promote to variable
  set_fact:
    var_httpd_unified: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_httpd_unified
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean httpd_unified accordingly
  seboolean:
    name: httpd_unified
    state: "{{ var_httpd_unified }}"
    persistent: yes
  tags:
    - sebool_httpd_unified
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the mock_enable_homedirs SELinux Boolean

By default, the SELinux boolean mock_enable_homedirs is disabled. If this setting is enabled, it should be disabled.
To disable the mock_enable_homedirs SELinux boolean, run the following command:

$ sudo setsebool -P mock_enable_homedirs off

var_mock_enable_homedirs=""
setsebool -P mock_enable_homedirs $var_mock_enable_homedirs

- name: XCCDF Value var_mock_enable_homedirs # promote to variable
  set_fact:
    var_mock_enable_homedirs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_mock_enable_homedirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean mock_enable_homedirs accordingly
  seboolean:
    name: mock_enable_homedirs
    state: "{{ var_mock_enable_homedirs }}"
    persistent: yes
  tags:
    - sebool_mock_enable_homedirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_can_network_relay SELinux Boolean

By default, the SELinux boolean httpd_can_network_relay is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_can_network_relay SELinux boolean, run the following command:

$ sudo setsebool -P httpd_can_network_relay off

var_httpd_can_network_relay=""
setsebool -P httpd_can_network_relay $var_httpd_can_network_relay

- name: XCCDF Value var_httpd_can_network_relay # promote to variable
  set_fact:
    var_httpd_can_network_relay: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_httpd_can_network_relay
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean httpd_can_network_relay accordingly
  seboolean:
    name: httpd_can_network_relay
    state: "{{ var_httpd_can_network_relay }}"
    persistent: yes
  tags:
    - sebool_httpd_can_network_relay
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the xguest_exec_content SELinux Boolean

By default, the SELinux boolean xguest_exec_content is enabled. This setting should be disabled as guest users should not be able to run executables.
To disable the xguest_exec_content SELinux boolean, run the following command:

$ sudo setsebool -P xguest_exec_content off

var_xguest_exec_content=""
setsebool -P xguest_exec_content $var_xguest_exec_content

- name: XCCDF Value var_xguest_exec_content # promote to variable
  set_fact:
    var_xguest_exec_content: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_xguest_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean xguest_exec_content accordingly
  seboolean:
    name: xguest_exec_content
    state: "{{ var_xguest_exec_content }}"
    persistent: yes
  tags:
    - sebool_xguest_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the nagios_run_sudo SELinux Boolean

By default, the SELinux boolean nagios_run_sudo is disabled. If this setting is enabled, it should be disabled.
To disable the nagios_run_sudo SELinux boolean, run the following command:

$ sudo setsebool -P nagios_run_sudo off

var_nagios_run_sudo=""
setsebool -P nagios_run_sudo $var_nagios_run_sudo

- name: XCCDF Value var_nagios_run_sudo # promote to variable
  set_fact:
    var_nagios_run_sudo: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_nagios_run_sudo
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean nagios_run_sudo accordingly
  seboolean:
    name: nagios_run_sudo
    state: "{{ var_nagios_run_sudo }}"
    persistent: yes
  tags:
    - sebool_nagios_run_sudo
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the virt_transition_userdomain SELinux Boolean

By default, the SELinux boolean virt_transition_userdomain is disabled. If this setting is enabled, it should be disabled.
To disable the virt_transition_userdomain SELinux boolean, run the following command:

$ sudo setsebool -P virt_transition_userdomain off

var_virt_transition_userdomain=""
setsebool -P virt_transition_userdomain $var_virt_transition_userdomain

- name: XCCDF Value var_virt_transition_userdomain # promote to variable
  set_fact:
    var_virt_transition_userdomain: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_virt_transition_userdomain
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean virt_transition_userdomain accordingly
  seboolean:
    name: virt_transition_userdomain
    state: "{{ var_virt_transition_userdomain }}"
    persistent: yes
  tags:
    - sebool_virt_transition_userdomain
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_ssi_exec SELinux Boolean

By default, the SELinux boolean httpd_ssi_exec is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_ssi_exec SELinux boolean, run the following command:

$ sudo setsebool -P httpd_ssi_exec off

var_httpd_ssi_exec=""
setsebool -P httpd_ssi_exec $var_httpd_ssi_exec

- name: XCCDF Value var_httpd_ssi_exec # promote to variable
  set_fact:
    var_httpd_ssi_exec: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_httpd_ssi_exec
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean httpd_ssi_exec accordingly
  seboolean:
    name: httpd_ssi_exec
    state: "{{ var_httpd_ssi_exec }}"
    persistent: yes
  tags:
    - sebool_httpd_ssi_exec
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the ksmtuned_use_cifs SELinux Boolean

By default, the SELinux boolean ksmtuned_use_cifs is disabled. If this setting is enabled, it should be disabled.
To disable the ksmtuned_use_cifs SELinux boolean, run the following command:

$ sudo setsebool -P ksmtuned_use_cifs off

var_ksmtuned_use_cifs=""
setsebool -P ksmtuned_use_cifs $var_ksmtuned_use_cifs

- name: XCCDF Value var_ksmtuned_use_cifs # promote to variable
  set_fact:
    var_ksmtuned_use_cifs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_ksmtuned_use_cifs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean ksmtuned_use_cifs accordingly
  seboolean:
    name: ksmtuned_use_cifs
    state: "{{ var_ksmtuned_use_cifs }}"
    persistent: yes
  tags:
    - sebool_ksmtuned_use_cifs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the mpd_use_cifs SELinux Boolean

By default, the SELinux boolean mpd_use_cifs is disabled. If this setting is enabled, it should be disabled.
To disable the mpd_use_cifs SELinux boolean, run the following command:

$ sudo setsebool -P mpd_use_cifs off

var_mpd_use_cifs=""
setsebool -P mpd_use_cifs $var_mpd_use_cifs

- name: XCCDF Value var_mpd_use_cifs # promote to variable
  set_fact:
    var_mpd_use_cifs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_mpd_use_cifs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean mpd_use_cifs accordingly
  seboolean:
    name: mpd_use_cifs
    state: "{{ var_mpd_use_cifs }}"
    persistent: yes
  tags:
    - sebool_mpd_use_cifs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the use_lpd_server SELinux Boolean

By default, the SELinux boolean use_lpd_server is disabled. If this setting is enabled, it should be disabled.
To disable the use_lpd_server SELinux boolean, run the following command:

$ sudo setsebool -P use_lpd_server off

var_use_lpd_server=""
setsebool -P use_lpd_server $var_use_lpd_server

- name: XCCDF Value var_use_lpd_server # promote to variable
  set_fact:
    var_use_lpd_server: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_use_lpd_server
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean use_lpd_server accordingly
  seboolean:
    name: use_lpd_server
    state: "{{ var_use_lpd_server }}"
    persistent: yes
  tags:
    - sebool_use_lpd_server
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the polipo_use_nfs SELinux Boolean

By default, the SELinux boolean polipo_use_nfs is disabled. If this setting is enabled, it should be disabled.
To disable the polipo_use_nfs SELinux boolean, run the following command:

    $ sudo setsebool -P polipo_use_nfs off

Remediation Shell script:

    var_polipo_use_nfs=""

    setsebool -P polipo_use_nfs $var_polipo_use_nfs

Remediation Ansible snippet:

    - name: XCCDF Value var_polipo_use_nfs # promote to variable
      set_fact:
        var_polipo_use_nfs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_polipo_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean polipo_use_nfs accordingly
      seboolean:
        name: polipo_use_nfs
        state: "{{ var_polipo_use_nfs }}"
        persistent: yes
      tags:
        - sebool_polipo_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the lsmd_plugin_connect_any SELinux Boolean

By default, the SELinux boolean lsmd_plugin_connect_any is disabled. If this setting is enabled, it should be disabled.
To disable the lsmd_plugin_connect_any SELinux boolean, run the following command:

    $ sudo setsebool -P lsmd_plugin_connect_any off

Remediation Shell script:

    var_lsmd_plugin_connect_any=""

    setsebool -P lsmd_plugin_connect_any $var_lsmd_plugin_connect_any

Remediation Ansible snippet:

    - name: XCCDF Value var_lsmd_plugin_connect_any # promote to variable
      set_fact:
        var_lsmd_plugin_connect_any: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_lsmd_plugin_connect_any
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean lsmd_plugin_connect_any accordingly
      seboolean:
        name: lsmd_plugin_connect_any
        state: "{{ var_lsmd_plugin_connect_any }}"
        persistent: yes
      tags:
        - sebool_lsmd_plugin_connect_any
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the ftpd_connect_all_unreserved SELinux Boolean

By default, the SELinux boolean ftpd_connect_all_unreserved is disabled. If this setting is enabled, it should be disabled.
To disable the ftpd_connect_all_unreserved SELinux boolean, run the following command:

    $ sudo setsebool -P ftpd_connect_all_unreserved off

Remediation Shell script:

    var_ftpd_connect_all_unreserved=""

    setsebool -P ftpd_connect_all_unreserved $var_ftpd_connect_all_unreserved

Remediation Ansible snippet:

    - name: XCCDF Value var_ftpd_connect_all_unreserved # promote to variable
      set_fact:
        var_ftpd_connect_all_unreserved: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_ftpd_connect_all_unreserved
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean ftpd_connect_all_unreserved accordingly
      seboolean:
        name: ftpd_connect_all_unreserved
        state: "{{ var_ftpd_connect_all_unreserved }}"
        persistent: yes
      tags:
        - sebool_ftpd_connect_all_unreserved
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the virt_use_rawip SELinux Boolean

By default, the SELinux boolean virt_use_rawip is disabled. If this setting is enabled, it should be disabled.
To disable the virt_use_rawip SELinux boolean, run the following command:

    $ sudo setsebool -P virt_use_rawip off

Remediation Shell script:

    var_virt_use_rawip=""

    setsebool -P virt_use_rawip $var_virt_use_rawip

Remediation Ansible snippet:

    - name: XCCDF Value var_virt_use_rawip # promote to variable
      set_fact:
        var_virt_use_rawip: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_virt_use_rawip
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean virt_use_rawip accordingly
      seboolean:
        name: virt_use_rawip
        state: "{{ var_virt_use_rawip }}"
        persistent: yes
      tags:
        - sebool_virt_use_rawip
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the gpg_web_anon_write SELinux Boolean

By default, the SELinux boolean gpg_web_anon_write is disabled. If this setting is enabled, it should be disabled.
To disable the gpg_web_anon_write SELinux boolean, run the following command:

    $ sudo setsebool -P gpg_web_anon_write off

Remediation Shell script:

    var_gpg_web_anon_write=""

    setsebool -P gpg_web_anon_write $var_gpg_web_anon_write

Remediation Ansible snippet:

    - name: XCCDF Value var_gpg_web_anon_write # promote to variable
      set_fact:
        var_gpg_web_anon_write: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_gpg_web_anon_write
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean gpg_web_anon_write accordingly
      seboolean:
        name: gpg_web_anon_write
        state: "{{ var_gpg_web_anon_write }}"
        persistent: yes
      tags:
        - sebool_gpg_web_anon_write
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the telepathy_connect_all_ports SELinux Boolean

By default, the SELinux boolean telepathy_connect_all_ports is disabled. If this setting is enabled, it should be disabled.
To disable the telepathy_connect_all_ports SELinux boolean, run the following command:

    $ sudo setsebool -P telepathy_connect_all_ports off

Remediation Shell script:

    var_telepathy_connect_all_ports=""

    setsebool -P telepathy_connect_all_ports $var_telepathy_connect_all_ports

Remediation Ansible snippet:

    - name: XCCDF Value var_telepathy_connect_all_ports # promote to variable
      set_fact:
        var_telepathy_connect_all_ports: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_telepathy_connect_all_ports
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean telepathy_connect_all_ports accordingly
      seboolean:
        name: telepathy_connect_all_ports
        state: "{{ var_telepathy_connect_all_ports }}"
        persistent: yes
      tags:
        - sebool_telepathy_connect_all_ports
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the tor_bind_all_unreserved_ports SELinux Boolean

By default, the SELinux boolean tor_bind_all_unreserved_ports is disabled. If this setting is enabled, it should be disabled.
To disable the tor_bind_all_unreserved_ports SELinux boolean, run the following command:

    $ sudo setsebool -P tor_bind_all_unreserved_ports off

Remediation Shell script:

    var_tor_bind_all_unreserved_ports=""

    setsebool -P tor_bind_all_unreserved_ports $var_tor_bind_all_unreserved_ports

Remediation Ansible snippet:

    - name: XCCDF Value var_tor_bind_all_unreserved_ports # promote to variable
      set_fact:
        var_tor_bind_all_unreserved_ports: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_tor_bind_all_unreserved_ports
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean tor_bind_all_unreserved_ports accordingly
      seboolean:
        name: tor_bind_all_unreserved_ports
        state: "{{ var_tor_bind_all_unreserved_ports }}"
        persistent: yes
      tags:
        - sebool_tor_bind_all_unreserved_ports
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the dhcpc_exec_iptables SELinux Boolean

By default, the SELinux boolean dhcpc_exec_iptables is disabled. If this setting is enabled, it should be disabled.
To disable the dhcpc_exec_iptables SELinux boolean, run the following command:

    $ sudo setsebool -P dhcpc_exec_iptables off

Remediation Shell script:

    var_dhcpc_exec_iptables=""

    setsebool -P dhcpc_exec_iptables $var_dhcpc_exec_iptables

Remediation Ansible snippet:

    - name: XCCDF Value var_dhcpc_exec_iptables # promote to variable
      set_fact:
        var_dhcpc_exec_iptables: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_dhcpc_exec_iptables
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean dhcpc_exec_iptables accordingly
      seboolean:
        name: dhcpc_exec_iptables
        state: "{{ var_dhcpc_exec_iptables }}"
        persistent: yes
      tags:
        - sebool_dhcpc_exec_iptables
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the domain_fd_use SELinux Boolean

By default, the SELinux boolean domain_fd_use is enabled. If this setting is disabled, it should be enabled.
To enable the domain_fd_use SELinux boolean, run the following command:

    $ sudo setsebool -P domain_fd_use on

Remediation Shell script:

    var_domain_fd_use=""

    setsebool -P domain_fd_use $var_domain_fd_use

Remediation Ansible snippet:

    - name: XCCDF Value var_domain_fd_use # promote to variable
      set_fact:
        var_domain_fd_use: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_domain_fd_use
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean domain_fd_use accordingly
      seboolean:
        name: domain_fd_use
        state: "{{ var_domain_fd_use }}"
        persistent: yes
      tags:
        - sebool_domain_fd_use
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the polipo_use_cifs SELinux Boolean

By default, the SELinux boolean polipo_use_cifs is disabled. If this setting is enabled, it should be disabled.
To disable the polipo_use_cifs SELinux boolean, run the following command:

    $ sudo setsebool -P polipo_use_cifs off

Remediation Shell script:

    var_polipo_use_cifs=""

    setsebool -P polipo_use_cifs $var_polipo_use_cifs

Remediation Ansible snippet:

    - name: XCCDF Value var_polipo_use_cifs # promote to variable
      set_fact:
        var_polipo_use_cifs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_polipo_use_cifs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean polipo_use_cifs accordingly
      seboolean:
        name: polipo_use_cifs
        state: "{{ var_polipo_use_cifs }}"
        persistent: yes
      tags:
        - sebool_polipo_use_cifs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the samba_create_home_dirs SELinux Boolean

By default, the SELinux boolean samba_create_home_dirs is disabled. If this setting is enabled, it should be disabled.
To disable the samba_create_home_dirs SELinux boolean, run the following command:

    $ sudo setsebool -P samba_create_home_dirs off

Remediation Shell script:

    var_samba_create_home_dirs=""

    setsebool -P samba_create_home_dirs $var_samba_create_home_dirs

Remediation Ansible snippet:

    - name: XCCDF Value var_samba_create_home_dirs # promote to variable
      set_fact:
        var_samba_create_home_dirs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_samba_create_home_dirs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean samba_create_home_dirs accordingly
      seboolean:
        name: samba_create_home_dirs
        state: "{{ var_samba_create_home_dirs }}"
        persistent: yes
      tags:
        - sebool_samba_create_home_dirs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the mmap_low_allowed SELinux Boolean

By default, the SELinux boolean mmap_low_allowed is disabled. If this setting is enabled, it should be disabled.
To disable the mmap_low_allowed SELinux boolean, run the following command:

    $ sudo setsebool -P mmap_low_allowed off

Remediation Shell script:

    var_mmap_low_allowed=""

    setsebool -P mmap_low_allowed $var_mmap_low_allowed

Remediation Ansible snippet:

    - name: XCCDF Value var_mmap_low_allowed # promote to variable
      set_fact:
        var_mmap_low_allowed: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_mmap_low_allowed
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean mmap_low_allowed accordingly
      seboolean:
        name: mmap_low_allowed
        state: "{{ var_mmap_low_allowed }}"
        persistent: yes
      tags:
        - sebool_mmap_low_allowed
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the selinuxuser_share_music SELinux Boolean

By default, the SELinux boolean selinuxuser_share_music is disabled. If this setting is enabled, it should be disabled.
To disable the selinuxuser_share_music SELinux boolean, run the following command:

    $ sudo setsebool -P selinuxuser_share_music off

Remediation Shell script:

    var_selinuxuser_share_music=""

    setsebool -P selinuxuser_share_music $var_selinuxuser_share_music

Remediation Ansible snippet:

    - name: XCCDF Value var_selinuxuser_share_music # promote to variable
      set_fact:
        var_selinuxuser_share_music: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_selinuxuser_share_music
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean selinuxuser_share_music accordingly
      seboolean:
        name: selinuxuser_share_music
        state: "{{ var_selinuxuser_share_music }}"
        persistent: yes
      tags:
        - sebool_selinuxuser_share_music
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the ftpd_use_cifs SELinux Boolean

By default, the SELinux boolean ftpd_use_cifs is disabled. If this setting is enabled, it should be disabled.
To disable the ftpd_use_cifs SELinux boolean, run the following command:

    $ sudo setsebool -P ftpd_use_cifs off

Remediation Shell script:

    var_ftpd_use_cifs=""

    setsebool -P ftpd_use_cifs $var_ftpd_use_cifs

Remediation Ansible snippet:

    - name: XCCDF Value var_ftpd_use_cifs # promote to variable
      set_fact:
        var_ftpd_use_cifs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_ftpd_use_cifs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean ftpd_use_cifs accordingly
      seboolean:
        name: ftpd_use_cifs
        state: "{{ var_ftpd_use_cifs }}"
        persistent: yes
      tags:
        - sebool_ftpd_use_cifs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the xend_run_blktap SELinux Boolean

By default, the SELinux boolean xend_run_blktap is enabled. If this setting is disabled, it should be enabled.
To enable the xend_run_blktap SELinux boolean, run the following command:

    $ sudo setsebool -P xend_run_blktap on

Remediation Shell script:

    var_xend_run_blktap=""

    setsebool -P xend_run_blktap $var_xend_run_blktap

Remediation Ansible snippet:

    - name: XCCDF Value var_xend_run_blktap # promote to variable
      set_fact:
        var_xend_run_blktap: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_xend_run_blktap
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean xend_run_blktap accordingly
      seboolean:
        name: xend_run_blktap
        state: "{{ var_xend_run_blktap }}"
        persistent: yes
      tags:
        - sebool_xend_run_blktap
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the mcelog_client SELinux Boolean

By default, the SELinux boolean mcelog_client is disabled. If this setting is enabled, it should be disabled.
To disable the mcelog_client SELinux boolean, run the following command:

    $ sudo setsebool -P mcelog_client off

Remediation Shell script:

    var_mcelog_client=""

    setsebool -P mcelog_client $var_mcelog_client

Remediation Ansible snippet:

    - name: XCCDF Value var_mcelog_client # promote to variable
      set_fact:
        var_mcelog_client: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_mcelog_client
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean mcelog_client accordingly
      seboolean:
        name: mcelog_client
        state: "{{ var_mcelog_client }}"
        persistent: yes
      tags:
        - sebool_mcelog_client
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the cluster_can_network_connect SELinux Boolean

By default, the SELinux boolean cluster_can_network_connect is disabled. If this setting is enabled, it should be disabled.
To disable the cluster_can_network_connect SELinux boolean, run the following command:

    $ sudo setsebool -P cluster_can_network_connect off

Remediation Shell script:

    var_cluster_can_network_connect=""

    setsebool -P cluster_can_network_connect $var_cluster_can_network_connect

Remediation Ansible snippet:

    - name: XCCDF Value var_cluster_can_network_connect # promote to variable
      set_fact:
        var_cluster_can_network_connect: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_cluster_can_network_connect
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean cluster_can_network_connect accordingly
      seboolean:
        name: cluster_can_network_connect
        state: "{{ var_cluster_can_network_connect }}"
        persistent: yes
      tags:
        - sebool_cluster_can_network_connect
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the selinuxuser_execmod SELinux Boolean

By default, the SELinux boolean selinuxuser_execmod is enabled. If this setting is disabled, it should be enabled.
To enable the selinuxuser_execmod SELinux boolean, run the following command:

    $ sudo setsebool -P selinuxuser_execmod on

References: 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e)

Remediation Shell script:

    var_selinuxuser_execmod=""

    setsebool -P selinuxuser_execmod $var_selinuxuser_execmod

Remediation Ansible snippet:

    - name: XCCDF Value var_selinuxuser_execmod # promote to variable
      set_fact:
        var_selinuxuser_execmod: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_selinuxuser_execmod
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean selinuxuser_execmod accordingly
      seboolean:
        name: selinuxuser_execmod
        state: "{{ var_selinuxuser_execmod }}"
        persistent: yes
      tags:
        - sebool_selinuxuser_execmod
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_use_nfs SELinux Boolean

By default, the SELinux boolean httpd_use_nfs is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_use_nfs SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_use_nfs off

Remediation Shell script:

    var_httpd_use_nfs=""

    setsebool -P httpd_use_nfs $var_httpd_use_nfs

Remediation Ansible snippet:

    - name: XCCDF Value var_httpd_use_nfs # promote to variable
      set_fact:
        var_httpd_use_nfs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_use_nfs accordingly
      seboolean:
        name: httpd_use_nfs
        state: "{{ var_httpd_use_nfs }}"
        persistent: yes
      tags:
        - sebool_httpd_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the cobbler_anon_write SELinux Boolean

By default, the SELinux boolean cobbler_anon_write is disabled. If this setting is enabled, it should be disabled.
To disable the cobbler_anon_write SELinux boolean, run the following command:

    $ sudo setsebool -P cobbler_anon_write off

Remediation Shell script:

    var_cobbler_anon_write=""

    setsebool -P cobbler_anon_write $var_cobbler_anon_write

Remediation Ansible snippet:

    - name: XCCDF Value var_cobbler_anon_write # promote to variable
      set_fact:
        var_cobbler_anon_write: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_cobbler_anon_write
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean cobbler_anon_write accordingly
      seboolean:
        name: cobbler_anon_write
        state: "{{ var_cobbler_anon_write }}"
        persistent: yes
      tags:
        - sebool_cobbler_anon_write
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the selinuxuser_udp_server SELinux Boolean

By default, the SELinux boolean selinuxuser_udp_server is disabled. If this setting is enabled, it should be disabled.
To disable the selinuxuser_udp_server SELinux boolean, run the following command:

    $ sudo setsebool -P selinuxuser_udp_server off

Remediation Shell script:

    var_selinuxuser_udp_server=""

    setsebool -P selinuxuser_udp_server $var_selinuxuser_udp_server

Remediation Ansible snippet:

    - name: XCCDF Value var_selinuxuser_udp_server # promote to variable
      set_fact:
        var_selinuxuser_udp_server: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_selinuxuser_udp_server
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean selinuxuser_udp_server accordingly
      seboolean:
        name: selinuxuser_udp_server
        state: "{{ var_selinuxuser_udp_server }}"
        persistent: yes
      tags:
        - sebool_selinuxuser_udp_server
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the gssd_read_tmp SELinux Boolean

By default, the SELinux boolean gssd_read_tmp is enabled. This setting allows gssd processes to access Kerberos to read TGTs in the temp directory. If this setting is disabled, it should be enabled.
To enable the gssd_read_tmp SELinux boolean, run the following command:

    $ sudo setsebool -P gssd_read_tmp on

Remediation Shell script:

    var_gssd_read_tmp=""

    setsebool -P gssd_read_tmp $var_gssd_read_tmp

Remediation Ansible snippet:

    - name: XCCDF Value var_gssd_read_tmp # promote to variable
      set_fact:
        var_gssd_read_tmp: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_gssd_read_tmp
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean gssd_read_tmp accordingly
      seboolean:
        name: gssd_read_tmp
        state: "{{ var_gssd_read_tmp }}"
        persistent: yes
      tags:
        - sebool_gssd_read_tmp
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the kdumpgui_run_bootloader SELinux Boolean

By default, the SELinux boolean kdumpgui_run_bootloader is disabled. If this setting is enabled, it should be disabled.
To disable the kdumpgui_run_bootloader SELinux boolean, run the following command:

    $ sudo setsebool -P kdumpgui_run_bootloader off

Remediation Shell script:

    var_kdumpgui_run_bootloader=""

    setsebool -P kdumpgui_run_bootloader $var_kdumpgui_run_bootloader

Remediation Ansible snippet:

    - name: XCCDF Value var_kdumpgui_run_bootloader # promote to variable
      set_fact:
        var_kdumpgui_run_bootloader: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_kdumpgui_run_bootloader
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean kdumpgui_run_bootloader accordingly
      seboolean:
        name: kdumpgui_run_bootloader
        state: "{{ var_kdumpgui_run_bootloader }}"
        persistent: yes
      tags:
        - sebool_kdumpgui_run_bootloader
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the telepathy_tcp_connect_generic_network_ports SELinux Boolean

By default, the SELinux boolean telepathy_tcp_connect_generic_network_ports is enabled. This setting should be disabled as telepathy should not connect to any generic network ports.
To disable the telepathy_tcp_connect_generic_network_ports SELinux boolean, run the following command:

    $ sudo setsebool -P telepathy_tcp_connect_generic_network_ports off

Remediation Shell script:

    var_telepathy_tcp_connect_generic_network_ports=""

    setsebool -P telepathy_tcp_connect_generic_network_ports $var_telepathy_tcp_connect_generic_network_ports

Remediation Ansible snippet:

    - name: XCCDF Value var_telepathy_tcp_connect_generic_network_ports # promote to variable
      set_fact:
        var_telepathy_tcp_connect_generic_network_ports: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_telepathy_tcp_connect_generic_network_ports
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean telepathy_tcp_connect_generic_network_ports accordingly
      seboolean:
        name: telepathy_tcp_connect_generic_network_ports
        state: "{{ var_telepathy_tcp_connect_generic_network_ports }}"
        persistent: yes
      tags:
        - sebool_telepathy_tcp_connect_generic_network_ports
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the rsync_export_all_ro SELinux Boolean

By default, the SELinux boolean rsync_export_all_ro is disabled. If this setting is enabled, it should be disabled.
To disable the rsync_export_all_ro SELinux boolean, run the following command:

    $ sudo setsebool -P rsync_export_all_ro off

Bash remediation:

    var_rsync_export_all_ro=""
    setsebool -P rsync_export_all_ro $var_rsync_export_all_ro

Ansible remediation:

    - name: XCCDF Value var_rsync_export_all_ro # promote to variable
      set_fact:
        var_rsync_export_all_ro: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_rsync_export_all_ro
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean rsync_export_all_ro accordingly
      seboolean:
        name: rsync_export_all_ro
        state: "{{ var_rsync_export_all_ro }}"
        persistent: yes
      tags:
        - sebool_rsync_export_all_ro
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the xguest_connect_network SELinux Boolean

By default, the SELinux boolean xguest_connect_network is enabled. This setting should be disabled as guest users should not be able to configure NetworkManager.
To disable the xguest_connect_network SELinux boolean, run the following command:

    $ sudo setsebool -P xguest_connect_network off

Bash remediation:

    var_xguest_connect_network=""
    setsebool -P xguest_connect_network $var_xguest_connect_network

Ansible remediation:

    - name: XCCDF Value var_xguest_connect_network # promote to variable
      set_fact:
        var_xguest_connect_network: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_xguest_connect_network
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean xguest_connect_network accordingly
      seboolean:
        name: xguest_connect_network
        state: "{{ var_xguest_connect_network }}"
        persistent: yes
      tags:
        - sebool_xguest_connect_network
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the samba_enable_home_dirs SELinux Boolean

By default, the SELinux boolean samba_enable_home_dirs is disabled. If this setting is enabled, it should be disabled.
To disable the samba_enable_home_dirs SELinux boolean, run the following command:

    $ sudo setsebool -P samba_enable_home_dirs off

Bash remediation:

    var_samba_enable_home_dirs=""
    setsebool -P samba_enable_home_dirs $var_samba_enable_home_dirs

Ansible remediation:

    - name: XCCDF Value var_samba_enable_home_dirs # promote to variable
      set_fact:
        var_samba_enable_home_dirs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_samba_enable_home_dirs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean samba_enable_home_dirs accordingly
      seboolean:
        name: samba_enable_home_dirs
        state: "{{ var_samba_enable_home_dirs }}"
        persistent: yes
      tags:
        - sebool_samba_enable_home_dirs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the virt_use_sanlock SELinux Boolean

By default, the SELinux boolean virt_use_sanlock is disabled. If this setting is enabled, it should be disabled.
To disable the virt_use_sanlock SELinux boolean, run the following command:

    $ sudo setsebool -P virt_use_sanlock off

Bash remediation:

    var_virt_use_sanlock=""
    setsebool -P virt_use_sanlock $var_virt_use_sanlock

Ansible remediation:

    - name: XCCDF Value var_virt_use_sanlock # promote to variable
      set_fact:
        var_virt_use_sanlock: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_virt_use_sanlock
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean virt_use_sanlock accordingly
      seboolean:
        name: virt_use_sanlock
        state: "{{ var_virt_use_sanlock }}"
        persistent: yes
      tags:
        - sebool_virt_use_sanlock
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the saslauthd_read_shadow SELinux Boolean

By default, the SELinux boolean saslauthd_read_shadow is disabled. If this setting is enabled, it should be disabled.
To disable the saslauthd_read_shadow SELinux boolean, run the following command:

    $ sudo setsebool -P saslauthd_read_shadow off

Bash remediation:

    var_saslauthd_read_shadow=""
    setsebool -P saslauthd_read_shadow $var_saslauthd_read_shadow

Ansible remediation:

    - name: XCCDF Value var_saslauthd_read_shadow # promote to variable
      set_fact:
        var_saslauthd_read_shadow: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_saslauthd_read_shadow
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean saslauthd_read_shadow accordingly
      seboolean:
        name: saslauthd_read_shadow
        state: "{{ var_saslauthd_read_shadow }}"
        persistent: yes
      tags:
        - sebool_saslauthd_read_shadow
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the xdm_write_home SELinux Boolean

By default, the SELinux boolean xdm_write_home is disabled. If this setting is enabled, it should be disabled.
To disable the xdm_write_home SELinux boolean, run the following command:

    $ sudo setsebool -P xdm_write_home off

Bash remediation:

    var_xdm_write_home=""
    setsebool -P xdm_write_home $var_xdm_write_home

Ansible remediation:

    - name: XCCDF Value var_xdm_write_home # promote to variable
      set_fact:
        var_xdm_write_home: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_xdm_write_home
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean xdm_write_home accordingly
      seboolean:
        name: xdm_write_home
        state: "{{ var_xdm_write_home }}"
        persistent: yes
      tags:
        - sebool_xdm_write_home
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the named_write_master_zones SELinux Boolean

By default, the SELinux boolean named_write_master_zones is disabled. If this setting is enabled, it should be disabled.
To disable the named_write_master_zones SELinux boolean, run the following command:

    $ sudo setsebool -P named_write_master_zones off

Bash remediation:

    var_named_write_master_zones=""
    setsebool -P named_write_master_zones $var_named_write_master_zones

Ansible remediation:

    - name: XCCDF Value var_named_write_master_zones # promote to variable
      set_fact:
        var_named_write_master_zones: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_named_write_master_zones
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean named_write_master_zones accordingly
      seboolean:
        name: named_write_master_zones
        state: "{{ var_named_write_master_zones }}"
        persistent: yes
      tags:
        - sebool_named_write_master_zones
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the polipo_session_users SELinux Boolean

By default, the SELinux boolean polipo_session_users is disabled. If this setting is enabled, it should be disabled.
To disable the polipo_session_users SELinux boolean, run the following command:

    $ sudo setsebool -P polipo_session_users off

Bash remediation:

    var_polipo_session_users=""
    setsebool -P polipo_session_users $var_polipo_session_users

Ansible remediation:

    - name: XCCDF Value var_polipo_session_users # promote to variable
      set_fact:
        var_polipo_session_users: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_polipo_session_users
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean polipo_session_users accordingly
      seboolean:
        name: polipo_session_users
        state: "{{ var_polipo_session_users }}"
        persistent: yes
      tags:
        - sebool_polipo_session_users
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the sysadm_exec_content SELinux Boolean

By default, the SELinux boolean sysadm_exec_content is enabled. If this setting is disabled, it should be enabled.
To enable the sysadm_exec_content SELinux boolean, run the following command:

    $ sudo setsebool -P sysadm_exec_content on

Bash remediation:

    var_sysadm_exec_content=""
    setsebool -P sysadm_exec_content $var_sysadm_exec_content

Ansible remediation:

    - name: XCCDF Value var_sysadm_exec_content # promote to variable
      set_fact:
        var_sysadm_exec_content: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_sysadm_exec_content
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean sysadm_exec_content accordingly
      seboolean:
        name: sysadm_exec_content
        state: "{{ var_sysadm_exec_content }}"
        persistent: yes
      tags:
        - sebool_sysadm_exec_content
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the xguest_use_bluetooth SELinux Boolean

By default, the SELinux boolean xguest_use_bluetooth is enabled. This setting should be disabled as guest users should not be able to access or use bluetooth.
To disable the xguest_use_bluetooth SELinux boolean, run the following command:

    $ sudo setsebool -P xguest_use_bluetooth off

Bash remediation:

    var_xguest_use_bluetooth=""
    setsebool -P xguest_use_bluetooth $var_xguest_use_bluetooth

Ansible remediation:

    - name: XCCDF Value var_xguest_use_bluetooth # promote to variable
      set_fact:
        var_xguest_use_bluetooth: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_xguest_use_bluetooth
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean xguest_use_bluetooth accordingly
      seboolean:
        name: xguest_use_bluetooth
        state: "{{ var_xguest_use_bluetooth }}"
        persistent: yes
      tags:
        - sebool_xguest_use_bluetooth
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the unprivuser_use_svirt SELinux Boolean

By default, the SELinux boolean unprivuser_use_svirt is disabled. If this setting is enabled, it should be disabled.
To disable the unprivuser_use_svirt SELinux boolean, run the following command:

    $ sudo setsebool -P unprivuser_use_svirt off

Bash remediation:

    var_unprivuser_use_svirt=""
    setsebool -P unprivuser_use_svirt $var_unprivuser_use_svirt

Ansible remediation:

    - name: XCCDF Value var_unprivuser_use_svirt # promote to variable
      set_fact:
        var_unprivuser_use_svirt: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_unprivuser_use_svirt
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean unprivuser_use_svirt accordingly
      seboolean:
        name: unprivuser_use_svirt
        state: "{{ var_unprivuser_use_svirt }}"
        persistent: yes
      tags:
        - sebool_unprivuser_use_svirt
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the kerberos_enabled SELinux Boolean

By default, the SELinux boolean kerberos_enabled is enabled. If this setting is disabled, it should be enabled to allow confined applications to run with Kerberos.
To enable the kerberos_enabled SELinux boolean, run the following command:

    $ sudo setsebool -P kerberos_enabled on

Bash remediation:

    var_kerberos_enabled=""
    setsebool -P kerberos_enabled $var_kerberos_enabled

Ansible remediation:

    - name: XCCDF Value var_kerberos_enabled # promote to variable
      set_fact:
        var_kerberos_enabled: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_kerberos_enabled
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean kerberos_enabled accordingly
      seboolean:
        name: kerberos_enabled
        state: "{{ var_kerberos_enabled }}"
        persistent: yes
      tags:
        - sebool_kerberos_enabled
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the sge_domain_can_network_connect SELinux Boolean

By default, the SELinux boolean sge_domain_can_network_connect is disabled. If this setting is enabled, it should be disabled.
To disable the sge_domain_can_network_connect SELinux boolean, run the following command:

    $ sudo setsebool -P sge_domain_can_network_connect off

Bash remediation:

    var_sge_domain_can_network_connect=""
    setsebool -P sge_domain_can_network_connect $var_sge_domain_can_network_connect

Ansible remediation:

    - name: XCCDF Value var_sge_domain_can_network_connect # promote to variable
      set_fact:
        var_sge_domain_can_network_connect: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_sge_domain_can_network_connect
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean sge_domain_can_network_connect accordingly
      seboolean:
        name: sge_domain_can_network_connect
        state: "{{ var_sge_domain_can_network_connect }}"
        persistent: yes
      tags:
        - sebool_sge_domain_can_network_connect
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the sanlock_use_samba SELinux Boolean

By default, the SELinux boolean sanlock_use_samba is disabled. If this setting is enabled, it should be disabled.
To disable the sanlock_use_samba SELinux boolean, run the following command:

    $ sudo setsebool -P sanlock_use_samba off

Bash remediation:

    var_sanlock_use_samba=""
    setsebool -P sanlock_use_samba $var_sanlock_use_samba

Ansible remediation:

    - name: XCCDF Value var_sanlock_use_samba # promote to variable
      set_fact:
        var_sanlock_use_samba: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_sanlock_use_samba
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean sanlock_use_samba accordingly
      seboolean:
        name: sanlock_use_samba
        state: "{{ var_sanlock_use_samba }}"
        persistent: yes
      tags:
        - sebool_sanlock_use_samba
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the irc_use_any_tcp_ports SELinux Boolean

By default, the SELinux boolean irc_use_any_tcp_ports is disabled. If this setting is enabled, it should be disabled.
To disable the irc_use_any_tcp_ports SELinux boolean, run the following command:

    $ sudo setsebool -P irc_use_any_tcp_ports off

Bash remediation:

    var_irc_use_any_tcp_ports=""
    setsebool -P irc_use_any_tcp_ports $var_irc_use_any_tcp_ports

Ansible remediation:

    - name: XCCDF Value var_irc_use_any_tcp_ports # promote to variable
      set_fact:
        var_irc_use_any_tcp_ports: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_irc_use_any_tcp_ports
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean irc_use_any_tcp_ports accordingly
      seboolean:
        name: irc_use_any_tcp_ports
        state: "{{ var_irc_use_any_tcp_ports }}"
        persistent: yes
      tags:
        - sebool_irc_use_any_tcp_ports
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the ftpd_anon_write SELinux Boolean

By default, the SELinux boolean ftpd_anon_write is disabled. If this setting is enabled, it should be disabled.
To disable the ftpd_anon_write SELinux boolean, run the following command:

    $ sudo setsebool -P ftpd_anon_write off

Bash remediation:

    var_ftpd_anon_write=""
    setsebool -P ftpd_anon_write $var_ftpd_anon_write

Ansible remediation:

    - name: XCCDF Value var_ftpd_anon_write # promote to variable
      set_fact:
        var_ftpd_anon_write: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_ftpd_anon_write
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean ftpd_anon_write accordingly
      seboolean:
        name: ftpd_anon_write
        state: "{{ var_ftpd_anon_write }}"
        persistent: yes
      tags:
        - sebool_ftpd_anon_write
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the guest_exec_content SELinux Boolean

By default, the SELinux boolean guest_exec_content is enabled. This setting should be disabled as no guest accounts should be used.
To disable the guest_exec_content SELinux boolean, run the following command:

    $ sudo setsebool -P guest_exec_content off

Bash remediation:

    var_guest_exec_content=""
    setsebool -P guest_exec_content $var_guest_exec_content

Ansible remediation:

    - name: XCCDF Value var_guest_exec_content # promote to variable
      set_fact:
        var_guest_exec_content: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_guest_exec_content
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean guest_exec_content accordingly
      seboolean:
        name: guest_exec_content
        state: "{{ var_guest_exec_content }}"
        persistent: yes
      tags:
        - sebool_guest_exec_content
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the selinuxuser_execheap SELinux Boolean

By default, the SELinux boolean selinuxuser_execheap is disabled. If this setting is enabled, it should be disabled.
To disable the selinuxuser_execheap SELinux boolean, run the following command:

    $ sudo setsebool -P selinuxuser_execheap off

References (HIPAA): 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e)

Bash remediation:

    var_selinuxuser_execheap=""
    setsebool -P selinuxuser_execheap $var_selinuxuser_execheap

Ansible remediation:

    - name: XCCDF Value var_selinuxuser_execheap # promote to variable
      set_fact:
        var_selinuxuser_execheap: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_selinuxuser_execheap
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean selinuxuser_execheap accordingly
      seboolean:
        name: selinuxuser_execheap
        state: "{{ var_selinuxuser_execheap }}"
        persistent: yes
      tags:
        - sebool_selinuxuser_execheap
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the secure_mode_policyload SELinux Boolean

By default, the SELinux boolean secure_mode_policyload is disabled. If this setting is enabled, it should be disabled.
To disable the secure_mode_policyload SELinux boolean, run the following command:

    $ sudo setsebool -P secure_mode_policyload off

Bash remediation:

    var_secure_mode_policyload=""
    setsebool -P secure_mode_policyload $var_secure_mode_policyload

Ansible remediation:

    - name: XCCDF Value var_secure_mode_policyload # promote to variable
      set_fact:
        var_secure_mode_policyload: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_secure_mode_policyload
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean secure_mode_policyload accordingly
      seboolean:
        name: secure_mode_policyload
        state: "{{ var_secure_mode_policyload }}"
        persistent: yes
      tags:
        - sebool_secure_mode_policyload
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_mod_auth_ntlm_winbind SELinux Boolean

By default, the SELinux boolean httpd_mod_auth_ntlm_winbind is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_mod_auth_ntlm_winbind SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_mod_auth_ntlm_winbind off

Bash remediation:

    var_httpd_mod_auth_ntlm_winbind=""
    setsebool -P httpd_mod_auth_ntlm_winbind $var_httpd_mod_auth_ntlm_winbind

Ansible remediation:

    - name: XCCDF Value var_httpd_mod_auth_ntlm_winbind # promote to variable
      set_fact:
        var_httpd_mod_auth_ntlm_winbind: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_mod_auth_ntlm_winbind
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_mod_auth_ntlm_winbind accordingly
      seboolean:
        name: httpd_mod_auth_ntlm_winbind
        state: "{{ var_httpd_mod_auth_ntlm_winbind }}"
        persistent: yes
      tags:
        - sebool_httpd_mod_auth_ntlm_winbind
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_use_openstack SELinux Boolean

By default, the SELinux boolean httpd_use_openstack is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_use_openstack SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_use_openstack off

Bash remediation:

    var_httpd_use_openstack=""
    setsebool -P httpd_use_openstack $var_httpd_use_openstack

Ansible remediation:

    - name: XCCDF Value var_httpd_use_openstack # promote to variable
      set_fact:
        var_httpd_use_openstack: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_use_openstack
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_use_openstack accordingly
      seboolean:
        name: httpd_use_openstack
        state: "{{ var_httpd_use_openstack }}"
        persistent: yes
      tags:
        - sebool_httpd_use_openstack
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_use_cifs SELinux Boolean

By default, the SELinux boolean httpd_use_cifs is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_use_cifs SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_use_cifs off

Bash remediation:

    var_httpd_use_cifs=""
    setsebool -P httpd_use_cifs $var_httpd_use_cifs

Ansible remediation:

    - name: XCCDF Value var_httpd_use_cifs # promote to variable
      set_fact:
        var_httpd_use_cifs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_use_cifs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_use_cifs accordingly
      seboolean:
        name: httpd_use_cifs
        state: "{{ var_httpd_use_cifs }}"
        persistent: yes
      tags:
        - sebool_httpd_use_cifs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the postgresql_selinux_users_ddl SELinux Boolean

By default, the SELinux boolean postgresql_selinux_users_ddl is enabled. If this setting is disabled, it should be enabled as it allows Database Administrators to execute Data Definition Language (DDL) statements.
To enable the postgresql_selinux_users_ddl SELinux boolean, run the following command:

    $ sudo setsebool -P postgresql_selinux_users_ddl on

Bash remediation:

    var_postgresql_selinux_users_ddl=""
    setsebool -P postgresql_selinux_users_ddl $var_postgresql_selinux_users_ddl

Ansible remediation:

    - name: XCCDF Value var_postgresql_selinux_users_ddl # promote to variable
      set_fact:
        var_postgresql_selinux_users_ddl: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_postgresql_selinux_users_ddl
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean postgresql_selinux_users_ddl accordingly
      seboolean:
        name: postgresql_selinux_users_ddl
        state: "{{ var_postgresql_selinux_users_ddl }}"
        persistent: yes
      tags:
        - sebool_postgresql_selinux_users_ddl
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the nfs_export_all_ro SELinux Boolean

By default, the SELinux boolean nfs_export_all_ro is enabled. If this setting is disabled, it should be enabled as it allows NFS to export read-only mounts.
To enable the nfs_export_all_ro SELinux boolean, run the following command:

    $ sudo setsebool -P nfs_export_all_ro on

Bash remediation:

    var_nfs_export_all_ro=""
    setsebool -P nfs_export_all_ro $var_nfs_export_all_ro

Ansible remediation:

    - name: XCCDF Value var_nfs_export_all_ro # promote to variable
      set_fact:
        var_nfs_export_all_ro: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_nfs_export_all_ro
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean nfs_export_all_ro accordingly
      seboolean:
        name: nfs_export_all_ro
        state: "{{ var_nfs_export_all_ro }}"
        persistent: yes
      tags:
        - sebool_nfs_export_all_ro
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the daemons_dump_core SELinux Boolean

By default, the SELinux boolean daemons_dump_core is disabled. If this setting is enabled, it should be disabled.
To disable the daemons_dump_core SELinux boolean, run the following command:

    $ sudo setsebool -P daemons_dump_core off

Remediation Shell script:

```bash
var_daemons_dump_core=""

setsebool -P daemons_dump_core $var_daemons_dump_core
```

Remediation Ansible snippet:

```yaml
- name: XCCDF Value var_daemons_dump_core # promote to variable
  set_fact:
    var_daemons_dump_core: !!str
  tags: [always]

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags: [skip_ansible_lint, sebool_daemons_dump_core, medium_severity, enable_strategy, low_complexity, low_disruption] # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean daemons_dump_core accordingly
  seboolean:
    name: daemons_dump_core
    state: "{{ var_daemons_dump_core }}"
    persistent: yes
  tags: [sebool_daemons_dump_core, medium_severity, enable_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Enable the postfix_local_write_mail_spool SELinux Boolean

By default, the SELinux boolean postfix_local_write_mail_spool is enabled. If this setting is disabled, it should be enabled, as it allows Postfix to write to the mail spool directories.
To enable the postfix_local_write_mail_spool SELinux boolean, run the following command:

    $ sudo setsebool -P postfix_local_write_mail_spool on

Remediation Shell script:

```bash
var_postfix_local_write_mail_spool=""

setsebool -P postfix_local_write_mail_spool $var_postfix_local_write_mail_spool
```

Remediation Ansible snippet:

```yaml
- name: XCCDF Value var_postfix_local_write_mail_spool # promote to variable
  set_fact:
    var_postfix_local_write_mail_spool: !!str
  tags: [always]

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags: [skip_ansible_lint, sebool_postfix_local_write_mail_spool, medium_severity, enable_strategy, low_complexity, low_disruption] # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean postfix_local_write_mail_spool accordingly
  seboolean:
    name: postfix_local_write_mail_spool
    state: "{{ var_postfix_local_write_mail_spool }}"
    persistent: yes
  tags: [sebool_postfix_local_write_mail_spool, medium_severity, enable_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Disable the xdm_exec_bootloader SELinux Boolean

By default, the SELinux boolean xdm_exec_bootloader is disabled. If this setting is enabled, it should be disabled.
To disable the xdm_exec_bootloader SELinux boolean, run the following command:

    $ sudo setsebool -P xdm_exec_bootloader off

Remediation Shell script:

```bash
var_xdm_exec_bootloader=""

setsebool -P xdm_exec_bootloader $var_xdm_exec_bootloader
```

Remediation Ansible snippet:

```yaml
- name: XCCDF Value var_xdm_exec_bootloader # promote to variable
  set_fact:
    var_xdm_exec_bootloader: !!str
  tags: [always]

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags: [skip_ansible_lint, sebool_xdm_exec_bootloader, medium_severity, enable_strategy, low_complexity, low_disruption] # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean xdm_exec_bootloader accordingly
  seboolean:
    name: xdm_exec_bootloader
    state: "{{ var_xdm_exec_bootloader }}"
    persistent: yes
  tags: [sebool_xdm_exec_bootloader, medium_severity, enable_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Disable the httpd_dbus_avahi SELinux Boolean

By default, the SELinux boolean httpd_dbus_avahi is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_dbus_avahi SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_dbus_avahi off

Remediation Shell script:

```bash
var_httpd_dbus_avahi=""

setsebool -P httpd_dbus_avahi $var_httpd_dbus_avahi
```

Remediation Ansible snippet:

```yaml
- name: XCCDF Value var_httpd_dbus_avahi # promote to variable
  set_fact:
    var_httpd_dbus_avahi: !!str
  tags: [always]

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags: [skip_ansible_lint, sebool_httpd_dbus_avahi, medium_severity, enable_strategy, low_complexity, low_disruption] # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean httpd_dbus_avahi accordingly
  seboolean:
    name: httpd_dbus_avahi
    state: "{{ var_httpd_dbus_avahi }}"
    persistent: yes
  tags: [sebool_httpd_dbus_avahi, medium_severity, enable_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Disable the exim_read_user_files SELinux Boolean

By default, the SELinux boolean exim_read_user_files is disabled. If this setting is enabled, it should be disabled.
To disable the exim_read_user_files SELinux boolean, run the following command:

    $ sudo setsebool -P exim_read_user_files off

Remediation Shell script:

```bash
var_exim_read_user_files=""

setsebool -P exim_read_user_files $var_exim_read_user_files
```

Remediation Ansible snippet:

```yaml
- name: XCCDF Value var_exim_read_user_files # promote to variable
  set_fact:
    var_exim_read_user_files: !!str
  tags: [always]

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags: [skip_ansible_lint, sebool_exim_read_user_files, medium_severity, enable_strategy, low_complexity, low_disruption] # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean exim_read_user_files accordingly
  seboolean:
    name: exim_read_user_files
    state: "{{ var_exim_read_user_files }}"
    persistent: yes
  tags: [sebool_exim_read_user_files, medium_severity, enable_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Disable the cvs_read_shadow SELinux Boolean

By default, the SELinux boolean cvs_read_shadow is disabled. If this setting is enabled, it should be disabled.
To disable the cvs_read_shadow SELinux boolean, run the following command:

    $ sudo setsebool -P cvs_read_shadow off

Remediation Shell script:

```bash
var_cvs_read_shadow=""

setsebool -P cvs_read_shadow $var_cvs_read_shadow
```

Remediation Ansible snippet:

```yaml
- name: XCCDF Value var_cvs_read_shadow # promote to variable
  set_fact:
    var_cvs_read_shadow: !!str
  tags: [always]

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags: [skip_ansible_lint, sebool_cvs_read_shadow, medium_severity, enable_strategy, low_complexity, low_disruption] # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean cvs_read_shadow accordingly
  seboolean:
    name: cvs_read_shadow
    state: "{{ var_cvs_read_shadow }}"
    persistent: yes
  tags: [sebool_cvs_read_shadow, medium_severity, enable_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Disable the racoon_read_shadow SELinux Boolean

By default, the SELinux boolean racoon_read_shadow is disabled. If this setting is enabled, it should be disabled.
To disable the racoon_read_shadow SELinux boolean, run the following command:

    $ sudo setsebool -P racoon_read_shadow off

Remediation Shell script:

```bash
var_racoon_read_shadow=""

setsebool -P racoon_read_shadow $var_racoon_read_shadow
```

Remediation Ansible snippet:

```yaml
- name: XCCDF Value var_racoon_read_shadow # promote to variable
  set_fact:
    var_racoon_read_shadow: !!str
  tags: [always]

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags: [skip_ansible_lint, sebool_racoon_read_shadow, medium_severity, enable_strategy, low_complexity, low_disruption] # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean racoon_read_shadow accordingly
  seboolean:
    name: racoon_read_shadow
    state: "{{ var_racoon_read_shadow }}"
    persistent: yes
  tags: [sebool_racoon_read_shadow, medium_severity, enable_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Disable the git_system_enable_homedirs SELinux Boolean

By default, the SELinux boolean git_system_enable_homedirs is disabled. If this setting is enabled, it should be disabled.
To disable the git_system_enable_homedirs SELinux boolean, run the following command:

    $ sudo setsebool -P git_system_enable_homedirs off

Remediation Shell script:

```bash
var_git_system_enable_homedirs=""

setsebool -P git_system_enable_homedirs $var_git_system_enable_homedirs
```

Remediation Ansible snippet:

```yaml
- name: XCCDF Value var_git_system_enable_homedirs # promote to variable
  set_fact:
    var_git_system_enable_homedirs: !!str
  tags: [always]

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags: [skip_ansible_lint, sebool_git_system_enable_homedirs, medium_severity, enable_strategy, low_complexity, low_disruption] # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean git_system_enable_homedirs accordingly
  seboolean:
    name: git_system_enable_homedirs
    state: "{{ var_git_system_enable_homedirs }}"
    persistent: yes
  tags: [sebool_git_system_enable_homedirs, medium_severity, enable_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Enable the fips_mode SELinux Boolean

By default, the SELinux boolean fips_mode is enabled. This allows all SELinux domains to execute in fips_mode. If this setting is disabled, it should be enabled.
To enable the fips_mode SELinux boolean, run the following command:

    $ sudo setsebool -P fips_mode on

Identifiers: CCE-80418-7

References: 13 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.13.11 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 SC-13 SC-39 PR.DS-5

Remediation Shell script:

```bash
var_fips_mode=""

setsebool -P fips_mode $var_fips_mode
```

Remediation Ansible snippet:

```yaml
- name: XCCDF Value var_fips_mode # promote to variable
  set_fact:
    var_fips_mode: !!str
  tags: [always]

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags: [skip_ansible_lint, sebool_fips_mode, medium_severity, enable_strategy, low_complexity, low_disruption, CCE-80418-7, NIST-800-53-SC-13, NIST-800-53-SC-39, NIST-800-171-3.13.11] # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean fips_mode accordingly
  seboolean:
    name: fips_mode
    state: "{{ var_fips_mode }}"
    persistent: yes
  tags: [sebool_fips_mode, medium_severity, enable_strategy, low_complexity, low_disruption, CCE-80418-7, NIST-800-53-SC-13, NIST-800-53-SC-39, NIST-800-171-3.13.11]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Disable the httpd_can_network_connect_cobbler SELinux Boolean

By default, the SELinux boolean httpd_can_network_connect_cobbler is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_can_network_connect_cobbler SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_can_network_connect_cobbler off

Remediation Shell script:

```bash
var_httpd_can_network_connect_cobbler=""

setsebool -P httpd_can_network_connect_cobbler $var_httpd_can_network_connect_cobbler
```

Remediation Ansible snippet:

```yaml
- name: XCCDF Value var_httpd_can_network_connect_cobbler # promote to variable
  set_fact:
    var_httpd_can_network_connect_cobbler: !!str
  tags: [always]

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags: [skip_ansible_lint, sebool_httpd_can_network_connect_cobbler, medium_severity, enable_strategy, low_complexity, low_disruption] # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean httpd_can_network_connect_cobbler accordingly
  seboolean:
    name: httpd_can_network_connect_cobbler
    state: "{{ var_httpd_can_network_connect_cobbler }}"
    persistent: yes
  tags: [sebool_httpd_can_network_connect_cobbler, medium_severity, enable_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Disable the polyinstantiation_enabled SELinux Boolean

By default, the SELinux boolean polyinstantiation_enabled is disabled. If this setting is enabled, it should be disabled.
To disable the polyinstantiation_enabled SELinux boolean, run the following command:

    $ sudo setsebool -P polyinstantiation_enabled off

Remediation Shell script:

```bash
var_polyinstantiation_enabled=""

setsebool -P polyinstantiation_enabled $var_polyinstantiation_enabled
```

Remediation Ansible snippet:

```yaml
- name: XCCDF Value var_polyinstantiation_enabled # promote to variable
  set_fact:
    var_polyinstantiation_enabled: !!str
  tags: [always]

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags: [skip_ansible_lint, sebool_polyinstantiation_enabled, medium_severity, enable_strategy, low_complexity, low_disruption] # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean polyinstantiation_enabled accordingly
  seboolean:
    name: polyinstantiation_enabled
    state: "{{ var_polyinstantiation_enabled }}"
    persistent: yes
  tags: [sebool_polyinstantiation_enabled, medium_severity, enable_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Disable the icecast_use_any_tcp_ports SELinux Boolean

By default, the SELinux boolean icecast_use_any_tcp_ports is disabled. If this setting is enabled, it should be disabled.
To disable the icecast_use_any_tcp_ports SELinux boolean, run the following command:

    $ sudo setsebool -P icecast_use_any_tcp_ports off

Remediation Shell script:

```bash
var_icecast_use_any_tcp_ports=""

setsebool -P icecast_use_any_tcp_ports $var_icecast_use_any_tcp_ports
```

Remediation Ansible snippet:

```yaml
- name: XCCDF Value var_icecast_use_any_tcp_ports # promote to variable
  set_fact:
    var_icecast_use_any_tcp_ports: !!str
  tags: [always]

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags: [skip_ansible_lint, sebool_icecast_use_any_tcp_ports, medium_severity, enable_strategy, low_complexity, low_disruption] # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean icecast_use_any_tcp_ports accordingly
  seboolean:
    name: icecast_use_any_tcp_ports
    state: "{{ var_icecast_use_any_tcp_ports }}"
    persistent: yes
  tags: [sebool_icecast_use_any_tcp_ports, medium_severity, enable_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Disable the selinuxuser_use_ssh_chroot SELinux Boolean

By default, the SELinux boolean selinuxuser_use_ssh_chroot is disabled. If this setting is enabled, it should be disabled.
To disable the selinuxuser_use_ssh_chroot SELinux boolean, run the following command:

    $ sudo setsebool -P selinuxuser_use_ssh_chroot off

Remediation Shell script:

```bash
var_selinuxuser_use_ssh_chroot=""

setsebool -P selinuxuser_use_ssh_chroot $var_selinuxuser_use_ssh_chroot
```

Remediation Ansible snippet:

```yaml
- name: XCCDF Value var_selinuxuser_use_ssh_chroot # promote to variable
  set_fact:
    var_selinuxuser_use_ssh_chroot: !!str
  tags: [always]

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags: [skip_ansible_lint, sebool_selinuxuser_use_ssh_chroot, medium_severity, enable_strategy, low_complexity, low_disruption] # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean selinuxuser_use_ssh_chroot accordingly
  seboolean:
    name: selinuxuser_use_ssh_chroot
    state: "{{ var_selinuxuser_use_ssh_chroot }}"
    persistent: yes
  tags: [sebool_selinuxuser_use_ssh_chroot, medium_severity, enable_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Disable the authlogin_nsswitch_use_ldap SELinux Boolean

By default, the SELinux boolean authlogin_nsswitch_use_ldap is disabled. If this setting is enabled, it should be disabled.
To disable the authlogin_nsswitch_use_ldap SELinux boolean, run the following command:

    $ sudo setsebool -P authlogin_nsswitch_use_ldap off

Identifiers: CCE-80425-2

References: 3.7.2

Remediation Shell script:

```bash
var_authlogin_nsswitch_use_ldap=""

setsebool -P authlogin_nsswitch_use_ldap $var_authlogin_nsswitch_use_ldap
```

Remediation Ansible snippet:

```yaml
- name: XCCDF Value var_authlogin_nsswitch_use_ldap # promote to variable
  set_fact:
    var_authlogin_nsswitch_use_ldap: !!str
  tags: [always]

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags: [skip_ansible_lint, sebool_authlogin_nsswitch_use_ldap, medium_severity, enable_strategy, low_complexity, low_disruption, CCE-80425-2, NIST-800-171-3.7.2] # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean authlogin_nsswitch_use_ldap accordingly
  seboolean:
    name: authlogin_nsswitch_use_ldap
    state: "{{ var_authlogin_nsswitch_use_ldap }}"
    persistent: yes
  tags: [sebool_authlogin_nsswitch_use_ldap, medium_severity, enable_strategy, low_complexity, low_disruption, CCE-80425-2, NIST-800-171-3.7.2]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Disable the virt_sandbox_use_mknod SELinux Boolean

By default, the SELinux boolean virt_sandbox_use_mknod is disabled. If this setting is enabled, it should be disabled.
To disable the virt_sandbox_use_mknod SELinux boolean, run the following command:

    $ sudo setsebool -P virt_sandbox_use_mknod off

Remediation Shell script:

```bash
var_virt_sandbox_use_mknod=""

setsebool -P virt_sandbox_use_mknod $var_virt_sandbox_use_mknod
```

Remediation Ansible snippet:

```yaml
- name: XCCDF Value var_virt_sandbox_use_mknod # promote to variable
  set_fact:
    var_virt_sandbox_use_mknod: !!str
  tags: [always]

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags: [skip_ansible_lint, sebool_virt_sandbox_use_mknod, medium_severity, enable_strategy, low_complexity, low_disruption] # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean virt_sandbox_use_mknod accordingly
  seboolean:
    name: virt_sandbox_use_mknod
    state: "{{ var_virt_sandbox_use_mknod }}"
    persistent: yes
  tags: [sebool_virt_sandbox_use_mknod, medium_severity, enable_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Enable the selinuxuser_ping SELinux Boolean

By default, the SELinux boolean selinuxuser_ping is enabled. If this setting is disabled, it should be enabled, as it allows confined users to use ping and traceroute, which is helpful for network troubleshooting.
To enable the selinuxuser_ping SELinux boolean, run the following command:

    $ sudo setsebool -P selinuxuser_ping on

Remediation Shell script:

```bash
var_selinuxuser_ping=""

setsebool -P selinuxuser_ping $var_selinuxuser_ping
```

Remediation Ansible snippet:

```yaml
- name: XCCDF Value var_selinuxuser_ping # promote to variable
  set_fact:
    var_selinuxuser_ping: !!str
  tags: [always]

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags: [skip_ansible_lint, sebool_selinuxuser_ping, medium_severity, enable_strategy, low_complexity, low_disruption] # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean selinuxuser_ping accordingly
  seboolean:
    name: selinuxuser_ping
    state: "{{ var_selinuxuser_ping }}"
    persistent: yes
  tags: [sebool_selinuxuser_ping, medium_severity, enable_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Disable the logging_syslogd_run_nagios_plugins SELinux Boolean

By default, the SELinux boolean logging_syslogd_run_nagios_plugins is disabled. If this setting is enabled, it should be disabled.
To disable the logging_syslogd_run_nagios_plugins SELinux boolean, run the following command:

    $ sudo setsebool -P logging_syslogd_run_nagios_plugins off

Remediation Shell script:

```bash
var_logging_syslogd_run_nagios_plugins=""

setsebool -P logging_syslogd_run_nagios_plugins $var_logging_syslogd_run_nagios_plugins
```

Remediation Ansible snippet:

```yaml
- name: XCCDF Value var_logging_syslogd_run_nagios_plugins # promote to variable
  set_fact:
    var_logging_syslogd_run_nagios_plugins: !!str
  tags: [always]

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags: [skip_ansible_lint, sebool_logging_syslogd_run_nagios_plugins, medium_severity, enable_strategy, low_complexity, low_disruption] # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean logging_syslogd_run_nagios_plugins accordingly
  seboolean:
    name: logging_syslogd_run_nagios_plugins
    state: "{{ var_logging_syslogd_run_nagios_plugins }}"
    persistent: yes
  tags: [sebool_logging_syslogd_run_nagios_plugins, medium_severity, enable_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Disable the mpd_enable_homedirs SELinux Boolean

By default, the SELinux boolean mpd_enable_homedirs is disabled. If this setting is enabled, it should be disabled.
To disable the mpd_enable_homedirs SELinux boolean, run the following command:

    $ sudo setsebool -P mpd_enable_homedirs off

Remediation Shell script:

```bash
var_mpd_enable_homedirs=""

setsebool -P mpd_enable_homedirs $var_mpd_enable_homedirs
```

Remediation Ansible snippet:

```yaml
- name: XCCDF Value var_mpd_enable_homedirs # promote to variable
  set_fact:
    var_mpd_enable_homedirs: !!str
  tags: [always]

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags: [skip_ansible_lint, sebool_mpd_enable_homedirs, medium_severity, enable_strategy, low_complexity, low_disruption] # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean mpd_enable_homedirs accordingly
  seboolean:
    name: mpd_enable_homedirs
    state: "{{ var_mpd_enable_homedirs }}"
    persistent: yes
  tags: [sebool_mpd_enable_homedirs, medium_severity, enable_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Disable the ftpd_use_passive_mode SELinux Boolean

By default, the SELinux boolean ftpd_use_passive_mode is disabled. If this setting is enabled, it should be disabled.
To disable the ftpd_use_passive_mode SELinux boolean, run the following command:

    $ sudo setsebool -P ftpd_use_passive_mode off

Remediation Shell script:

```bash
var_ftpd_use_passive_mode=""

setsebool -P ftpd_use_passive_mode $var_ftpd_use_passive_mode
```

Remediation Ansible snippet:

```yaml
- name: XCCDF Value var_ftpd_use_passive_mode # promote to variable
  set_fact:
    var_ftpd_use_passive_mode: !!str
  tags: [always]

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags: [skip_ansible_lint, sebool_ftpd_use_passive_mode, medium_severity, enable_strategy, low_complexity, low_disruption] # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean ftpd_use_passive_mode accordingly
  seboolean:
    name: ftpd_use_passive_mode
    state: "{{ var_ftpd_use_passive_mode }}"
    persistent: yes
  tags: [sebool_ftpd_use_passive_mode, medium_severity, enable_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Enable the secadm_exec_content SELinux Boolean

By default, the SELinux boolean secadm_exec_content is enabled. If this setting is disabled, it should be enabled.
To enable the secadm_exec_content SELinux boolean, run the following command:

    $ sudo setsebool -P secadm_exec_content on

Remediation Shell script:

```bash
var_secadm_exec_content=""

setsebool -P secadm_exec_content $var_secadm_exec_content
```

Remediation Ansible snippet:

```yaml
- name: XCCDF Value var_secadm_exec_content # promote to variable
  set_fact:
    var_secadm_exec_content: !!str
  tags: [always]

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags: [skip_ansible_lint, sebool_secadm_exec_content, medium_severity, enable_strategy, low_complexity, low_disruption] # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean secadm_exec_content accordingly
  seboolean:
    name: secadm_exec_content
    state: "{{ var_secadm_exec_content }}"
    persistent: yes
  tags: [sebool_secadm_exec_content, medium_severity, enable_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Disable the postgresql_selinux_transmit_client_label SELinux Boolean

By default, the SELinux boolean postgresql_selinux_transmit_client_label is disabled. If this setting is enabled, it should be disabled.
To disable the postgresql_selinux_transmit_client_label SELinux boolean, run the following command:

    $ sudo setsebool -P postgresql_selinux_transmit_client_label off

Remediation Shell script:

```bash
var_postgresql_selinux_transmit_client_label=""

setsebool -P postgresql_selinux_transmit_client_label $var_postgresql_selinux_transmit_client_label
```

Remediation Ansible snippet:

```yaml
- name: XCCDF Value var_postgresql_selinux_transmit_client_label # promote to variable
  set_fact:
    var_postgresql_selinux_transmit_client_label: !!str
  tags: [always]

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags: [skip_ansible_lint, sebool_postgresql_selinux_transmit_client_label, medium_severity, enable_strategy, low_complexity, low_disruption] # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean postgresql_selinux_transmit_client_label accordingly
  seboolean:
    name: postgresql_selinux_transmit_client_label
    state: "{{ var_postgresql_selinux_transmit_client_label }}"
    persistent: yes
  tags: [sebool_postgresql_selinux_transmit_client_label, medium_severity, enable_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Disable the git_session_users SELinux Boolean

By default, the SELinux boolean git_session_users is disabled. If this setting is enabled, it should be disabled.
To disable the git_session_users SELinux boolean, run the following command:

    $ sudo setsebool -P git_session_users off

Remediation Shell script:

```bash
var_git_session_users=""

setsebool -P git_session_users $var_git_session_users
```

Remediation Ansible snippet:

```yaml
- name: XCCDF Value var_git_session_users # promote to variable
  set_fact:
    var_git_session_users: !!str
  tags: [always]

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags: [skip_ansible_lint, sebool_git_session_users, medium_severity, enable_strategy, low_complexity, low_disruption] # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean git_session_users accordingly
  seboolean:
    name: git_session_users
    state: "{{ var_git_session_users }}"
    persistent: yes
  tags: [sebool_git_session_users, medium_severity, enable_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Uninstall mcstrans Package

The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf. The mcstrans package can be removed with the following command:

    $ sudo yum erase mcstrans

References: 1.6.1.5

Rationale: Since this service is not used very often, disable it to reduce the amount of potentially vulnerable code running on the system. NOTE: This rule was added in support of the CIS RHEL6 v1.2.0 benchmark. Please note that Red Hat does not feel this rule is security relevant.
Identifiers: CCE-80445-0

Remediation Shell script:

```bash
package_remove mcstrans
```

Remediation Ansible snippet:

```yaml
- name: Ensure mcstrans is removed
  package:
    name: mcstrans
    state: absent
  tags: [package_mcstrans_removed, unknown_severity, disable_strategy, low_complexity, low_disruption, CCE-80445-0]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Remediation Puppet snippet:

```puppet
include remove_mcstrans
class remove_mcstrans {
  package { 'mcstrans':
    ensure => 'purged',
  }
}
```

Remediation Anaconda snippet:

```
package --remove=mcstrans
```

Ensure SELinux Not Disabled in /etc/default/grub

SELinux can be disabled at boot time by an argument in /etc/default/grub. Remove any instances of selinux=0 from the kernel arguments in that file to prevent SELinux from being disabled at boot.

References: 1.6.1.1 1 11 12 13 14 15 16 18 3 4 5 6 8 9 APO01.06 APO11.04 APO13.01 BAI03.05 DSS01.05 DSS03.01 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.03 DSS06.06 MEA02.01 3.1.2 3.7.2 CCI-000022 CCI-000032 164.308(a)(1)(ii)(D) 164.308(a)(3) 164.308(a)(4) 164.310(b) 164.310(c) 164.312(a) 164.312(e) 4.2.3.4 4.3.3.2.2 4.3.3.3.9 4.3.3.4 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 4.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-3 AC-3(3) AC-3(4) AC-4 AC-6 AU-9 SI-6(a) DE.AE-1 ID.AM-3 PR.AC-4 PR.AC-5 PR.AC-6 PR.DS-5 PR.PT-1 PR.PT-3 PR.PT-4

Rationale: Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.

Identifiers: CCE-26961-3

Remediation Shell script:

```bash
sed -i --follow-symlinks "s/selinux=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/*
sed -i --follow-symlinks "s/enforcing=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/*
```

Remediation Ansible snippet:

```yaml
- name: Ensure SELinux Not Disabled in /etc/default/grub
  replace:
    dest: /etc/default/grub
    regexp: selinux=0
  tags: [grub2_enable_selinux, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-26961-3, NIST-800-53-AC-3, NIST-800-53-AC-3(3), NIST-800-53-AC-3(4), NIST-800-53-AC-4, NIST-800-53-AC-6, NIST-800-53-AU-9, NIST-800-53-SI-6(a), NIST-800-171-3.1.2, NIST-800-171-3.7.2]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Configure SELinux Policy

The SELinux targeted policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in /etc/selinux/config:

    SELINUXTYPE=

Other policies, such as mls, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.
References: RHEL-07-020220 SV-86615r4_rule 1.6.1.3 1 11 12 13 14 15 16 18 3 4 5 6 8 9 APO01.06 APO11.04 APO13.01 BAI03.05 DSS01.05 DSS03.01 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.03 DSS06.06 MEA02.01 3.1.2 3.7.2 CCI-002696 164.308(a)(1)(ii)(D) 164.308(a)(3) 164.308(a)(4) 164.310(b) 164.310(c) 164.312(a) 164.312(e) 4.2.3.4 4.3.3.2.2 4.3.3.3.9 4.3.3.4 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 4.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-3 AC-3(3) AC-3(4) AC-4 AC-6 AU-9 SI-6(a) DE.AE-1 ID.AM-3 PR.AC-4 PR.AC-5 PR.AC-6 PR.DS-5 PR.PT-1 PR.PT-3 PR.PT-4 SRG-OS-000445-GPOS-00199

Rationale: Setting the SELinux policy to targeted or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services. Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in permissive mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to .
Identifiers: CCE-27279-9

Remediation shell script:

    var_selinux_policy_name=""
    replace_or_append '/etc/sysconfig/selinux' '^SELINUXTYPE=' $var_selinux_policy_name 'CCE-27279-9' '%s=%s'

Remediation Ansible snippet:

    - name: XCCDF Value var_selinux_policy_name # promote to variable
      set_fact:
        var_selinux_policy_name: !!str
      tags:
        - always

    - name: "Configure SELinux Policy"
      lineinfile:
        path: /etc/sysconfig/selinux
        regexp: '^SELINUXTYPE='
        line: "SELINUXTYPE={{ var_selinux_policy_name }}"
        create: yes
      tags:
        - selinux_policytype
        - high_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27279-9
        - NIST-800-53-AC-3
        - NIST-800-53-AC-3(3)
        - NIST-800-53-AC-3(4)
        - NIST-800-53-AC-4
        - NIST-800-53-AC-6
        - NIST-800-53-AU-9
        - NIST-800-53-SI-6(a)
        - NIST-800-171-3.1.2
        - NIST-800-171-3.7.2
        - DISA-STIG-RHEL-07-020220
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Uninstall setroubleshoot Package

The SETroubleshoot service notifies desktop users of SELinux denials. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. The setroubleshoot package can be removed with the following command:

    $ sudo yum erase setroubleshoot

References: 1.6.1.4

Rationale: The SETroubleshoot service is an unnecessary daemon to have running on a server.

Identifiers: CCE-80444-3

Remediation shell script:

    package_remove setroubleshoot

Remediation Ansible snippet:

    - name: Ensure setroubleshoot is removed
      package:
        name: setroubleshoot
        state: absent
      tags:
        - package_setroubleshoot_removed
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80444-3
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Remediation Puppet snippet:

    include remove_setroubleshoot

    class remove_setroubleshoot {
      package { 'setroubleshoot':
        ensure => 'purged',
      }
    }

Remediation Anaconda snippet:

    package --remove=setroubleshoot

Ensure No Daemons are Unconfined by SELinux

Daemons for which the SELinux policy does not contain rules will inherit the context of the parent process.
Because daemons are launched during startup and descend from the init process, they inherit the initrc_t context. To check for unconfined daemons, run the following command:

    $ sudo ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'

It should produce no output in a well-configured system. Automatic remediation of this control is not available. Remediation can be achieved by amending SELinux policy or stopping the unconfined daemons as outlined above.

References: 1.6.1.6 1 11 12 13 14 15 16 18 3 5 6 9 APO01.06 APO11.04 BAI03.05 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.06 MEA02.01 3.1.2 3.1.5 3.7.2 164.308(a)(1)(ii)(D) 164.308(a)(3) 164.308(a)(4) 164.310(b) 164.310(c) 164.312(a) 164.312(e) 4.3.3.3.9 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 2.8 SR 2.9 SR 5.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.5.1 A.12.6.2 A.12.7.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 AU-9 CM-7 SC-39 PR.AC-4 PR.DS-5 PR.IP-1 PR.PT-1 PR.PT-3

Rationale: Daemons which run with the initrc_t context may cause AVC denials, or allow privileges that the daemon does not require.

Identifiers: CCE-27288-0

Ensure No Device Files are Unlabeled by SELinux

Device files, which are used for communication with important system resources, should be labeled with proper SELinux types.
If any device files do not carry the SELinux type device_t, report the bug so that policy can be corrected. Supply information about what the device is and what programs use it. To check for unlabeled device files, run the following command (the context pattern is quoted so the shell does not expand it as a glob):

    $ sudo find /dev -context '*:device_t:*' \( -type c -o -type b \) -printf "%p %Z\n"

It should produce no output in a well-configured system. Automatic remediation of this control is not available. The remediation can be achieved by amending SELinux policy.

References: RHEL-07-020900 SV-86663r2_rule 1 11 12 13 14 15 16 18 2 3 5 6 7 8 9 APO01.06 APO11.04 BAI01.06 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.06 MEA02.01 3.1.2 3.1.5 3.7.2 CCI-000022 CCI-000032 CCI-000368 CCI-000318 CCI-001812 CCI-001813 CCI-001814 4.3.3.3.9 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 2.8 SR 2.9 SR 5.2 SR 6.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.5.1 A.12.6.2 A.12.7.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.14.2.7 A.15.2.1 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 AU-9 CM-3(f) CM-7 DE.CM-1 DE.CM-7 PR.AC-4 PR.DS-5 PR.IP-1 PR.IP-3 PR.PT-1 PR.PT-3 SRG-OS-000480-GPOS-00227

Rationale: If a device file carries the SELinux type device_t, then SELinux cannot properly restrict access to the device file.
Identifiers: CCE-27326-8

Map System Users To The Appropriate SELinux Role

Configure the operating system to prevent non-privileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures. All administrators must be mapped to the sysadm_u or staff_u users with the appropriate domains (sysadm_t and staff_t):

    $ sudo semanage login -m -s sysadm_u USER

or

    $ sudo semanage login -m -s staff_u USER

All authorized non-administrative users must be mapped to the user_u role or the appropriate domain (user_t):

    $ sudo semanage login -m -s user_u USER

References: CCI-002235 SRG-OS-000324-GPOS-00125 RHEL-07-020020 SV-86595r2_rule

Rationale: Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.

Identifiers: CCE-80543-2

Ensure SELinux State is Enforcing

The SELinux state should be set to at system boot time.
In the file /etc/selinux/config, add or correct the following line to configure the system to boot into enforcing mode:

    SELINUX=

References: RHEL-07-020210 SV-86613r3_rule 1.6.1.2 1 11 12 13 14 15 16 18 3 4 5 6 8 9 APO01.06 APO11.04 APO13.01 BAI03.05 DSS01.05 DSS03.01 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.03 DSS06.06 MEA02.01 3.1.2 3.7.2 CCI-002165 CCI-002696 164.308(a)(1)(ii)(D) 164.308(a)(3) 164.308(a)(4) 164.310(b) 164.310(c) 164.312(a) 164.312(e) 4.2.3.4 4.3.3.2.2 4.3.3.3.9 4.3.3.4 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 4.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-3 AC-3(3) AC-3(4) AC-4 AC-6 AU-9 SI-6(a) DE.AE-1 ID.AM-3 PR.AC-4 PR.AC-5 PR.AC-6 PR.DS-5 PR.PT-1 PR.PT-3 PR.PT-4 SRG-OS-000445-GPOS-00199

Rationale: Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.
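The three SELinux boot-configuration rules above (no selinux=0 or enforcing=0 kernel argument, SELINUXTYPE=targeted, SELINUX=enforcing) can be audited read-only before any remediation is applied. The following is an added example, not code from the SCAP Security Guide; it works on file contents, so it can be run on copies of /etc/default/grub and /etc/selinux/config, and the two sample files it embeds are constructed.

```python
"""Audit the SELinux boot configuration covered by the three rules above.

Added example, not code from the SCAP Security Guide. The checks are
read-only functions over file contents, so they can be run against copies
of /etc/default/grub and /etc/selinux/config taken from a host.
"""

# Kernel arguments that switch SELinux off or to permissive mode at boot.
# The guide's sed remediation removes them case-insensitively, so compare
# lowercased tokens.
DISABLING_KERNEL_ARGS = ("selinux=0", "enforcing=0")

# Constructed sample files (not taken from any real host).
SAMPLE_SELINUX_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=permissive
SELINUXTYPE=targeted
"""

SAMPLE_GRUB_DEFAULT = """\
GRUB_TIMEOUT=5
GRUB_DEFAULT=saved
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=rhel/root rhgb quiet SELinux=0"
GRUB_DISABLE_RECOVERY="true"
"""


def parse_key_values(text):
    """Parse KEY=VALUE lines; comments and blanks are skipped, a later key
    wins, and surrounding double quotes on the value are removed."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip('"')
    return values


def check_selinux_config(config_text, expected_state="enforcing",
                         expected_policy="targeted"):
    """Findings for /etc/selinux/config; an empty list means compliant.

    Covers 'Ensure SELinux State is Enforcing' (SELINUX=) and
    'Configure SELinux Policy' (SELINUXTYPE=). A missing directive is a
    finding too, since the file then does not pin the setting.
    """
    values = parse_key_values(config_text)
    findings = []
    for key, expected in (("SELINUX", expected_state),
                          ("SELINUXTYPE", expected_policy)):
        actual = values.get(key)
        if actual is None:
            findings.append("%s is not set (expected %s)" % (key, expected))
        elif actual != expected:
            findings.append("%s=%s (expected %s)" % (key, actual, expected))
    return findings


def check_grub_kernel_args(grub_text):
    """Findings for /etc/default/grub: any GRUB_CMDLINE_LINUX* variable that
    carries a kernel argument disabling SELinux or forcing permissive mode.

    Covers 'Ensure SELinux Not Disabled in /etc/default/grub'.
    """
    findings = []
    for key, value in parse_key_values(grub_text).items():
        if not key.startswith("GRUB_CMDLINE_LINUX"):
            continue
        for arg in value.split():
            if arg.lower() in DISABLING_KERNEL_ARGS:
                findings.append("%s: %s" % (key, arg))
    return findings


def audit_selinux_boot(config_text, grub_text):
    """Both checks in one report (a list of finding strings)."""
    return check_selinux_config(config_text) + check_grub_kernel_args(grub_text)


if __name__ == "__main__":
    # Stand-alone run reports on the constructed samples; on a RHEL 7 host
    # pass the contents of the real files instead.
    for finding in audit_selinux_boot(SAMPLE_SELINUX_CONFIG, SAMPLE_GRUB_DEFAULT):
        print("FAIL", finding)
```

Note that /etc/default/grub is only the template: as the shell remediation above shows, the generated /etc/grub2.cfg has to be checked and corrected as well.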
Identifiers: CCE-27334-2

Remediation shell script:

    var_selinux_state=""
    replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state 'CCE-27334-2' '%s=%s'
    fixfiles onboot
    fixfiles -f relabel

Remediation Ansible snippet:

    - name: XCCDF Value var_selinux_state # promote to variable
      set_fact:
        var_selinux_state: !!str
      tags:
        - always

    - name: "Ensure SELinux State is Enforcing"
      lineinfile:
        path: /etc/sysconfig/selinux
        regexp: '^SELINUX='
        line: "SELINUX={{ var_selinux_state }}"
        create: yes
      tags:
        - selinux_state
        - high_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27334-2
        - NIST-800-53-AC-3
        - NIST-800-53-AC-3(3)
        - NIST-800-53-AC-3(4)
        - NIST-800-53-AC-4
        - NIST-800-53-AC-6
        - NIST-800-53-AU-9
        - NIST-800-53-SI-6(a)
        - NIST-800-171-3.1.2
        - NIST-800-171-3.7.2
        - DISA-STIG-RHEL-07-020210
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enterprise Application

Rules that check correct configuration of Enterprise Application.

Set Enterprise Application to travel mode

Configure the Enterprise Application to travel mode. Travel mode optimizes the application to work outside the intranet and enables extra security features.

Remediation shell script:

    mkdir -p /etc/enterprise_app
    echo "mode travel" > /etc/enterprise_app/app.conf

Remediation Ansible snippet:

    - name: "Set Enterprise Application to travel mode"
      lineinfile:
        dest: /etc/enterprise_app/app.conf
        create: yes
        state: present
        line: "mode travel"
      tags:
        - enterprise_app_mode_travel
        - medium_severity

Set Boot Loader Password

During the boot process, the boot loader is responsible for starting the execution of the kernel and passing options to it. The boot loader allows for the selection of different kernels, possibly on different partitions or media. The default Red Hat Enterprise Linux boot loader for x86 systems is called GRUB. Options it can pass to the kernel include single-user mode, which provides root access without any authentication, and the ability to disable SELinux.
To prevent local users from modifying the boot parameters and endangering security, protect the boot loader configuration with a password and ensure its configuration file's permissions are set properly.

Account and Access Control

In traditional Unix security, if an attacker gains shell access to a certain login account, they can perform any action or access any file to which that account has access. Therefore, making it more difficult for unauthorized people to gain shell access to accounts, particularly to privileged accounts, is a necessary part of securing a system. This section introduces mechanisms for restricting access to accounts under Red Hat Enterprise Linux 7.

Protect Accounts by Restricting Password-Based Login

Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness using the /etc/passwd and /etc/shadow files. Password-based login is vulnerable to guessing of weak passwords, and to sniffing and man-in-the-middle attacks against passwords entered over a network or at an insecure console. Therefore, mechanisms for accessing accounts by entering usernames and passwords should be restricted to those which are operationally necessary.

Set Password Expiration Parameters

The file /etc/login.defs controls several password-related settings. Programs such as passwd, su, and login consult /etc/login.defs to determine behavior with regard to password aging, expiration warnings, and length. See the man page login.defs(5) for more information.

Users should be forced to change their passwords, in order to decrease the utility of compromised passwords. However, the need to change passwords often should be balanced against the risk that users will reuse or write down passwords if forced to change them too often. Forcing password changes every 90-360 days, depending on the environment, is recommended.
Set the appropriate value as PASS_MAX_DAYS and apply it to existing accounts with the -M flag. The PASS_MIN_DAYS (-m) setting prevents password changes for 7 days after the first change, to discourage password cycling. If you use this setting, train users to contact an administrator for an emergency password change in case a new password becomes compromised. The PASS_WARN_AGE (-W) setting gives users 7 days of warnings at login time that their passwords are about to expire.

For example, for each existing human user USER, expiration parameters could be adjusted to a 180 day maximum password age, 7 day minimum password age, and 7 day warning period with the following command:

    $ sudo chage -M 180 -m 7 -W 7 USER

Values used by the rules in this section:

maximum password age: Maximum age of password in days. This will only apply to newly created accounts. Values: 120 180 90 60 60

minimum password age: Minimum age of password in days. This will only apply to newly created accounts. Values: 1 2 5 7 7 0

minimum password length: Minimum number of characters in password. This will only check new passwords. Values: 15 6 8 10 12 14 15

warning days before password expires: The number of days' warning given before a password expires. This will only apply to newly created accounts. Values: 7 0 14 7

Set Password Minimum Length in login.defs

To specify password length requirements for new accounts, edit the file /etc/login.defs and add or correct the following line:

    PASS_MIN_LEN

The DoD requirement is 15. The FISMA requirement is 12. The profile requirement is . If a program consults /etc/login.defs and also another PAM module (such as pam_pwquality) during a password change operation, then the most restrictive must be satisfied. See the PAM section for more information about enforcing password quality requirements.
References: 1 12 15 16 5 5.6.2.1 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.5.7 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(f) IA-5(1)(a) PR.AC-1 PR.AC-6 PR.AC-7 FMT_MOF_EXT.1

Rationale: Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result.

Identifiers: CCE-27123-9

Remediation shell script:

    declare var_accounts_password_minlen_login_defs
    var_accounts_password_minlen_login_defs=""
    grep -q ^PASS_MIN_LEN /etc/login.defs && \
      sed -i "s/PASS_MIN_LEN.*/PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs/g" /etc/login.defs
    if ! [ $? -eq 0 ]
    then
      echo -e "PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs" >> /etc/login.defs
    fi

Remediation Ansible snippet:

    - name: XCCDF Value var_accounts_password_minlen_login_defs # promote to variable
      set_fact:
        var_accounts_password_minlen_login_defs: !!str
      tags:
        - always

    - name: "Set Password Minimum Length in login.defs"
      lineinfile:
        dest: /etc/login.defs
        regexp: "^PASS_MIN_LEN *[0-9]*"
        state: present
        line: "PASS_MIN_LEN {{ var_accounts_password_minlen_login_defs }}"
      tags:
        - accounts_password_minlen_login_defs
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27123-9
        - NIST-800-53-IA-5(f)
        - NIST-800-53-IA-5(1)(a)
        - NIST-800-171-3.5.7
        - CJIS-5.6.2.1

Set Password Warning Age

To specify how many days prior to password expiration that a warning will be issued to users, edit the file /etc/login.defs and add or correct the following line:

    PASS_WARN_AGE

The DoD requirement is 7. The profile requirement is .
References: 1 12 13 14 15 16 18 3 5 7 8 DSS01.03 DSS03.05 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.5.8 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 6.2 A.12.4.1 A.12.4.3 A.18.1.4 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(2) IA-5(f) DE.CM-1 DE.CM-3 PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7

Rationale: Setting the password warning age enables users to make the change at a practical time.

Identifiers: CCE-26486-1

Remediation shell script:

    var_accounts_password_warn_age_login_defs=""
    grep -q ^PASS_WARN_AGE /etc/login.defs && \
      sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE $var_accounts_password_warn_age_login_defs/g" /etc/login.defs
    if ! [ $? -eq 0 ]; then
      echo "PASS_WARN_AGE $var_accounts_password_warn_age_login_defs" >> /etc/login.defs
    fi

Remediation Ansible snippet:

    - name: XCCDF Value var_accounts_password_warn_age_login_defs # promote to variable
      set_fact:
        var_accounts_password_warn_age_login_defs: !!str
      tags:
        - always

    - name: "Set Password Warning Age"
      lineinfile:
        dest: /etc/login.defs
        regexp: "^PASS_WARN_AGE *[0-9]*"
        state: present
        line: "PASS_WARN_AGE {{ var_accounts_password_warn_age_login_defs }}"
      tags:
        - accounts_password_warn_age_login_defs
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-26486-1
        - NIST-800-53-AC-2(2)
        - NIST-800-53-IA-5(f)
        - NIST-800-171-3.5.8

Set Password Minimum Age

To specify password minimum age for new accounts, edit the file /etc/login.defs and add or correct the following line:

    PASS_MIN_DAYS

A value of 1 day is considered sufficient for many environments. The DoD requirement is 1. The profile requirement is .
References: RHEL-07-010230 SV-86549r2_rule 1 12 15 16 5 5.6.2.1.1 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.5.8 CCI-000198 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(f) IA-5(1)(d) PR.AC-1 PR.AC-6 PR.AC-7 SRG-OS-000075-GPOS-00043

Rationale: Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.

Identifiers: CCE-27002-5

Remediation shell script:

    var_accounts_minimum_age_login_defs=""
    grep -q ^PASS_MIN_DAYS /etc/login.defs && \
      sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS $var_accounts_minimum_age_login_defs/g" /etc/login.defs
    if ! [ $? -eq 0 ]; then
      echo "PASS_MIN_DAYS $var_accounts_minimum_age_login_defs" >> /etc/login.defs
    fi

Remediation Ansible snippet:

    - name: XCCDF Value var_accounts_minimum_age_login_defs # promote to variable
      set_fact:
        var_accounts_minimum_age_login_defs: !!str
      tags:
        - always

    - name: Set Password Minimum Age
      lineinfile:
        create: yes
        dest: /etc/login.defs
        regexp: ^#?PASS_MIN_DAYS
        line: "PASS_MIN_DAYS {{ var_accounts_minimum_age_login_defs }}"
      tags:
        - accounts_minimum_age_login_defs
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27002-5
        - NIST-800-53-IA-5(f)
        - NIST-800-53-IA-5(1)(d)
        - NIST-800-171-3.5.8
        - CJIS-5.6.2.1.1
        - DISA-STIG-RHEL-07-010230

Set Password Maximum Age

To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line:

    PASS_MAX_DAYS

A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is .

References: RHEL-07-010250 SV-86553r2_rule 5.4.1.1 1 12 15 16 5 5.6.2.1 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.5.6 CCI-000199 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(f) IA-5(g) IA-5(1)(d) PR.AC-1 PR.AC-6 PR.AC-7 Req-8.2.4 SRG-OS-000076-GPOS-00044

Rationale: Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.
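The login.defs directives in the rules above only govern newly created accounts; existing accounts carry their own aging fields in /etc/shadow, which is why this section also uses chage. The following added example (not code from the SCAP Security Guide) audits both: it reads the four directives from /etc/login.defs content and the per-account fields that chage -m/-M/-W set from /etc/shadow content, using the limits from this section's chage example (180/7/7) and the DoD minimum length of 15 as defaults. The sample inputs are constructed and the password hashes in them are placeholders.

```python
"""Audit password-aging settings from /etc/login.defs and /etc/shadow.

Added example, not code from the SCAP Security Guide. Default limits are
the chage example from this section (-M 180 -m 7 -W 7) and the DoD minimum
length of 15; pass your profile's values instead where they differ.
"""

# Constructed sample inputs (hashes are placeholders, not real hashes).
SAMPLE_LOGIN_DEFS = """\
# constructed /etc/login.defs excerpt
MAIL_DIR        /var/spool/mail
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
#PASS_WARN_AGE  14
PASS_WARN_AGE   7
PASS_MIN_LEN    5
UID_MIN         1000
"""

SAMPLE_SHADOW = """\
root:$6$constructed$placeholder:18000:0:99999:7:::
bin:*:17834:0:99999:7:::
alice:$6$constructed$placeholder:18000:7:180:7:::
bob:$6$constructed$placeholder:18000:0:99999::::
carol:!!:18000:0:99999:7:::
"""


def parse_login_defs(text):
    """Map directive -> value for /etc/login.defs (whitespace separated).
    Commented-out directives such as '#PASS_WARN_AGE 14' are ignored, just
    as the '^#?PASS_...' regexps in the Ansible remediations treat them."""
    defs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith("#"):
            defs[parts[0]] = parts[1]
    return defs


def _violates(value, limit, kind):
    """kind 'ceiling': value must not exceed limit; 'floor': must reach it."""
    return value > limit if kind == "ceiling" else value < limit


def check_login_defs(text, max_days=180, min_days=7, warn_age=7, min_len=15):
    """Findings for the defaults applied to newly created accounts."""
    defs = parse_login_defs(text)
    rules = (("PASS_MAX_DAYS", max_days, "ceiling"),
             ("PASS_MIN_DAYS", min_days, "floor"),
             ("PASS_WARN_AGE", warn_age, "floor"),
             ("PASS_MIN_LEN", min_len, "floor"))
    findings = []
    for key, limit, kind in rules:
        raw = defs.get(key)
        if raw is None or not raw.isdigit():
            findings.append("%s is not set" % key)
        elif _violates(int(raw), limit, kind):
            findings.append("%s=%s (limit %d)" % (key, raw, limit))
    return findings


def check_shadow(text, max_days=180, min_days=7, warn_age=7):
    """Findings for existing accounts from /etc/shadow fields 4 to 6 (minimum
    age, maximum age, warning period: the values chage -m/-M/-W set).
    Locked ('!' prefix) and password-less ('*', '!!', empty) accounts cannot
    authenticate with a password, so aging does not apply to them."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 9:
            continue
        user, password, _lastchg, mn, mx, warn = fields[:6]
        if not password or password.startswith(("!", "*")):
            continue
        for label, raw, limit, kind in (("minimum age", mn, min_days, "floor"),
                                        ("maximum age", mx, max_days, "ceiling"),
                                        ("warning period", warn, warn_age, "floor")):
            if not raw.isdigit():
                findings.append("%s: %s is not set" % (user, label))
            elif _violates(int(raw), limit, kind):
                findings.append("%s: %s is %s (limit %d)" % (user, label, raw, limit))
    return findings


def chage_commands(shadow_text, max_days=180, min_days=7, warn_age=7):
    """One chage invocation (the form used in this section) per non-compliant user."""
    users = sorted({f.split(":")[0]
                    for f in check_shadow(shadow_text, max_days, min_days, warn_age)})
    return ["chage -M %d -m %d -W %d %s" % (max_days, min_days, warn_age, u)
            for u in users]


if __name__ == "__main__":
    for finding in check_login_defs(SAMPLE_LOGIN_DEFS) + check_shadow(SAMPLE_SHADOW):
        print("FAIL", finding)
    print("\n".join(chage_commands(SAMPLE_SHADOW)))
```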
Identifiers: CCE-27051-2

Remediation shell script:

    var_accounts_maximum_age_login_defs=""
    grep -q ^PASS_MAX_DAYS /etc/login.defs && \
      sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS $var_accounts_maximum_age_login_defs/g" /etc/login.defs
    if ! [ $? -eq 0 ]; then
      echo "PASS_MAX_DAYS $var_accounts_maximum_age_login_defs" >> /etc/login.defs
    fi

Remediation Ansible snippet:

    - name: XCCDF Value var_accounts_maximum_age_login_defs # promote to variable
      set_fact:
        var_accounts_maximum_age_login_defs: !!str
      tags:
        - always

    - name: Set Password Maximum Age
      lineinfile:
        create: yes
        dest: /etc/login.defs
        regexp: ^#?PASS_MAX_DAYS
        line: "PASS_MAX_DAYS {{ var_accounts_maximum_age_login_defs }}"
      tags:
        - accounts_maximum_age_login_defs
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27051-2
        - NIST-800-53-IA-5(f)
        - NIST-800-53-IA-5(g)
        - NIST-800-53-IA-5(1)(d)
        - NIST-800-171-3.5.6
        - PCI-DSS-Req-8.2.4
        - CJIS-5.6.2.1
        - DISA-STIG-RHEL-07-010250

Set Existing Passwords Minimum Age

Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command:

    $ sudo chage -m 1 USER

References: CCI-000198 SRG-OS-000075-GPOS-00043 RHEL-07-010240 SV-86551r2_rule

Rationale: Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

Identifiers: CCE-80521-8

Set Existing Passwords Maximum Age

Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction by running the following command:

    $ sudo chage -M 60 USER

References: CCI-000199 SRG-OS-000076-GPOS-00044 RHEL-07-010260 SV-86555r3_rule

Rationale: Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically.
If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.

Identifiers: CCE-80522-6

Restrict Root Logins

Direct root logins should be allowed only for emergency use. In normal situations, the administrator should access the system via a unique unprivileged account, and then use su or sudo to execute privileged commands. Discouraging administrators from accessing the root account directly ensures an audit trail in organizations with multiple administrators. Locking down the channels through which root can connect directly also reduces opportunities for password-guessing against the root account. The login program uses the file /etc/securetty to determine which interfaces should allow root logins. The virtual devices /dev/console and /dev/tty* represent the system consoles (accessible via the Ctrl-Alt-F1 through Ctrl-Alt-F6 keyboard sequences on a default installation). The default securetty file also contains /dev/vc/*. These are likely to be deprecated in most environments, but may be retained for compatibility. Root should also be prohibited from connecting via network protocols. Other sections of this document include guidance describing how to prevent root from logging in via SSH.
Restrict Serial Port Root Logins

To restrict root logins on serial ports, ensure lines of this form do not appear in /etc/securetty:

    ttyS0
    ttyS1

References: 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.1.1 3.1.5 CCI-000770 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6(2) IA-2 PR.AC-4 PR.DS-5

Rationale: Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account.

Identifiers: CCE-27268-2

Remediation shell script:

    sed -i '/ttyS/d' /etc/securetty

Remediation Ansible snippet:

    - name: "Restrict Serial Port Root Logins"
      lineinfile:
        dest: /etc/securetty
        regexp: 'ttyS[0-9]'
        state: absent
      tags:
        - restrict_serial_port_logins
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27268-2
        - NIST-800-53-AC-6(2)
        - NIST-800-53-IA-2
        - NIST-800-171-3.1.1
        - NIST-800-171-3.1.5

Root Path Must Be Vendor Default

Assuming root shell is bash, edit the following files:

    ~/.profile
    ~/.bashrc

Change any PATH variables to the vendor default for root and remove any empty PATH entries or references to relative paths.

References: 18 APO13.01 BAI03.01 BAI03.02 BAI03.03 4.3.4.3.3 A.14.1.1 A.14.2.1 A.14.2.5 A.6.1.5 SA-8 PR.IP-2

Rationale: The root account's executable search path must be the vendor default, and must contain only absolute paths.

Identifiers: CCE-80210-8

Direct root Logins Not Allowed

To further limit access to the root account, administrators can disable root logins at the console by editing the /etc/securetty file. This file lists all devices the root user is allowed to login to. If the file does not exist at all, the root user can login through any communication device on the system, whether via the console or via a raw network interface.
This is dangerous, as a user can then log in to the system as root via Telnet, which sends the password in plain text over the network. By default, Red Hat Enterprise Linux 7's /etc/securetty file only allows the root user to login at the console physically attached to the system. To prevent direct root logins, remove the contents of this file by typing the following command (the redirection has to run with root privileges, hence the sub-shell):

    $ sudo sh -c 'echo > /etc/securetty'

References: 5.5 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.1.1 3.1.6 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-2 IA-2(1) PR.AC-1 PR.AC-6 PR.AC-7

Rationale: Disabling direct root logins ensures proper accountability and multifactor authentication to privileged accounts. Users will first login, then escalate to privileged (root) access via su / sudo. This is required for FISMA Low and FISMA Moderate systems.
Identifiers: CCE-27294-8

Remediation shell script:

    echo > /etc/securetty

Remediation Ansible snippet:

    - name: Test for existence /etc/securetty
      stat:
        path: /etc/securetty
      register: securetty_empty
      tags:
        - no_direct_root_logins
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27294-8
        - NIST-800-53-IA-2
        - NIST-800-53-IA-2(1)
        - NIST-800-171-3.1.1
        - NIST-800-171-3.1.6

    - name: "Direct root Logins Not Allowed"
      shell: echo > /etc/securetty
      changed_when: securetty_empty.stat.size > 1
      tags:
        - no_direct_root_logins
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27294-8
        - NIST-800-53-IA-2
        - NIST-800-53-IA-2(1)
        - NIST-800-171-3.1.1
        - NIST-800-171-3.1.6

Restrict Web Browser Use for Administrative Accounts

Enforce policy requiring administrative accounts use web browsers only for local service administration.

Rationale: If a browser vulnerability is exploited while running with administrative privileges, the entire system could be compromised. Specific exceptions for local service administration should be documented in site-defined policy.

Identifiers: CCE-80209-0

Ensure that System Accounts Are Locked

Some accounts are not associated with a human user of the system, and exist to perform some administrative function. An attacker should not be able to log into these accounts. System accounts are those user accounts with a user ID less than UID_MIN, where the value of the UID_MIN directive is set in the /etc/login.defs configuration file. In the default configuration UID_MIN is set to 500, thus system accounts are those user accounts with a user ID less than 500.
If any system account SYSACCT (other than root) has an unlocked password, disable it with the command:
$ sudo passwd -l SYSACCT
References: IA-2
Rationale: Disabling authentication for default system accounts makes it more difficult for attackers to make use of them to compromise a system.
CCE-80650-5

Restrict Virtual Console Root Logins
To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in /etc/securetty:
vc/1
vc/2
vc/3
vc/4
References: 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.1.1 3.1.5 CCI-000770 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6(2) IA-2 PR.AC-4 PR.DS-5
Rationale: Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account.
CCE-27318-5
Bash remediation:
sed -i '/^vc\//d' /etc/securetty
Ansible remediation:
- name: "Restrict Virtual Console Root Logins"
  lineinfile:
    dest: /etc/securetty
    regexp: '^vc'
    state: absent
  tags:
    - securetty_root_login_console_only
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27318-5
    - NIST-800-53-AC-6(2)
    - NIST-800-53-IA-2
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.5

Ensure that System Accounts Do Not Run a Shell Upon Login
Some accounts are not associated with a human user of the system, and exist to perform some administrative function. Should an attacker be able to log into these accounts, they should not be granted access to a shell. The login shell for each local account is stored in the last field of each line in /etc/passwd.
System accounts are those user accounts with a user ID less than UID_MIN, where the value of the UID_MIN directive is set in the /etc/login.defs configuration file. In the default configuration UID_MIN is set to 1000, thus system accounts are those user accounts with a user ID less than 1000. The user ID is stored in the third field. If any system account SYSACCT (other than root) has a login shell, disable it with the command:
$ sudo usermod -s /sbin/nologin SYSACCT
Do not perform the steps in this section on the root account. Doing so might cause the system to become inaccessible.
References: 5.4.2 1 12 13 14 15 16 18 3 5 7 8 DSS01.03 DSS03.05 DSS05.04 DSS05.05 DSS05.07 DSS06.03 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 6.2 A.12.4.1 A.12.4.3 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2 DE.CM-1 DE.CM-3 PR.AC-1 PR.AC-4 PR.AC-6
Rationale: Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts.
CCE-26448-1

Verify Only Root Has UID 0
If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed. If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned.
References: RHEL-07-020310 SV-86629r2_rule 6.2.5 1 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.02 DSS06.03 DSS06.10 3.1.1 3.1.5 CCI-000366 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.18.1.4 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-6 IA-2 IA-2(1) IA-4 PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7 PR.DS-5 SRG-OS-000480-GPOS-00227
Rationale: An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.
CCE-27175-9
Bash remediation (locks every non-root account with UID 0; xargs -r skips the passwd call when there is none, so passwd is not invoked without a user name):
awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd | xargs -r passwd -l

Set Account Expiration Parameters
Accounts can be configured to be automatically disabled after a certain time period, meaning that they will require administrator interaction to become usable again. Expiration of accounts after inactivity can be set for all accounts by default and also on a per-account basis, such as for accounts that are known to be temporary. To configure automatic expiration of an account following the expiration of its password (that is, after the password has expired and not been changed), run the following command, substituting NUM_DAYS and USER appropriately:
$ sudo chage -I NUM_DAYS USER
Accounts, such as temporary accounts, can also be configured to expire on an explicitly-set date with the -E option.
The file /etc/default/useradd controls default settings for all newly-created accounts created with the system's normal command line utilities. This will only apply to newly created accounts.

number of days after a password expires until the account is permanently disabled
The number of days to wait after a password expires, until the account will be permanently disabled.
Selectable values: 35 0 35 40 180 90 60 30

Use Centralized and Automated Authentication
Implement an automated system for managing user accounts that minimizes the risk of errors, either accidental or deliberate. This system should integrate with an existing enterprise user management system, such as one based on Identity Management tools such as Active Directory, Kerberos, Directory Server, etc.
Rationale: A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. Enterprise environments make user account management challenging and complex. A user management process requiring administrators to manually address account management functions adds risk of potential oversight.

Ensure All Accounts on the System Have Unique Names
Change usernames, or delete accounts, so each has a unique name.
References: 5.5.2 CCI-000770 CCI-000804 Req-8.1.1
Rationale: Unique usernames allow for accountability on the system.
CCE-80208-2

Set Account Expiration Following Inactivity
To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following line in /etc/default/useradd, substituting NUM_DAYS appropriately:
INACTIVE=
A value of 35 is recommended; however, this profile expects that the value is set to . If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled.
See the useradd man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.
References: RHEL-07-010310 SV-86565r2_rule 1 12 13 14 15 16 18 3 5 7 8 5.6.2.1.1 DSS01.03 DSS03.05 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.5.6 CCI-000795 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 6.2 A.12.4.1 A.12.4.3 A.18.1.4 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(2) AC-2(3) IA-4(e) DE.CM-1 DE.CM-3 PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7 Req-8.1.4 SRG-OS-000118-GPOS-00060
Rationale: Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.
CCE-27355-7
Bash remediation (var_account_disable_post_pw_expiration is filled in from the profile value; replace_or_append is the shared SSG helper that rewrites a matching line or appends one):
var_account_disable_post_pw_expiration=""
replace_or_append '/etc/default/useradd' '^INACTIVE' "$var_account_disable_post_pw_expiration" 'CCE-27355-7' '%s=%s'
Ansible remediation:
- name: XCCDF Value var_account_disable_post_pw_expiration # promote to variable
  set_fact:
    var_account_disable_post_pw_expiration: !!str
  tags:
    - always
- name: Set Account Expiration Following Inactivity
  lineinfile:
    create: yes
    dest: /etc/default/useradd
    regexp: ^INACTIVE
    line: "INACTIVE={{ var_account_disable_post_pw_expiration }}"
  tags:
    - account_disable_post_pw_expiration
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27355-7
    - NIST-800-53-AC-2(2)
    - NIST-800-53-AC-2(3)
    - NIST-800-53-IA-4(e)
    - NIST-800-171-3.5.6
    - PCI-DSS-Req-8.1.4
    - CJIS-5.6.2.1.1
    - DISA-STIG-RHEL-07-010310

Assign Expiration Date to Temporary Accounts
Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts. In the event temporary or emergency accounts are required, configure the system to terminate them after a documented time period. For every temporary and emergency account, run the following command to set an expiration date on it, substituting USER and YYYY-MM-DD appropriately:
$ sudo chage -E YYYY-MM-DD USER
YYYY-MM-DD indicates the documented expiration date for the account. For U.S. Government systems, the operating system must be configured to automatically terminate these types of accounts after a period of 72 hours.
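The "Set Account Expiration Following Inactivity" rule above rewrites or appends the INACTIVE= line. The shell script below is an added example written for this page, not the SSG project's replace_or_append helper: it keeps the same replace-or-append behaviour on a copy of the defaults file, validates the value, reads the setting back, and writes the file back in place so its owner and mode are preserved. The function names, the constructed sample file and the compliance limit passed as an argument are this example's own assumptions.

```shell
# Added example (not SSG code): maintain INACTIVE= in a copy of
# /etc/default/useradd and read the effective value back. Uses only
# POSIX sh, awk, grep and mktemp.

# Print the value of the last active INACTIVE= line in FILE, or nothing
# if the key is absent (useradd treats a missing key like -1, i.e. disabled).
get_useradd_inactive() {
    awk -F= '/^[[:space:]]*INACTIVE[[:space:]]*=/ { v = $2; gsub(/[[:space:]]/, "", v) }
             END { if (v != "") print v }' "$1"
}

# Rewrite every active INACTIVE= line in FILE to DAYS, or append one when
# none exists. DAYS must be a non-negative integer. The content is copied
# back with cat rather than mv so the file keeps its original owner and mode.
set_useradd_inactive() {
    file=$1
    days=$2
    case "$days" in
        ''|*[!0-9]*)
            echo "set_useradd_inactive: '$days' is not a non-negative integer" >&2
            return 2 ;;
    esac
    tmp=$(mktemp)
    if grep -q '^[[:space:]]*INACTIVE[[:space:]]*=' "$file"; then
        awk -v d="$days" '/^[[:space:]]*INACTIVE[[:space:]]*=/ { print "INACTIVE=" d; next } { print }' "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf 'INACTIVE=%s\n' "$days" >> "$tmp"
    fi
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Return 0 when FILE sets INACTIVE to a value between 1 and MAX_DAYS
# inclusive (the guide recommends 35), 1 otherwise (absent, -1, or too large).
useradd_inactive_compliant() {   # file max_days
    v=$(get_useradd_inactive "$1")
    case "$v" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$v" -ge 1 ] && [ "$v" -le "$2" ]
}

# Demo on a constructed copy of the defaults file (never the live one).
demo=$(mktemp)
printf '# useradd defaults file\nGROUP=100\nHOME=/home\nINACTIVE=-1\nEXPIRE=\nSHELL=/bin/bash\n' > "$demo"
set_useradd_inactive "$demo" 35
echo "INACTIVE is now $(get_useradd_inactive "$demo")"
rm -f "$demo"
```

On a real host the first argument would be /etc/default/useradd; the cat-based write-back matters there because a mv from mktemp would replace the root-owned 0644 file with one carrying the temporary file's 0600 mode.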
References: 1 12 13 14 15 16 18 3 5 7 8 DSS01.03 DSS03.05 DSS05.04 DSS05.05 DSS05.07 DSS06.03 CCI-000016 CCI-001682 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 6.2 A.12.4.1 A.12.4.3 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(2) AC-2(3) DE.CM-1 DE.CM-3 PR.AC-1 PR.AC-4 PR.AC-6 SRG-OS-000002-GPOS-00153
Rationale: If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.
CCE-81000-2

Verify Proper Storage and Existence of Password Hashes
By default, password hashes for local accounts are stored in the second field (colon-separated) in /etc/shadow. This file should be readable only by processes running with root credentials, preventing users from casually accessing others' password hashes and attempting to crack them. However, it remains possible to misconfigure the system and store password hashes in world-readable files such as /etc/passwd, or to even store passwords themselves in plaintext on the system. Using system-provided tools for password change/creation should allow administrators to avoid such misconfiguration.

Verify No netrc Files Exist
The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP servers, making them susceptible to access by unauthorized users, and should not be used. Any .netrc files should be removed.
References: 1 11 12 14 15 16 18 3 5 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.06 DSS06.10 CCI-000196 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 A.18.1.4 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 IA-5(h) AC-3 PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7 PR.PT-3
Rationale: Unencrypted passwords for remote FTP servers may be stored in .netrc files. DoD policy requires passwords be encrypted in storage and not used in access scripts.
CCE-80211-6

Prevent Login to Accounts With Empty Password
If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.
References: RHEL-07-010290 SV-86561r3_rule 1 12 13 14 15 16 18 3 5 5.5.2 APO01.06 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.02 DSS06.03 DSS06.10 3.1.1 3.1.5 CCI-000366 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.18.1.4 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-6 IA-5(b) IA-5(c) IA-5(1)(a) PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7 PR.DS-5 FIA_AFL.1 Req-8.2.3 SRG-OS-000480-GPOS-00227
Rationale: If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
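For the "Prevent Login to Accounts With Empty Password" rule, the script below is an added example written for this page (it is not the SSG remediation, which uses a global sed substitution). It reports the active lines of a PAM stack file that carry nullok and removes only that token, leaving comment lines, the rest of each line, and longer tokens such as nullok_secure untouched. The function names and the constructed sample stack are this example's own assumptions.

```shell
# Added example (not SSG code): report and strip the nullok token from the
# active lines of a copy of a PAM stack file. Uses POSIX sh, awk, grep, mktemp.

# Active (non-comment) lines carrying a stand-alone nullok token.
pam_lines_with_nullok() {   # file
    grep -v '^[[:space:]]*#' "$1" | grep -E '(^|[[:space:]])nullok([[:space:]]|$)' || true
}

# Remove each nullok token, closing the gap it leaves, and write the file
# back in place with cat so its owner and mode are kept.
strip_nullok() {   # file
    file=$1
    tmp=$(mktemp)
    awk '
        !/^[[:space:]]*#/ {
            # repeat until no stand-alone nullok token remains on this line
            while (match($0, /(^|[[:space:]])nullok([[:space:]]+|$)/)) {
                pre = substr($0, 1, RSTART - 1)
                post = substr($0, RSTART + RLENGTH)
                $0 = pre ((pre != "" && post != "") ? " " : "") post
            }
        }
        { print }' "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Constructed sample stack in the layout of /etc/pam.d/system-auth
# (not copied from a real host); prints its path.
make_sample_pam_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#%PAM-1.0
# This file is auto-generated.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
account     required      pam_unix.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
# nullok must stay out of the stacks above
session     required      pam_unix.so
EOF
    echo "$f"
}

# Demo on the constructed copy; on a host, pass /etc/pam.d/system-auth and
# /etc/pam.d/password-auth (resolving the symlinks to the -ac files first).
sample=$(make_sample_pam_file)
echo "before:"; pam_lines_with_nullok "$sample"
strip_nullok "$sample"
echo "after (no output expected):"; pam_lines_with_nullok "$sample"
rm -f "$sample"
```

The pam_lines_with_nullok check is what an auditor runs; strip_nullok is the change, and running the check again afterwards confirms the result instead of trusting that the substitution matched.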
CCE-27286-4
Bash remediation:
sed --follow-symlinks -i 's/\<nullok\>//g' /etc/pam.d/system-auth
sed --follow-symlinks -i 's/\<nullok\>//g' /etc/pam.d/password-auth
Ansible remediation:
- name: "Prevent Log In to Accounts With Empty Password - system-auth"
  replace:
    dest: /etc/pam.d/system-auth
    follow: yes
    regexp: 'nullok'
  tags:
    - no_empty_passwords
    - high_severity
    - configure_strategy
    - low_complexity
    - medium_disruption
    - CCE-27286-4
    - NIST-800-53-AC-6
    - NIST-800-53-IA-5(b)
    - NIST-800-53-IA-5(c)
    - NIST-800-53-IA-5(1)(a)
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.5
    - PCI-DSS-Req-8.2.3
    - CJIS-5.5.2
    - DISA-STIG-RHEL-07-010290
- name: "Prevent Log In to Accounts With Empty Password - password-auth"
  replace:
    dest: /etc/pam.d/password-auth
    follow: yes
    regexp: 'nullok'
  tags:
    - no_empty_passwords
    - high_severity
    - configure_strategy
    - low_complexity
    - medium_disruption
    - CCE-27286-4
    - NIST-800-53-AC-6
    - NIST-800-53-IA-5(b)
    - NIST-800-53-IA-5(c)
    - NIST-800-53-IA-5(1)(a)
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.5
    - PCI-DSS-Req-8.2.3
    - CJIS-5.5.2
    - DISA-STIG-RHEL-07-010290

Verify All Account Password Hashes are Shadowed
If any password hashes are stored in /etc/passwd (in the second field, instead of an x or *), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.
References: 1 12 15 16 5 5.5.2 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.5.10 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(h) PR.AC-1 PR.AC-6 PR.AC-7 Req-8.2.1
Rationale: The hashes for all user account passwords should be stored in the file /etc/shadow and never in /etc/passwd, which is readable by all users.
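The account rules in this section (only root with UID 0, system accounts without a login shell, system accounts locked, password hashes kept out of /etc/passwd, every primary GID defined in /etc/group, unique user names, no vc/ entries in /etc/securetty) each describe a condition that can be checked from the files alone. The shell script below is an added example written for this page, not SSG's OVAL checks: it audits copies of those files offline, one function per rule, with the file paths passed as arguments so it runs on copies pulled from any host. The sample data, function names and the UID_MIN fallback of 1000 (the RHEL 7 default) are this example's own assumptions.

```shell
# Added example (not SSG code): offline audit of copied passwd, shadow,
# group, login.defs and securetty files. Each check prints one finding per
# line. Uses only POSIX sh, awk, grep and mktemp.

uid_min() {   # login.defs -> UID_MIN, falling back to the RHEL 7 default of 1000
    awk '$1 == "UID_MIN" { v = $2 } END { print (v == "" ? 1000 : v) }' "$1"
}

extra_uid0() {   # passwd: accounts other than root with UID 0
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

system_accounts_with_shell() {   # passwd login.defs: system accounts whose shell is not a no-login shell
    awk -F: -v min="$(uid_min "$2")" '$3 < min && $1 != "root" && $7 != "/sbin/nologin" &&
        $7 != "/usr/sbin/nologin" && $7 != "/bin/false" { print $1 }' "$1"
}

unlocked_system_accounts() {   # passwd shadow login.defs: system accounts whose hash is not locked ("!" or "*")
    awk -F: -v min="$(uid_min "$3")" '
        NR == FNR { if ($3 < min && $1 != "root") sys[$1] = 1; next }
        ($1 in sys) && $2 !~ /^[!*]/ { print $1 }' "$1" "$2"
}

unshadowed_hashes() {   # passwd: password field is neither "x" nor "*", so a hash sits in the world-readable file
    awk -F: '$2 != "x" && $2 != "*" { print $1 }' "$1"
}

undefined_primary_gids() {   # passwd group: users whose primary GID has no group entry
    awk -F: 'NR == FNR { gid[$3] = 1; next } !($4 in gid) { print $1 ":" $4 }' "$2" "$1"
}

duplicate_names() {   # passwd: user names that occur more than once
    awk -F: '++seen[$1] == 2 { print $1 }' "$1"
}

securetty_vc_lines() {   # securetty: virtual console entries that still allow root login
    grep '^vc/' "$1" || true
}

audit_report() {   # dir holding the five files; prints findings, returns 1 if any
    d=$1; rc=0
    for check in "extra_uid0 $d/passwd" \
                 "system_accounts_with_shell $d/passwd $d/login.defs" \
                 "unlocked_system_accounts $d/passwd $d/shadow $d/login.defs" \
                 "unshadowed_hashes $d/passwd" \
                 "undefined_primary_gids $d/passwd $d/group" \
                 "duplicate_names $d/passwd" \
                 "securetty_vc_lines $d/securetty"; do
        out=$($check)                       # word-split into function name + paths
        if [ -n "$out" ]; then printf '%s:\n%s\n' "${check%% *}" "$out"; rc=1; fi
    done
    return $rc
}

make_sample_dir() {   # constructed sample files (not from a real host); prints the directory
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
backup:x:0:0:Backup operator:/root:/bin/bash
svcapp:x:300:300:App service:/var/lib/app:/bin/bash
legacy:$6$salt$hash:999:999::/home/legacy:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:5000:Bob:/home/bob:/bin/bash
alice:x:1002:1002:Second alice:/home/alice2:/bin/bash
EOF
    cat > "$d/shadow" <<'EOF'
root:$6$r$rhash:18000:0:99999:7:::
bin:*:18000:0:99999:7:::
backup:!!:18000:0:99999:7:::
svcapp:$6$s$shash:18000:0:99999:7:::
legacy:!!:18000:0:99999:7:::
alice:$6$a$ahash:18000:0:99999:7:::
bob:$6$b$bhash:18000:0:99999:7:::
EOF
    printf 'root:x:0:\nbin:x:1:\napp:x:300:\nlegacy:x:999:\nalice:x:1000:\nalice2:x:1002:\n' > "$d/group"
    printf 'MAIL_DIR /var/spool/mail\nUID_MIN 1000\nUID_MAX 60000\n' > "$d/login.defs"
    printf 'console\ntty1\nvc/1\nvc/2\n' > "$d/securetty"
    echo "$d"
}

# Demo on the constructed copies; on a host, point audit_report at a
# directory holding copies of the live files instead.
sample=$(make_sample_dir)
audit_report "$sample" || echo "findings present (exit status $?)"
rm -rf "$sample"
```

Against the constructed data the report names backup (UID 0 and a shell), svcapp (system account with a shell and an unlocked hash), legacy (hash in passwd), bob (primary GID 5000 undefined), the duplicated alice, and the two vc/ lines; the non-zero exit status is what makes the script usable from a scheduled job or a CI gate.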
CCE-27352-4

All GIDs referenced in /etc/passwd must be defined in /etc/group
Add a group to the system for each GID referenced without a corresponding group.
References: RHEL-07-020300 SV-86627r2_rule 1 12 15 16 5 5.5.2 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-000764 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-2 PR.AC-1 PR.AC-6 PR.AC-7 Req-8.5.a SRG-OS-000104-GPOS-00051
Rationale: If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group with that GID is subsequently created, the user may have unintended rights to any files associated with the group.
CCE-27503-2

Protect Physical Console Access
It is impossible to fully protect a system from an attacker with physical access, so securing the space in which the system is located should be considered a necessary step. However, there are some steps which, if taken, make it more difficult for an attacker to quickly or undetectably modify a system from its console.

Configure Screen Locking
When a user must temporarily leave an account logged-in, screen locking should be employed to prevent passersby from abusing the account. User education and training is particularly important for screen locking to be effective, and policies can be implemented to reinforce this. Automatic screen locking is only meant as a safeguard for those cases where a user forgot to lock the screen.

Configure Console Screen Locking
A console screen locking mechanism is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence.
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.

Install the screen Package
To enable console screen locking, install the screen package. The screen package can be installed with the following command:
$ sudo yum install screen
Instruct users to begin new terminal sessions with the following command:
$ screen
The console can now be locked with the following key combination:
ctrl+a x
References: RHEL-07-010090 SV-86521r2_rule 1 12 15 16 DSS05.04 DSS05.10 DSS06.10 3.1.10 CCI-000057 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-11(a) PR.AC-7 FMT_MOF_EXT.1 SRG-OS-000029-GPOS-00010
Rationale: A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. The screen package allows for a session lock to be implemented and configured.
CCE-27351-6
Bash remediation:
package_install screen
Ansible remediation:
- name: Ensure screen is installed
  package:
    name: screen
    state: present
  tags:
    - package_screen_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-27351-6
    - NIST-800-53-AC-11(a)
    - NIST-800-171-3.1.10
    - DISA-STIG-RHEL-07-010090
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
Puppet remediation:
include install_screen
class install_screen {
  package { 'screen':
    ensure => 'installed',
  }
}
Anaconda remediation:
package --add=screen

Hardware Tokens for Authentication
The use of hardware tokens such as smart cards for system login provides stronger, two-factor authentication than using a username and password. In Red Hat Enterprise Linux servers and workstations, hardware token login is not enabled by default and must be enabled in the system settings.

OpenSC Smart Card Drivers
Choose the Smart Card Driver in use by your organization. For DoD, choose the cac driver. If your driver is not listed and you don't want to use the default driver, use the other option and manually specify your driver.
Selectable values: flex cardos epass2003 PIV-II oberthur iasecc starcos gpk rutoken_ecp incrypto34 dnie rutoken jpki None belpic asepcos myeid MaskTech tcos itacns cyberflex entersafe acos5 npa isoApplet gemsafeV1 atrust-acos openpgp sc-hsm authentic coolkey akis gids default setcos westcos cac mcrd muscle

Install Smart Card Packages For Multifactor Authentication
Configure the operating system to implement multifactor authentication by installing the required packages. The esc, pam_pkcs11 and authconfig-gtk packages can be installed with the following command:
$ sudo yum install esc pam_pkcs11 authconfig-gtk
References: CCI-001954 SRG-OS-000375-GPOS-00160 RHEL-07-041001 SV-87041r3_rule
Rationale: Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
CCE-80519-2
Bash remediation:
package_install esc
package_install pam_pkcs11
package_install authconfig-gtk

Configure opensc Smart Card Drivers
The OpenSC smart card tool can auto-detect smart card drivers; however, setting the smart card drivers in use by your organization helps to prevent users from using unauthorized smart cards. The default smart card driver for this profile is . To configure the OpenSC driver, edit the /etc/opensc-ARCH.conf (where ARCH is the architecture of your operating system) file.
Look for a line similar to:
# card_drivers = old, internal;
and change it to:
card_drivers = ;
References: 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-000765 CCI-000766 CCI-000767 CCI-000768 CCI-000771 CCI-000772 CCI-000884 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-2(2) PR.AC-1 PR.AC-6 PR.AC-7 Req-8.3 SRG-OS-000104-GPOS-00051 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000109-GPOS-00056 SRG-OS-000108-GPOS-00055 SRG-OS-000108-GPOS-00057 SRG-OS-000108-GPOS-00058 SRG-OS-000376-VMM-001520
Rationale: Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials. Configuring the smart card driver in use by your organization helps to prevent users from using unauthorized smart cards.
CCE-80565-5
Bash remediation (var_smartcard_drivers is filled in from the profile value; an active card_drivers line is rewritten in place, otherwise the commented template line is replaced with an active one, so the result is never left commented out):
var_smartcard_drivers=""
if grep -qs "^[[:space:]]*card_drivers =" /etc/opensc*.conf; then
    sed -i "s/^\([[:space:]]*\)card_drivers =.*/\1card_drivers = $var_smartcard_drivers;/g" /etc/opensc*.conf
else
    sed -i "s/.*card_drivers =.*/ card_drivers = $var_smartcard_drivers;/g" /etc/opensc*.conf
fi
Ansible remediation:
- name: XCCDF Value var_smartcard_drivers # promote to variable
  set_fact:
    var_smartcard_drivers: !!str
  tags:
    - always
- name: Check existence of opensc conf
  stat:
    path: /etc/opensc-{{ ansible_architecture }}.conf
  register: opensc_conf_cd
  tags:
    - configure_opensc_card_drivers
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-80565-5
    - NIST-800-53-IA-2(2)
    - PCI-DSS-Req-8.3
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
- name: "Configure opensc Smart Card Drivers"
  lineinfile:
    path: /etc/opensc-{{ ansible_architecture }}.conf
    line: ' card_drivers = {{ var_smartcard_drivers }}'
    regexp: '(^\s+#|^)\s+card_drivers\s+=\s+.*'
    state: present
  when: opensc_conf_cd.stat.exists and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - configure_opensc_card_drivers
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-80565-5
    - NIST-800-53-IA-2(2)
    - PCI-DSS-Req-8.3

Configure NSS DB To Use opensc
The opensc module should be configured for use over the Coolkey PKCS#11 module in the NSS database.
To configure the NSS database to use the opensc module, run the following command:
$ sudo pkcs11-switch opensc
References: 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-000765 CCI-000766 CCI-000767 CCI-000768 CCI-000771 CCI-000772 CCI-000884 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-2(2) PR.AC-1 PR.AC-6 PR.AC-7 Req-8.3 SRG-OS-000104-GPOS-00051 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000109-GPOS-00056 SRG-OS-000108-GPOS-00055 SRG-OS-000108-GPOS-00057 SRG-OS-000108-GPOS-00058 SRG-OS-000376-VMM-001520 SRG-OS-000403-VMM-001640
Rationale: Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials.
CCE-80567-1
Bash remediation (pkcs11-switch with no argument prints the name of the module currently selected; that name is compared as a string and, when it is not opensc, pkcs11-switch itself is run to select opensc):
PKCSSW=$(/usr/bin/pkcs11-switch)
if [ "${PKCSSW}" != "opensc" ]; then
    /usr/bin/pkcs11-switch opensc
fi
Ansible remediation:
- name: Check existence of pkcs11-switch
  stat:
    path: /usr/bin/pkcs11-switch
  register: pkcs11switch
  tags:
    - configure_opensc_nss_db
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-80567-1
    - NIST-800-53-IA-2(2)
    - PCI-DSS-Req-8.3
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
- name: Get NSS database smart card configuration
  command: /usr/bin/pkcs11-switch
  changed_when: True
  register: pkcsw_output
  tags:
    - configure_opensc_nss_db
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-80567-1
    - NIST-800-53-IA-2(2)
    - PCI-DSS-Req-8.3
  when: # both conditions in one list; a task may carry only one "when" key
    - pkcs11switch.stat.exists
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
- name: "Configure NSS DB To Use opensc"
  command: /usr/bin/pkcs11-switch opensc
  when: pkcs11switch.stat.exists and pkcsw_output.stdout != "opensc" and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - configure_opensc_nss_db
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-80567-1
    - NIST-800-53-IA-2(2)
    - PCI-DSS-Req-8.3

Configure Smart Card Certificate Status Checking
Configure the operating system to do certificate status checking for PKI authentication. Modify all of the cert_policy lines in /etc/pam_pkcs11/pam_pkcs11.conf to include ocsp_on like so:
cert_policy = ca, ocsp_on, signature;
References: CCI-001954 SRG-OS-000375-GPOS-00160 RHEL-07-041003 SV-87057r5_rule
Rationale: Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.
Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
CCE-80520-0
Bash remediation:
# Install required packages
if ! rpm --quiet -q pam_pkcs11; then
    yum -y -d 1 install pam_pkcs11
fi
# Rewrite every active cert_policy line that does not already carry ocsp_on
if grep "^\s*cert_policy" /etc/pam_pkcs11/pam_pkcs11.conf | grep -qv "ocsp_on"; then
    sed -i "/^\s*#/! s/cert_policy.*/cert_policy = ca, ocsp_on, signature;/g" /etc/pam_pkcs11/pam_pkcs11.conf
fi

Force opensc To Use Defined Smart Card Driver
The OpenSC smart card tool can auto-detect smart card drivers; however, by forcing the smart card driver in use by your organization, opensc will no longer autodetect or use other drivers unless specified. This helps to prevent users from using unauthorized smart cards. The default smart card driver for this profile is . To force the OpenSC driver, edit the /etc/opensc-ARCH.conf (where ARCH is the architecture of your operating system) file. Look for a line similar to:
# force_card_driver = customcos;
and change it to:
force_card_driver = ;
References: 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-000765 CCI-000766 CCI-000767 CCI-000768 CCI-000771 CCI-000772 CCI-000884 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-2(2) PR.AC-1 PR.AC-6 PR.AC-7 Req-8.3 SRG-OS-000104-GPOS-00051 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000109-GPOS-00056 SRG-OS-000108-GPOS-00055 SRG-OS-000108-GPOS-00057 SRG-OS-000108-GPOS-00058 SRG-OS-000376-VMM-001520
Rationale: Smart card login provides two-factor authentication stronger than that provided by a username and password combination.
Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials. Forcing the smart card driver in use by your organization helps to prevent users from using unauthorized smart cards.
CCE-81002-8
Bash remediation (var_smartcard_drivers is filled in from the profile value; an active force_card_driver line is rewritten in place, otherwise the commented template line is replaced with an active one, so the result is never left commented out):
var_smartcard_drivers=""
if grep -qs "^[[:space:]]*force_card_driver =" /etc/opensc*.conf; then
    sed -i "s/^\([[:space:]]*\)force_card_driver =.*/\1force_card_driver = $var_smartcard_drivers;/g" /etc/opensc*.conf
else
    sed -i "s/.*force_card_driver =.*/ force_card_driver = $var_smartcard_drivers;/g" /etc/opensc*.conf
fi
Ansible remediation:
- name: XCCDF Value var_smartcard_drivers # promote to variable
  set_fact:
    var_smartcard_drivers: !!str
  tags:
    - always
- name: Check existence of opensc conf
  stat:
    path: /etc/opensc-{{ ansible_architecture }}.conf
  register: opensc_conf_fcd
  tags:
    - force_opensc_card_drivers
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-81002-8
    - NIST-800-53-IA-2(2)
    - PCI-DSS-Req-8.3
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
- name: "Force opensc To Use Defined Smart Card Driver"
  lineinfile:
    path: /etc/opensc-{{ ansible_architecture }}.conf
    line: ' force_card_driver = {{ var_smartcard_drivers }}'
    regexp: '(^\s+#|^)\s+force_card_driver\s+=\s+.*'
    state: present
  when: opensc_conf_fcd.stat.exists and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - force_opensc_card_drivers
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-81002-8
    - NIST-800-53-IA-2(2)
    - PCI-DSS-Req-8.3

Install the pcsc-lite package
The pcsc-lite package can be installed with the following command:
$ sudo yum install pcsc-lite
References: CCI-001954 SRG-OS-000375-GPOS-00160 SRG-OS-000377-VMM-001530
Rationale: The pcsc-lite package must be installed if it is to be available for multifactor authentication using smartcards.
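The three smart card configuration rules above ("Configure opensc Smart Card Drivers", "Force opensc To Use Defined Smart Card Driver" and "Configure Smart Card Certificate Status Checking") all edit a key inside a block-structured configuration file. The shell script below is an added example written for this page, not the SSG remediations: one helper sets card_drivers or force_card_driver in a copy of opensc.conf while keeping the key inside its block, and a second adds ocsp_on to every active cert_policy line of a copy of pam_pkcs11.conf without discarding the options already present. Function names, the constructed sample files and the status code 3 for "no line to edit" are this example's own assumptions.

```shell
# Added example (not SSG code). Uses only POSIX sh, awk, grep, sed, mktemp.
#
# set_opensc_option FILE KEY VALUE: an active KEY line is rewritten in place;
# otherwise the commented template ("# card_drivers = old, internal;") is
# uncommented and rewritten with its indentation kept, so the key stays
# inside the "app default" block. With no matching line nothing is changed
# and 3 is returned, because appending outside the block would not take effect.
#
# ensure_ocsp_on FILE: adds ocsp_on to every active cert_policy line, keeping
# the other options; a policy of "none" (no checking at all) becomes the
# guide's "ca, ocsp_on, signature". Comment lines are left untouched.

get_opensc_option() {   # file key -> value of the last active KEY line, without ";"
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*;[[:space:]]*$//' | tail -n 1
}

set_opensc_option() {   # file key value
    file=$1; key=$2; value=$3
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        only_active=1                   # leave commented copies alone
    elif grep -q "^[[:space:]]*#[[:space:]]*$key[[:space:]]*=" "$file"; then
        only_active=0                   # uncomment the template line
    else
        echo "set_opensc_option: no $key line in $file" >&2; return 3
    fi
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" -v only_active="$only_active" '{
        stripped = $0; sub(/^[[:space:]]*#?[[:space:]]*/, "", stripped)
        commented = ($0 ~ /^[[:space:]]*#/)
        if (stripped ~ ("^" key "[[:space:]]*=") && !(only_active && commented)) {
            indent = $0; sub(/[^[:space:]].*$/, "", indent)
            print indent key " = " value ";"; next
        }
        print
    }' "$file" > "$tmp"
    cat "$tmp" > "$file"; rm -f "$tmp"   # cat keeps the file's owner and mode
}

cert_policy_without_ocsp() {   # file -> active cert_policy lines lacking ocsp_on
    grep '^[[:space:]]*cert_policy[[:space:]]*=' "$1" | grep -v 'ocsp_on' || true
}

ensure_ocsp_on() {   # file
    tmp=$(mktemp)
    awk '/^[[:space:]]*cert_policy[[:space:]]*=/ {
        indent = $0; sub(/[^[:space:]].*$/, "", indent)
        val = $0; sub(/^[[:space:]]*cert_policy[[:space:]]*=[[:space:]]*/, "", val)
        sub(/[[:space:]]*;[[:space:]]*$/, "", val)
        if (val !~ /(^|,)[[:space:]]*ocsp_on[[:space:]]*(,|$)/)
            val = (val == "none") ? "ca, ocsp_on, signature" : val ", ocsp_on"
        print indent "cert_policy = " val ";"; next
    }
    { print }' "$1" > "$tmp"
    cat "$tmp" > "$1"; rm -f "$tmp"
}

make_sample_opensc_conf() {   # constructed copy (not a real file); prints its path
    f=$(mktemp)
    printf 'app default {\n    # debug = 3;\n    # card_drivers = old, internal;\n    # force_card_driver = customcos;\n    framework pkcs15 {\n    }\n}\n' > "$f"
    echo "$f"
}

make_sample_pam_pkcs11_conf() {   # constructed copy (not a real file); prints its path
    f=$(mktemp)
    cat > "$f" <<'EOF'
pam_pkcs11 {
  use_pkcs11_module = opensc;
  pkcs11_module opensc {
    module = opensc-pkcs11.so;
    cert_policy = ca, signature;
  }
  pkcs11_module coolkey {
    cert_policy = none;
  }
  pkcs11_module default {
    # cert_policy = ca, signature;
    cert_policy = ca, ocsp_on, signature;
  }
}
EOF
    echo "$f"
}

# Demo on the constructed copies; on a host, pass /etc/opensc-ARCH.conf and
# /etc/pam_pkcs11/pam_pkcs11.conf instead.
o=$(make_sample_opensc_conf)
set_opensc_option "$o" card_drivers cac
set_opensc_option "$o" force_card_driver cac
p=$(make_sample_pam_pkcs11_conf)
ensure_ocsp_on "$p"
grep -E 'card_driver|cert_policy' "$o" "$p"
rm -f "$o" "$p"
```

Running cert_policy_without_ocsp before and after ensure_ocsp_on gives the same before/after evidence an auditor would want, and the "none" case is the one worth testing: a substitution that only appends ocsp_on to it would leave certificate validation otherwise disabled.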
Bash remediation:
package_install pcsc-lite
Ansible remediation:
- name: Ensure pcsc-lite is installed
  package:
    name: pcsc-lite
    state: present
  tags:
    - package_pcsc-lite_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
Puppet remediation (the class name uses an underscore because Puppet class names cannot contain a hyphen):
include install_pcsc_lite
class install_pcsc_lite {
  package { 'pcsc-lite':
    ensure => 'installed',
  }
}
Anaconda remediation:
package --add=pcsc-lite

Enable the pcscd Service
The pcscd service can be enabled with the following command:
$ sudo systemctl enable pcscd.service
References: CCI-001954 SRG-OS-000375-GPOS-00160 SRG-OS-000377-VMM-001530
Rationale: Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
Identifier: CCE-80569-7

Remediation (bash):

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" start 'pcscd.service'
    "$SYSTEMCTL_EXEC" enable 'pcscd.service'

Remediation (Ansible):

    - name: Enable service pcscd
      service:
        name: pcscd
        enabled: "yes"
        state: "started"
      tags:
        - service_pcscd_enabled
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80569-7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable Smart Card Login

To enable smart card authentication, consult the documentation at:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards

For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at:
https://access.redhat.com/solutions/82273

References: RHEL-07-010500 SV-86589r2_rule 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-000765 CCI-000766 CCI-000767 CCI-000768 CCI-000771 CCI-000772 CCI-000884 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-2(1) PR.AC-1 PR.AC-6 PR.AC-7 Req-8.3 SRG-OS-000104-GPOS-00051 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000109-GPOS-00056 SRG-OS-000108-GPOS-00055 SRG-OS-000108-GPOS-00057 SRG-OS-000108-GPOS-00058

Rationale: Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials.
Identifier: CCE-80207-4

Remediation (bash):

    # Install required packages
    package_install esc
    package_install pam_pkcs11

    # Enable pcscd.socket systemd activation socket
    service_command enable pcscd.socket

    # Configure the expected /etc/pam.d/system-auth{,-ac} settings directly
    #
    # The code below will configure system authentication in the way smart card
    # logins will be enabled, but also user login(s) via other method to be allowed
    #
    # NOTE: It is not possible to use the 'authconfig' command to perform the
    # remediation for us, because call of 'authconfig' would discard changes
    # for other remediations (see RH BZ#1357019 for details)
    #
    # Therefore we need to configure the necessary settings directly.
    #

    # Define system-auth config location
    SYSTEM_AUTH_CONF="/etc/pam.d/system-auth"
    # Define expected 'pam_env.so' row in $SYSTEM_AUTH_CONF
    PAM_ENV_SO="auth.*required.*pam_env.so"
    # Define 'pam_succeed_if.so' row to be appended past $PAM_ENV_SO row into $SYSTEM_AUTH_CONF
    SYSTEM_AUTH_PAM_SUCCEED="\
    auth        [success=1 default=ignore] pam_succeed_if.so service notin \
    login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid"
    # Define 'pam_pkcs11.so' row to be appended past $SYSTEM_AUTH_PAM_SUCCEED
    # row into SYSTEM_AUTH_CONF file
    SYSTEM_AUTH_PAM_PKCS11="\
    auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] \
    pam_pkcs11.so nodebug"

    # Define smartcard-auth config location
    SMARTCARD_AUTH_CONF="/etc/pam.d/smartcard-auth"
    # Define 'pam_pkcs11.so' auth section to be appended past $PAM_ENV_SO into $SMARTCARD_AUTH_CONF
    SMARTCARD_AUTH_SECTION="\
    auth        [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card"
    # Define expected 'pam_permit.so' row in $SMARTCARD_AUTH_CONF
    PAM_PERMIT_SO="account.*required.*pam_permit.so"
    # Define 'pam_pkcs11.so' password section
    SMARTCARD_PASSWORD_SECTION="\
    password    required      pam_pkcs11.so"

    # First Correct the SYSTEM_AUTH_CONF configuration
    if ! grep -q 'pam_pkcs11.so' "$SYSTEM_AUTH_CONF"
    then
        # Append (expected) pam_succeed_if.so row past the pam_env.so into SYSTEM_AUTH_CONF file
        # and append (expected) pam_pkcs11.so row right after the pam_succeed_if.so we just added
        # in SYSTEM_AUTH_CONF file
        # This will preserve any other already existing row equal to "$SYSTEM_AUTH_PAM_SUCCEED"
        echo "$(awk '/^'"$PAM_ENV_SO"'/{print $0 RS "'"$SYSTEM_AUTH_PAM_SUCCEED"'" RS "'"$SYSTEM_AUTH_PAM_PKCS11"'";next}1' "$SYSTEM_AUTH_CONF")" > "$SYSTEM_AUTH_CONF"
    fi

    # Then also correct the SMARTCARD_AUTH_CONF
    if ! grep -q 'pam_pkcs11.so' "$SMARTCARD_AUTH_CONF"
    then
        # Append (expected) SMARTCARD_AUTH_SECTION row past the pam_env.so into SMARTCARD_AUTH_CONF file
        sed -i --follow-symlinks -e '/^'"$PAM_ENV_SO"'/a '"$SMARTCARD_AUTH_SECTION" "$SMARTCARD_AUTH_CONF"
        # Append (expected) SMARTCARD_PASSWORD_SECTION row past the pam_permit.so into SMARTCARD_AUTH_CONF file
        sed -i --follow-symlinks -e '/^'"$PAM_PERMIT_SO"'/a '"$SMARTCARD_PASSWORD_SECTION" "$SMARTCARD_AUTH_CONF"
    fi

    # Perform /etc/pam_pkcs11/pam_pkcs11.conf settings below

    # Define selected constants for later reuse
    SP="[:space:]"
    PAM_PKCS11_CONF="/etc/pam_pkcs11/pam_pkcs11.conf"

    # Ensure OCSP is turned on in $PAM_PKCS11_CONF
    # 1) First replace any occurrence of 'none' value of 'cert_policy' key setting with the correct configuration
    sed -i "s/^[$SP]*cert_policy[$SP]\+=[$SP]\+none;/\t\tcert_policy = ca, ocsp_on, signature;/g" "$PAM_PKCS11_CONF"
    # 2) Then append 'ocsp_on' value setting to each 'cert_policy' key in $PAM_PKCS11_CONF configuration line,
    # which does not contain it yet
    sed -i "/ocsp_on/! s/^[$SP]*cert_policy[$SP]\+=[$SP]\+\(.*\);/\t\tcert_policy = \1, ocsp_on;/" "$PAM_PKCS11_CONF"

Remediation (Anaconda kickstart):

    package --add=pam_pkcs11 --add=esc

Install the opensc Package For Multifactor Authentication

The opensc package can be installed with the following command:

    $ sudo yum install opensc

References: CCI-001954 SRG-OS-000376-VMM-001520

Rationale: Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.

Identifier: CCE-80568-9

Remediation (bash):

    package_install opensc

Remediation (Ansible):

    - name: Ensure opensc is installed
      package:
        name: opensc
        state: present
      tags:
        - package_opensc_installed
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80568-9
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Remediation (Puppet):

    include install_opensc
    class install_opensc {
      package { 'opensc':
        ensure => 'installed',
      }
    }

Remediation (Anaconda kickstart):

    package --add=opensc

Require Authentication for Single User Mode

Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected. By default, single-user mode is protected by requiring a password and is set in /usr/lib/systemd/system/rescue.service.
References: RHEL-07-010481 SV-92519r2_rule 1.4.3 1 11 12 14 15 16 18 3 5 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.06 DSS06.10 3.1.1 3.4.5 CCI-000213 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 A.18.1.4 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 IA-2 IA-2(1) AC-3 PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7 PR.PT-3 FIA_AFL.1 SRG-OS-000080-GPOS-00048 RHEL-07-010481 SV-92519r2_rule

Rationale: This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.

Identifier: CCE-27287-2

Remediation (bash):

    service_file="/usr/lib/systemd/system/rescue.service"
    sulogin="/sbin/sulogin"
    # Rewrite an existing ExecStart line, or append one if the unit has none
    if grep "^ExecStart=.*" "$service_file" ; then
        sed -i "s%^ExecStart=.*%ExecStart=-$sulogin rescue%" "$service_file"
    else
        echo "ExecStart=-$sulogin rescue" >> "$service_file"
    fi

Disable Ctrl-Alt-Del Burst Action

By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence is pressed more than 7 times in 2 seconds. To configure the system to ignore such a burst of Ctrl-Alt-Del presses, add or modify the following in /etc/systemd/system.conf:

    CtrlAltDelBurstAction=none

Warning: Disabling the Ctrl-Alt-Del key sequence in /etc/init/control-alt-delete.conf DOES NOT disable the Ctrl-Alt-Del key sequence if running in runlevel 6 (e.g. in GNOME, KDE, etc.)!
The Ctrl-Alt-Del key sequence will only be disabled if running in the non-graphical runlevel 3.

References: 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.4.5 CCI-000366 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 SRG-OS-000480-GPOS-00227

Rationale: A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.

Identifier: CCE-80449-2

Remediation (bash):

    # replace_or_append is a shared helper from the SSG bash remediation functions:
    # it rewrites the line matching the regex, or appends one formatted with the
    # given printf pattern, tagging the change with the CCE identifier.
    replace_or_append '/etc/systemd/system.conf' '^CtrlAltDelBurstAction=' 'none' 'CCE-80449-2' '%s=%s'

Remediation (Ansible):

    - name: Disable Ctrl-Alt-Del Burst Action
      lineinfile:
        dest: /etc/systemd/system.conf
        state: present
        regexp: ^CtrlAltDelBurstAction
        line: "CtrlAltDelBurstAction=none"
      tags:
        - disable_ctrlaltdel_burstaction
        - high_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80449-2
        - NIST-800-53-AC-6
        - NIST-800-171-3.4.5

Verify that Interactive Boot is Disabled

Red Hat Enterprise Linux 7 systems support an "interactive boot" option that can be used to prevent services from being started. On a Red Hat Enterprise Linux 7 system, interactive boot can be enabled by providing a 1, yes, true, or on value to the systemd.confirm_spawn kernel argument in /etc/default/grub. Remove any instance of systemd.confirm_spawn=(1|yes|true|on) from the kernel arguments in that file to disable interactive boot.
It is also required to change the runtime configuration; run:

    /sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn"

References: 11 12 14 15 16 18 3 5 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.03 DSS06.06 3.1.2 3.4.5 CCI-000213 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 SC-2 AC-3 PR.AC-4 PR.AC-6 PR.PT-3 FIA_AFL.1

Rationale: Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security.
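The three boot-time rules above (authentication for single-user mode, the Ctrl-Alt-Del burst action, and interactive boot) each reduce to one line in one configuration file, which makes them easy to verify without an OVAL engine. The helpers below are an added example and are not SCAP Security Guide code; they take file paths as arguments (so they can be pointed at /usr/lib/systemd/system/rescue.service, /etc/systemd/system.conf and /etc/default/grub, or at fixtures), and the sample files they run on are constructed for the demonstration, not captured from a host.

```shell
#!/bin/sh
# Added example, not SCAP Security Guide code: audit helpers for three of the
# rules above. Each function reads one configuration file (the path is passed
# in, so copies or test fixtures work) and returns 0 when the setting matches
# the rule and 1 when it does not.

# Require Authentication for Single User Mode: the ExecStart line of
# rescue.service must invoke sulogin, which asks for the root password before
# opening a shell (the remediation above writes "ExecStart=-/sbin/sulogin rescue").
rescue_requires_auth() {
    grep -Eq '^ExecStart=.*sulogin' "$1"
}

# Disable Ctrl-Alt-Del Burst Action: an uncommented CtrlAltDelBurstAction=none
# must be present in system.conf.
ctrlaltdel_burst_ignored() {
    grep -Eq '^[[:space:]]*CtrlAltDelBurstAction[[:space:]]*=[[:space:]]*none[[:space:]]*$' "$1"
}

# Verify that Interactive Boot is Disabled: neither GRUB_CMDLINE_LINUX line in
# /etc/default/grub may carry systemd.confirm_spawn set to 1, yes, true or on.
interactive_boot_disabled() {
    ! grep -Eq '^GRUB_CMDLINE_LINUX(_DEFAULT)?=.*systemd\.confirm_spawn=(1|yes|true|on)([^[:alnum:]]|$)' "$1"
}

# Run the three checks; prints one line per failing check and returns the number
# of failures (0 means every setting is compliant).
audit_boot_config() {
    failures=0
    rescue_requires_auth "$1" || { echo "FAIL: $1 does not hand the rescue shell to sulogin"; failures=$((failures + 1)); }
    ctrlaltdel_burst_ignored "$2" || { echo "FAIL: $2 lacks CtrlAltDelBurstAction=none"; failures=$((failures + 1)); }
    interactive_boot_disabled "$3" || { echo "FAIL: $3 enables systemd.confirm_spawn"; failures=$((failures + 1)); }
    return "$failures"
}

# Demo on constructed fixtures (not files captured from a real host): a
# rescue.service that reaches sulogin through /bin/sh passes, while the
# commented-out burst setting and the confirm_spawn=yes argument both fail.
demo=$(mktemp -d)
cat > "$demo/rescue.service" <<'EOF'
[Service]
ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
EOF
cat > "$demo/system.conf" <<'EOF'
[Manager]
#CtrlAltDelBurstAction=reboot-force
EOF
cat > "$demo/grub" <<'EOF'
GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet systemd.confirm_spawn=yes"
EOF
audit_boot_config "$demo/rescue.service" "$demo/system.conf" "$demo/grub"
echo "failing checks: $?"
rm -rf "$demo"
```

Note that the GRUB check only inspects /etc/default/grub; as the rule says, the running kernel command line must be corrected separately with grubby, so a complete audit would also compare the output of `grubby --info=ALL`.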
Identifier (Verify that Interactive Boot is Disabled): CCE-27335-9

Remediation (bash):

    CONFIRM_SPAWN_YES="systemd.confirm_spawn=\(1\|yes\|true\|on\)"
    CONFIRM_SPAWN_NO="systemd.confirm_spawn=no"

    if grep -q "\(GRUB_CMDLINE_LINUX\|GRUB_CMDLINE_LINUX_DEFAULT\)" /etc/default/grub
    then
        sed -i "s/${CONFIRM_SPAWN_YES}/${CONFIRM_SPAWN_NO}/" /etc/default/grub
    fi

    # Remove 'systemd.confirm_spawn' kernel argument also from runtime settings
    /sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn"

Remediation (Ansible):

    - name: Verify that Interactive Boot is Disabled in /etc/default/grub
      replace:
        dest: /etc/default/grub
        regexp: systemd.confirm_spawn=(1|yes|true|on)
        replace: systemd.confirm_spawn=no
      tags:
        - grub2_disable_interactive_boot
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27335-9
        - NIST-800-53-SC-2
        - NIST-800-53-AC-3
        - NIST-800-171-3.1.2
        - NIST-800-171-3.4.5
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Verify that Interactive Boot is Disabled (runtime)
      command: /sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn"
      tags:
        - grub2_disable_interactive_boot
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27335-9
        - NIST-800-53-SC-2
        - NIST-800-53-AC-3
        - NIST-800-171-3.1.2
        - NIST-800-171-3.4.5
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Ctrl-Alt-Del Reboot Activation

By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence is pressed. To configure the system to ignore the Ctrl-Alt-Del key sequence from the command line instead of rebooting the system, do either of the following:

    ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target

or

    systemctl mask ctrl-alt-del.target

Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file, as this file may be restored during future system updates.
Warning: Disabling the Ctrl-Alt-Del key sequence in /etc/init/control-alt-delete.conf DOES NOT disable the Ctrl-Alt-Del key sequence if running in runlevel 6 (e.g. in GNOME, KDE, etc.)! The Ctrl-Alt-Del key sequence will only be disabled if running in the non-graphical runlevel 3.

References: RHEL-07-020230 SV-86617r3_rule 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.4.5 CCI-000366 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 SRG-OS-000480-GPOS-00227

Rationale: A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.

Identifier: CCE-27511-5

Remediation (bash):

    # The process to disable ctrl+alt+del has changed in RHEL7.
    # Reference: https://access.redhat.com/solutions/1123873
    systemctl mask ctrl-alt-del.target

Remediation (Ansible):

    - name: Disable Ctrl-Alt-Del Reboot Activation
      systemd:
        name: ctrl-alt-del.target
        masked: yes
      tags:
        - disable_ctrlaltdel_reboot
        - high_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-27511-5
        - NIST-800-53-AC-6
        - NIST-800-171-3.4.5
        - DISA-STIG-RHEL-07-020230
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable debug-shell SystemD Service

SystemD's debug-shell service is intended to diagnose SystemD related boot issues with various systemctl commands. Once enabled and following a system reboot, the root shell will be available on tty9, which is accessed by pressing CTRL-ALT-F9.
The debug-shell service should only be used for SystemD related issues and should otherwise be disabled. By default, the debug-shell SystemD service is disabled. The debug-shell service can be disabled with the following command:

    $ sudo systemctl disable debug-shell.service

References: 3.4.5 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) FIA_AFL.1

Rationale: This prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.

Identifier: CCE-80206-6

Remediation (bash):

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'debug-shell.service'
    "$SYSTEMCTL_EXEC" disable 'debug-shell.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^debug-shell.socket\>' && "$SYSTEMCTL_EXEC" disable 'debug-shell.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'debug-shell.service'

Remediation (Ansible):

    - name: Disable service debug-shell
      service:
        name: debug-shell
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
        - service_debug-shell_disabled
        - medium_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80206-6
        - NIST-800-171-3.4.5
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service debug-shell if applicable
      service:
        name: debug-shell.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
        - service_debug-shell_disabled
        - medium_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80206-6
        - NIST-800-171-3.4.5
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Secure Session Configuration Files for Login Accounts

When a user logs into a Unix account, the system configures the user's session by reading a number of files. Many of these files are located in the user's home directory, and may have weak permissions as a result of user error or misconfiguration. If an attacker can modify or even read certain types of account configuration information, they can often gain full access to the affected user's account. Therefore, it is important to test and correct configuration file permissions for interactive accounts, particularly those of privileged users such as root or system administrators.

Account Inactivity Timeout (minutes) (variable)

In an interactive shell, the value is interpreted as the number of seconds to wait for input after issuing the primary prompt.
Bash terminates after waiting for that number of seconds if input does not arrive. Possible values: 600, 300, 600, 900, 1800.

Maximum concurrent login sessions (variable)

Maximum number of concurrent sessions by a user. Possible values: 1, 3, 20, 5, 1, 10, 15.

Maximum login attempts delay (variable)

Maximum time in seconds between failed login attempts before re-prompting. Possible values: 1, 2, 3, 4, 5, 4.

Ensure that No Dangerous Directories Exist in Root's Path

The active path of the root account can be obtained by starting a new root shell and running:

    # echo $PATH

This will produce a colon-separated list of directories in the path. Certain path elements could be considered dangerous, as they could lead to root executing unknown or untrusted programs, which could contain malicious code. Since root may sometimes work inside untrusted directories, the . character, which represents the current directory, should never be in the root path, nor should any directory which can be written to by an unprivileged or semi-privileged (system) user. It is a good practice for administrators to always execute privileged commands by typing the full path to the command.

Ensure that Root's Path Does Not Include Relative Paths or Null Directories

Ensure that none of the directories in root's path is equal to a single . character, or that it contains any instances that lead to relative path traversal, such as .. or beginning a path without the slash (/) character. Also ensure that there are no "empty" elements in the path, such as in these examples:

    PATH=:/bin
    PATH=/bin:
    PATH=/bin::/sbin

These empty elements have the same effect as a single . character.

References: 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 CCI-000366 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-6(b) PR.IP-1

Rationale: Including these entries increases the risk that root could execute code from an untrusted location.
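Both root-path rules (no relative or empty elements, and no group- or world-writable directories, the latter stated in the next rule) can be checked by walking the colon-separated value once. The script below is an added example, not SCAP Security Guide code; it takes the PATH string as an argument so it can be run as `audit_path "$PATH"` from a root shell, and the directories it audits in the demo are created in a temporary location for the demonstration, not taken from a real system.

```shell
#!/bin/sh
# Added example, not SCAP Security Guide code: audit a PATH value the way the
# two root-path rules describe. The PATH string is passed in, so the check can
# run against "$PATH" from a root shell or against the constructed value below.

# Print each element that is empty, ".", "..", contains a ".." component, or
# does not begin with "/". Empty elements arise from a leading or trailing
# colon or from "::" and behave exactly like ".".
path_relative_elements() {
    printf '%s:' "$1" | tr ':' '\n' | while IFS= read -r dir; do
        case "$dir" in
            "")                    echo "<empty>" ;;
            .|..|*/..|*/../*|../*) echo "$dir" ;;
            /*)                    ;;              # absolute: acceptable here
            *)                     echo "$dir" ;;  # relative, e.g. bin or ./bin
        esac
    done
}

# Print each absolute element that exists and is group- or world-writable.
# find -perm /022 matches when either write bit is set.
path_writable_elements() {
    printf '%s:' "$1" | tr ':' '\n' | while IFS= read -r dir; do
        case "$dir" in
            /*) [ -d "$dir" ] && find "$dir" -maxdepth 0 -type d -perm /022 ;;
        esac
    done
}

# Combine both checks: prints one finding per line, returns 0 only when the
# path is clean.
audit_path() {
    findings=$({
        path_relative_elements "$1" | sed 's/^/relative or empty element: /'
        path_writable_elements "$1" | sed 's/^/group- or world-writable directory: /'
    })
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Demo on a constructed path (not a real root PATH): one acceptable directory,
# one world-writable directory, an empty element, a relative element and a
# ".." traversal.
demo=$(mktemp -d)
mkdir "$demo/bin" "$demo/shared"
chmod 755 "$demo/bin"
chmod 1777 "$demo/shared"
audit_path ":$demo/bin:$demo/shared:./tools:/nonexistent/../bin" || echo "path is NOT clean"
rm -rf "$demo"
```

The writable-directory check deliberately reports sticky world-writable directories such as the demo's 1777 one: the sticky bit stops other users from deleting root's files there, but it does not stop them from placing a new executable that root might run by name.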
Identifier (Ensure that Root's Path Does Not Include Relative Paths or Null Directories): CCE-80199-3

Ensure that Root's Path Does Not Include World or Group-Writable Directories

For each element in root's path, run:

    # ls -ld DIR

and ensure that write permissions are disabled for group and other.

References: 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 CCI-000366 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-6(b) PR.IP-1

Rationale: Such entries increase the risk that root could execute code provided by unprivileged users, and potentially malicious code.

Identifier: CCE-80200-9

Remediation (Ansible):

    - name: "Fail if user is not root"
      fail:
        msg: 'Root account required to read root $PATH'
      when: ansible_user != "root" and True
      tags:
        - accounts_root_path_dirs_no_write
        - medium_severity
        - restrict_strategy
        - low_complexity
        - medium_disruption
        - CCE-80200-9
        - NIST-800-53-CM-6(b)

    - name: "Get root paths which are not symbolic links"
      shell: 'tr ":" "\n" <<< "$PATH" | xargs -I% find % -maxdepth 0 -type d'
      changed_when: False
      failed_when: False
      register: root_paths
      when: ansible_user == "root" and True
      check_mode: no
      tags:
        - accounts_root_path_dirs_no_write
        - medium_severity
        - restrict_strategy
        - low_complexity
        - medium_disruption
        - CCE-80200-9
        - NIST-800-53-CM-6(b)

    - name: "Disable writability to root directories"
      file:
        path: "{{ item }}"
        mode: "g-w,o-w"
      with_items: "{{ root_paths.stdout_lines }}"
      when: root_paths.stdout_lines is defined and True
      tags:
        - accounts_root_path_dirs_no_write
        - medium_severity
        - restrict_strategy
        - low_complexity
        - medium_disruption
        - CCE-80200-9
        - NIST-800-53-CM-6(b)

Ensure that Users Have Sensible Umask Values

The umask setting controls the default permissions for the creation of new files. With a default umask setting of 077, files and directories created by users will not be readable by any other user on the system. Users who wish to make specific files group- or world-readable can accomplish this by using the chmod command.
Additionally, users can make all their files readable to their group by default by setting a umask of 027 in their shell configuration files. If default per-user groups exist (that is, if every user has a default group whose name is the same as that user's username and whose only member is the user), then it may even be safe for users to select a umask of 007, making it very easy to intentionally share files with groups of which the user is a member.

Sensible umask (variable)

Enter default user umask. Possible values: 027, 077, 027, 007, 022.

Ensure the Default Umask is Set Correctly For Interactive Users

Remove the UMASK environment variable from all interactive users initialization files.

References: CCI-001814 SRG-OS-000480-GPOS-00227 RHEL-07-021040 SV-86673r2_rule

Rationale: The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be 0. This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.

Identifier: CCE-80536-6

Ensure the Default Umask is Set Correctly in login.defs

To ensure the default umask controlled by /etc/login.defs is set properly, add or correct the UMASK setting in /etc/login.defs to read as follows:

    UMASK

References: RHEL-07-020240 SV-86619r2_rule 11 18 3 9 APO13.01 BAI03.01 BAI03.02 BAI03.03 BAI10.01 BAI10.02 BAI10.03 BAI10.05 CCI-000366 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.1.1 A.14.2.1 A.14.2.2 A.14.2.3 A.14.2.4 A.14.2.5 A.6.1.5 CM-6(b) SA-8 PR.IP-1 PR.IP-2 SRG-OS-000480-GPOS-00228

Rationale: The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users.
Identifier: CCE-80205-8

Remediation (bash):

    var_accounts_user_umask=""
    replace_or_append '/etc/login.defs' '^UMASK' "$var_accounts_user_umask" 'CCE-80205-8' '%s %s'

Remediation (Ansible):

    - name: XCCDF Value var_accounts_user_umask # promote to variable
      set_fact:
        var_accounts_user_umask: !!str
      tags:
        - always

    - name: Ensure the Default UMASK is Set Correctly
      lineinfile:
        create: yes
        dest: /etc/login.defs
        regexp: ^UMASK
        line: "UMASK {{ var_accounts_user_umask }}"
      tags:
        - accounts_umask_etc_login_defs
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80205-8
        - NIST-800-53-CM-6(b)
        - NIST-800-53-SA-8
        - DISA-STIG-RHEL-07-020240

Ensure the Default Bash Umask is Set Correctly

To ensure the default umask for users of the Bash shell is set properly, add or correct the umask setting in /etc/bashrc to read as follows:

    umask

References: 5.4.4 18 APO13.01 BAI03.01 BAI03.02 BAI03.03 CCI-000366 4.3.4.3.3 A.14.1.1 A.14.2.1 A.14.2.5 A.6.1.5 SA-8 PR.IP-2

Rationale: The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.

Identifier: CCE-80202-5

Remediation (bash):

    var_accounts_user_umask=""
    # Rewrite every existing umask line in /etc/bashrc; append one if there is none
    grep -q umask /etc/bashrc && \
      sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/bashrc
    if ! [ $? -eq 0 ]; then
        echo "umask $var_accounts_user_umask" >> /etc/bashrc
    fi

Ensure the Default C Shell Umask is Set Correctly

To ensure the default umask for users of the C shell is set properly, add or correct the umask setting in /etc/csh.cshrc to read as follows:

    umask

References: 18 APO13.01 BAI03.01 BAI03.02 BAI03.03 CCI-000366 4.3.4.3.3 A.14.1.1 A.14.2.1 A.14.2.5 A.6.1.5 SA-8 PR.IP-2

Rationale: The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.
Identifier: CCE-80203-3

Remediation (bash):

    var_accounts_user_umask=""
    grep -q umask /etc/csh.cshrc && \
      sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/csh.cshrc
    if ! [ $? -eq 0 ]; then
        echo "umask $var_accounts_user_umask" >> /etc/csh.cshrc
    fi

Ensure the Default Umask is Set Correctly in /etc/profile

To ensure the default umask controlled by /etc/profile is set properly, add or correct the umask setting in /etc/profile to read as follows:

    umask

References: 5.4.4 18 APO13.01 BAI03.01 BAI03.02 BAI03.03 CCI-000366 4.3.4.3.3 A.14.1.1 A.14.2.1 A.14.2.5 A.6.1.5 SA-8 PR.IP-2

Rationale: The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.

Identifier: CCE-80204-1

Remediation (bash):

    var_accounts_user_umask=""
    grep -q umask /etc/profile && \
      sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/profile
    if ! [ $? -eq 0 ]; then
        echo "umask $var_accounts_user_umask" >> /etc/profile
    fi

Set Interactive Session Timeout

Setting the TMOUT option in /etc/profile ensures that all user sessions will terminate based on inactivity. The TMOUT setting in /etc/profile should read as follows:

    TMOUT=

References: RHEL-07-040160 SV-86847r4_rule 1 12 15 16 DSS05.04 DSS05.10 DSS06.10 3.1.11 CCI-001133 CCI-000361 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-12 SC-10 PR.AC-7 FMT_MOF_EXT.1 SRG-OS-000163-GPOS-00072 SRG-OS-000163-VMM-000700 SRG-OS-000279-VMM-001010

Rationale: Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.
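The four umask rules (login.defs, /etc/bashrc, /etc/csh.cshrc, /etc/profile) and the TMOUT rule all ask for one setting in one file, but "correct" for a umask is not string equality: 077 satisfies a requirement of 027 because it clears a superset of the permission bits. The helpers below are an added example, not SCAP Security Guide code; they compare umask values bitwise, flag files with no setting at all (which the rules say to add), and check that a TMOUT value is present and within an upper bound that is this example's own parameter rather than a value from the guide. The files in the demo are constructed fixtures.

```shell
#!/bin/sh
# Added example, not SCAP Security Guide code: audit helpers for the umask and
# TMOUT rules above. File paths and the required values are passed as arguments,
# so the functions can be pointed at /etc/login.defs, /etc/bashrc, /etc/csh.cshrc
# and /etc/profile on a host, or at constructed fixtures as in the demo below.

# Convert an octal umask string such as 027 or 0027 to a decimal integer.
# Only the last three digits matter; a leading special-mode digit is dropped.
# Returns 1 for anything that is not a valid octal umask.
umask_to_int() {
    m=$1
    while [ "${#m}" -gt 3 ]; do m=${m#?}; done
    while [ "${#m}" -lt 3 ]; do m="0$m"; done
    case "$m" in
        [0-7][0-7][0-7]) ;;
        *) return 1 ;;
    esac
    u=${m%??}; rest=${m#?}; g=${rest%?}; o=${rest#?}
    echo $(( u * 64 + g * 8 + o ))
}

# A umask is compliant when it clears every permission bit the required umask
# clears, i.e. (actual AND required) == required. 077 satisfies a 027 requirement;
# 022 does not, because 022 leaves group-read (the 4 in 027) enabled.
umask_is_compliant() {
    a=$(umask_to_int "$1") || return 1
    r=$(umask_to_int "$2") || return 1
    [ $(( a & r )) -eq "$r" ]
}

# Check every uncommented "umask NNN" / "UMASK NNN" line in a file against the
# required value. Prints one line per finding; returns 0 only if at least one
# umask line exists and all of them are compliant (a missing setting is a
# finding, since the rules say to add it when absent).
audit_umask_file() {
    file=$1; required=$2; found=0; bad=0
    while read -r _kw val _rest; do
        [ -n "$val" ] || continue
        found=$(( found + 1 ))
        if ! umask_is_compliant "$val" "$required"; then
            echo "$file: umask $val is weaker than the required $required"
            bad=$(( bad + 1 ))
        fi
    done <<EOF
$(grep -Ei '^[[:space:]]*umask[[:space:]]+[0-7]+' "$file" || true)
EOF
    if [ "$found" -eq 0 ]; then
        echo "$file: no umask setting found"
        return 1
    fi
    [ "$bad" -eq 0 ]
}

# Set Interactive Session Timeout: the file must carry an uncommented
# TMOUT=<seconds> line; the upper bound is this example's own parameter, not a
# value from the guide.
audit_tmout_file() {
    file=$1; max=$2
    val=$(grep -E '^[[:space:]]*(readonly[[:space:]]+|export[[:space:]]+)?TMOUT=[0-9]+' "$file" \
          | tail -n 1 | sed 's/.*TMOUT=//; s/[^0-9].*//')
    if [ -z "$val" ]; then echo "$file: TMOUT is not set"; return 1; fi
    if [ "$val" -lt 1 ] || [ "$val" -gt "$max" ]; then
        echo "$file: TMOUT=$val is outside 1..$max"; return 1
    fi
}

# Demo on constructed fixtures (not real system files): required umask 027,
# TMOUT at most 600 seconds.
demo=$(mktemp -d)
printf 'UMASK 077\n' > "$demo/login.defs"
printf 'if [ $UID -gt 199 ]; then\n    umask 002\nelse\n    umask 022\nfi\n' > "$demo/bashrc"
printf 'umask 027\n' > "$demo/csh.cshrc"
printf '# umask 022\nTMOUT=900\n' > "$demo/profile"
for f in login.defs bashrc csh.cshrc profile; do
    audit_umask_file "$demo/$f" 027 && echo "$demo/$f: umask OK"
done
audit_tmout_file "$demo/profile" 600 || true
rm -rf "$demo"
```

The bashrc fixture mirrors the shape of a conditional umask block (one value for UID-based private groups, another otherwise): the audit reports each non-compliant line separately, which is also exactly what the `sed "s/umask.*/umask $var_accounts_user_umask/g"` remediation above rewrites, both branches included.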
Identifier (Set Interactive Session Timeout): CCE-27557-8

Remediation (bash):

    var_accounts_tmout=""
    if grep --silent ^TMOUT /etc/profile ; then
        sed -i "s/^TMOUT.*/TMOUT=$var_accounts_tmout/g" /etc/profile
    else
        echo -e "\n# Set TMOUT to $var_accounts_tmout per security requirements" >> /etc/profile
        echo "TMOUT=$var_accounts_tmout" >> /etc/profile
    fi

Remediation (Ansible):

    - name: XCCDF Value var_accounts_tmout # promote to variable
      set_fact:
        var_accounts_tmout: !!str
      tags:
        - always

    - name: Set Interactive Session Timeout
      lineinfile:
        create: yes
        dest: /etc/profile
        regexp: ^#?TMOUT
        line: "TMOUT={{ var_accounts_tmout }}"
      tags:
        - accounts_tmout
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27557-8
        - NIST-800-53-AC-12
        - NIST-800-53-SC-10
        - NIST-800-171-3.1.11
        - DISA-STIG-RHEL-07-040160

Ensure that User Home Directories are not Group-Writable or World-Readable

For each human user of the system, view the permissions of the user's home directory:

    # ls -ld /home/USER

Ensure that the directory is not group-writable and that it is not world-readable. If necessary, repair the permissions:

    # chmod g-w /home/USER
    # chmod o-rwx /home/USER

Warning: This action may involve modifying user home directories. Notify your user community, and solicit input if appropriate, before making this type of change.

References: 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 CCI-000225 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6(7) PR.AC-4 PR.DS-5

Rationale: User home directories contain many configuration files which affect the behavior of a user's account. No user should ever have write permission to another user's home directory. Group shared directories can be configured in sub-directories or elsewhere in the filesystem if they are needed. Typically, user home directories should not be world-readable, as it would disclose file names to other users.
If a subset of users need read access to one another's home directories, this can be provided using groups or ACLs.

Identifier: CCE-80201-7

User Initialization Files Must Be Owned By the Primary User

Set the owner of the user initialization files for interactive users to the primary owner with the following command:

    $ sudo chown USER /home/USER/.*

References: CCI-000366 SRG-OS-000480-GPOS-00227 RHEL-07-020690 SV-86653r2_rule

Rationale: Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.

Identifier: CCE-80527-5

All Interactive Users Home Directories Must Exist

Create home directories to all interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in /etc/passwd:

    $ sudo mkdir /home/USER

References: CCI-000366 SRG-OS-000480-GPOS-00227 RHEL-07-020620 SV-86639r2_rule

Rationale: If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.

Identifier: CCE-80529-1

User Initialization Files Must Not Run World-Writable Programs

Set the mode on files being executed by the user initialization files with the following command:

    $ sudo chmod 0755 FILE

References: CCI-000366 SRG-OS-000480-GPOS-00227 RHEL-07-020730 SV-86661r2_rule

Rationale: If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.
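The home-directory rules above (directory permissions, initialization-file ownership, and existence of the home directory named in /etc/passwd) ship without bash remediation on this page, so here is an added example of the corresponding checks; it is not SCAP Security Guide code. The functions take a passwd-format file and home-directory paths as arguments so they can run against /etc/passwd on a host or against fixtures, and the fixtures in the demo are constructed. The set of shells treated as non-interactive is this example's heuristic, not a definition from the guide.

```shell
#!/bin/sh
# Added example, not SCAP Security Guide code: audit helpers for the three
# home-directory rules above. A passwd-format file and home directory paths are
# passed in, so the checks run against /etc/passwd on a host or against the
# constructed fixtures below.

# All Interactive Users Home Directories Must Exist: print "user:home" for every
# account whose login shell looks interactive (this example treats nologin,
# false, sync, shutdown and halt as non-interactive; the guide itself does not
# define the set) and whose home directory is missing.
missing_home_dirs() {
    awk -F: '$7 !~ /(nologin|false|sync|shutdown|halt)$/ { print $1 ":" $6 }' "$1" |
    while IFS=: read -r user home; do
        [ -d "$home" ] || echo "$user:$home"
    done
}

# Ensure that User Home Directories are not Group-Writable or World-Readable:
# succeed only when neither the group-write bit (020) nor the other-read bit
# (004) is set. The guide's repair is "chmod g-w" and "chmod o-rwx".
home_dir_mode_ok() {
    [ -d "$1" ] && [ -z "$(find "$1" -maxdepth 0 -type d -perm /024)" ]
}

# User Initialization Files Must Be Owned By the Primary User: print every
# dotfile directly inside the home directory that is not owned by the user.
init_files_not_owned_by() {
    find "$2" -maxdepth 1 -name '.*' ! -user "$1"
}

# Demo on constructed fixtures; the current user stands in for the account owner.
me=$(id -un)
demo=$(mktemp -d)
mkdir "$demo/alice"; chmod 775 "$demo/alice"; touch "$demo/alice/.bashrc"
printf 'alice:x:1000:1000::%s/alice:/bin/bash\nbob:x:1001:1001::%s/bob:/bin/bash\nsvc:x:999:999::/var/lib/svc:/sbin/nologin\n' \
    "$demo" "$demo" > "$demo/passwd"
echo "accounts with missing home directories:"
missing_home_dirs "$demo/passwd"
home_dir_mode_ok "$demo/alice" && echo "alice: mode OK" || echo "alice: group-writable or world-readable"
echo "init files not owned by $me:"
init_files_not_owned_by "$me" "$demo/alice"
rm -rf "$demo"
```

On a real host `missing_home_dirs /etc/passwd` must run as root to see every home directory, and `init_files_not_owned_by USER /home/USER` is the audit counterpart of the `chown USER /home/USER/.*` repair given in the rule.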
Identifier (User Initialization Files Must Not Run World-Writable Programs): CCE-80523-4

Ensure Home Directories are Created for New Users

All local interactive user accounts, upon creation, should be assigned a home directory. Configure the operating system to assign home directories to all new local interactive users by setting the CREATE_HOME parameter in /etc/login.defs to yes as follows:

    CREATE_HOME yes

References: RHEL-07-020610 SV-86637r2_rule SRG-OS-000480-GPOS-00227

Rationale: If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.

Identifier: CCE-80434-4

Remediation (bash):

    if ! grep -q ^CREATE_HOME /etc/login.defs; then
        echo "CREATE_HOME yes" >> /etc/login.defs
    else
        sed -i "s/^\(CREATE_HOME\).*/\1 yes/g" /etc/login.defs
    fi

Ensure the Logon Failure Delay is Set Correctly in login.defs

To ensure the logon failure delay controlled by /etc/login.defs is set properly, add or correct the FAIL_DELAY setting in /etc/login.defs to read as follows:

    FAIL_DELAY

References: RHEL-07-010430 SV-86575r2_rule 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 CCI-000366 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 AC-7(b) CM-6(b) PR.IP-1 SRG-OS-000480-GPOS-00226

Rationale: Increasing the time between a failed authentication attempt and re-prompting to enter credentials helps to slow a single-threaded brute force attack.
Identifiers: CCE-80352-8
Remediation Shell script:
    # Set variables
    var_accounts_fail_delay=""
    # replace_or_append is the SCAP Security Guide shared shell helper that
    # rewrites the matching line or appends a new one, tagged with the CCE.
    replace_or_append '/etc/login.defs' '^FAIL_DELAY' "$var_accounts_fail_delay" 'CCE-80352-8' '%s %s'
Remediation Ansible snippet:
    - name: XCCDF Value var_accounts_fail_delay # promote to variable
      set_fact:
        var_accounts_fail_delay: !!str
      tags:
        - always
    - name: Set accounts logon fail delay
      lineinfile:
        dest: /etc/login.defs
        regexp: ^FAIL_DELAY
        line: "FAIL_DELAY {{ var_accounts_fail_delay }}"
      tags:
        - accounts_logon_fail_delay
        - low_severity
        - CCE-80352-8
        - NIST-800-53-AC-7(b)
        - NIST-800-53-CM-6(b)
        - DISA-STIG-RHEL-07-010430

All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User
Change the group of a local interactive user's files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive user's files and directories, use the following command:
    $ sudo chgrp USER_GROUP /home/USER/FILE_DIR
References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020670, SV-86649r2_rule
Rationale: If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them.
Identifiers: CCE-80534-1

Ensure that Users Path Contains Only Local Directories
Ensure that the executable search path statements in all interactive user initialization files do not reference a working directory other than the user's home directory.
References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020720, SV-86659r4_rule
Rationale: The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory.
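As an added example (not SCAP Security Guide code), the following Python script applies the PATH rule above to the contents of an initialization file: it flags empty entries, '.', other relative directories, and absolute directories outside the user's home directory. The .bash_profile it audits is a constructed sample.

```python
"""Flag PATH statements in a user's initialization files that violate
RHEL-07-020720: empty entries (a leading or trailing colon, or '::'), '.',
other relative directories, and absolute directories outside the user's home.
Added example, not SCAP Security Guide code; the .bash_profile below is constructed."""
import re
import shlex

# Assignment forms commonly found in init files: PATH=..., export PATH=...
PATH_ASSIGN = re.compile(r"^\s*(?:export\s+)?PATH=(.*)$")


def check_path_line(line, home):
    """Return [(entry, reason), ...] for one init-file line; [] if the line
    is not a PATH assignment or every entry is acceptable."""
    m = PATH_ASSIGN.match(line)
    if not m:
        return []
    # Strip shell quoting and a trailing comment; $VAR references stay literal
    tokens = shlex.split(m.group(1), comments=True)
    value = tokens[0] if tokens else ""
    home_prefix = home.rstrip("/") + "/"
    findings = []
    for entry in value.split(":"):
        if entry in ("", ".") or entry.startswith("./"):
            findings.append((entry, "current working directory"))
        elif entry in ("$PATH", "${PATH}"):
            continue  # inherits the existing search path, adds no directory
        elif entry == "~" or entry.startswith(("~/", "$HOME", "${HOME}", home_prefix)):
            continue  # inside the user's own home directory
        elif not entry.startswith("/"):
            findings.append((entry, "relative directory"))
        else:
            findings.append((entry, "directory outside home"))
    return findings


def audit_init_file(text, home):
    """Audit one initialization file's contents; returns [(lineno, entry, reason)]."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for entry, reason in check_path_line(line, home):
            results.append((lineno, entry, reason))
    return results


# Constructed ~/.bash_profile: line 3 is compliant, lines 4 and 5 are not
SAMPLE_BASH_PROFILE = """# .bash_profile (constructed sample)
if [ -f ~/.bashrc ]; then . ~/.bashrc; fi
PATH=$PATH:$HOME/.local/bin:$HOME/bin
export PATH="$PATH:/opt/tools/bin:."
PATH=$HOME/scripts::/usr/bin   # the empty entry means the current directory
export PATH
"""

if __name__ == "__main__":
    for lineno, entry, reason in audit_init_file(SAMPLE_BASH_PROFILE, "/home/alice"):
        print("line %d: %r is %s" % (lineno, entry, reason))
```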
If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO).
Identifiers: CCE-80524-2

All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive
Set the mode on files and directories in the local interactive user home directory with the following command:
    $ sudo chmod 0750 /home/USER/FILE_DIR
References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020680, SV-86651r2_rule
Rationale: If a local interactive user's files have excessive permissions, unintended users may be able to access or modify them.
Identifiers: CCE-80535-8

Limit the Number of Concurrent Login Sessions Allowed Per User
Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user, add the following line in /etc/security/limits.conf:
    * hard maxlogins
References: RHEL-07-040000, SV-86841r2_rule, 14, 15, 18, 9, 5.5.2.2, DSS01.05, DSS05.02, CCI-000054, 4.3.3.4, SR 3.1, SR 3.8, A.13.1.1, A.13.1.3, A.13.2.1, A.14.1.2, A.14.1.3, AC-10, PR.AC-5, SRG-OS-000027-GPOS-00008, SRG-OS-000027-VMM-000080
Rationale: Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions.
Identifiers: CCE-27081-9
Remediation Shell script:
    var_accounts_max_concurrent_login_sessions=""
    if grep -q '^[^#]*\<maxlogins\>' /etc/security/limits.d/*.conf; then
        sed -i "/^[^#]*\<maxlogins\>/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.d/*.conf
    elif grep -q '^[^#]*\<maxlogins\>' /etc/security/limits.conf; then
        sed -i "/^[^#]*\<maxlogins\>/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.conf
    else
        echo "* hard maxlogins $var_accounts_max_concurrent_login_sessions" >> /etc/security/limits.conf
    fi
Remediation Ansible snippet:
    - name: XCCDF Value var_accounts_max_concurrent_login_sessions # promote to variable
      set_fact:
        var_accounts_max_concurrent_login_sessions: !!str
      tags:
        - always
    - name: "Limit the Number of Concurrent Login Sessions Allowed Per User"
      lineinfile:
        state: present
        dest: /etc/security/limits.conf
        insertbefore: "^# End of file"
        regexp: "^#?\\*.*maxlogins"
        line: "* hard maxlogins {{ var_accounts_max_concurrent_login_sessions }}"
      tags:
        - accounts_max_concurrent_login_sessions
        - low_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27081-9
        - NIST-800-53-AC-10
        - CJIS-5.5.2.2
        - DISA-STIG-RHEL-07-040000

All Interactive User Home Directories Must Be Group-Owned By The Primary User
Change the group owner of interactive users' home directories to the group found in /etc/passwd. To change the group owner of an interactive user's home directory, use the following command:
    $ sudo chgrp USER_GROUP /home/USER
References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020650, SV-86645r5_rule
Rationale: If the Group Identifier (GID) of a local interactive user's home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user's files, and users that share the same group may not be able to access files that they legitimately should.
Identifiers: CCE-80532-5

All Interactive Users Must Have A Home Directory Defined
Assign home directories to all interactive users that currently do not have a home directory assigned.
References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020600, SV-86635r2_rule
Rationale: If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
Identifiers: CCE-80528-3

Ensure All User Initialization Files Have Mode 0740 Or Less Permissive
Set the mode of the user initialization files to 0740 with the following command:
    $ sudo chmod 0740 /home/USER/.INIT_FILE
References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020710, SV-86657r2_rule
Rationale: Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.
Identifiers: CCE-80525-9

All Interactive User Home Directories Must Be Owned By The Primary User
Change the owner of interactive users' home directories to the correct owner. To change the owner of an interactive user's home directory, use the following command:
    $ sudo chown USER /home/USER
References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020640, SV-86643r5_rule
Rationale: If a local interactive user does not own their home directory, unauthorized users could access or modify the user's files, and the user may not be able to access their own files.
Identifiers: CCE-80531-7

All User Files and Directories In The Home Directory Must Be Owned By The Primary User
Change the owner of an interactive user's files and directories to that user. To change the owner of a local interactive user's files and directories, use the following command:
    $ sudo chown -R USER /home/USER
References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020660, SV-86647r2_rule
Rationale: If local interactive users do not own the files in their directories, unauthorized users may be able to access them. Additionally, if files are not owned by the user, this could be an indication of system compromise.
Identifiers: CCE-80533-3

User Initialization Files Must Be Group-Owned By The Primary User
Change the group owner of interactive users' initialization files to the group found in /etc/passwd for the user.
To change the group owner of a local interactive user's initialization files, use the following command:
    $ sudo chgrp USER_GROUP /home/USER/.INIT_FILE
References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020700, SV-86655r3_rule
Rationale: Local initialization files for interactive users are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.
Identifiers: CCE-80526-7

All Interactive User Home Directories Must Have Mode 0750 Or Less Permissive
Change the mode of interactive users' home directories to 0750. To change the mode of an interactive user's home directory, use the following command:
    $ sudo chmod 0750 /home/USER
References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020630, SV-86641r3_rule
Rationale: Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.
Identifiers: CCE-80530-9

Warning Banners for System Accesses
Each system should expose as little information about itself as possible. System banners, which are typically displayed just before a login prompt, give out information about the service or the host's operating system. This might include the distribution name, the system kernel version, and the particular version of a network service. This information can assist intruders in gaining access to the system, as it can reveal whether the system is running vulnerable software. Most network services can be configured to limit what information is displayed.

Many organizations implement security policies that require a system banner to provide notice of the system's ownership, provide warning to unauthorized users, and remind authorized users of their consent to monitoring.

Login Banner Verbiage
Enter an appropriate login banner for your organization. Please note that new lines must be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\'.
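As an added example (not SCAP Security Guide code), the following Python script audits local interactive accounts against the home directory and initialization file rules above (RHEL-07-020600, 020620, 020630, 020640, 020650, 020690, 020700 and 020710). The passwd entries and the uid/gid/mode data that stand in for os.stat() results are constructed, so it runs without root.

```python
"""Audit local interactive accounts against the home directory and
initialization file rules of this section (RHEL-07-020600 through 020710).
Added example, not part of the SCAP Security Guide; the passwd entries and
the ownership/mode data below are constructed so it runs without root."""
import stat

UID_MIN = 1000  # default UID_MIN in /etc/login.defs on RHEL 7
NOLOGIN_SHELLS = ("/sbin/nologin", "/usr/sbin/nologin", "/bin/false")


def parse_passwd(text):
    """Parse /etc/passwd-style lines into dicts with the fields used here."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "home": home, "shell": shell})
    return users


def is_interactive(user):
    """Local interactive user: UID at or above UID_MIN with a real login shell."""
    return user["uid"] >= UID_MIN and user["shell"] not in NOLOGIN_SHELLS


def too_permissive(mode, limit):
    """True if mode grants any permission bit that 'limit' does not."""
    return bool(stat.S_IMODE(mode) & ~limit)


def audit_user(user, fs):
    """fs maps a path to (uid, gid, st_mode), standing in for os.stat().
    Returns [(stig_id, finding), ...] for this user."""
    findings = []
    home = user["home"].rstrip("/")
    if not home:
        return [("RHEL-07-020600", "no home directory defined")]
    if home not in fs:
        return [("RHEL-07-020620", "home directory %s does not exist" % home)]
    uid, gid, mode = fs[home]
    if uid != user["uid"]:
        findings.append(("RHEL-07-020640", "%s owned by uid %d, not %s" % (home, uid, user["name"])))
    if gid != user["gid"]:
        findings.append(("RHEL-07-020650", "%s group-owned by gid %d, not primary gid %d" % (home, gid, user["gid"])))
    if too_permissive(mode, 0o750):
        findings.append(("RHEL-07-020630", "%s mode %04o more permissive than 0750" % (home, stat.S_IMODE(mode))))
    # Initialization files are the dot-files directly under the home directory
    for path, (fuid, fgid, fmode) in sorted(fs.items()):
        parent, _, base = path.rpartition("/")
        if parent != home or not base.startswith("."):
            continue
        if fuid != user["uid"]:
            findings.append(("RHEL-07-020690", "%s owned by uid %d, not %s" % (path, fuid, user["name"])))
        if fgid != user["gid"]:
            findings.append(("RHEL-07-020700", "%s group-owned by gid %d, not primary gid %d" % (path, fgid, user["gid"])))
        if too_permissive(fmode, 0o740):
            findings.append(("RHEL-07-020710", "%s mode %04o more permissive than 0740" % (path, stat.S_IMODE(fmode))))
    return findings


def audit_all(passwd_text, fs):
    """Map each interactive user that has findings to its list of findings."""
    report = {}
    for user in parse_passwd(passwd_text):
        if is_interactive(user):
            findings = audit_user(user, fs)
            if findings:
                report[user["name"]] = findings
    return report


# Constructed /etc/passwd excerpt
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
svc:x:1003:1003:Service account:/home/svc:/sbin/nologin
"""

# Constructed stat() view: path -> (uid, gid, st_mode including the type bits)
SAMPLE_FS = {
    "/home/alice": (1000, 1000, stat.S_IFDIR | 0o700),
    "/home/alice/.bash_profile": (1000, 1000, stat.S_IFREG | 0o640),
    "/home/alice/.bashrc": (1000, 1000, stat.S_IFREG | 0o644),
    "/home/bob": (1001, 100, stat.S_IFDIR | 0o755),
    "/home/bob/.bashrc": (0, 0, stat.S_IFREG | 0o644),
}

if __name__ == "__main__":
    for name, findings in sorted(audit_all(SAMPLE_PASSWD, SAMPLE_FS).items()):
        for stig_id, text in findings:
            print("%s: %s: %s" % (name, stig_id, text))
```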
Implement a GUI Warning Banner
In the default graphical environment, users logging directly into the system are greeted with a login screen provided by the GNOME Display Manager (GDM). The warning banner should be displayed in this graphical environment for these users. The following sections describe how to configure the GDM login banner.

Enable GNOME3 Login Warning Banner
In the default graphical environment, displaying a login warning banner in the GNOME Display Manager's login screen can be enabled by setting banner-message-enable to true. To enable it, add or edit banner-message-enable in /etc/dconf/db/gdm.d/00-security-settings.
For example:
    [org/gnome/login-screen]
    banner-message-enable=true
Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
    /org/gnome/login-screen/banner-message-enable
After the settings have been set, run dconf update. The banner text must also be set.
References: RHEL-07-010030, SV-86483r4_rule, 1.7.2, 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(b), AC-8(c)(1), AC-8(c)(2), AC-8(c)(3), PR.AC-7, FMT_MOF_EXT.1, OS-SRG-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088
Rationale: Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. For U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
Identifiers: CCE-26970-4
Remediation Shell script:
    # dconf_settings and dconf_lock are SCAP Security Guide shared helpers
    # pulled in by include_dconf_settings; they write the keyfile and the lock.
    include_dconf_settings
    dconf_settings 'org/gnome/login-screen' 'banner-message-enable' 'true' 'gdm.d' '00-security-settings'
    dconf_lock 'org/gnome/login-screen' 'banner-message-enable' 'gdm.d' '00-security-settings-lock'
Remediation Ansible snippet:
    - name: "Enable GNOME3 Login Warning Banner"
      ini_file:
        dest: "/etc/dconf/db/local.d/00-security-settings"
        section: "org/gnome/login-screen"
        option: banner-message-enable
        value: "true"
        create: yes
      tags:
        - dconf_gnome_banner_enabled
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-26970-4
        - NIST-800-53-AC-8(a)
        - NIST-800-53-AC-8(b)
        - NIST-800-53-AC-8(c)(1)
        - NIST-800-53-AC-8(c)(2)
        - NIST-800-53-AC-8(c)(3)
        - NIST-800-171-3.1.9
        - DISA-STIG-RHEL-07-010030
    - name: "Prevent user modification of GNOME banner-message-enabled"
      lineinfile:
        path: /etc/dconf/db/local.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/login-screen/banner-message-enable'
        line: '/org/gnome/login-screen/banner-message-enable'
        create: yes
      tags:
        - dconf_gnome_banner_enabled
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-26970-4
        - NIST-800-53-AC-8(a)
        - NIST-800-53-AC-8(b)
        - NIST-800-53-AC-8(c)(1)
        - NIST-800-53-AC-8(c)(2)
        - NIST-800-53-AC-8(c)(3)
        - NIST-800-171-3.1.9
        - DISA-STIG-RHEL-07-010030

Set the GNOME3 Login Warning Banner Text
In the default graphical environment, the login warning banner text shown in the GNOME Display Manager's login screen is configured by setting banner-message-text to string 'APPROVED_BANNER', where APPROVED_BANNER is the approved banner for your environment. To enable it, add or edit banner-message-text in /etc/dconf/db/gdm.d/00-security-settings. For example:
    [org/gnome/login-screen]
    banner-message-text='APPROVED_BANNER'
Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
For example:
    /org/gnome/login-screen/banner-message-text
After the settings have been set, run dconf update. When entering a warning banner that spans several lines, remember to begin and end the string with ' and use \n for new lines.
References: RHEL-07-010040, SV-86485r4_rule, 1.7.2, 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(b), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088
Rationale: An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.
Identifiers: CCE-26892-0
Remediation Shell script:
    login_banner_text=""
    include_dconf_settings
    # Turn the regular-expression form of the banner value into literal text
    # (collapse [\s\n]+ runs to spaces, restore \n, drop escapes) and escape
    # single quotes for the GVariant string.
    expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
    dconf_settings 'org/gnome/login-screen' 'banner-message-text' "string '${expanded}'" 'gdm.d' '00-security-settings'
    dconf_lock 'org/gnome/login-screen' 'banner-message-text' 'gdm.d' '00-security-settings-lock'
Remediation Ansible snippet:
    - name: XCCDF Value login_banner_text # promote to variable
      set_fact:
        login_banner_text: !!str
      tags:
        - always
    - name: "Set the GNOME3 Login Warning Banner Text"
      file:
        path: "/etc/dconf/db/{{ item }}"
        owner: root
        group: root
        mode: 0755
        state: directory
      with_items:
        - gdm.d
        - gdm.d/locks
      tags:
        - dconf_gnome_login_banner_text
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-26892-0
        - NIST-800-53-AC-8(a)
        - NIST-800-53-AC-8(b)
        - NIST-800-53-AC-8(c)
        - NIST-800-171-3.1.9
        - DISA-STIG-RHEL-07-010040
    - name: "Set the GNOME3 Login Warning Banner Text"
      file:
        path: "/etc/dconf/db/gdm.d/{{ item }}"
        owner: root
        group: root
        mode: 0644
        state: touch
      with_items:
        - 00-security-settings
        - locks/00-security-settings-lock
      tags:
        - dconf_gnome_login_banner_text
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-26892-0
        - NIST-800-53-AC-8(a)
        - NIST-800-53-AC-8(b)
        - NIST-800-53-AC-8(c)
        - NIST-800-171-3.1.9
        - DISA-STIG-RHEL-07-010040
    - name: "Set the GNOME3 Login Warning Banner Text"
      ini_file:
        dest: /etc/dconf/db/gdm.d/00-security-settings
        section: org/gnome/login-screen
        option: banner-message-text
        value: string '{{ login_banner_text }}'
        create: yes
      tags:
        - dconf_gnome_login_banner_text
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-26892-0
        - NIST-800-53-AC-8(a)
        - NIST-800-53-AC-8(b)
        - NIST-800-53-AC-8(c)
        - NIST-800-171-3.1.9
        - DISA-STIG-RHEL-07-010040
    - name: "Prevent user modification of the GNOME3 Login Warning Banner Text"
      lineinfile:
        path: '/etc/dconf/db/gdm.d/locks/00-security-settings-lock'
        # dconf lock entries are absolute key paths; the leading slash is required
        regexp: '^/org/gnome/login-screen/banner-message-text$'
        line: '/org/gnome/login-screen/banner-message-text'
        create: yes
        state: present
      tags:
        - dconf_gnome_login_banner_text
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-26892-0
        - NIST-800-53-AC-8(a)
        - NIST-800-53-AC-8(b)
        - NIST-800-53-AC-8(c)
        - NIST-800-171-3.1.9
        - DISA-STIG-RHEL-07-010040

Enable GUI Warning Banner
To enable displaying a login warning banner in the GNOME Display Manager's login screen, run the following command:
    $ sudo gconftool-2 --direct \
        --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
        --type bool \
        --set /apps/gdm/simple-greeter/banner_message_enable true
To display a banner, this setting must be enabled and then banner text must also be set.
References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(b), AC-8(c), PR.AC-7
Rationale: An appropriate warning message reinforces policy awareness during the login process and facilitates possible legal action against attackers.

Set GUI Warning Banner Text
To set the text shown by the GNOME Display Manager in the login screen, run the following command:
    $ sudo gconftool-2 --direct \
        --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
        --type string \
        --set /apps/gdm/simple-greeter/banner_message_text \
        "Text of the warning banner here"
When entering a warning banner that spans several lines, remember to begin and end the string with ". This command writes directly either to /etc/gconf/gconf.xml.mandatory/%gconf-tree.xml if it exists or to the file /etc/gconf/gconf.xml.mandatory/apps/gdm/simple-greeter/%gconf.xml. Either of these files can later be edited directly if necessary.
References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(b), AC-8(c), PR.AC-7
Rationale: An appropriate warning message reinforces policy awareness during the login process and facilitates possible legal action against attackers.

Modify the System Login Banner
To configure the system login banner, edit /etc/issue. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

OR:

I've read & consent to terms in IS user agreem't.

References: RHEL-07-010050, SV-86487r3_rule, 1.7.1.2, 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(b), AC-8(c)(1), AC-8(c)(2), AC-8(c)(3), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000023-VMM-000060, SRG-OS-000024-VMM-000070
Rationale: Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
Identifiers: CCE-27303-7

Protect Accounts by Configuring PAM
PAM, or Pluggable Authentication Modules, is a system which implements modular authentication for Linux programs. PAM provides a flexible and configurable architecture for authentication, and it should be configured to minimize exposure to unnecessary risk. This section contains guidance on how to accomplish that.

PAM is implemented as a set of shared objects which are loaded and invoked whenever an application wishes to authenticate a user. Typically, the application must be running as root in order to take advantage of PAM, because PAM's modules often need to be able to access sensitive stores of account information, such as /etc/shadow. Traditional privileged network listeners (e.g. sshd) or SUID programs (e.g. sudo) already meet this requirement. An SUID root application, userhelper, is provided so that programs which are not SUID or privileged themselves can still take advantage of PAM.

PAM looks in the directory /etc/pam.d for application-specific configuration information. For instance, if the program login attempts to authenticate a user, then PAM's libraries follow the instructions in the file /etc/pam.d/login to determine what actions should be taken.

One very important file in /etc/pam.d is /etc/pam.d/system-auth. This file, which is included by many other PAM configuration files, defines 'default' system authentication measures. Modifying this file is a good way to make far-reaching authentication changes, for instance when implementing a centralized authentication service.

Be careful when making changes to PAM's configuration files. The syntax for these files is complex, and modifications can have unexpected consequences. The default configurations shipped with applications should be sufficient for most users.
Running authconfig or system-config-authentication will re-write the PAM configuration files, destroying any manually made changes and replacing them with a series of system defaults. One reference to the configuration file syntax can be found at http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html.

remember
The last n passwords for each user are saved in /etc/security/opasswd in order to force password change history and keep the user from alternating between the same password too frequently.
Values: 0 4 5 24 5 10

Set Password Hashing Algorithm
The system's default algorithm for storing password hashes in /etc/shadow is SHA-512. This can be configured in several locations.

Set Password Hashing Algorithm in /etc/login.defs
In /etc/login.defs, add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm:
    ENCRYPT_METHOD SHA512
References: RHEL-07-010210, SV-86545r2_rule, 6.3.1, 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(b), IA-5(c), IA-5(1)(c), IA-7, PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, SRG-OS-000073-GPOS-00041
Rationale: Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. Using a stronger hashing algorithm makes password cracking attacks more difficult.
CCE-27124-7
if grep --silent ^ENCRYPT_METHOD /etc/login.defs ; then
    sed -i 's/^ENCRYPT_METHOD.*/ENCRYPT_METHOD SHA512/g' /etc/login.defs
else
    echo "" >> /etc/login.defs
    echo "ENCRYPT_METHOD SHA512" >> /etc/login.defs
fi
- name: Set Password Hashing Algorithm in /etc/login.defs lineinfile: dest: /etc/login.defs regexp: ^#?ENCRYPT_METHOD line: ENCRYPT_METHOD SHA512 state: present tags: - set_password_hashing_algorithm_logindefs - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27124-7 - NIST-800-53-IA-5(b) - NIST-800-53-IA-5(c) - NIST-800-53-IA-5(1)(c) - NIST-800-53-IA-7 - NIST-800-171-3.13.11 - PCI-DSS-Req-8.2.1 - CJIS-5.6.2.2 - DISA-STIG-RHEL-07-010210
Set Password Hashing Algorithm in /etc/libuser.conf In /etc/libuser.conf, add or correct the following line in its [defaults] section to ensure the system will use the SHA-512 algorithm for password hashing: crypt_style = sha512 RHEL-07-010220 SV-86547r3_rule 1 12 15 16 5 5.6.2.2 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.13.11 CCI-000196 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(b) IA-5(c) IA-5(1)(c) IA-7 PR.AC-1 PR.AC-6 PR.AC-7 Req-8.2.1 SRG-OS-000073-GPOS-00041 SRG-OS-000480-VMM-002000 Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords.
Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult. CCE-27053-8 LIBUSER_CONF="/etc/libuser.conf" CRYPT_STYLE_REGEX='[[:space:]]*\[defaults](.*(\n)+)+?[[:space:]]*crypt_style[[:space:]]*' # Try find crypt_style in [defaults] section. If it is here, then change algorithm to sha512. # If it isn't here, then add it to [defaults] section. if grep -qzosP $CRYPT_STYLE_REGEX $LIBUSER_CONF ; then sed -i "s/\(crypt_style[[:space:]]*=[[:space:]]*\).*/\1sha512/g" $LIBUSER_CONF elif grep -qs "\[defaults]" $LIBUSER_CONF ; then sed -i "/[[:space:]]*\[defaults]/a crypt_style = sha512" $LIBUSER_CONF else echo -e "[defaults]\ncrypt_style = sha512" >> $LIBUSER_CONF fi - name: Set Password Hashing Algorithm in /etc/libuser.conf lineinfile: dest: /etc/libuser.conf insertafter: '^\s*\[defaults]' regexp: ^#?crypt_style line: crypt_style = sha512 state: present tags: - set_password_hashing_algorithm_libuserconf - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27053-8 - NIST-800-53-IA-5(b) - NIST-800-53-IA-5(c) - NIST-800-53-IA-5(1)(c) - NIST-800-53-IA-7 - NIST-800-171-3.13.11 - PCI-DSS-Req-8.2.1 - CJIS-5.6.2.2 - DISA-STIG-RHEL-07-010220 Set PAM's Password Hashing Algorithm The PAM system service can be configured to only store encrypted representations of passwords. In /etc/pam.d/system-auth, the password section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the password section to include the argument sha512, as shown below: password sufficient pam_unix.so sha512 other arguments... This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default. 
RHEL-07-010200 SV-86543r3_rule 6.3.1 1 12 15 16 5 5.6.2.2 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.13.11 CCI-000196 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(b) IA-5(c) IA-5(1)(c) IA-7 PR.AC-1 PR.AC-6 PR.AC-7 Req-8.2.1 SRG-OS-000073-GPOS-00041 SRG-OS-000480-VMM-002000 Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. This setting ensures that the PAM password stack stores only encrypted representations of passwords. Additionally, the sha512 argument to pam_unix.so ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.
CCE-27104-9
AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"
for pamFile in "${AUTH_FILES[@]}"
do
    if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" $pamFile; then
        sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" $pamFile
    fi
done
Set Lockouts for Failed Password Attempts The pam_faillock PAM module provides the capability to lock out user accounts after a number of failed login attempts. Its documentation is available in /usr/share/doc/pam-VERSION/txts/README.pam_faillock. Locking out user accounts presents the risk of a denial-of-service attack. The lockout policy must weigh whether the risk of such a denial-of-service attack outweighs the benefits of thwarting password guessing attacks.
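The three hashing-algorithm settings above (ENCRYPT_METHOD in /etc/login.defs, crypt_style in /etc/libuser.conf and the sha512 argument to pam_unix.so) only govern hashes generated from now on: a hash already in /etc/shadow keeps its old algorithm until that password is next changed, and none of the remediations can fix that. The following check script is an added example and is not part of the SCAP Security Guide; it verifies each of the three settings and lists accounts whose stored hash is not SHA-512. It runs against constructed sample files (an assumption made so it works without root); pass the real paths to audit a host.

```shell
#!/bin/sh
# Added audit example, not SCAP Security Guide code. Paths are arguments so
# the checks run on constructed copies; on a live host use /etc/login.defs,
# /etc/libuser.conf, /etc/pam.d/system-auth and /etc/shadow (root needed).

# 0 if at least one uncommented ENCRYPT_METHOD line exists and all say SHA512.
check_login_defs() {
    awk '$1 == "ENCRYPT_METHOD" { n++; if ($2 != "SHA512") bad = 1 }
         END { exit (n > 0 && !bad) ? 0 : 1 }' "$1"
}

# 0 if crypt_style = sha512 is set inside the [defaults] section (value
# compared case-insensitively; the same key in another section does not count).
check_libuser_conf() {
    awk '/^[ \t]*\[/ { sec = $0; gsub(/[][ \t]/, "", sec); next }
         /^[ \t]*[#;]/ || !index($0, "=") { next }
         {
             eq = index($0, "=")
             k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
             gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
             if (sec == "defaults" && k == "crypt_style") {
                 n++; if (tolower(v) != "sha512") bad = 1
             }
         }
         END { exit (n > 0 && !bad) ? 0 : 1 }' "$1"
}

# 0 if every "password ... pam_unix.so" line carries sha512 and no competing
# algorithm token (md5, sha256, blowfish, bigcrypt): pam_unix takes the last
# algorithm option on the line, so a stray one after sha512 would win.
check_pam_unix_sha512() {
    awk '$1 == "password" && /pam_unix\.so/ {
             n++; has = 0
             for (i = 2; i <= NF; i++) {
                 if ($i == "sha512") has = 1
                 if ($i ~ /^(md5|sha256|blowfish|bigcrypt)$/) bad = 1
             }
             if (!has) bad = 1
         }
         END { exit (n > 0 && !bad) ? 0 : 1 }' "$1"
}

# Prints accounts whose hash is not SHA-512 ($6$...); locked or empty
# password fields (*, !, !!) are skipped. Returns 1 if any were printed.
weak_shadow_hashes() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ && $2 !~ /^\$6\$/ { print $1; bad = 1 }
             END { exit bad ? 1 : 0 }' "$1"
}

# Constructed sample files (not from a real host); prints their directory.
make_samples() {
    d=$(mktemp -d)
    printf 'PASS_MAX_DAYS 60\n#ENCRYPT_METHOD MD5\nENCRYPT_METHOD SHA512\n' > "$d/login.defs"
    printf '[defaults]\ncrypt_style = md5\n[userdefaults]\ncrypt_style = sha512\n' > "$d/libuser.conf"
    printf 'auth required pam_env.so\npassword sufficient pam_unix.so sha512 shadow try_first_pass use_authtok\n' > "$d/system-auth"
    printf 'root:$6$salt$hash:18000:0:99999:7:::\nbin:*:18000:0:99999:7:::\nlegacy:$1$salt$hash:17000:0:99999:7:::\nnew:!!:18000:0:99999:7:::\n' > "$d/shadow"
    echo "$d"
}

# Run the four checks against the samples: login.defs and PAM pass, the
# libuser [defaults] section (md5) and the legacy $1$ hash fail.
audit() {
    d=$(make_samples)
    for c in "check_login_defs $d/login.defs" "check_libuser_conf $d/libuser.conf" \
             "check_pam_unix_sha512 $d/system-auth" "weak_shadow_hashes $d/shadow"; do
        if $c > /dev/null; then echo "PASS: $c"; else echo "FAIL: $c"; fi
    done
    rm -rf "$d"
}

audit
```

The libuser sample is the case the remediation's insertafter logic exists for: a correct crypt_style under the wrong section header passes a naive grep and still leaves libuser creating md5 hashes. The shadow check is what tells you whether a password-change campaign is still needed after the three settings are in place.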
Configure the root Account for Failed Password Attempts To configure the system to lock out the root account after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:
Modify the following line in the AUTH section to add even_deny_root: auth required pam_faillock.so preauth silent even_deny_root deny= unlock_time= fail_interval=
Modify the following line in the AUTH section to add even_deny_root: auth [default=die] pam_faillock.so authfail even_deny_root deny= unlock_time= fail_interval=
RHEL-07-010330 SV-86569r4_rule 1 12 15 16 DSS05.04 DSS05.10 DSS06.10 CCI-002238 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-7(b) PR.AC-7 FMT_MOF_EXT.1 SRG-OS-000329-GPOS-00128 SRG-OS-000021-GPOS-00005 By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
CCE-80353-6
AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"

# This script fixes absence of pam_faillock.so in PAM stack or the
# absence of even_deny_root in pam_faillock.so arguments
# When inserting auth pam_faillock.so entries,
# the entry with preauth argument will be added before pam_unix.so module
# and entry with authfail argument will be added after pam_unix.so module.
# The placement of pam_faillock.so entries will not be changed
# if they are already present
for pamFile in "${AUTH_FILES[@]}"
do
    # if PAM file is missing, system is not using PAM or broken
    if [ ! -f $pamFile ]; then
        continue
    fi

    # is 'auth required' here?
    if grep -q "^auth.*required.*pam_faillock.so.*" $pamFile; then
        # has 'auth required' even_deny_root option?
        if ! grep -q "^auth.*required.*pam_faillock.so.*preauth.*even_deny_root" $pamFile; then
            # even_deny_root is not present
            sed -i --follow-symlinks "s/\(^auth.*required.*pam_faillock.so.*preauth.*\).*/\1 even_deny_root/" $pamFile
        fi
    else
        # no 'auth required', add it
        sed -i --follow-symlinks "/^auth.*pam_unix.so.*/i auth required pam_faillock.so preauth silent even_deny_root" $pamFile
    fi

    # is 'auth [default=die]' here?
    if grep -q "^auth.*\[default=die\].*pam_faillock.so.*" $pamFile; then
        # has 'auth [default=die]' even_deny_root option?
        if ! grep -q "^auth.*\[default=die\].*pam_faillock.so.*authfail.*even_deny_root" $pamFile; then
            # even_deny_root is not present
            sed -i --follow-symlinks "s/\(^auth.*\[default=die\].*pam_faillock.so.*authfail.*\).*/\1 even_deny_root/" $pamFile
        fi
    else
        # no 'auth [default=die]', add it
        sed -i --follow-symlinks "/^auth.*pam_unix.so.*/a auth [default=die] pam_faillock.so authfail silent even_deny_root" $pamFile
    fi
done
- name: Add auth pam_faillock preauth even_deny_root before pam_unix.so pamd: name: "{{ item }}" type: auth control: sufficient module_path: pam_unix.so new_type: auth new_control: required new_module_path: pam_faillock.so module_arguments: 'preauth silent even_deny_root' state: before loop: - system-auth - password-auth tags: - accounts_passwords_pam_faillock_deny_root - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80353-6 - NIST-800-53-AC-7(b) - DISA-STIG-RHEL-07-010330 - name: Add even_deny_root argument to auth pam_faillock preauth pamd: name: "{{ item }}" type: auth control: required module_path: pam_faillock.so module_arguments: 'preauth silent even_deny_root' state: args_present loop: - system-auth - password-auth tags: - accounts_passwords_pam_faillock_deny_root - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80353-6 - NIST-800-53-AC-7(b) - DISA-STIG-RHEL-07-010330 - name: Add auth pam_faillock authfail even_deny_root after pam_unix.so pamd: name: "{{ item }}"
type: auth control: sufficient module_path: pam_unix.so new_type: auth new_control: '[default=die]' new_module_path: pam_faillock.so module_arguments: 'authfail even_deny_root' state: after loop: - system-auth - password-auth tags: - accounts_passwords_pam_faillock_deny_root - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80353-6 - NIST-800-53-AC-7(b) - DISA-STIG-RHEL-07-010330 - name: Add even_deny_root argument to auth pam_faillock authfail pamd: name: "{{ item }}" type: auth control: '[default=die]' module_path: pam_faillock.so module_arguments: 'authfail even_deny_root' state: args_present loop: - system-auth - password-auth tags: - accounts_passwords_pam_faillock_deny_root - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80353-6 - NIST-800-53-AC-7(b) - DISA-STIG-RHEL-07-010330 - name: Add account pam_faillock before pam_unix.so pamd: name: "{{ item }}" type: account control: required module_path: pam_unix.so new_type: account new_control: required new_module_path: pam_faillock.so state: before loop: - system-auth - password-auth tags: - accounts_passwords_pam_faillock_deny_root - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80353-6 - NIST-800-53-AC-7(b) - DISA-STIG-RHEL-07-010330 Set Lockout Time for Failed Password Attempts To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in 
the ACCOUNT section: account required pam_faillock.so RHEL-07-010320 SV-86567r4_rule 5.3.2 1 12 15 16 5.5.3 DSS05.04 DSS05.10 DSS06.10 3.1.8 CCI-002238 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-7(b) PR.AC-7 FMT_MOF_EXT.1 Req-8.1.7 SRG-OS-000329-GPOS-00128 SRG-OS-000021-GPOS-00005 SRG-OS-000329-VMM-001180 Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations. CCE-26884-7 var_accounts_passwords_pam_faillock_unlock_time="" include_set_faillock_option AUTH_FILES[0]="/etc/pam.d/system-auth" AUTH_FILES[1]="/etc/pam.d/password-auth" for pam_file in "${AUTH_FILES[@]}" do set_faillock_option "$pam_file" "unlock_time" "$var_accounts_passwords_pam_faillock_unlock_time" done - name: XCCDF Value var_accounts_passwords_pam_faillock_unlock_time # promote to variable set_fact: var_accounts_passwords_pam_faillock_unlock_time: !!str tags: - always - name: Add auth pam_faillock preauth unlock_time before pam_unix.so pamd: name: "{{ item }}" type: auth control: sufficient module_path: pam_unix.so new_type: auth new_control: required new_module_path: pam_faillock.so module_arguments: 'preauth silent unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }}' state: before loop: - system-auth - password-auth tags: - accounts_passwords_pam_faillock_unlock_time - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-26884-7 - NIST-800-53-AC-7(b) - NIST-800-171-3.1.8 - PCI-DSS-Req-8.1.7 - CJIS-5.5.3 - DISA-STIG-RHEL-07-010320 - name: Add unlock_time argument to pam_faillock preauth pamd: name: "{{ item }}" type: auth control: required module_path: pam_faillock.so module_arguments: 'preauth silent unlock_time={{ 
var_accounts_passwords_pam_faillock_unlock_time }}' state: args_present loop: - system-auth - password-auth tags: - accounts_passwords_pam_faillock_unlock_time - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-26884-7 - NIST-800-53-AC-7(b) - NIST-800-171-3.1.8 - PCI-DSS-Req-8.1.7 - CJIS-5.5.3 - DISA-STIG-RHEL-07-010320 - name: Add auth pam_faillock authfail unlock_interval after pam_unix.so pamd: name: "{{ item }}" type: auth control: sufficient module_path: pam_unix.so new_type: auth new_control: '[default=die]' new_module_path: pam_faillock.so module_arguments: 'authfail unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }}' state: after loop: - system-auth - password-auth tags: - accounts_passwords_pam_faillock_unlock_time - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-26884-7 - NIST-800-53-AC-7(b) - NIST-800-171-3.1.8 - PCI-DSS-Req-8.1.7 - CJIS-5.5.3 - DISA-STIG-RHEL-07-010320 - name: Add unlock_time argument to auth pam_faillock authfail pamd: name: "{{ item }}" type: auth control: '[default=die]' module_path: pam_faillock.so module_arguments: 'authfail unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }}' state: args_present loop: - system-auth - password-auth tags: - accounts_passwords_pam_faillock_unlock_time - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-26884-7 - NIST-800-53-AC-7(b) - NIST-800-171-3.1.8 - PCI-DSS-Req-8.1.7 - CJIS-5.5.3 - DISA-STIG-RHEL-07-010320 - name: Add account pam_faillock before pam_unix.so pamd: name: "{{ item }}" type: account control: required module_path: pam_unix.so new_type: account new_control: required new_module_path: pam_faillock.so state: before loop: - system-auth - password-auth tags: - accounts_passwords_pam_faillock_unlock_time - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-26884-7 - NIST-800-53-AC-7(b) - NIST-800-171-3.1.8 - PCI-DSS-Req-8.1.7 - CJIS-5.5.3 - 
DISA-STIG-RHEL-07-010320 Limit Password Reuse Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.so module, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... remember= The DoD STIG requirement is 5 passwords. RHEL-07-010270 SV-86557r3_rule 5.3.3 1 12 15 16 5 5.6.2.1.1 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.5.8 CCI-000200 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(f) IA-5(1)(e) PR.AC-1 PR.AC-6 PR.AC-7 Req-8.2.5 SRG-OS-000077-GPOS-00045 SRG-OS-000077-VMM-000440 Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.
CCE-26923-3 var_password_pam_unix_remember="" AUTH_FILES[0]="/etc/pam.d/system-auth" AUTH_FILES[1]="/etc/pam.d/password-auth" for pamFile in "${AUTH_FILES[@]}" do if grep -q "remember=" $pamFile; then sed -i --follow-symlinks "s/\(^password.*sufficient.*pam_unix.so.*\)\(\(remember *= *\)[^ $]*\)/\1remember=$var_password_pam_unix_remember/" $pamFile else sed -i --follow-symlinks "/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/ s/$/ remember=$var_password_pam_unix_remember/" $pamFile fi done - name: XCCDF Value var_password_pam_unix_remember # promote to variable set_fact: var_password_pam_unix_remember: !!str tags: - always - name: "Do not allow users to reuse recent passwords - system-auth (change)" replace: dest: /etc/pam.d/system-auth follow: yes regexp: '^(password\s+sufficient\s+pam_unix\.so\s.*remember\s*=\s*)(\S+)(.*)$' replace: '\g<1>{{ var_password_pam_unix_remember }}\g<3>' tags: - accounts_password_pam_unix_remember - medium_severity - configure_strategy - low_complexity - medium_disruption - CCE-26923-3 - NIST-800-53-IA-5(f) - NIST-800-53-IA-5(1)(e) - NIST-800-171-3.5.8 - PCI-DSS-Req-8.2.5 - CJIS-5.6.2.1.1 - DISA-STIG-RHEL-07-010270 - name: "Do not allow users to reuse recent passwords - system-auth (add)" replace: dest: /etc/pam.d/system-auth follow: yes regexp: '^password\s+sufficient\s+pam_unix\.so\s(?!.*remember\s*=\s*).*$' replace: '\g<0> remember={{ var_password_pam_unix_remember }}' tags: - accounts_password_pam_unix_remember - medium_severity - configure_strategy - low_complexity - medium_disruption - CCE-26923-3 - NIST-800-53-IA-5(f) - NIST-800-53-IA-5(1)(e) - NIST-800-171-3.5.8 - PCI-DSS-Req-8.2.5 - CJIS-5.6.2.1.1 - DISA-STIG-RHEL-07-010270 Set Interval For Counting Failed Password Attempts Utilizing pam_faillock.so, the fail_interval directive configures the system to lock out an account after a number of incorrect login attempts within a specified time period. 
Modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: Add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= Add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= Add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so RHEL-07-010320 SV-86567r4_rule 1 12 15 16 DSS05.04 DSS05.10 DSS06.10 CCI-002238 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-7(a) PR.AC-7 FMT_MOF_EXT.1 SRG-OS-000329-GPOS-00128 SRG-OS-000021-GPOS-00005 By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. 
CCE-27297-1
include_set_faillock_option
var_accounts_passwords_pam_faillock_fail_interval=""
AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"
for pam_file in "${AUTH_FILES[@]}"
do
    set_faillock_option "$pam_file" "fail_interval" "$var_accounts_passwords_pam_faillock_fail_interval"
done
- name: XCCDF Value var_accounts_passwords_pam_faillock_fail_interval # promote to variable set_fact: var_accounts_passwords_pam_faillock_fail_interval: !!str tags: - always - name: Add auth pam_faillock preauth fail_interval before pam_unix.so pamd: name: "{{ item }}" type: auth control: sufficient module_path: pam_unix.so new_type: auth new_control: required new_module_path: pam_faillock.so module_arguments: 'preauth silent fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}' state: before loop: - system-auth - password-auth tags: - accounts_passwords_pam_faillock_interval - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27297-1 - NIST-800-53-AC-7(a) - DISA-STIG-RHEL-07-010320 - name: Add fail_interval argument to auth pam_faillock preauth pamd: name: "{{ item }}" type: auth control: required module_path: pam_faillock.so module_arguments: 'preauth silent fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}' state: args_present loop: - system-auth - password-auth tags: - accounts_passwords_pam_faillock_interval - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27297-1 - NIST-800-53-AC-7(a) - DISA-STIG-RHEL-07-010320 - name: Add auth pam_faillock authfail fail_interval after pam_unix.so pamd: name: "{{ item }}" type: auth control: sufficient module_path: pam_unix.so new_type: auth new_control: '[default=die]' new_module_path: pam_faillock.so module_arguments: 'authfail fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}' state: after loop: - system-auth - password-auth tags: - accounts_passwords_pam_faillock_interval - medium_severity -
restrict_strategy - low_complexity - low_disruption - CCE-27297-1 - NIST-800-53-AC-7(a) - DISA-STIG-RHEL-07-010320 - name: Add fail_interval argument to auth pam_faillock authfail pamd: name: "{{ item }}" type: auth control: '[default=die]' module_path: pam_faillock.so module_arguments: 'authfail fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}' state: args_present loop: - system-auth - password-auth tags: - accounts_passwords_pam_faillock_interval - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27297-1 - NIST-800-53-AC-7(a) - DISA-STIG-RHEL-07-010320 - name: Add account pam_faillock before pam_unix.so pamd: name: "{{ item }}" type: account control: required module_path: pam_unix.so new_type: account new_control: required new_module_path: pam_faillock.so state: before loop: - system-auth - password-auth tags: - accounts_passwords_pam_faillock_interval - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27297-1 - NIST-800-53-AC-7(a) - DISA-STIG-RHEL-07-010320 Set Deny For Failed Password Attempts To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so RHEL-07-010320 SV-86567r4_rule 5.3.2 1 12 15 16 5.5.3 DSS05.04 DSS05.10 DSS06.10 3.1.8 CCI-002238 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 
A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-7(a) PR.AC-7 FMT_MOF_EXT.1 Req-8.1.6 SRG-OS-000329-GPOS-00128 SRG-OS-000021-GPOS-00005 SRG-OS-000021-VMM-000050 Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. CCE-27350-8 var_accounts_passwords_pam_faillock_deny="" include_set_faillock_option AUTH_FILES[0]="/etc/pam.d/system-auth" AUTH_FILES[1]="/etc/pam.d/password-auth" for pam_file in "${AUTH_FILES[@]}" do set_faillock_option "$pam_file" "deny" "$var_accounts_passwords_pam_faillock_deny" done - name: XCCDF Value var_accounts_passwords_pam_faillock_deny # promote to variable set_fact: var_accounts_passwords_pam_faillock_deny: !!str tags: - always - name: Add auth pam_faillock preauth deny before pam_unix.so pamd: name: "{{ item }}" type: auth control: sufficient module_path: pam_unix.so new_type: auth new_control: required new_module_path: pam_faillock.so module_arguments: 'preauth silent deny={{ var_accounts_passwords_pam_faillock_deny }}' state: before loop: - system-auth - password-auth tags: - accounts_passwords_pam_faillock_deny - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27350-8 - NIST-800-53-AC-7(a) - NIST-800-171-3.1.8 - PCI-DSS-Req-8.1.6 - CJIS-5.5.3 - DISA-STIG-RHEL-07-010320 - name: Add deny argument to auth pam_faillock preauth pamd: name: "{{ item }}" type: auth control: required module_path: pam_faillock.so module_arguments: 'preauth silent deny={{ var_accounts_passwords_pam_faillock_deny }}' state: args_present loop: - system-auth - password-auth tags: - accounts_passwords_pam_faillock_deny - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27350-8 - NIST-800-53-AC-7(a) - NIST-800-171-3.1.8 - PCI-DSS-Req-8.1.6 - CJIS-5.5.3 - DISA-STIG-RHEL-07-010320 - name: Add auth pam_faillock authfail deny after pam_unix.so pamd: name: "{{ item }}" type: auth control: sufficient module_path: pam_unix.so new_type: auth new_control: '[default=die]' 
new_module_path: pam_faillock.so module_arguments: 'authfail deny={{ var_accounts_passwords_pam_faillock_deny }}' state: after loop: - system-auth - password-auth tags: - accounts_passwords_pam_faillock_deny - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27350-8 - NIST-800-53-AC-7(a) - NIST-800-171-3.1.8 - PCI-DSS-Req-8.1.6 - CJIS-5.5.3 - DISA-STIG-RHEL-07-010320 - name: Add deny argument to auth pam_faillock authfail pamd: name: "{{ item }}" type: auth new_type: auth control: '[default=die]' module_path: pam_faillock.so module_arguments: 'authfail deny={{ var_accounts_passwords_pam_faillock_deny }}' state: args_present loop: - system-auth - password-auth tags: - accounts_passwords_pam_faillock_deny - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27350-8 - NIST-800-53-AC-7(a) - NIST-800-171-3.1.8 - PCI-DSS-Req-8.1.6 - CJIS-5.5.3 - DISA-STIG-RHEL-07-010320 - name: Add account pam_faillock before pam_unix.so pamd: name: "{{ item }}" type: account control: required module_path: pam_unix.so new_type: account new_control: required new_module_path: pam_faillock.so state: before loop: - system-auth - password-auth tags: - accounts_passwords_pam_faillock_deny - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27350-8 - NIST-800-53-AC-7(a) - NIST-800-171-3.1.8 - PCI-DSS-Req-8.1.6 - CJIS-5.5.3 - DISA-STIG-RHEL-07-010320 Set Password Quality Requirements The default pam_pwquality PAM module provides strength checking for passwords. It performs a number of checks, such as making sure passwords are not similar to dictionary words, are of at least a certain length, are not the previous password reversed, and are not simply a change of case from the previous password. It can also require passwords to be in certain character classes. The pam_pwquality module is the preferred way of configuring password requirements. 
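The four pam_faillock rules above (even_deny_root, unlock_time, fail_interval and deny) and the Limit Password Reuse rule all edit the same two stack files, but each remediation checks only its own option. The following script is an added example and is not part of the SCAP Security Guide: it audits one stack file for all of them at once and for the ordering mistakes that leave a lockout configured but ineffective, such as the preauth line placed after pam_unix.so, an authfail line whose control is not [default=die], no account line, or deny/unlock_time/fail_interval values that differ between the two auth lines (each line is evaluated with its own arguments, so they must agree). The policy limits passed on the command line and the two sample stacks are constructed for the example and are assumptions, not values taken from the guide.

```shell
#!/bin/sh
# Added audit example, not SCAP Security Guide code.
# usage: audit_pam_file FILE MAX_DENY MIN_FAIL_INTERVAL MIN_REMEMBER NEED_ROOT
# One "FAIL: ..." line per finding; exit status 0 when the file is clean.
audit_pam_file() {
    awk -v max_deny="$2" -v min_interval="$3" -v min_remember="$4" -v need_root="$5" '
    function argval(line, name,   i, n, f) {     # value of name=... on line, "" if absent
        n = split(line, f, /[ \t]+/)
        for (i = 1; i <= n; i++)
            if (index(f[i], name "=") == 1) return substr(f[i], length(name) + 2)
        return ""
    }
    function hasarg(line, name,   i, n, f) {     # 1 if name appears as a bare argument
        n = split(line, f, /[ \t]+/)
        for (i = 1; i <= n; i++) if (f[i] == name) return 1
        return 0
    }
    function flag(msg) { print "FAIL: " msg; rc = 1 }
    BEGIN { rc = 0 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    $1 == "auth" && /pam_unix\.so/ && !auth_unix { auth_unix = NR }
    $1 == "auth" && /pam_faillock\.so/ && hasarg($0, "preauth")  { pre = NR; pre_ctl = $2; pre_line = $0 }
    $1 == "auth" && /pam_faillock\.so/ && hasarg($0, "authfail") { af = NR; af_ctl = $2; af_line = $0 }
    $1 == "account" && /pam_unix\.so/ && !acct_unix { acct_unix = NR }
    $1 == "account" && /pam_faillock\.so/ { acct_fl = NR }
    $1 == "password" && /pam_unix\.so/ { remember = argval($0, "remember") }
    END {
        if (!pre) flag("no auth pam_faillock.so preauth line")
        else {
            if (pre_ctl != "required") flag("preauth control is " pre_ctl ", expected required")
            if (!auth_unix || pre > auth_unix) flag("preauth line must come before auth pam_unix.so")
        }
        if (!af) flag("no auth pam_faillock.so authfail line")
        else {
            if (af_ctl != "[default=die]") flag("authfail control is " af_ctl ", expected [default=die]")
            if (!auth_unix || af < auth_unix) flag("authfail line must come after auth pam_unix.so")
        }
        if (!acct_fl) flag("no account pam_faillock.so line")
        else if (!acct_unix || acct_fl > acct_unix) flag("account pam_faillock.so must come before account pam_unix.so")
        if (pre && af) {
            n = split("deny unlock_time fail_interval", opt, " ")
            for (i = 1; i <= n; i++) {
                pv = argval(pre_line, opt[i]); av = argval(af_line, opt[i])
                if (pv == "" || av == "") flag(opt[i] " missing on the preauth or authfail line")
                else if (pv != av) flag(opt[i] " differs: preauth=" pv " authfail=" av)
            }
            dv = argval(pre_line, "deny"); iv = argval(pre_line, "fail_interval")
            if (max_deny != "" && (dv == "" || dv + 0 > max_deny + 0)) flag("deny=" dv " exceeds policy maximum " max_deny)
            if (min_interval != "" && (iv == "" || iv + 0 < min_interval + 0)) flag("fail_interval=" iv " below policy minimum " min_interval)
            if (need_root == "1" && !(hasarg(pre_line, "even_deny_root") && hasarg(af_line, "even_deny_root")))
                flag("even_deny_root missing from a pam_faillock.so auth line")
        }
        if (min_remember != "") {
            if (remember == "") flag("password pam_unix.so has no remember= option")
            else if (remember + 0 < min_remember + 0) flag("remember=" remember " below policy minimum " min_remember)
        }
        exit rc
    }' "$1"
}

# Constructed sample stacks (not copied from a real host); prints their directory.
# "bad" has faillock lines on the wrong side of pam_unix.so, a wrong control,
# mismatched deny, no even_deny_root and no remember=: seven separate findings.
make_pam_samples() {
    d=$(mktemp -d)
    cat > "$d/good" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
auth        required      pam_deny.so

account     required      pam_faillock.so
account     required      pam_unix.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
password    required      pam_deny.so
EOF
    cat > "$d/bad" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_faillock.so preauth silent deny=5 fail_interval=900 unlock_time=900
auth        sufficient    pam_faillock.so authfail deny=3 fail_interval=900 unlock_time=900
auth        required      pam_deny.so
account     required      pam_unix.so
account     required      pam_faillock.so
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
EOF
    echo "$d"
}

d=$(make_pam_samples)
echo "== good"; audit_pam_file "$d/good" 3 900 5 1 && echo "clean"
echo "== bad";  audit_pam_file "$d/bad"  3 900 5 1 || echo "not clean"
rm -rf "$d"
```

Run it against both /etc/pam.d/system-auth and /etc/pam.d/password-auth; a stack that is correct in only one of them still leaves the other login path (local console versus sshd) without a lockout.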
The pam_cracklib PAM module provides the same kind of strength checking as pam_pwquality: it also verifies that passwords are not similar to dictionary words, are of at least a certain length, are not the previous password reversed, and are not simply a change of case from the previous password, and it can also require passwords to contain certain character classes. The man pages pam_pwquality(8) and pam_cracklib(8) provide information on the capabilities and configuration of each. Set Password Quality Requirements with pam_pwquality The pam_pwquality PAM module can be configured to meet requirements for a variety of policies. For example, to configure pam_pwquality to require at least one uppercase character, lowercase character, digit, and other (special) character, make sure that pam_pwquality exists in /etc/pam.d/system-auth: password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= If no such line exists, add one as the first line of the password section in /etc/pam.d/system-auth. Next, modify the settings in /etc/security/pwquality.conf to match the following:
difok = 4
minlen = 14
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
maxrepeat = 3
The arguments can be modified to ensure compliance with your organization's security policy. Discussion of each parameter follows.
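The credit values in the example above are easy to get wrong in sign: a negative credit is a minimum count for that character class, while a positive credit is a bonus of up to that many characters towards minlen, so positive credits make short passwords acceptable. The following script is an added example and is not part of the SCAP Security Guide; it reproduces that arithmetic as pwquality.conf(5) describes it, together with minclass, maxrepeat and maxclassrepeat, so a proposed policy can be tried against candidate passwords before it ships. It does not model the dictionary, difok or user-name checks. The sample passwords and the maxclassrepeat value of 4 (one of the values the guide lists for that variable) are constructed for the example.

```shell
#!/bin/sh
# Added example, not SCAP Security Guide code.
# usage: pwcheck PASSWORD MINLEN DCREDIT UCREDIT LCREDIT OCREDIT MINCLASS MAXREPEAT MAXCLASSREPEAT
# Prints "OK" or "FAIL: <rule>: <detail>"; exit status 0 only for OK.
pwcheck() {
    printf '%s\n' "$1" | awk -v minlen="$2" -v dc="$3" -v uc="$4" -v lc="$5" -v oc="$6" \
                             -v minclass="$7" -v maxrep="$8" -v maxcrep="$9" '
    function class(ch) {                       # pwquality character classes
        if (ch ~ /[[:digit:]]/) return "d"
        if (ch ~ /[[:upper:]]/) return "u"
        if (ch ~ /[[:lower:]]/) return "l"
        return "o"
    }
    function fail(msg) { print "FAIL: " msg; exit 1 }
    {
        n = length($0)
        for (i = 1; i <= n; i++) {             # per-class counts and longest runs
            ch = substr($0, i, 1); c = class(ch); cnt[c]++
            run  = (ch == prev)  ? run + 1  : 1; if (run  > maxrun)  maxrun  = run
            crun = (c  == prevc) ? crun + 1 : 1; if (crun > maxcrun) maxcrun = crun
            prev = ch; prevc = c
        }
        if (maxrep + 0 > 0 && maxrun > maxrep + 0)
            fail("maxrepeat: " maxrun " identical characters in a row, limit " maxrep)
        if (maxcrep + 0 > 0 && maxcrun > maxcrep + 0)
            fail("maxclassrepeat: " maxcrun " characters of one class in a row, limit " maxcrep)
        cr["d"] = dc + 0; cr["u"] = uc + 0; cr["l"] = lc + 0; cr["o"] = oc + 0
        nm["d"] = "dcredit"; nm["u"] = "ucredit"; nm["l"] = "lcredit"; nm["o"] = "ocredit"
        size = minlen + 0; classes = 0
        split("d u l o", order, " ")
        for (j = 1; j <= 4; j++) {
            c = order[j]; k = cnt[c] + 0; if (k > 0) classes++
            if (cr[c] >= 0) size -= (k > cr[c]) ? cr[c] : k       # positive: bonus towards minlen
            else if (k < -cr[c]) fail(nm[c] ": needs " (-cr[c]) " but has " k)  # negative: minimum
        }
        if (minclass + 0 > 0 && classes < minclass + 0)
            fail("minclass: " classes " classes present, " minclass " required")
        if (size > n) fail("minlen: " n " characters plus credits falls short of " minlen)
        print "OK"
    }'
}

# The strict policy from the example above (with maxclassrepeat=4) beside the
# same policy with every credit set to +1: the second accepts a 10-character
# password against minlen=14 because each class present buys one character.
for pw in 'C0rr3ct-H0rs3-B4tt3ry!' 'Tr0ub4dor&3' 'Correct-Horse-Battery-Staple1' 'Pa55w0rd!!'; do
    printf '%-30s strict: %-55s credits +1: %s\n' "$pw" \
        "$(pwcheck "$pw" 14 -1 -1 -1 -1 4 3 4)" "$(pwcheck "$pw" 14 1 1 1 1 0 3 4)"
done
```

The third sample shows the trade-off maxclassrepeat imposes: a long passphrase fails on a run of six lowercase letters while a shorter leetspeak string passes, so that parameter is worth trying against the passwords your users actually choose before enforcing it.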
Variables used by the password quality and lockout rules, each with the values the guide offers for it:
lcredit: Minimum number of lower case in password. Values: -1, 0, -2, -1
minclass: Minimum number of categories of characters that must exist in a password. Values: 3, 1, 2, 3, 4
maxrepeat: Maximum Number of Consecutive Repeating Characters in a Password. Values: 3, 1, 2, 3
fail_interval: Interval for counting failed login attempts before account lockout. Values: 100000000, 86400, 900, 900, 3600, 1800
ucredit: Minimum number of upper case in password. Values: -1, 0, -2, -1
fail_deny: Number of failed login attempts before account lockout. Values: 3, 10, 3, 5, 6
difok: Minimum number of characters not present in old password. Values: 2, 3, 4, 5, 6, 7, 8, 15, 8
fail_unlock_time: Seconds before automatic unlocking or permanently locking after excessive failed logins. Values: 604800, 86400, 900, 1800, never, 3600, never, 600
maxclassrepeat: Maximum Number of Consecutive Repeating Characters in a Password From the Same Character Class. Values: 4, 1, 2, 3, 4
ocredit: Minimum number of other (special characters) in password. Values: -1, 0, -2, -1
dcredit: Minimum number of digits in password. Values: -1, 0, -2, -1
retry: Number of retry attempts before erroring out. Values: 1, 2, 3, 4, 5, 3
minlen: Minimum number of characters in password. Values: 6, 7, 8, 10, 12, 14, 15, 15
Set Password Minimum Length The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements. RHEL-07-010280 SV-86559r2_rule 6.3.2 1 12 15 16 5 5.6.2.1.1 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-000205 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(1)(a) PR.AC-1 PR.AC-6 PR.AC-7 FMT_MOF_EXT.1 Req-8.2.3 SRG-OS-000078-GPOS-00046 SRG-OS-000072-VMM-000390 SRG-OS-000078-VMM-000450 The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password. CCE-27293-0 var_password_pam_minlen="" replace_or_append '/etc/security/pwquality.conf' '^minlen' $var_password_pam_minlen 'CCE-27293-0' '%s = %s' - name: XCCDF Value var_password_pam_minlen # promote to variable set_fact: var_password_pam_minlen: !!str tags: - always - name: Ensure PAM variable minlen is set accordingly lineinfile: create: yes dest: "/etc/security/pwquality.conf" regexp: '^#?\s*minlen' line: "minlen = {{ var_password_pam_minlen }}" tags: - accounts_password_pam_minlen - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27293-0 - NIST-800-53-IA-5(1)(a) - PCI-DSS-Req-8.2.3 - CJIS-5.6.2.1.1 - DISA-STIG-RHEL-07-010280 Set Password to Maximum of Consecutive Repeating Characters from Same Character Class The pam_pwquality module's maxclassrepeat parameter controls requirements for consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters from the same character class. Modify the maxclassrepeat setting in /etc/security/pwquality.conf to equal to prevent a run of ( + 1) or more consecutive characters from the same character class.
Identifiers and References: RHEL-07-010190 SV-86541r2_rule 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-000195 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5 IA-5(c) PR.AC-1 PR.AC-6 PR.AC-7 SRG-OS-000072-GPOS-00040

Rationale: Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex a password, the greater the number of possible combinations that need to be tested before the password is compromised.

Identifiers: CCE-27512-3

Remediation shell script:

    # XCCDF value substituted at build time; replace_or_append is the SSG shared helper
    var_password_pam_maxclassrepeat=""
    replace_or_append '/etc/security/pwquality.conf' '^maxclassrepeat' "$var_password_pam_maxclassrepeat" 'CCE-27512-3' '%s = %s'

Remediation Ansible snippet:

    - name: XCCDF Value var_password_pam_maxclassrepeat # promote to variable
      set_fact:
        var_password_pam_maxclassrepeat: !!str
      tags:
        - always

    - name: Ensure PAM variable maxclassrepeat is set accordingly
      lineinfile:
        create: yes
        dest: "/etc/security/pwquality.conf"
        regexp: '^#?\s*maxclassrepeat'
        line: "maxclassrepeat = {{ var_password_pam_maxclassrepeat }}"
      tags:
        - accounts_password_pam_maxclassrepeat
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27512-3
        - NIST-800-53-IA-5
        - NIST-800-53-IA-5(c)
        - DISA-STIG-RHEL-07-010190

Rule: Set Password Maximum Consecutive Repeating Characters

Description: The pam_pwquality module's maxrepeat parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters.
Modify the maxrepeat setting in /etc/security/pwquality.conf to equal the selected value, to prevent a run of (value + 1) or more identical characters.

Identifiers and References: RHEL-07-010180 SV-86539r3_rule 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-000195 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5 IA-5(c) PR.AC-1 PR.AC-6 PR.AC-7 SRG-OS-000072-GPOS-00040

Rationale: Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.

Identifiers: CCE-27333-4

Remediation shell script:

    # XCCDF value substituted at build time; replace_or_append is the SSG shared helper
    var_password_pam_maxrepeat=""
    replace_or_append '/etc/security/pwquality.conf' '^maxrepeat' "$var_password_pam_maxrepeat" 'CCE-27333-4' '%s = %s'

Remediation Ansible snippet:

    - name: XCCDF Value var_password_pam_maxrepeat # promote to variable
      set_fact:
        var_password_pam_maxrepeat: !!str
      tags:
        - always

    - name: Ensure PAM variable maxrepeat is set accordingly
      lineinfile:
        create: yes
        dest: "/etc/security/pwquality.conf"
        regexp: '^#?\s*maxrepeat'
        line: "maxrepeat = {{ var_password_pam_maxrepeat }}"
      tags:
        - accounts_password_pam_maxrepeat
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27333-4
        - NIST-800-53-IA-5
        - NIST-800-53-IA-5(c)
        - DISA-STIG-RHEL-07-010180

Rule: Set Password Strength Minimum Digit Characters

Description: The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password.
When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.

Identifiers and References: RHEL-07-010140 SV-86531r3_rule 6.3.2 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-000194 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(1)(a) IA-5(b) IA-5(c) 194 PR.AC-1 PR.AC-6 PR.AC-7 FMT_MOF_EXT.1 Req-8.2.3 SRG-OS-000071-GPOS-00039 SRG-OS-000071-VMM-000380

Rationale: Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.
Identifiers: CCE-27214-6

Remediation shell script:

    # XCCDF value substituted at build time; replace_or_append is the SSG shared helper
    var_password_pam_dcredit=""
    replace_or_append '/etc/security/pwquality.conf' '^dcredit' "$var_password_pam_dcredit" 'CCE-27214-6' '%s = %s'

Remediation Ansible snippet:

    - name: XCCDF Value var_password_pam_dcredit # promote to variable
      set_fact:
        var_password_pam_dcredit: !!str
      tags:
        - always

    - name: Ensure PAM variable dcredit is set accordingly
      lineinfile:
        create: yes
        dest: "/etc/security/pwquality.conf"
        regexp: '^#?\s*dcredit'
        line: "dcredit = {{ var_password_pam_dcredit }}"
      tags:
        - accounts_password_pam_dcredit
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27214-6
        - NIST-800-53-IA-5(1)(a)
        - NIST-800-53-IA-5(b)
        - NIST-800-53-IA-5(c)
        - NIST-800-53-194
        - PCI-DSS-Req-8.2.3
        - DISA-STIG-RHEL-07-010140

Rule: Set Password Strength Minimum Different Categories

Description: The pam_pwquality module's minclass parameter controls requirements for usage of different character classes, or types, of character that must exist in a password before it is considered valid. For example, setting this value to three (3) requires that any password must have characters from at least three different categories in order to be approved. The default value is zero (0), meaning there are no required classes. There are four categories available:

    * Upper-case characters
    * Lower-case characters
    * Digits
    * Special characters (for example, punctuation)

Modify the minclass setting in /etc/security/pwquality.conf to require differing categories of characters when changing passwords.
Identifiers and References: RHEL-07-010170 SV-86537r2_rule 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-000195 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5 PR.AC-1 PR.AC-6 PR.AC-7 SRG-OS-000072-GPOS-00040

Rationale: Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of character categories makes password guessing attacks more difficult by ensuring a larger search space.

Identifiers: CCE-27115-5

Remediation shell script:

    # XCCDF value substituted at build time; replace_or_append is the SSG shared helper
    var_password_pam_minclass=""
    replace_or_append '/etc/security/pwquality.conf' '^minclass' "$var_password_pam_minclass" 'CCE-27115-5' '%s = %s'

Remediation Ansible snippet:

    - name: XCCDF Value var_password_pam_minclass # promote to variable
      set_fact:
        var_password_pam_minclass: !!str
      tags:
        - always

    - name: Ensure PAM variable minclass is set accordingly
      lineinfile:
        create: yes
        dest: "/etc/security/pwquality.conf"
        regexp: '^#?\s*minclass'
        line: "minclass = {{ var_password_pam_minclass }}"
      tags:
        - accounts_password_pam_minclass
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27115-5
        - NIST-800-53-IA-5
        - DISA-STIG-RHEL-07-010170

Rule: Set Password Strength Minimum Different Characters

Description: The pam_pwquality module's difok parameter sets the number of characters in a password that must not be present in an old password during a password change.
Modify the difok setting in /etc/security/pwquality.conf to equal the selected value, to require differing characters when changing passwords.

Identifiers and References: RHEL-07-010160 SV-86535r2_rule 1 12 15 16 5 5.6.2.1.1 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-000195 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(b) IA-5(c) IA-5(1)(b) PR.AC-1 PR.AC-6 PR.AC-7 SRG-OS-000072-GPOS-00040

Rationale: Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.
Identifiers: CCE-26631-2

Remediation shell script:

    # XCCDF value substituted at build time; replace_or_append is the SSG shared helper
    var_password_pam_difok=""
    replace_or_append '/etc/security/pwquality.conf' '^difok' "$var_password_pam_difok" 'CCE-26631-2' '%s = %s'

Remediation Ansible snippet:

    - name: XCCDF Value var_password_pam_difok # promote to variable
      set_fact:
        var_password_pam_difok: !!str
      tags:
        - always

    - name: Ensure PAM variable difok is set accordingly
      lineinfile:
        create: yes
        dest: "/etc/security/pwquality.conf"
        regexp: '^#?\s*difok'
        line: "difok = {{ var_password_pam_difok }}"
      tags:
        - accounts_password_pam_difok
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-26631-2
        - NIST-800-53-IA-5(b)
        - NIST-800-53-IA-5(c)
        - NIST-800-53-IA-5(1)(b)
        - CJIS-5.6.2.1.1
        - DISA-STIG-RHEL-07-010160

Rule: Set Password Strength Minimum Special Characters

Description: The pam_pwquality module's ocredit= parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each special character. Modify the ocredit setting in /etc/security/pwquality.conf to equal the selected value, to require the use of a special character in passwords.

Identifiers and References: RHEL-07-010150 SV-86533r2_rule 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-001619 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(b) IA-5(c) IA-5(1)(a) PR.AC-1 PR.AC-6 PR.AC-7 FMT_MOF_EXT.1 SRG-OS-000266-GPOS-00101 SRG-OS-000266-VMM-000940

Rationale: Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.

Identifiers: CCE-27360-7

Remediation shell script:

    # XCCDF value substituted at build time; replace_or_append is the SSG shared helper
    var_password_pam_ocredit=""
    replace_or_append '/etc/security/pwquality.conf' '^ocredit' "$var_password_pam_ocredit" 'CCE-27360-7' '%s = %s'

Remediation Ansible snippet:

    - name: XCCDF Value var_password_pam_ocredit # promote to variable
      set_fact:
        var_password_pam_ocredit: !!str
      tags:
        - always

    - name: Ensure PAM variable ocredit is set accordingly
      lineinfile:
        create: yes
        dest: "/etc/security/pwquality.conf"
        regexp: '^#?\s*ocredit'
        line: "ocredit = {{ var_password_pam_ocredit }}"
      tags:
        - accounts_password_pam_ocredit
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27360-7
        - NIST-800-53-IA-5(b)
        - NIST-800-53-IA-5(c)
        - NIST-800-53-IA-5(1)(a)
        - DISA-STIG-RHEL-07-010150

Rule: Set Password Strength Minimum Lowercase Characters

Description: The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.
Identifiers and References: RHEL-07-010130 SV-86529r5_rule 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-000193 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(b) IA-5(c) IA-5(1)(a) PR.AC-1 PR.AC-6 PR.AC-7 FMT_MOF_EXT.1 Req-8.2.3 SRG-OS-000070-GPOS-00038 SRG-OS-000070-VMM-000370

Rationale: Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.
Identifiers: CCE-27345-8

Remediation shell script:

    # XCCDF value substituted at build time; replace_or_append is the SSG shared helper
    var_password_pam_lcredit=""
    replace_or_append '/etc/security/pwquality.conf' '^lcredit' "$var_password_pam_lcredit" 'CCE-27345-8' '%s = %s'

Remediation Ansible snippet:

    - name: XCCDF Value var_password_pam_lcredit # promote to variable
      set_fact:
        var_password_pam_lcredit: !!str
      tags:
        - always

    - name: Ensure PAM variable lcredit is set accordingly
      lineinfile:
        create: yes
        dest: "/etc/security/pwquality.conf"
        regexp: '^#?\s*lcredit'
        line: "lcredit = {{ var_password_pam_lcredit }}"
      tags:
        - accounts_password_pam_lcredit
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27345-8
        - NIST-800-53-IA-5(b)
        - NIST-800-53-IA-5(c)
        - NIST-800-53-IA-5(1)(a)
        - PCI-DSS-Req-8.2.3
        - DISA-STIG-RHEL-07-010130

Rule: Set Password Strength Minimum Uppercase Characters

Description: The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.

Identifiers and References: RHEL-07-010120 SV-86527r3_rule 6.3.2 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-000192 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(b) IA-5(c) IA-5(1)(a) PR.AC-1 PR.AC-6 PR.AC-7 FMT_MOF_EXT.1 Req-8.2.3 SRG-OS-000069-GPOS-00037 SRG-OS-000069-VMM-000360

Rationale: Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Identifiers: CCE-27200-5

Remediation shell script:

    # XCCDF value substituted at build time; replace_or_append is the SSG shared helper
    var_password_pam_ucredit=""
    replace_or_append '/etc/security/pwquality.conf' '^ucredit' "$var_password_pam_ucredit" 'CCE-27200-5' '%s = %s'

Remediation Ansible snippet:

    - name: XCCDF Value var_password_pam_ucredit # promote to variable
      set_fact:
        var_password_pam_ucredit: !!str
      tags:
        - always

    - name: Ensure PAM variable ucredit is set accordingly
      lineinfile:
        create: yes
        dest: "/etc/security/pwquality.conf"
        regexp: '^#?\s*ucredit'
        line: "ucredit = {{ var_password_pam_ucredit }}"
      tags:
        - accounts_password_pam_ucredit
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27200-5
        - NIST-800-53-IA-5(b)
        - NIST-800-53-IA-5(c)
        - NIST-800-53-IA-5(1)(a)
        - PCI-DSS-Req-8.2.3
        - DISA-STIG-RHEL-07-010120

Rule: Set Password Retry Prompts Permitted Per-Session

Description: To configure the number of retry prompts that are permitted per-session, edit the pam_pwquality.so statement in /etc/pam.d/system-auth to show retry=, or a lower value if site policy is more restrictive. The DoD requirement is a maximum of 3 prompts per session.
Identifiers and References: RHEL-07-010119 SV-87811r4_rule 6.3.2 1 11 12 15 16 3 5 9 5.5.3 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-000366 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 CM-6(b) IA-5(c) PR.AC-1 PR.AC-6 PR.AC-7 PR.IP-1 FMT_MOF_EXT.1 SRG-OS-000480-GPOS-00225

Rationale: Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module.

Identifiers: CCE-27160-1

Remediation shell script:

    # XCCDF value substituted at build time
    var_password_pam_retry=""
    if grep -q "retry=" /etc/pam.d/system-auth ; then
        # Replace only the retry value itself ([^[:space:]]*), so that any module
        # arguments following retry= on the same line are preserved.
        sed -i --follow-symlinks "s/\(retry *= *\)[^[:space:]]*/\1$var_password_pam_retry/" /etc/pam.d/system-auth
    else
        # No retry= present: append it to the pam_pwquality.so line.
        sed -i --follow-symlinks "/pam_pwquality.so/ s/$/ retry=$var_password_pam_retry/" /etc/pam.d/system-auth
    fi

Remediation Ansible snippet:

    - name: XCCDF Value var_password_pam_retry # promote to variable
      set_fact:
        var_password_pam_retry: !!str
      tags:
        - always

    - name: "Set Password Retry Prompts Permitted Per-Session - system-auth (change)"
      replace:
        dest: /etc/pam.d/system-auth
        follow: yes
        regexp: '(^.*\spam_pwquality.so\s.*retry\s*=\s*)(\S+)(.*$)'
        replace: '\g<1>{{ var_password_pam_retry }}\g<3>'
      tags:
        - accounts_password_pam_retry
        - medium_severity
        - configure_strategy
        - low_complexity
        - medium_disruption
        - CCE-27160-1
        - NIST-800-53-CM-6(b)
        - NIST-800-53-IA-5(c)
        - CJIS-5.5.3
        - DISA-STIG-RHEL-07-010119

    - name: "Set Password Retry Prompts Permitted Per-Session - system-auth (add)"
      replace:
        dest: /etc/pam.d/system-auth
        follow: yes
        regexp:
          '^.*\spam_pwquality.so\s(?!.*retry\s*=\s*).*$'
        replace: '\g<0> retry={{ var_password_pam_retry }}'
      tags:
        - accounts_password_pam_retry
        - medium_severity
        - configure_strategy
        - low_complexity
        - medium_disruption
        - CCE-27160-1
        - NIST-800-53-CM-6(b)
        - NIST-800-53-IA-5(c)
        - CJIS-5.5.3
        - DISA-STIG-RHEL-07-010119

Group: Set Password Quality Requirements, if using pam_cracklib

The pam_cracklib PAM module can be configured to meet requirements for a variety of policies. For example, to configure pam_cracklib to require at least one uppercase character, lowercase character, digit, and other (special) character, locate the following line in /etc/pam.d/system-auth:

    password requisite pam_cracklib.so try_first_pass retry=3

and then alter it to read:

    password required pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4

If no such line exists, add one as the first line of the password section in /etc/pam.d/system-auth. The arguments can be modified to ensure compliance with your organization's security policy. Discussion of each parameter follows. Note that the password quality requirements are not enforced for the root account.

Rule: Set Password Retry Prompts Permitted Per-Session

Description: To configure the number of retry prompts that are permitted per-session, edit the pam_cracklib.so statement in /etc/pam.d/system-auth to show retry=, or a lower value if site policy is more restrictive. The DoD requirement is a maximum of 3 prompts per session.
Identifiers and References: 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(c) PR.AC-1 PR.AC-6 PR.AC-7

Rationale: Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module.

Rule: Set Password Strength Minimum Special Characters

Description: The pam_cracklib module's ocredit= parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each special character. Add ocredit= after pam_cracklib.so to require use of a special character in passwords.

Identifiers and References: 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(b) IA-5(c) IA-5(1)(a) PR.AC-1 PR.AC-6 PR.AC-7

Rationale: Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.

Rule: Set Password Strength Minimum Digit Characters

Description: The pam_cracklib module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits.
When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. Add dcredit=-1 after pam_cracklib.so to require use of a digit in passwords.

Identifiers and References: 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(b) IA-5(c) PR.AC-1 PR.AC-6 PR.AC-7 Req-8.2.3

Rationale: Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.

Rule: Set Password Strength Minimum Different Categories

Description: The pam_cracklib module's minclass parameter controls requirements for usage of different character classes, or types, of character that must exist in a password before it is considered valid. For example, setting this value to three (3) requires that any password must have characters from at least three different categories in order to be approved. The default value is zero (0), meaning there are no required classes. There are four categories available:

    * Upper-case characters
    * Lower-case characters
    * Digits
    * Special characters (for example, punctuation)

Add minclass= after the pam_cracklib.so entry in the /etc/pam.d/system-auth file in order to require differing categories of characters when changing passwords. For example, to require at least three character classes in a password, use minclass=3.

Rationale: Requiring a minimum number of character categories makes password guessing attacks more difficult by ensuring a larger search space.

Rule: Set Password Strength Minimum Uppercase Characters

Description: The pam_cracklib module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters.
When set to a positive number, pam_cracklib will grant +1 additional length credit for each uppercase character. Add ucredit=-1 after pam_cracklib.so to require use of an upper case character in passwords.

Identifiers and References: 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.5.7 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(b) IA-5(c) IA-5(1)(a) PR.AC-1 PR.AC-6 PR.AC-7 Req-8.2.3

Rationale: Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space.

Rule: Set Password Strength Minimum Lowercase Characters

Description: The pam_cracklib module's lcredit= parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each lowercase character. Add lcredit=-1 after pam_cracklib.so to require use of a lowercase character in passwords.

Identifiers and References: 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(b) IA-5(c) IA-5(1)(a) PR.AC-1 PR.AC-6 PR.AC-7 Req-8.2.3

Rationale: Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.

Rule: Set Password Minimum Length

Description: The pam_cracklib module's minlen parameter controls requirements for minimum characters required in a password.
Add minlen= after pam_pwquality to set minimum password length requirements.

Identifiers and References: 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(1)(a) PR.AC-1 PR.AC-6 PR.AC-7 Req-8.2.3

Rationale: Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.

Rule: Set Password to Maximum of Three Consecutive Repeating Characters

Description: The pam_cracklib module's maxrepeat parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters. Add maxrepeat= after pam_cracklib.so to prevent a run of (value + 1) or more identical characters:

    password required pam_cracklib.so maxrepeat=

Identifiers and References: 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(c) PR.AC-1 PR.AC-6 PR.AC-7

Rationale: Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.

Rule: Set Password Strength Minimum Different Characters

Description: The pam_cracklib module's difok parameter controls requirements for usage of different characters during a password change. Add difok= after pam_cracklib.so to require differing characters when changing passwords. The DoD requirement is 4.
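As an added example (not SSG code and not part of the guide), the following Python re-implements the parameter semantics that the pam_pwquality and pam_cracklib rules above describe: the length credits (dcredit/ucredit/lcredit/ocredit), minlen, minclass, maxrepeat, maxclassrepeat and difok. It parses both the key = value format of /etc/security/pwquality.conf and a pam_cracklib-style module argument line, then evaluates constructed sample passwords. The fallback values for unset parameters, the sample configuration and the sample passwords are assumptions made for this example; the difok check is a simplified model of the documented rule.

```python
"""Offline model of the pam_pwquality / pam_cracklib checks discussed above.

Added example: this does not call libpwquality; it re-implements the documented
parameter semantics so that a policy line can be sanity-checked against samples.
"""

# Fallback values for parameters a configuration leaves unset (an assumption for
# this example, modelled on pwquality-style defaults; pam_cracklib's differ).
DEFAULTS = {
    "minlen": 8, "dcredit": 0, "ucredit": 0, "lcredit": 0, "ocredit": 0,
    "minclass": 0, "maxrepeat": 0, "maxclassrepeat": 0, "difok": 1,
}
CREDIT_FOR_CLASS = {"digit": "dcredit", "upper": "ucredit",
                    "lower": "lcredit", "other": "ocredit"}


def parse_pwquality_conf(text):
    """Parse the 'key = value' format of /etc/security/pwquality.conf."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blanks
        key, sep, value = line.partition("=")
        if sep and key.strip() in settings:
            settings[key.strip()] = int(value.strip())
    return settings


def parse_pam_args(pam_line):
    """Parse key=value module arguments from a pam_cracklib/pam_pwquality PAM line."""
    settings = dict(DEFAULTS)
    for token in pam_line.split():
        key, sep, value = token.partition("=")
        if sep and key in settings:                     # retry= etc. are ignored here
            settings[key] = int(value)
    return settings


def _char_class(ch):
    # Same precedence as the modules: digit, upper, lower, everything else is "other".
    if ch.isdigit():
        return "digit"
    if ch.isupper():
        return "upper"
    if ch.islower():
        return "lower"
    return "other"


def _longest_run(items):
    """Length of the longest run of consecutive equal items."""
    longest = run = 0
    prev = object()
    for item in items:
        run = run + 1 if item == prev else 1
        longest = max(longest, run)
        prev = item
    return longest


def check_password(new, settings, old=None):
    """Return the list of violated checks; an empty list means the password passes."""
    problems = []
    classes = [_char_class(c) for c in new]
    counts = {cls: classes.count(cls) for cls in CREDIT_FOR_CLASS}

    # Credits: a negative value is a hard minimum for that class; a non-negative
    # value lets each such character (up to the credit) count as extra length.
    required_len = settings["minlen"]
    for cls, key in CREDIT_FOR_CLASS.items():
        credit = settings[key]
        if credit >= 0:
            required_len -= min(counts[cls], credit)
        elif counts[cls] < -credit:
            problems.append("min_" + cls)
    if len(new) < required_len:
        problems.append("minlen")

    if settings["minclass"] > 0:
        if sum(1 for n in counts.values() if n) < settings["minclass"]:
            problems.append("minclass")
    # A run of (maxrepeat + 1) identical characters is rejected; likewise for classes.
    if settings["maxrepeat"] > 0 and _longest_run(new) > settings["maxrepeat"]:
        problems.append("maxrepeat")
    if settings["maxclassrepeat"] > 0 and _longest_run(classes) > settings["maxclassrepeat"]:
        problems.append("maxclassrepeat")
    # difok (simplified model): characters of the new password absent from the old one.
    if old is not None and settings["difok"] > 0:
        if sum(1 for c in new if c not in old) < settings["difok"]:
            problems.append("difok")
    return problems


# Constructed samples for this example (not taken from a real system).
CRACKLIB_LINE = ("password required pam_cracklib.so try_first_pass retry=3 "
                 "maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4")
PWQUALITY_CONF = """# constructed sample of /etc/security/pwquality.conf
minlen = 15
minclass = 4
maxclassrepeat = 4
difok = 8
dcredit = -1
"""

if __name__ == "__main__":
    policy = parse_pam_args(CRACKLIB_LINE)
    for pw in ("password", "Tr0ub4dor&3xyz", "Aaaa1111!bbbbbb"):
        print(f"{pw!r:20} -> {check_password(pw, policy) or 'ok'}")
    policy = parse_pwquality_conf(PWQUALITY_CONF)
    for pw in ("Correct-Horse-Battery-9", "xK9#pQ2$mW7!vB4"):
        print(f"{pw!r:26} -> {check_password(pw, policy, old='Correct-Horse-Battery-8') or 'ok'}")
```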
Identifiers and References: 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(b) IA-5(c) IA-5(1)(b) PR.AC-1 PR.AC-6 PR.AC-7

Rationale: Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.

Rule: Set Last Logon/Access Notification

Description: To configure the system to notify users of last logon/access using pam_lastlog, add or correct the pam_lastlog settings in /etc/pam.d/postlogin to read as follows:

    session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
    session [default=1] pam_lastlog.so nowtmp showfailed
    session optional pam_lastlog.so silent noupdate showfailed

Identifiers and References: RHEL-07-040530 SV-86899r3_rule 1 12 15 16 5.5.2 DSS05.04 DSS05.10 DSS06.10 CCI-000366 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-9 PR.AC-7 Req-10.2.4 SRG-OS-000480-GPOS-00227

Rationale: Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.
Identifiers: CCE-27275-7

Remediation shell script:

    # Remove any existing pam_lastlog.so session lines, then append the required pair.
    # (grep -q is used directly as the condition rather than via $(...) substitution.)
    if grep -q "^session.*pam_lastlog.so" /etc/pam.d/postlogin ; then
        sed -i --follow-symlinks "/pam_lastlog.so/d" /etc/pam.d/postlogin
    fi
    echo "session [default=1] pam_lastlog.so nowtmp showfailed" >> /etc/pam.d/postlogin
    echo "session optional pam_lastlog.so silent noupdate showfailed" >> /etc/pam.d/postlogin

Group: Protect Random-Number Entropy Pool

The I/O operations of the Linux kernel block layer, because of their inherently unpredictable execution times, have traditionally been considered a reliable source of contributions to the random-number entropy pool of the Linux kernel. This changed with the introduction of solid-state storage devices (SSDs).

Rule: Ensure Solid State Drives Do Not Contribute To Random-Number Entropy Pool

Description: For each solid-state drive on the system, run:

    # echo 0 > /sys/block/DRIVE/queue/add_random

Rationale: In contrast to traditional electromechanical magnetic disks, which contain spinning platters and/or movable read/write heads, solid-state storage devices (SSDs) contain no moving mechanical components. Their I/O operation completion times are therefore much more predictable.

Group: Installing and Maintaining Software

The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of software updates.

Group: Disk Partitioning

To ensure separation and protection of data, there are top-level system directories which should be placed on their own physical partition or logical volume. The installer's default partitioning scheme creates separate logical volumes for /, /boot, and swap. If starting with any of the default layouts, check the box to "Review and modify partitioning." This allows for the easy creation of additional logical volumes inside the volume group already created, though it may require making /'s logical volume smaller to create space.
In general, using logical volumes is preferable to using partitions because they can be more easily adjusted later.If creating a custom layout, create the partitions mentioned in the previous paragraph (which the installer will require anyway), as well as separate ones described in the following sections. If a system has already been installed, and the default partitioning scheme was used, it is possible but nontrivial to modify it to create separate logical volumes for the directories listed above. The Logical Volume Manager (LVM) makes this possible. See the LVM HOWTO at http://tldp.org/HOWTO/LVM-HOWTO/ for more detailed information on LVM. Encrypt Partitions Red Hat Enterprise Linux 7 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time. For manual installations, select the Encrypt checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots. For automated/unattended installations, it is possible to use Kickstart by adding the --encrypted and --passphrase= options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition: part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASE Any PASSPHRASE is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the --passphrase= option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation. By default, the Anaconda installer uses aes-xts-plain64 cipher with a minimum 512 bit key size which should be compatible with FIPS enabled. 
Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on the Red Hat Enterprise Linux 7 Documentation web site: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html. 13 14 APO01.06 BAI02.01 BAI06.01 DSS04.07 DSS05.03 DSS05.04 DSS05.07 DSS06.02 DSS06.06 3.13.16 CCI-001199 CCI-002476 164.308(a)(1)(ii)(D) 164.308(b)(1) 164.310(d) 164.312(a)(1) 164.312(a)(2)(iii) 164.312(a)(2)(iv) 164.312(b) 164.312(c) 164.314(b)(2)(i) 164.312(d) SR 3.4 SR 4.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 SC-13 SC-28(1) PR.DS-1 PR.DS-5 SRG-OS-000405-GPOS-00184 SRG-OS-000185-GPOS-00079 The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost. CCE-27128-8 Ensure /home Located On Separate Partition If user home directories will be stored locally, create a separate partition for /home at installation time (or migrate it later using LVM). If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later. RHEL-07-021310 SV-86683r2_rule 1.1.13 12 15 8 APO13.01 DSS05.02 CCI-000366 CCI-001208 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.13.1.1 A.13.2.1 A.14.1.3 SC-32(1) PR.PT-4 SRG-OS-000480-GPOS-00227 Ensuring that /home is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage. CCE-80144-9 part /home Ensure /srv Located On Separate Partition If a file server (FTP, TFTP...) 
is hosted locally, create a separate partition for /srv at installation time (or migrate it later using LVM). If /srv will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.

References: NT28(R12)

Rationale: /srv serves files for a local network file server such as FTP. Ensuring that /srv is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.

Ensure /var/tmp Located On Separate Partition

The /var/tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.

References: 1.1.7

Rationale: The /var/tmp partition is used as temporary storage by many programs. Placing /var/tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.

Remediation Kickstart snippet:

    part /var/tmp

Ensure /tmp Located On Separate Partition

The /tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.

References: RHEL-07-021340 SV-86689r2_rule 1.1.2 12 15 8 APO13.01 DSS05.02 CCI-000366 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.13.1.1 A.13.2.1 A.14.1.3 SC-32(1) PR.PT-4 SRG-OS-000480-GPOS-00227

Rationale: The /tmp partition is used as temporary storage by many programs. Placing /tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.

Identifiers: CCE-27173-4

Remediation Kickstart snippet:

    part /tmp

Ensure /var Located On Separate Partition

The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition or logical volume at installation time, or migrate it using LVM.

References: RHEL-07-021320 SV-86685r2_rule 1.1.6 12 15 8 APO13.01 DSS05.02 CCI-000366 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.13.1.1 A.13.2.1 A.14.1.3 SC-32(1) PR.PT-4 SRG-OS-000480-GPOS-00227 SRG-OS-000341-VMM-001220

Rationale: Ensuring that /var is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the /var directory to contain world-writable directories installed by other software packages.

Identifiers: CCE-26404-4

Remediation Kickstart snippet:

    part /var

Ensure /var/log/audit Located On Separate Partition

Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.

References: RHEL-07-021330 SV-86687r6_rule 1.1.12 1 12 13 14 15 16 2 3 5 6 8 APO11.04 APO13.01 BAI03.05 BAI04.04 DSS05.02 DSS05.04 DSS05.07 MEA02.01 CCI-000366 164.312(a)(2)(ii) 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.2 SR 7.6 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.17.2.1 AU-4 AU-9 SC-32(1) PR.DS-4 PR.PT-1 PR.PT-4 SRG-OS-000480-GPOS-00227 SRG-OS-000341-VMM-001220

Rationale: Placing /var/log/audit in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.

Identifiers: CCE-26971-2

Remediation Kickstart snippet:

    part /var/log/audit

Ensure /var/log Located On Separate Partition

System logs are stored in the /var/log directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.

References: 1.1.11 1 12 14 15 16 3 5 6 8 APO11.04 APO13.01 BAI03.05 DSS05.02 DSS05.04 DSS05.07 MEA02.01 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 AU-9 SC-32 PR.PT-1 PR.PT-4

Rationale: Placing /var/log in its own partition enables better separation between log files and other files in /var/.

Identifiers: CCE-26967-0

Remediation Kickstart snippet:

    part /var/log

Sudo

Sudo, which stands for "su 'do'", provides the ability to delegate authority to certain users, groups of users, or system administrators. When configured for system users and/or groups, Sudo can allow a user or group to execute privileged commands that normally only root is allowed to execute. For more information on Sudo and additional Sudo configuration options, see https://www.sudo.ws.

Ensure Users Re-Authenticate for Privilege Escalation - sudo

The sudo NOPASSWD tag and !authenticate option, when specified, allow a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that NOPASSWD and/or !authenticate do not exist in the /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.

References: 1 12 15 16 5 DSS05.04 DSS05.10 DSS06.03 DSS06.10 4.3.3.5.1 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-11 PR.AC-1 PR.AC-7

Rationale: Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

Only the VDSM User Can Use sudo NOPASSWD

The sudo NOPASSWD tag, when specified, allows a user to execute commands using sudo without having to authenticate. Only the vdsm user should have this capability in any sudo configuration snippets in /etc/sudoers.d/.

Rationale: Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate

The sudo !authenticate option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the !authenticate option does not exist in the /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.

References: RHEL-07-010350 SV-86573r3_rule NT28(R5) 1 12 15 16 5 DSS05.04 DSS05.10 DSS06.03 DSS06.10 CCI-002038 4.3.3.5.1 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-11 PR.AC-1 PR.AC-7 SRG-OS-000373-GPOS-00156 SRG-OS-000373-GPOS-00157 SRG-OS-000373-GPOS-00158

Rationale: Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

Identifiers: CCE-80350-2

Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD

The sudo NOPASSWD tag, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the NOPASSWD tag does not exist in the /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.
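The three sudo rules above (no NOPASSWD, no !authenticate, and the vdsm exemption) amount to one audit of the sudoers file and its snippet directory; the script below is an added example, not SSG's own OVAL check or remediation. The function names, the exempt-user argument and the sample sudoers snippets are constructed for illustration.

```shell
# Added example (not SSG code): audit a sudoers file and a snippet directory for
# password-less privilege escalation, i.e. the NOPASSWD tag and the !authenticate
# Defaults option, with an optional single exempt user as the VDSM rule allows.
#
# Usage: audit_sudoers SUDOERS_FILE SNIPPET_DIR [EXEMPT_USER]
# Prints one finding per line as "file:line: TAG: text"; prints nothing when clean.
audit_sudoers() {
    sudoers="$1"; snippets="$2"; exempt="${3:-}"
    for f in "$sudoers" "$snippets"/*; do
        [ -f "$f" ] || continue
        awk -v exempt="$exempt" -v fname="$f" '
            # Comment lines (including #include directives) carry no user specification.
            /^[[:space:]]*#/ { next }
            # A user specification starts with the user, %group or alias it grants
            # rights to; only that exact user may be exempted, everything else is a finding.
            /NOPASSWD/ && !(exempt != "" && $1 == exempt) {
                printf "%s:%d: NOPASSWD: %s\n", fname, NR, $0
            }
            # "Defaults !authenticate" (also Defaults:user / Defaults@host forms)
            # switches the password prompt off for everything it applies to.
            /!authenticate/ {
                printf "%s:%d: !authenticate: %s\n", fname, NR, $0
            }
        ' "$f"
    done
}

# Number of findings, usable as a pass/fail count in a compliance check.
count_sudoers_findings() {
    audit_sudoers "$@" | awk 'END { print NR }'
}

# Constructed sample configuration (not from a real system) to exercise the audit:
# a clean main file, one vdsm snippet, and one snippet with both weaknesses.
make_sample_sudoers() {
    dir="$1"
    mkdir -p "$dir/sudoers.d"
    cat > "$dir/sudoers" <<'EOF'
## constructed /etc/sudoers sample
Defaults    requiretty
# a commented-out NOPASSWD line must not be reported
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
EOF
    cat > "$dir/sudoers.d/vdsm" <<'EOF'
vdsm    ALL=(ALL)       NOPASSWD: ALL
EOF
    cat > "$dir/sudoers.d/ops" <<'EOF'
Defaults:deploy !authenticate
deploy  ALL=(ALL)       NOPASSWD: ALL
EOF
}

# Stand-alone run: build the sample, audit it with vdsm exempted, report the count.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_sudoers "$tmp"
    audit_sudoers "$tmp/sudoers" "$tmp/sudoers.d" vdsm
    echo "findings: $(count_sudoers_findings "$tmp/sudoers" "$tmp/sudoers.d" vdsm)"
    rm -rf "$tmp"
fi
```

Against a real host the call is `audit_sudoers /etc/sudoers /etc/sudoers.d vdsm` (drop the last argument outside oVirt/RHV deployments, where no NOPASSWD entry should exist).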
References: RHEL-07-010340 SV-86571r3_rule NT28(R5) 1 12 15 16 5 DSS05.04 DSS05.10 DSS06.03 DSS06.10 CCI-002038 4.3.3.5.1 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-11 PR.AC-1 PR.AC-7 SRG-OS-000373-GPOS-00156 SRG-OS-000373-GPOS-00157 SRG-OS-000373-GPOS-00158

Rationale: Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

Identifiers: CCE-80351-0

SAP Specific Requirement

SAP (Systems, Applications and Products in Data Processing) is enterprise software to manage business operations and customer relations. The following section contains SAP specific requirements that are not part of standard or common OS settings.

Accounts

Authorized Local Users on the Operating System

List the user accounts that are authorized locally on the operating system. This list includes both users required by the operating system and by the installed applications. Depending on the operating system distribution, version, software groups and applications, the user list is different and can be customized with scap-workbench. An OVAL regular expression is used for the user list. The list starts with '^' and ends with '$' so that it matches exactly the username, not any string that includes the username. Users are separated with '|'. For example, if three users bin, oracle and sapadm are allowed, then the list is ^(bin|oracle|sapadm)$. The user root is the only user that is hard coded in OVAL and is always allowed on the operating system.
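A check in the spirit of the rule above, as an added example rather than the SSG OVAL content: it applies an allow-list written in the rule's ^(user|user|...)$ format to a passwd file and reports every account the expression does not cover, with root always accepted. The function names, the constructed passwd sample and the shortened allow-list are assumptions made for illustration.

```shell
# Added example (not SSG code): report local accounts that are not covered by the
# authorized-user regular expression. root is always accepted, mirroring the
# hard-coded exception in the OVAL check.
#
# Usage: unauthorized_users PASSWD_FILE ALLOWED_REGEX
# Prints one unauthorized username per line; prints nothing when all are allowed.
unauthorized_users() {
    passwd_file="$1"; allowed="$2"
    # Field 1 of passwd(5) is the username. Each name is tested on its own so
    # the anchors in the list decide whole-name matches, exactly as the rule says.
    cut -d: -f1 "$passwd_file" | while IFS= read -r user; do
        [ "$user" = "root" ] && continue
        printf '%s\n' "$user" | grep -qE -e "$allowed" || printf '%s\n' "$user"
    done
}

# Number of unauthorized accounts; 0 means the system passes the check.
count_unauthorized_users() {
    unauthorized_users "$@" | awk 'END { print NR }'
}

# Constructed sample passwd file (not from a real system): OS accounts, two
# SAP-style accounts matching the [a-z][a-z0-9][a-z0-9]adm and
# ora[a-z][a-z0-9][a-z0-9] patterns, and two accounts that should be flagged.
make_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sapadm:x:1001:1001:SAP Host Agent:/home/sapadm:/bin/bash
pr1adm:x:1002:1002:SAP System Admin:/home/pr1adm:/bin/bash
orapr1:x:1003:1003:Oracle DB Admin:/home/orapr1:/bin/bash
backupsvc:x:1004:1004:unexpected account:/home/backupsvc:/bin/bash
mallory:x:1005:1005:unexpected account:/home/mallory:/bin/bash
EOF
}

# A shortened allow-list in the rule's format; the full SAP list from the rule
# above can be passed instead.
SAMPLE_ALLOWED='^(bin|daemon|sapadm|oracle|[a-z][a-z0-9][a-z0-9]adm|ora[a-z][a-z0-9][a-z0-9])$'

# Stand-alone run: build the sample and list the accounts the allow-list rejects.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_passwd "$tmp"
    unauthorized_users "$tmp" "$SAMPLE_ALLOWED"
    rm -f "$tmp"
fi
```

Dropping the anchors changes the result: an unanchored `adm` accepts sapadm and pr1adm by substring, which is the mistake the '^' and '$' requirement prevents.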
Available values:

    ^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd)$
    ^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|[a-z][a-z0-9][a-z0-9]adm|ora[a-z][a-z0-9][a-z0-9]|sapadm|oracle)$

System and Software Integrity

System and software integrity can be gained by installing antivirus, increasing system encryption strength with FIPS, verifying installed software, enabling SELinux, installing an Intrusion Prevention System, etc. However, installing or enabling integrity checking tools cannot prevent intrusions, but they can detect that an intrusion may have occurred. Requirements for integrity checking may be highly dependent on the environment in which the system will be used. Snapshot-based approaches such as AIDE may induce considerable overhead in the presence of frequent software updates.

Operating System Vendor Support and Certification

The assurance of a vendor to provide operating system support and maintenance for their product is an important criterion to ensure product stability and security over the life of the product. A certified product that follows the necessary standards and government certification requirements guarantees that known software vulnerabilities will be remediated, and proper guidance for protecting and securing the operating system will be given.

The Installed Operating System Is Vendor Supported

The installed operating system must be maintained by a vendor. Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Linux vendor, Red Hat, Inc. is responsible for providing security patches. There is no remediation besides switching to a different operating system.

References: RHEL-07-020250 SV-86621r3_rule 18 20 4 APO12.01 APO12.02 APO12.03 APO12.04 BAI03.10 DSS05.01 DSS05.02 CCI-000366 4.2.3 4.2.3.12 4.2.3.7 4.2.3.9 A.12.6.1 A.14.2.3 A.16.1.3 A.18.2.2 A.18.2.3 SI-2(c) ID.RA-1 PR.IP-12 SRG-OS-000480-GPOS-00227

Rationale: An operating system is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve any security issue discovered in the system software.

The Installed Operating System Is FIPS 140-2 Certified

To enable processing of sensitive information the operating system must provide certified cryptographic modules compliant with the FIPS 140-2 standard. Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Linux vendor, Red Hat, Inc. is responsible for maintaining government certifications and standards. There is no remediation besides switching to a different operating system.

References: IA-5 SC-13

Rationale: The Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS PUB 140-2) is a computer security standard. The standard specifies security requirements for cryptographic modules used to protect sensitive unclassified information. Refer to the full FIPS 140-2 standard at http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf for further details on the requirements. FIPS 140-2 validation is required by U.S. law when information systems use cryptography to protect sensitive government information. In order to achieve FIPS 140-2 certification, cryptographic modules are subject to extensive testing by independent laboratories, accredited by the National Institute of Standards and Technology (NIST).

Identifiers: CCE-80657-0

Federal Information Processing Standard (FIPS)

The Federal Information Processing Standard (FIPS) is a computer security standard which is developed by the U.S. Government and industry working groups to validate the quality of cryptographic modules. The FIPS standard provides four security levels to ensure adequate coverage of different industries, implementations of cryptographic modules, and organizational sizes and requirements. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets industry and government requirements. For government systems, this allows Security Levels 1, 2, 3, or 4 for use on Red Hat Enterprise Linux 7. See http://csrc.nist.gov/publications/PubsFIPS.html for more information.

Install the dracut-fips Package

To enable FIPS, the system requires that the dracut-fips package be installed. The dracut-fips package can be installed with the following command:

    $ sudo yum install dracut-fips

References: 12 15 8 5.10.1.2 APO13.01 DSS01.04 DSS05.02 DSS05.03 3.13.11 3.13.8 CCI-000068 CCI-002450 4.3.3.6.6 SR 1.13 SR 2.6 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.13.1.1 A.13.2.1 A.14.1.3 A.6.2.1 A.6.2.2 AC-17(2) PR.AC-3 PR.PT-4 SRG-OS-000033-GPOS-00014 SRG-OS-000396-GPOS-00176 SRG-OS-000478-GPOS-00223

Rationale: Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Identifiers: CCE-80358-5

Remediation shell script:

    # package_install is a helper from the SSG bash remediation function library
    package_install dracut-fips

Remediation Ansible snippet:

    - name: Ensure dracut-fips is installed
      package:
        name: dracut-fips
        state: present
      when: ansible_distribution == 'Red Hat Enterprise Linux' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - package_dracut-fips_installed
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80358-5
        - NIST-800-53-AC-17(2)
        - NIST-800-171-3.13.11
        - NIST-800-171-3.13.8
        - CJIS-5.10.1.2

Remediation Anaconda snippet:

    package --add=dracut-fips

Enable FIPS Mode in GRUB2

To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:

    $ sudo yum install dracut-fips
    dracut -f

After the dracut command has been run, add the argument fips=1 to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:

    GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 fips=1"

Finally, rebuild the grub.cfg file by using the grub2-mkconfig -o command as follows. On BIOS-based machines, issue the following command as root:

    ~]# grub2-mkconfig -o /boot/grub2/grub.cfg

On UEFI-based machines, issue the following command as root:

    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

Running dracut -f will overwrite the existing initramfs file. The system needs to be rebooted for these changes to take effect.

The ability to enable FIPS does not denote FIPS compliance or certification. Red Hat, Inc. and Red Hat Enterprise Linux are respectively FIPS certified and compliant. Community projects such as CentOS, Scientific Linux, Fedora, etc. do not necessarily meet FIPS certification and compliance. Therefore, non-certified vendors and/or projects do not meet this requirement even if technically feasible. See http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm for a list of FIPS certified vendors.
References: RHEL-07-021350 SV-86691r4_rule 12 15 8 5.10.1.2 APO13.01 DSS01.04 DSS05.02 DSS05.03 3.13.8 3.13.11 CCI-000068 CCI-002450 4.3.3.6.6 SR 1.13 SR 2.6 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.13.1.1 A.13.2.1 A.14.1.3 A.6.2.1 A.6.2.2 IA-5 SC-13 AC-17(2) PR.AC-3 PR.PT-4 SRG-OS-000033-GPOS-00014 SRG-OS-000396-GPOS-00176 SRG-OS-000478-GPOS-00223

Rationale: Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Identifiers: CCE-80359-3

Remediation shell script:

    # disable_prelink and package_install are helpers from the SSG bash remediation function library
    disable_prelink
    package_install dracut-fips
    dracut -f
    # Correct the form of default kernel command line in grub
    if grep -q '^GRUB_CMDLINE_LINUX=.*fips=.*"' /etc/default/grub; then
        # modify the GRUB command-line if a fips= arg already exists
        sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)fips=[^[:space:]]*\(.*"\)/\1 fips=1 \2/' /etc/default/grub
    else
        # no existing fips=arg is present, append it
        sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 fips=1"/' /etc/default/grub
    fi
    # Get the UUID of the device mounted at /boot.
    BOOT_UUID=$(findmnt --noheadings --output uuid --target /boot)
    if grep -q '^GRUB_CMDLINE_LINUX=".*boot=.*"' /etc/default/grub; then
        # modify the GRUB command-line if a boot= arg already exists
        sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)boot=[^[:space:]]*\(.*"\)/\1 boot=UUID='"${BOOT_UUID} \2/" /etc/default/grub
    else
        # no existing boot=arg is present, append it
        sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 boot=UUID='${BOOT_UUID}'"/' /etc/default/grub
    fi
    # Correct the form of kernel command line for each installed kernel in the bootloader
    /sbin/grubby --update-kernel=ALL --args="fips=1 boot=UUID=${BOOT_UUID}"

Remediation Anaconda snippet:

    package --add=dracut-fips

System Cryptographic Policies

Linux has the capability to centrally configure cryptographic policies. The command update-crypto-policies is used to set the policy applicable for the various cryptographic back-ends, such as SSL/TLS libraries. The configured cryptographic policies will be the default policy used by these backends unless the application user configures them otherwise. When the system has been configured to use the centralized cryptographic policies, the administrator is assured that any application that utilizes the supported backends will follow a policy that adheres to the configured profile. Currently the supported backends are:

  - GnuTLS library
  - OpenSSL library
  - NSS library
  - OpenJDK
  - Libkrb5
  - BIND
  - OpenSSH

Applications and languages which rely on any of these backends will follow the system policies as well. Examples are apache httpd, nginx, php, and others.

The system-provided crypto policies

Specify the crypto policy for the system.

Available values: DEFAULT FIPS FUTURE LEGACY NEXT

Endpoint Protection Software

Endpoint protection security software that is not provided or supported by Red Hat can be installed to provide complementary or duplicative security capabilities to those provided by the base platform. Add-on software may not be appropriate for some specialized systems.

McAfee Endpoint Security Software

In DoD environments, McAfee Host-based Security System (HBSS) and VirusScan Enterprise for Linux (VSEL) are required to be installed on all systems.

The age of McAfee definition file before requiring updating

Specify the amount of time (in seconds) before McAfee definition files need to be updated.

Available values: 2592000 2592000 604800 86400

McAfee Host-Based Intrusion Detection Software (HBSS)

McAfee Host-based Security System (HBSS) is a suite of software applications used to monitor, detect, and defend computer networks and systems.

Install the Policy Auditor (PA) Module

Install the Policy Auditor (PA) Module. Due to McAfee being 3rd party software, automated remediation is not available for this configuration check.

References: 1 11 12 13 14 15 16 18 19 2 3 4 5 6 7 8 9 APO01.06 APO07.06 APO08.04 APO10.05 APO11.06 APO12.01 APO12.02 APO12.03 APO12.04 APO12.06 APO13.01 APO13.02 BAI08.02 BAI08.04 DSS01.03 DSS01.05 DSS02.04 DSS02.05 DSS02.07 DSS03.01 DSS03.04 DSS03.05 DSS04.05 DSS05.01 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.01 DSS06.02 MEA03.03 MEA03.04 CCI-000366 CCI-001263 4.2.3 4.2.3.12 4.2.3.7 4.2.3.9 4.3.3.4 4.3.4.5.2 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.3.4.5.9 4.4.3.2 4.4.3.3 4.4.3.4 SR 2.10 SR 2.11 SR 2.12 SR 2.4 SR 2.8 SR 2.9 SR 3.1 SR 3.3 SR 3.5 SR 3.8 SR 3.9 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.4.1 A.12.4.3 A.12.5.1 A.12.6.1 A.12.6.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.7 A.14.2.8 A.15.2.1 A.16.1.1 A.16.1.2 A.16.1.3 A.16.1.4 A.16.1.5 A.16.1.6 A.16.1.7 A.18.1.4 A.18.2.2 A.18.2.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 Clause 16.1.2 Clause 7.4 SC-7 SI-4(1).1 DE.AE-1 DE.AE-2 DE.AE-3 DE.AE-4 DE.CM-1 DE.CM-5 DE.CM-6 DE.CM-7 DE.DP-2 DE.DP-3 DE.DP-4 DE.DP-5 ID.RA-1 PR.AC-5 PR.DS-5 PR.IP-8 PR.PT-4 RS.AN-1 RS.CO-3 Req-11.4 STG-OS-000480-GPOS-00227

Rationale: Without a host-based intrusion detection tool, there is no system-level defense when an intruder gains access to a system or network. Additionally, a host-based intrusion prevention tool can provide methods to immediately lock out detected intrusion attempts.

Identifiers: CCE-80369-2

Install the Asset Configuration Compliance Module (ACCM)

Install the Asset Configuration Compliance Module (ACCM). Due to HBSS ACCM being 3rd party software, automated remediation is not available for this configuration check.

References: 1 11 12 13 14 15 16 18 19 2 3 4 5 6 7 8 9 APO01.06 APO07.06 APO08.04 APO10.05 APO11.06 APO12.01 APO12.02 APO12.03 APO12.04 APO12.06 APO13.01 APO13.02 BAI08.02 BAI08.04 DSS01.03 DSS01.05 DSS02.04 DSS02.05 DSS02.07 DSS03.01 DSS03.04 DSS03.05 DSS04.05 DSS05.01 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.01 DSS06.02 MEA03.03 MEA03.04 CCI-000366 CCI-001263 4.2.3 4.2.3.12 4.2.3.7 4.2.3.9 4.3.3.4 4.3.4.5.2 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.3.4.5.9 4.4.3.2 4.4.3.3 4.4.3.4 SR 2.10 SR 2.11 SR 2.12 SR 2.4 SR 2.8 SR 2.9 SR 3.1 SR 3.3 SR 3.5 SR 3.8 SR 3.9 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.4.1 A.12.4.3 A.12.5.1 A.12.6.1 A.12.6.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.7 A.14.2.8 A.15.2.1 A.16.1.1 A.16.1.2 A.16.1.3 A.16.1.4 A.16.1.5 A.16.1.6 A.16.1.7 A.18.1.4 A.18.2.2 A.18.2.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 Clause 16.1.2 Clause 7.4 SC-7 SI-4(1).1 DE.AE-1 DE.AE-2 DE.AE-3 DE.AE-4 DE.CM-1 DE.CM-5 DE.CM-6 DE.CM-7 DE.DP-2 DE.DP-3 DE.DP-4 DE.DP-5 ID.RA-1 PR.AC-5 PR.DS-5 PR.IP-8 PR.PT-4 RS.AN-1 RS.CO-3 Req-11.4 STG-OS-000480-GPOS-00227

Rationale: Without a host-based intrusion detection tool, there is no system-level defense when an intruder gains access to a system or network. Additionally, a host-based intrusion prevention tool can provide methods to immediately lock out detected intrusion attempts.

Identifiers: CCE-80126-6

Install the Host Intrusion Prevention System (HIPS) Module

Install the McAfee Host Intrusion Prevention System (HIPS) Module if it is absolutely necessary. If SELinux is enabled, do not install or enable this module. Installing and enabling this module conflicts with SELinux. Per DoD/DISA guidance, SELinux takes precedence over this module. Due to McAfee HIPS being 3rd party software, automated remediation is not available for this configuration check.

References: 1 11 12 13 14 15 16 18 19 2 3 4 5 6 7 8 9 APO01.06 APO07.06 APO08.04 APO10.05 APO11.06 APO12.01 APO12.02 APO12.03 APO12.04 APO12.06 APO13.01 APO13.02 BAI08.02 BAI08.04 DSS01.03 DSS01.05 DSS02.04 DSS02.05 DSS02.07 DSS03.01 DSS03.04 DSS03.05 DSS04.05 DSS05.01 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.01 DSS06.02 MEA03.03 MEA03.04 CCI-000366 CCI-001263 4.2.3 4.2.3.12 4.2.3.7 4.2.3.9 4.3.3.4 4.3.4.5.2 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.3.4.5.9 4.4.3.2 4.4.3.3 4.4.3.4 SR 2.10 SR 2.11 SR 2.12 SR 2.4 SR 2.8 SR 2.9 SR 3.1 SR 3.3 SR 3.5 SR 3.8 SR 3.9 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.4.1 A.12.4.3 A.12.5.1 A.12.6.1 A.12.6.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.7 A.14.2.8 A.15.2.1 A.16.1.1 A.16.1.2 A.16.1.3 A.16.1.4 A.16.1.5 A.16.1.6 A.16.1.7 A.18.1.4 A.18.2.2 A.18.2.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 Clause 16.1.2 Clause 7.4 SC-7 SI-4(1).1 DE.AE-1 DE.AE-2 DE.AE-3 DE.AE-4 DE.CM-1 DE.CM-5 DE.CM-6 DE.CM-7 DE.DP-2 DE.DP-3 DE.DP-4 DE.DP-5 ID.RA-1 PR.AC-5 PR.DS-5 PR.IP-8 PR.PT-4 RS.AN-1 RS.CO-3 Req-11.4 STG-OS-000480-GPOS-00227

Rationale: Without a host-based intrusion detection tool, there is no system-level defense when an intruder gains access to a system or network. Additionally, a host-based intrusion prevention tool can provide methods to immediately lock out detected intrusion attempts.

Identifiers: CCE-80368-4

Enable nails Service

The nails service is used to run McAfee VirusScan Enterprise for Linux and McAfee Host-based Security System (HBSS) services.
The nails service can be enabled with the following command:

    $ sudo systemctl enable nails.service

References: 12 13 14 4 7 8 APO01.06 APO13.02 BAI02.01 BAI06.01 DSS04.07 DSS05.01 DSS05.02 DSS05.03 DSS06.06 CCI-000366 CCI-001239 CCI-001668 4.3.4.3.8 4.4.3.2 SR 3.2 SR 3.3 SR 3.4 SR 4.1 A.12.2.1 A.14.2.8 A.8.2.3 SC-28 SI-3 SI-3(1)(ii) DE.CM-4 DE.DP-3 PR.DS-1 SRG-OS-000480-GPOS-00227

Rationale: Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.

Identifier: CCE-80128-2

Remediation script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" start 'nails.service'
    "$SYSTEMCTL_EXEC" enable 'nails.service'

Remediation Ansible snippet:

    - name: Enable service nails
      service:
        name: nails
        enabled: "yes"
        state: "started"
      tags:
        - service_nails_enabled
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80128-2
        - NIST-800-53-SC-28
        - NIST-800-53-SI-3
        - NIST-800-53-SI-3(1)(ii)
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Install McAfee Virus Scanning Software

Install McAfee VirusScan Enterprise for Linux antivirus software, which is provided for DoD systems and uses signatures to search for the presence of viruses on the filesystem. Because McAfee HIPS is third-party software, automated remediation is not available for this configuration check.

DISA STIG: RHEL-07-032000 SV-86837r3_rule

References: 12 13 14 4 7 8 APO01.06 APO13.02 BAI02.01 BAI06.01 DSS04.07 DSS05.01 DSS05.02 DSS05.03 DSS06.06 CCI-000366 CCI-001239 CCI-001668 4.3.4.3.8 4.4.3.2 SR 3.2 SR 3.3 SR 3.4 SR 4.1 A.12.2.1 A.14.2.8 A.8.2.3 SC-28 SI-3 SI-3(1)(ii) DE.CM-4 DE.DP-3 PR.DS-1 SRG-OS-000480-GPOS-00227

Rationale: Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.

Identifier: CCE-80127-4

Virus Scanning Software Definitions Are Updated

Ensure virus definition files are no older than 7 days or their last release.

DISA STIG: RHEL-07-032010

References: 12 13 14 4 7 8 APO01.06 APO13.02 BAI02.01 BAI06.01 DSS04.07 DSS05.01 DSS05.02 DSS05.03 DSS06.06 CCI-000366 CCI-001239 CCI-001668 4.3.4.3.8 4.4.3.2 SR 3.2 SR 3.3 SR 3.4 SR 4.1 A.12.2.1 A.14.2.8 A.8.2.3 SC-28 SI-3 SI-3(1)(ii) DE.CM-4 DE.DP-3 PR.DS-1 SRG-OS-000480-GPOS-00227

Rationale: Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.

Identifier: CCE-80129-0

Install the McAfee Runtime Libraries and Linux Agent

Install the McAfee Runtime Libraries (MFErt) and Linux Agent (MFEcma).

The McAfee Runtime Libraries (MFErt) and Linux Agent (MFEcma) are dependencies for VirusScan Enterprise for Linux (VSEL) and Host-based Security System (HBSS) to run.

Identifier: CCE-80367-6

Configure Backups of User Data

The operating system must conduct backups of user data contained in the operating system. The operating system provides utilities for automating backups of user data. Commercial and open-source products are also available.

Operating system backup is a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users. Backups shall be consistent with organizational recovery time and recovery point objectives.

Install Virus Scanning Software

Install virus scanning software, which uses signatures to search for the presence of viruses on the filesystem. Ensure virus definition files are no older than 7 days, or their last release. Configure the virus scanning software to perform scans dynamically on all accessed files. If this is not possible, configure the system to scan all altered files on the system on a daily basis. If the system processes inbound SMTP mail, configure the virus scanner to scan all received mail.

References: 12 13 14 4 7 8 APO01.06 APO13.02 BAI02.01 BAI06.01 DSS04.07 DSS05.01 DSS05.02 DSS05.03 DSS06.06 CCI-001239 CCI-001668 4.3.4.3.8 4.4.3.2 SR 3.2 SR 3.3 SR 3.4 SR 4.1 A.12.2.1 A.14.2.8 A.8.2.3 SC-28 SI-3 DE.CM-4 DE.DP-3 PR.DS-1

Rationale: Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.

Identifier: CCE-27140-3

Install Intrusion Detection Software

The base Red Hat Enterprise Linux 7 platform already includes a sophisticated auditing system that can detect intruder activity, as well as SELinux, which provides host-based intrusion prevention capabilities by confining privileged programs and user sessions which may become compromised. Note that in DoD environments, supplemental intrusion detection tools, such as the McAfee Host-based Security System, are available to integrate with existing infrastructure. When these supplemental tools interfere with proper functioning of SELinux, SELinux takes precedence.

References: 1 12 13 14 15 16 18 7 8 9 APO01.06 APO13.01 DSS01.03 DSS01.05 DSS03.05 DSS05.02 DSS05.04 DSS05.07 DSS06.02 CCI-001263 4.3.3.4 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.2 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 SC-7 DE.CM-1 PR.AC-5 PR.DS-5 PR.PT-4 Req-11.4

Rationale: Host-based intrusion detection tools provide a system-level defense when an intruder gains access to a system or network.

Identifier: CCE-26818-5

Software Integrity Checking

Both the AIDE (Advanced Intrusion Detection Environment) software and the RPM package management system provide mechanisms for verifying the integrity of installed software. AIDE uses snapshots of file metadata (such as hashes) and compares these to current system files in order to detect changes.
The RPM package management system can conduct integrity checks by comparing information in its metadata database with files installed on the system.

Verify Integrity with RPM

The RPM package management system includes the ability to verify the integrity of installed packages by comparing the installed files with information about the files taken from the package metadata stored in the RPM database. Although an attacker could corrupt the RPM database (analogous to attacking the AIDE database as described above), this check can still reveal modification of important files. To list which files on the system differ from what is expected by the RPM database:

    $ rpm -qVa

See the man page for rpm for a complete explanation of each column.

Verify and Correct File Permissions with RPM

The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions of system files and commands match vendor values. Check the file permissions with the following command:

    $ sudo rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }'

Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it:

    $ rpm -qf FILENAME

Next, run the following command to reset its permissions to the correct values:

    $ sudo rpm --setperms PACKAGENAME

Note: Due to a bug in the gdm package, the RPM verify command may continue to fail even after file permissions have been correctly set on /var/log/gdm. This is being tracked in Red Hat Bugzilla #1277603.

DISA STIG: RHEL-07-010010 SV-86473r3_rule

References: 1.2.6 6.1.3 6.1.4 6.1.5 6.1.6 6.1.7 6.1.8 6.1.9 6.2.3 1 11 12 13 14 15 16 18 3 5 6 9 5.10.4.1 APO01.06 APO11.04 BAI03.05 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.04 DSS05.07 DSS06.02 MEA02.01 3.3.8 3.4.1 CCI-001494 CCI-001496 164.308(a)(1)(ii)(D) 164.312(b) 164.312(c)(1) 164.312(c)(2) 164.312(e)(2)(i) 4.3.3.3.9 4.3.3.5.8 4.3.3.7.3 4.3.4.3.2 4.3.4.3.3 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 5.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.5.1 A.12.6.2 A.12.7.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 AU-9(1) AU-9(3) CM-6(d) CM-6(3) PR.AC-4 PR.DS-5 PR.IP-1 PR.PT-1 Req-11.5 SRG-OS-000257-GPOS-00098 SRG-OS-000278-GPOS-00108

Rationale: Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.

Identifier: CCE-27209-6

Remediation script:

    # Declare array to hold list of RPM packages we need to correct permissions for
    declare -a SETPERMS_RPM_LIST

    # Create a list of files on the system having permissions different from what
    # is expected by the RPM database
    FILES_WITH_INCORRECT_PERMS=($(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }'))

    # For each file path from that list:
    # * Determine the RPM package the file path is shipped by,
    # * Include it into SETPERMS_RPM_LIST array
    for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
    do
      RPM_PACKAGE=$(rpm -qf "$FILE_PATH")
      SETPERMS_RPM_LIST=("${SETPERMS_RPM_LIST[@]}" "$RPM_PACKAGE")
    done

    # Remove duplicate mention of same RPM in $SETPERMS_RPM_LIST (if any)
    SETPERMS_RPM_LIST=( $(echo "${SETPERMS_RPM_LIST[@]}" | tr ' ' '\n' | sort -u | tr '\n' ' ') )

    # For each of the RPM packages left in the list -- reset its permissions to the
    # correct values
    for RPM_PACKAGE in "${SETPERMS_RPM_LIST[@]}"
    do
      rpm --setperms "${RPM_PACKAGE}"
    done

Remediation Ansible snippet:

    - name: "Read list of files with incorrect permissions"
      shell: "rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)==\"M\") print $NF }'"
      args:
        warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect permissions using rpm module
      register: files_with_incorrect_permissions
      failed_when: False
      changed_when: False
      check_mode: no
      tags:
        - rpm_verify_permissions
        - high_severity
        - restrict_strategy
        - high_complexity
        - medium_disruption
        - CCE-27209-6
        - NIST-800-53-AC-6
        - NIST-800-53-AU-9(1)
        - NIST-800-53-AU-9(3)
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-171-3.3.8
        - NIST-800-171-3.4.1
        - PCI-DSS-Req-11.5
        - CJIS-5.10.4.1
        - DISA-STIG-RHEL-07-010010

    - name: "Correct file permissions with RPM"
      shell: "rpm --setperms $(rpm -qf '{{ item }}')"
      args:
        warn: False # Ignore ANSIBLE0006, we can't correct permissions using rpm module
      with_items: "{{ files_with_incorrect_permissions.stdout_lines }}"
      when: (files_with_incorrect_permissions.stdout_lines | length > 0) and True
      tags:
        - rpm_verify_permissions
        - high_severity
        - restrict_strategy
        - high_complexity
        - medium_disruption
        - CCE-27209-6
        - NIST-800-53-AC-6
        - NIST-800-53-AU-9(1)
        - NIST-800-53-AU-9(3)
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-171-3.3.8
        - NIST-800-171-3.4.1
        - PCI-DSS-Req-11.5
        - CJIS-5.10.4.1
        - DISA-STIG-RHEL-07-010010

Verify and Correct Ownership with RPM

The RPM package management system can check the file ownership of installed software packages, including many that are important to system security. Files whose user or group ownership differs from the vendor values can be found with:

    $ rpm -Va | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }'

After locating a file with incorrect ownership, run the following command to determine which package owns it:

    $ rpm -qf FILENAME

Next, run the following command to reset its user and group ownership to the correct values:

    $ sudo rpm --setugids PACKAGENAME

Note: Due to a bug in the gdm package, the RPM verify command may continue to fail even after file permissions have been correctly set on /var/log/gdm. This is being tracked in Red Hat Bugzilla #1277603.

References: 1.2.6 6.1.3 6.1.4 6.1.5 6.1.6 6.1.7 6.1.8 6.1.9 6.2.3 1 11 12 13 14 15 16 18 3 5 6 9 5.10.4.1 APO01.06 APO11.04 BAI03.05 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.04 DSS05.07 DSS06.02 MEA02.01 3.3.8 3.4.1 CCI-001494 CCI-001496 4.3.3.3.9 4.3.3.5.8 4.3.3.7.3 4.3.4.3.2 4.3.4.3.3 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 5.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.5.1 A.12.6.2 A.12.7.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 AU-9(1) AU-9(3) CM-6(d) CM-6(3) PR.AC-4 PR.DS-5 PR.IP-1 PR.PT-1 Req-11.5 SRG-OS-000257-GPOS-00098 SRG-OS-000278-GPOS-00108

Rationale: Ownership of binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.

Identifier: CCE-80545-7

Remediation script:

    # Declare array to hold list of RPM packages we need to correct ownership for
    SETPERMS_RPM_LIST=()

    # Create a list of files on the system having ownership different from what
    # is expected by the RPM database
    FILES_WITH_INCORRECT_PERMS=($(rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }'))

    # For each file path from that list:
    # * Determine the RPM package the file path is shipped by,
    # * Include it into SETPERMS_RPM_LIST array
    for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
    do
      RPM_PACKAGE=$(rpm -qf "$FILE_PATH")
      SETPERMS_RPM_LIST+=("$RPM_PACKAGE")
    done

    # Remove duplicate mention of same RPM in $SETPERMS_RPM_LIST (if any)
    SETPERMS_RPM_LIST=( $(printf "%s\n" "${SETPERMS_RPM_LIST[@]}" | sort -u) )

    # For each of the RPM packages left in the list -- reset its ownership to the
    # correct values
    for RPM_PACKAGE in "${SETPERMS_RPM_LIST[@]}"
    do
      rpm --setugids "${RPM_PACKAGE}"
    done

Remediation Ansible snippet:

    - name: "Read list of files with incorrect ownership"
      shell: "rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)==\"U\" || substr($0,7,1)==\"G\") print $NF }'"
      args:
        warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect ownership using rpm module
      register: files_with_incorrect_ownership
      failed_when: False
      changed_when: False
      check_mode: no
      tags:
        - rpm_verify_ownership
        - high_severity
        - restrict_strategy
        - high_complexity
        - medium_disruption
        - CCE-80545-7
        - NIST-800-53-AC-6
        - NIST-800-53-AU-9(1)
        - NIST-800-53-AU-9(3)
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-171-3.3.8
        - NIST-800-171-3.4.1
        - PCI-DSS-Req-11.5
        - CJIS-5.10.4.1

    - name: Create list of uniq packages
      shell: "rpm -qf {{ files_with_incorrect_ownership.stdout_lines }}|sort |uniq"
      args:
        warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect ownership using rpm module
      register: uniq_list_of_packages
      when: (files_with_incorrect_ownership.stdout_lines | length > 0) and True
      tags:
        - rpm_verify_ownership
        - high_severity
        - restrict_strategy
        - high_complexity
        - medium_disruption
        - CCE-80545-7
        - NIST-800-53-AC-6
        - NIST-800-53-AU-9(1)
        - NIST-800-53-AU-9(3)
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-171-3.3.8
        - NIST-800-171-3.4.1
        - PCI-DSS-Req-11.5
        - CJIS-5.10.4.1

    - name: "Correct file ownership with RPM"
      shell: "rpm --quiet --setugids '{{ item }}'"
      args:
        warn: False # Ignore ANSIBLE0006, we can't correct ownership using rpm module
      with_items: "{{ uniq_list_of_packages.stdout_lines }}"
      when: (files_with_incorrect_ownership.stdout_lines | length > 0) and True
      tags:
        - rpm_verify_ownership
        - high_severity
        - restrict_strategy
        - high_complexity
        - medium_disruption
        - CCE-80545-7
        - NIST-800-53-AC-6
        - NIST-800-53-AU-9(1)
        - NIST-800-53-AU-9(3)
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-171-3.3.8
        - NIST-800-171-3.4.1
        - PCI-DSS-Req-11.5
        - CJIS-5.10.4.1

Verify File Hashes with RPM

Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package management system can check the hashes of installed software packages, including many that are important to system security. To verify that the cryptographic hashes of system files and commands match vendor values, run the following command to list which files on the system have hashes that differ from what is expected by the RPM database:

    $ rpm -Va | grep '^..5'

A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file was not expected to change, investigate the cause of the change using audit logs or other means. The package can then be reinstalled to restore the file.
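The three RPM rules above all key off fixed columns of the `rpm -Va` attribute string. As an added example (not part of the SCAP Security Guide), the POSIX shell functions below classify sample verify output by the same columns (2 = "M" mode, 6/7 = "U"/"G" ownership, 3 = "5" digest, with the "c" config marker in the second field) so that each finding maps to the remediation the guide prescribes; the sample lines and paths are constructed.

```shell
#!/bin/sh
# Added example (not from the SCAP Security Guide): classify `rpm -Va` output by
# which attribute differs, using the same column positions the guide's
# remediation scripts use:
#   column 2 = "M"              -> file mode differs      (rpm --setperms PACKAGE)
#   column 6 = "U" or 7 = "G"   -> owner/group differs    (rpm --setugids PACKAGE)
#   column 3 = "5"              -> file digest differs    (reinstall, unless config)
# The file-type marker ("c" for configuration files) is the second
# whitespace-separated field; the path is always the last field ($NF).

# Constructed sample of `rpm -Va` output; paths are made up for the demo.
SAMPLE_RPM_VA='S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/example-tool
.....UG..    /var/log/gdm
S.5....T.    /usr/lib64/libexample.so.1
S.5....T.    /opt/vendor/bin/custom
.......T.    /usr/share/doc/example/README
missing     /usr/share/example/data.bin'

# Read `rpm -Va` lines on stdin; print "<action><TAB><path>" for each finding.
# A line can yield more than one action (e.g. both mode and digest differ).
classify_rpm_verify() {
  awk '
    /^missing/ { print "missing\t" $NF; next }
    {
      flags = substr($0, 1, 9)               # the nine attribute columns
      is_config = (NF >= 3 && $2 == "c")     # "c" marks a configuration file
      path = $NF
      if (substr(flags, 2, 1) == "M")
        print "setperms\t" path
      if (substr(flags, 6, 1) == "U" || substr(flags, 7, 1) == "G")
        print "setugids\t" path
      if (substr(flags, 3, 1) == "5") {
        if (is_config)
          print "config-changed\t" path     # expected for config files: review, do not reinstall
        else if (path ~ "^/(bin|sbin|lib|lib64|usr)/")
          print "reinstall\t" path          # same vendor-tree filter as the hash remediation
        else
          print "hash-changed\t" path       # outside the vendor tree: investigate manually
      }
    }'
}

# Filter classified findings down to the unique paths needing one action,
# e.g. "setperms"; on a real host each path is fed to `rpm -qf` and the
# resulting package names are de-duplicated with sort -u before --setperms.
rpm_verify_files_for() {
  awk -F '\t' -v want="$1" '$1 == want { print $2 }' | sort -u
}

# Stand-alone demo over the constructed sample.
printf '%s\n' "$SAMPLE_RPM_VA" | classify_rpm_verify
```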
Run the following command to determine which package owns the file:

    $ rpm -qf FILENAME

The package can be reinstalled from a yum repository using the command:

    $ sudo yum reinstall PACKAGENAME

Alternatively, the package can be reinstalled from trusted media using the command:

    $ sudo rpm -Uvh PACKAGENAME

DISA STIG: RHEL-07-010020 SV-86479r3_rule

References: 1.2.6 11 2 3 9 5.10.4.1 APO01.06 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS06.02 3.3.8 3.4.1 CCI-000663 164.308(a)(1)(ii)(D) 164.312(b) 164.312(c)(1) 164.312(c)(2) 164.312(e)(2)(i) 4.3.4.3.2 4.3.4.3.3 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 SR 7.6 A.11.2.4 A.12.1.2 A.12.2.1 A.12.5.1 A.12.6.2 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 CM-6(d) CM-6(3) SI-7(1) PR.DS-6 PR.DS-8 PR.IP-1 Req-11.5 SRG-OS-000480-GPOS-00227

Rationale: The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.

Identifier: CCE-27157-7

Remediation script:

    # Find which files have an incorrect hash (excluding /etc, which holds the
    # system configuration files) and collect their names
    files_with_incorrect_hash="$(rpm -Va | grep -E '^..5.* /(bin|sbin|lib|lib64|usr)/' | awk '{print $NF}' )"

    # From the file names get the package names, turning newlines into spaces
    # because rpm writes each package on its own line
    packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"

    yum reinstall -y $packages_to_reinstall

Remediation Ansible snippet:

    - name: "Set fact: Package manager reinstall command (dnf)"
      set_fact:
        package_manager_reinstall_cmd: dnf reinstall -y
      when: ansible_distribution == "Fedora" and True
      tags:
        - rpm_verify_hashes
        - high_severity
        - unknown_strategy
        - high_complexity
        - medium_disruption
        - CCE-27157-7
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-53-SI-7(1)
        - NIST-800-171-3.3.8
        - NIST-800-171-3.4.1
        - PCI-DSS-Req-11.5
        - CJIS-5.10.4.1
        - DISA-STIG-RHEL-07-010020

    - name: "Set fact: Package manager reinstall command (yum)"
      set_fact:
        package_manager_reinstall_cmd: yum reinstall -y
      when: (ansible_distribution == "RedHat" or ansible_distribution == "OracleLinux") and True
      tags:
        - rpm_verify_hashes
        - high_severity
        - unknown_strategy
        - high_complexity
        - medium_disruption
        - CCE-27157-7
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-53-SI-7(1)
        - NIST-800-171-3.3.8
        - NIST-800-171-3.4.1
        - PCI-DSS-Req-11.5
        - CJIS-5.10.4.1
        - DISA-STIG-RHEL-07-010020

    - name: "Read files with incorrect hash"
      shell: "rpm -Va | grep -E '^..5.* /(bin|sbin|lib|lib64|usr)/' | awk '{print $NF}'"
      args:
        warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect hash using rpm module
      register: files_with_incorrect_hash
      changed_when: False
      when: (package_manager_reinstall_cmd is defined) and True
      check_mode: no
      tags:
        - rpm_verify_hashes
        - high_severity
        - unknown_strategy
        - high_complexity
        - medium_disruption
        - CCE-27157-7
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-53-SI-7(1)
        - NIST-800-171-3.3.8
        - NIST-800-171-3.4.1
        - PCI-DSS-Req-11.5
        - CJIS-5.10.4.1
        - DISA-STIG-RHEL-07-010020

    - name: "Reinstall packages of files with incorrect hash"
      shell: "{{ package_manager_reinstall_cmd }} $(rpm -qf '{{ item }}')"
      args:
        warn: False # Ignore ANSIBLE0006, this task is flexible with regards to package manager
      with_items: "{{ files_with_incorrect_hash.stdout_lines }}"
      when: (package_manager_reinstall_cmd is defined and (files_with_incorrect_hash.stdout_lines | length > 0)) and True
      tags:
        - rpm_verify_hashes
        - high_severity
        - unknown_strategy
        - high_complexity
        - medium_disruption
        - CCE-27157-7
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-53-SI-7(1)
        - NIST-800-171-3.3.8
        - NIST-800-171-3.4.1
        - PCI-DSS-Req-11.5
        - CJIS-5.10.4.1
        - DISA-STIG-RHEL-07-010020

Verify Integrity with AIDE

AIDE conducts integrity checks by comparing information about files with previously-gathered information. Ideally, the AIDE database is created immediately after initial system configuration, and then again after any software update. AIDE is highly configurable, with further configuration information located in /usr/share/doc/aide-VERSION.

Install AIDE

The aide package can be installed with the following command:

    $ sudo yum install aide

References: 1.3.1 1 11 12 13 14 15 16 2 3 5 7 8 9 5.10.1.3 APO01.06 BAI01.06 BAI02.01 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS03.05 DSS04.07 DSS05.02 DSS05.03 DSS05.05 DSS05.07 DSS06.02 DSS06.06 4.3.4.3.2 4.3.4.3.3 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 SR 4.1 SR 6.2 SR 7.6 A.11.2.4 A.12.1.2 A.12.2.1 A.12.4.1 A.12.5.1 A.12.6.2 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.14.2.7 A.15.2.1 A.8.2.3 CM-3(d) CM-3(e) CM-6(d) CM-6(3) SC-28 SI-7 DE.CM-1 DE.CM-7 PR.DS-1 PR.DS-6 PR.DS-8 PR.IP-1 PR.IP-3 Req-11.5

Rationale: The AIDE package must be installed if it is to be available for integrity checking.
Identifier: CCE-27096-7

Remediation script:

    package_install aide

Remediation Ansible snippet:

    - name: Ensure aide is installed
      package:
        name: aide
        state: present
      tags:
        - package_aide_installed
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-27096-7
        - NIST-800-53-CM-3(d)
        - NIST-800-53-CM-3(e)
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-53-SC-28
        - NIST-800-53-SI-7
        - PCI-DSS-Req-11.5
        - CJIS-5.10.1.3
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Remediation Puppet snippet:

    include install_aide

    class install_aide {
      package { 'aide':
        ensure => 'installed',
      }
    }

Remediation Anaconda snippet:

    package --add=aide

Configure AIDE to Verify Extended Attributes

By default, the xattrs option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the xattrs option is missing, add xattrs to the appropriate ruleset. For example, add xattrs to the following line in /etc/aide.conf:

    FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256

AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.

DISA STIG: RHEL-07-021610 SV-86695r3_rule

References: 2 3 APO01.06 BAI03.05 BAI06.01 DSS06.02 CCI-000366 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 A.11.2.4 A.12.2.1 A.12.5.1 A.14.1.2 A.14.1.3 A.14.2.4 SI-7.1 PR.DS-6 PR.DS-8 SRG-OS-000480-GPOS-00227

Rationale: Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.

Identifier: CCE-80376-7

Remediation script:

    package_install aide
    aide_conf="/etc/aide.conf"

    groups=$(LC_ALL=C grep "^[A-Z]\+" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u)

    for group in $groups
    do
      config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ')

      if ! [[ $config = *xattrs* ]]
      then
        if [[ -z $config ]]
        then
          config="xattrs"
        else
          config=$config"+xattrs"
        fi
      fi
      sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf
    done

Configure AIDE to Verify Access Control Lists (ACLs)

By default, the acl option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the acl option is missing, add acl to the appropriate ruleset. For example, add acl to the following line in /etc/aide.conf:

    FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256

AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.

DISA STIG: RHEL-07-021600 SV-86693r3_rule

References: 2 3 APO01.06 BAI03.05 BAI06.01 DSS06.02 CCI-000366 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 A.11.2.4 A.12.2.1 A.12.5.1 A.14.1.2 A.14.1.3 A.14.2.4 SI-7.1 PR.DS-6 PR.DS-8 SRG-OS-000480-GPOS-00227

Rationale: ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools.

Identifier: CCE-80375-9

Remediation script:

    package_install aide
    aide_conf="/etc/aide.conf"

    groups=$(LC_ALL=C grep "^[A-Z]\+" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u)

    for group in $groups
    do
      config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ')

      if ! [[ $config = *acl* ]]
      then
        if [[ -z $config ]]
        then
          config="acl"
        else
          config=$config"+acl"
        fi
      fi
      sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf
    done

Configure AIDE to Use FIPS 140-2 for Validating Hashes

By default, the sha512 option is added to the NORMAL ruleset in AIDE. If using a custom ruleset or the sha512 option is missing, add sha512 to the appropriate ruleset. For example, add sha512 to the following line in /etc/aide.conf:

    NORMAL = FIPSR+sha512

AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.

DISA STIG: RHEL-07-021620 SV-86697r3_rule

References: 2 3 APO01.06 BAI03.05 BAI06.01 DSS06.02 3.13.11 CCI-000366 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 A.11.2.4 A.12.2.1 A.12.5.1 A.14.1.2 A.14.1.3 A.14.2.4 SI-7(1) PR.DS-6 PR.DS-8 SRG-OS-000480-GPOS-00227

Rationale: File integrity tools use cryptographic hashes for verifying that file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes.
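The three AIDE ruleset rules (xattrs, acl, FIPS 140-2 hashes) each rewrite the `NAME = a+b+c` group lines of /etc/aide.conf. As an added example (not part of the SCAP Security Guide), the POSIX shell function below applies all three in one pass over a constructed aide.conf fragment: it strips the non-FIPS hash names the guide's remediation removes and appends any of acl, xattrs and sha512 that a group lacks. Like the guide's scripts it checks each group literally and leaves ALLXTRAHASHES alone; it does not resolve references between groups.

```shell
#!/bin/sh
# Added example (not from the SCAP Security Guide): normalise aide.conf rule
# groups so that every "NAME = a+b+c" line carries acl, xattrs and sha512 and
# none of the non-FIPS hashes (sha1 rmd160 sha256 whirlpool tiger haval gost
# crc32). ALLXTRAHASHES is passed through unchanged, as in the guide's scripts.
# Group references are not resolved: NORMAL = FIPSR+sha512 gets acl and xattrs
# appended even though FIPSR already carries them, which AIDE tolerates.

# Constructed sample configuration in the style of /etc/aide.conf.
SAMPLE_AIDE_CONF='@@define DBDIR /var/lib/aide
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
NORMAL = FIPSR+sha512
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
/boot   NORMAL'

# Read an aide.conf on stdin, write the corrected configuration to stdout.
aide_fips_rules() {
  awk -v required="acl xattrs sha512" \
      -v forbidden="sha1 rmd160 sha256 whirlpool tiger haval gost crc32" '
    BEGIN {
      nreq = split(required, req, " ")
      nbad = split(forbidden, badlist, " ")
      for (i = 1; i <= nbad; i++) bad[badlist[i]] = 1
    }
    /^[A-Z]+[ \t]*=/ {
      match($0, /^[A-Z]+/)
      name = substr($0, RSTART, RLENGTH)
      if (name == "ALLXTRAHASHES") { print; next }
      rhs = $0
      sub(/^[A-Z]+[ \t]*=[ \t]*/, "", rhs)   # keep only the attribute list
      gsub(/[ \t]/, "", rhs)
      n = split(rhs, parts, "+")
      out = ""
      split("", seen)                         # clear the per-group set
      for (i = 1; i <= n; i++) {
        p = parts[i]
        if (p == "" || (p in bad) || (p in seen)) continue
        seen[p] = 1
        out = (out == "" ? p : out "+" p)
      }
      for (i = 1; i <= nreq; i++) {
        if (!(req[i] in seen)) {
          seen[req[i]] = 1
          out = (out == "" ? req[i] : out "+" req[i])
        }
      }
      print name " = " out
      next
    }
    { print }
  '
}

# Stand-alone demo over the constructed sample; on a real host run
#   aide_fips_rules < /etc/aide.conf > /etc/aide.conf.new
# and review the diff before installing it.
printf '%s\n' "$SAMPLE_AIDE_CONF" | aide_fips_rules
```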
Identifier: CCE-80377-5

Remediation script:

    package_install aide
    aide_conf="/etc/aide.conf"
    forbidden_hashes=(sha1 rmd160 sha256 whirlpool tiger haval gost crc32)

    groups=$(LC_ALL=C grep "^[A-Z]\+" $aide_conf | cut -f1 -d ' ' | tr -d ' ' | sort -u)

    for group in $groups
    do
      config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ')

      if ! [[ $config = *sha512* ]]
      then
        config=$config"+sha512"
      fi

      for hash in ${forbidden_hashes[@]}
      do
        config=$(echo $config | sed "s/$hash//")
      done

      config=$(echo $config | sed "s/^\+*//")
      config=$(echo $config | sed "s/\+\++/+/")
      config=$(echo $config | sed "s/\+$//")

      sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf
    done

Configure Notification of Post-AIDE Scan Details

AIDE should notify appropriate personnel of the details of a scan after the scan has been run. If AIDE has already been configured for periodic execution in /etc/crontab, append the following line to the existing AIDE line:

    | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost

Otherwise, add the following line to /etc/crontab:

    05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost

AIDE can be executed periodically through other means; this is merely one example.

DISA STIG: RHEL-07-020040 SV-86599r2_rule

References: 1 11 12 13 15 16 2 3 5 7 8 9 BAI01.06 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS03.05 DSS05.02 DSS05.05 DSS05.07 CCI-001744 4.3.4.3.2 4.3.4.3.3 SR 6.2 SR 7.6 A.12.1.2 A.12.4.1 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.14.2.7 A.15.2.1 CM-3(5) DE.CM-1 DE.CM-7 PR.IP-1 PR.IP-3 SRG-OS-000363-GPOS-00150

Rationale: Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.

Identifier: CCE-80374-2

Remediation script:

    package_install aide
    CRONTAB=/etc/crontab
    CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly'

    if [ -f /var/spool/cron/root ]; then
      VARSPOOL=/var/spool/cron/root
    fi

    if ! grep -qR '^.*\/usr\/sbin\/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*root@.*$' $CRONTAB $VARSPOOL $CRONDIRS; then
      echo '0 5 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost' >> $CRONTAB
    fi

Configure Periodic Execution of AIDE

At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:

    05 4 * * * root /usr/sbin/aide --check

To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:

    05 4 * * 0 root /usr/sbin/aide --check

AIDE can be executed periodically through other means; this is merely one example. The usage of cron's special time codes, such as @daily and @weekly, is acceptable.
DISA STIG: RHEL-07-020030 SV-86597r2_rule

References: 1.3.2 1 11 12 13 14 15 16 2 3 5 7 8 9 5.10.1.3 APO01.06 BAI01.06 BAI02.01 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS03.05 DSS04.07 DSS05.02 DSS05.03 DSS05.05 DSS05.07 DSS06.02 DSS06.06 CCI-001744 4.3.4.3.2 4.3.4.3.3 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 SR 4.1 SR 6.2 SR 7.6 A.11.2.4 A.12.1.2 A.12.2.1 A.12.4.1 A.12.5.1 A.12.6.2 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.14.2.7 A.15.2.1 A.8.2.3 CM-3(d) CM-3(e) CM-3(5) CM-6(d) CM-6(3) SC-28 SI-7 DE.CM-1 DE.CM-7 PR.DS-1 PR.DS-6 PR.DS-8 PR.IP-1 PR.IP-3 Req-11.5 SRG-OS-000363-GPOS-00150

Rationale: By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.

Identifier: CCE-26952-2

Remediation script:

    package_install aide
    if ! grep -q "/usr/sbin/aide --check" /etc/crontab ; then
      echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
    fi

Remediation Ansible snippet:

    - name: "Ensure AIDE is installed"
      package:
        name: "{{ item }}"
        state: present
      with_items:
        - aide
      tags:
        - aide_periodic_cron_checking
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-26952-2
        - NIST-800-53-CM-3(d)
        - NIST-800-53-CM-3(e)
        - NIST-800-53-CM-3(5)
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-53-SC-28
        - NIST-800-53-SI-7
        - PCI-DSS-Req-11.5
        - CJIS-5.10.1.3
        - DISA-STIG-RHEL-07-020030
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Configure Periodic Execution of AIDE"
      cron:
        name: "run AIDE check"
        minute: 05
        hour: 04
        weekday: 0
        user: root
        job: "/usr/sbin/aide --check"
      tags:
        - aide_periodic_cron_checking
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-26952-2
        - NIST-800-53-CM-3(d)
        - NIST-800-53-CM-3(e)
        - NIST-800-53-CM-3(5)
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-53-SC-28
        - NIST-800-53-SI-7
        - PCI-DSS-Req-11.5
        - CJIS-5.10.1.3
        - DISA-STIG-RHEL-07-020030
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Build and Test AIDE Database

Run the following command to generate a new database:

    $ sudo /usr/sbin/aide --init

By default, the database will be written to the file /var/lib/aide/aide.db.new.gz. Storing the database, the configuration file /etc/aide.conf, and the binary /usr/sbin/aide (or hashes of these files) in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows:

    $ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

To initiate a manual check, run the following command:

    $ sudo /usr/sbin/aide --check

If this check produces any unexpected output, investigate.

References: 1 11 12 13 14 15 16 2 3 5 7 8 9 5.10.1.3 APO01.06 BAI01.06 BAI02.01 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS03.05 DSS04.07 DSS05.02 DSS05.03 DSS05.05 DSS05.07 DSS06.02 DSS06.06 4.3.4.3.2 4.3.4.3.3 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 SR 4.1 SR 6.2 SR 7.6 A.11.2.4 A.12.1.2 A.12.2.1 A.12.4.1 A.12.5.1 A.12.6.2 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.14.2.7 A.15.2.1 A.8.2.3 CM-3(d) CM-3(e) CM-6(d) CM-6(3) SC-28 SI-7 DE.CM-1 DE.CM-7 PR.DS-1 PR.DS-6 PR.DS-8 PR.IP-1 PR.IP-3 Req-11.5

Rationale: For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.

Identifier: CCE-27220-3

Remediation script:

    package_install aide
    /usr/sbin/aide --init
    /bin/cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Remediation Ansible snippet:

    - name: "Ensure AIDE is installed"
      package:
        name: "{{ item }}"
        state: present
      with_items:
        - aide
      tags:
        - aide_build_database
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27220-3
        - NIST-800-53-CM-3(d)
        - NIST-800-53-CM-3(e)
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-53-SC-28
        - NIST-800-53-SI-7
        - PCI-DSS-Req-11.5
        - CJIS-5.10.1.3
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Build and Test AIDE Database"
      command: /usr/sbin/aide --init
      changed_when: True
      tags:
        - aide_build_database
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27220-3
        - NIST-800-53-CM-3(d)
        - NIST-800-53-CM-3(e)
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-53-SC-28
        - NIST-800-53-SI-7
        - PCI-DSS-Req-11.5
        - CJIS-5.10.1.3
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    # mainly to allow ansible's check mode to work
    - name: "Check whether the stock AIDE Database exists"
      stat:
        path: /var/lib/aide/aide.db.new.gz
      register: aide_database_stat
      tags:
        - aide_build_database
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27220-3
        - NIST-800-53-CM-3(d)
        - NIST-800-53-CM-3(e)
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-53-SC-28
        - NIST-800-53-SI-7
        - PCI-DSS-Req-11.5
        - CJIS-5.10.1.3
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Stage AIDE Database"
      copy:
        src: /var/lib/aide/aide.db.new.gz
        dest: /var/lib/aide/aide.db.gz
        backup: yes
        remote_src: yes
      when: (aide_database_stat.stat.exists is defined and aide_database_stat.stat.exists) and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - aide_build_database
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27220-3
        - NIST-800-53-CM-3(d)
        - NIST-800-53-CM-3(e)
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-53-SC-28
        - NIST-800-53-SI-7
        - PCI-DSS-Req-11.5
        - CJIS-5.10.1.3

Disable Prelinking

The prelinking feature changes binaries in an attempt to decrease their startup time. In order to disable it, change or add the following line inside the file /etc/sysconfig/prelink:

    PRELINKING=no

Next, run the following command to return binaries to a normal, non-prelinked state:

    $ sudo /usr/sbin/prelink -ua

References: 1.5.4 11 13 14 2 3 9 5.10.1.3 APO01.06 BAI02.01 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS04.07 DSS05.03 DSS06.02 DSS06.06 3.13.11 4.3.4.3.2 4.3.4.3.3 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 SR 4.1 SR 7.6 A.11.2.4 A.12.1.2 A.12.2.1 A.12.5.1 A.12.6.2 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.8.2.3 CM-6(d) CM-6(3) SC-28 SI-7 PR.DS-1 PR.DS-6 PR.DS-8 PR.IP-1 Req-11.5

Rationale: Because the prelinking feature changes binaries, it can interfere with the operation of certain software and/or modes such as AIDE, FIPS, etc.

Identifier: CCE-27078-5

Remediation script:

    disable_prelink

Remediation Ansible snippet:

    - name: Does prelink file exist
      stat:
        path: /etc/sysconfig/prelink
      register: prelink_exists
      tags:
        - disable_prelink
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27078-5
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-53-SC-28
        - NIST-800-53-SI-7
        - NIST-800-171-3.13.11
        - PCI-DSS-Req-11.5
        - CJIS-5.10.1.3

    - name: disable prelinking
      lineinfile:
        path: /etc/sysconfig/prelink
        regexp: '^PRELINKING='
        line: 'PRELINKING=no'
      when: prelink_exists.stat.exists and True
      tags:
        - disable_prelink
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27078-5
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-53-SC-28
        - NIST-800-53-SI-7
        - NIST-800-171-3.13.11
        - PCI-DSS-Req-11.5
        - CJIS-5.10.1.3

Updating Software

The yum command line tool is used to install and update software packages. The system also provides a graphical software update tool in the System menu, in the Administration submenu, called Software Update. Red Hat Enterprise Linux 7 systems contain an installed software catalog called the RPM database, which records metadata of installed packages. Consistently using yum or the graphical Software Update for all software installation allows for insight into the current inventory of installed software on the system.
Ensure gpgcheck Enabled for All yum Package Repositories

To ensure signature checking is not disabled for any repository, remove any lines of the form gpgcheck=0 from the files in /etc/yum.repos.d (or change them to gpgcheck=1). A repository stanza without a gpgcheck line inherits the value from the [main] section of /etc/yum.conf, so the global setting must be enabled as well.

References: 11 2 3 9 5.10.4.1 APO01.06 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS06.02 3.4.8 CCI-001749 164.308(a)(1)(ii)(D) 164.312(b) 164.312(c)(1) 164.312(c)(2) 164.312(e)(2)(i) 4.3.4.3.2 4.3.4.3.3 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 SR 7.6 A.11.2.4 A.12.1.2 A.12.2.1 A.12.5.1 A.12.6.2 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 CM-5(3) CM-11(a) SI-7 MA-1(b) PR.DS-6 PR.DS-8 PR.IP-1 FAU_GEN.1.1.c Req-6.2 SRG-OS-000366-GPOS-00153 SRG-OS-000366-VMM-001430 SRG-OS-000370-VMM-001460 SRG-OS-000404-VMM-001650

Rationale: Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).

CCE-26876-3

Remediation (bash):

sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/yum.repos.d/*

Remediation (Ansible):

- name: Find All yum Repositories
  find:
    paths: "/etc/yum.repos.d/"
    patterns: "*.repo"
    contains: ^\[.+]$
  register: yum_find
  tags: [ensure_gpgcheck_never_disabled, high_severity, unknown_strategy, low_complexity, medium_disruption, CCE-26876-3, NIST-800-53-CM-5(3), NIST-800-53-CM-11(a), NIST-800-53-SI-7, NIST-800-53-MA-1(b), NIST-800-171-3.4.8, PCI-DSS-Req-6.2, CJIS-5.10.4.1]

- name: Ensure gpgcheck Enabled For All yum Package Repositories
  with_items: "{{ yum_find.files }}"
  lineinfile:
    create: yes
    dest: "{{ item.path }}"
    regexp: '^gpgcheck'
    line: 'gpgcheck=1'
  tags: [ensure_gpgcheck_never_disabled, high_severity, unknown_strategy, low_complexity, medium_disruption, CCE-26876-3, NIST-800-53-CM-5(3), NIST-800-53-CM-11(a), NIST-800-53-SI-7, NIST-800-53-MA-1(b), NIST-800-171-3.4.8, PCI-DSS-Req-6.2, CJIS-5.10.4.1]

Note that lineinfile replaces only the last line matching the regexp in each file, so a .repo file carrying several stanzas that each set gpgcheck=0 is only partly fixed by the Ansible task; the sed form above (with the g flag) rewrites every such line.

Ensure Software Patches Installed

If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates:

$ sudo yum update

If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using rpm.

NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates.

STIG: RHEL-07-020260 (SV-86623r4_rule)

References: 1.8 18 20 4 5.10.4.1 APO12.01 APO12.02 APO12.03 APO12.04 BAI03.10 DSS05.01 DSS05.02 CCI-000366 4.2.3 4.2.3.12 4.2.3.7 4.2.3.9 A.12.6.1 A.14.2.3 A.16.1.3 A.18.2.2 A.18.2.3 SI-2 SI-2(c) MA-1(b) ID.RA-1 PR.IP-12 FMT_MOF_EXT.1 Req-6.2 SRG-OS-000480-GPOS-00227 SRG-OS-000480-VMM-002000

Rationale: Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software.
The lack of prompt attention to patching could result in a system compromise.

CCE-26895-3

Remediation (bash):

yum -y update

Remediation (Ansible):

- name: "Security patches are up to date"
  package:
    name: "*"
    state: "latest"
  tags:
    - skip_ansible_lint  # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - security_patches_up_to_date
    - high_severity
    - patch_strategy
    - low_complexity
    - high_disruption
    - CCE-26895-3
    - NIST-800-53-SI-2
    - NIST-800-53-SI-2(c)
    - NIST-800-53-MA-1(b)
    - PCI-DSS-Req-6.2
    - CJIS-5.10.4.1
    - DISA-STIG-RHEL-07-020260

Ensure gpgcheck Enabled for Local Packages

yum should be configured to verify the signature(s) of local packages prior to installation. To configure yum to verify signatures of local packages, set localpkg_gpgcheck to 1 in the [main] section of /etc/yum.conf.

STIG: RHEL-07-020060 (SV-86603r2_rule)

References: 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 3.4.8 CCI-001749 164.308(a)(1)(ii)(D) 164.312(b) 164.312(c)(1) 164.312(c)(2) 164.312(e)(2)(i) 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-5(3) CM-11 PR.IP-1 FAU_GEN.1.1.c SRG-OS-000366-GPOS-00153 SRG-OS-000366-VMM-001430 SRG-OS-000370-VMM-001460 SRG-OS-000404-VMM-001650

Rationale: Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.

CCE-80347-8

Remediation (bash; replace_or_append is a helper from the SCAP Security Guide shared bash library, not shown here):

replace_or_append '/etc/yum.conf' '^localpkg_gpgcheck' '1' 'CCE-80347-8'

Remediation (Ansible):

- name: Check existence of yum on Fedora
  stat:
    path: /etc/yum.conf
  register: yum_config_file
  check_mode: no
  when: ansible_distribution == "Fedora" and True
  tags: [ensure_gpgcheck_local_packages, high_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80347-8, NIST-800-53-CM-5(3), NIST-800-53-CM-11, NIST-800-171-3.4.8, DISA-STIG-RHEL-07-020060]

# Old versions of Fedora use yum
- name: Ensure GPG check Enabled for Local Packages (Yum)
  ini_file:
    dest: /etc/yum.conf
    section: main
    option: localpkg_gpgcheck
    value: 1
    create: True
  when: (ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or yum_config_file.stat.exists) and True
  tags: [ensure_gpgcheck_local_packages, high_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80347-8, NIST-800-53-CM-5(3), NIST-800-53-CM-11, NIST-800-171-3.4.8, DISA-STIG-RHEL-07-020060]

- name: Ensure GPG check Enabled for Local Packages (DNF)
  ini_file:
    dest: /etc/dnf/dnf.conf
    section: main
    option: localpkg_gpgcheck
    value: 1
    create: True
  when: ansible_distribution == "Fedora" and True
  tags: [ensure_gpgcheck_local_packages, high_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80347-8, NIST-800-53-CM-5(3), NIST-800-53-CM-11, NIST-800-171-3.4.8, DISA-STIG-RHEL-07-020060]

Ensure Red Hat GPG Key Installed

To ensure the system can cryptographically verify that base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must be properly installed. To install the Red Hat GPG key, run:

$ sudo subscription-manager register

If the system is not connected to the Internet or an RHN Satellite, install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD.
Assuming the disc is mounted in /media/cdrom, use the following command as the root user to import it into the keyring:

$ sudo rpm --import /media/cdrom/RPM-GPG-KEY

A key imported with rpm --import becomes a trust anchor for every package signature check on the system, so compare its fingerprint against the fingerprints published at https://access.redhat.com/security/team/key before importing it; the remediation below does this automatically.

References: 1.2.3 11 2 3 9 5.10.4.1 APO01.06 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS06.02 3.4.8 CCI-001749 164.308(a)(1)(ii)(D) 164.312(b) 164.312(c)(1) 164.312(c)(2) 164.312(e)(2)(i) 4.3.4.3.2 4.3.4.3.3 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 SR 7.6 A.11.2.4 A.12.1.2 A.12.2.1 A.12.5.1 A.12.6.2 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 CM-5(3) CM-11(a) SI-7 MA-1(b) PR.DS-6 PR.DS-8 PR.IP-1 FAU_GEN.1.1.c Req-6.2 SRG-OS-000366-GPOS-00153 SRG-OS-000366-VMM-001430 SRG-OS-000370-VMM-001460 SRG-OS-000404-VMM-001650

Rationale: Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The Red Hat GPG key is necessary to cryptographically verify that packages are from Red Hat.

CCE-26957-1

Remediation (bash):

# The two fingerprints below are retrieved from https://access.redhat.com/security/team/key
readonly REDHAT_RELEASE_2_FINGERPRINT="567E347AD0044ADE55BA8A5F199E2F91FD431D51"
readonly REDHAT_AUXILIARY_FINGERPRINT="43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"

# Location of the key we would like to import (once its integrity is verified)
readonly REDHAT_RELEASE_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"

RPM_GPG_DIR_PERMS=$(stat -c %a "$(dirname "$REDHAT_RELEASE_KEY")")

# Verify /etc/pki/rpm-gpg directory permissions are safe, i.e. the directory is
# neither group- nor world-writable. This is a bit test on the octal mode; a
# decimal "-le 755" comparison would wrongly accept a mode such as 747.
if [ $(( 8#${RPM_GPG_DIR_PERMS} & 8#022 )) -eq 0 ]
then
  # If they are safe, try to obtain fingerprints from the key file
  # (to ensure there won't be e.g. CRC error).
  # Backup IFS value
  IFS_BKP=$IFS
  IFS=$'\n'
  # pipefail so that a gpg failure, not only a cut failure, shows up in $?
  set -o pipefail
  GPG_OUT=($(gpg --with-fingerprint --with-colons "$REDHAT_RELEASE_KEY" | grep "^fpr" | cut -d ":" -f 10))
  GPG_RESULT=$?
  set +o pipefail
  # Reset IFS back to default
  IFS=$IFS_BKP

  # No CRC error, safe to proceed
  if [ "${GPG_RESULT}" -eq "0" ]
  then
    # Print one fingerprint per line (joining the array into a single line
    # would let a known fingerprint mask an unknown one on the same line)
    # and import only if no line carries an unknown fingerprint
    printf '%s\n' "${GPG_OUT[@]}" | grep -vE "${REDHAT_RELEASE_2_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || {
      # If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it
      rpm --import "${REDHAT_RELEASE_KEY}"
    }
  fi
fi

Remediation (Ansible):

- name: "Read permission of GPG key directory"
  stat:
    path: /etc/pki/rpm-gpg/
  register: gpg_key_directory_permission
  check_mode: no
  tags: [ensure_redhat_gpgkey_installed, high_severity, restrict_strategy, medium_complexity, medium_disruption, CCE-26957-1, NIST-800-53-CM-5(3), NIST-800-53-CM-11(a), NIST-800-53-SI-7, NIST-800-53-MA-1(b), NIST-800-171-3.4.8, PCI-DSS-Req-6.2, CJIS-5.10.4.1]

# It should fail if it doesn't find any fingerprints in file - maybe file was not parsed well.
- name: Read signatures in GPG key
  # According to /usr/share/doc/gnupg2/DETAILS fingerprints are in "fpr" record in field 10
  shell: gpg --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" | grep "^fpr" | cut -d ":" -f 10
  changed_when: False
  register: gpg_fingerprints
  check_mode: no
  tags: [ensure_redhat_gpgkey_installed, high_severity, restrict_strategy, medium_complexity, medium_disruption, CCE-26957-1, NIST-800-53-CM-5(3), NIST-800-53-CM-11(a), NIST-800-53-SI-7, NIST-800-53-MA-1(b), NIST-800-171-3.4.8, PCI-DSS-Req-6.2, CJIS-5.10.4.1]

- name: Set Fact - Valid fingerprints
  set_fact:
    # A YAML list, so that the difference() filter below compares whole
    # fingerprints rather than the characters of a single string
    gpg_valid_fingerprints:
      - "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
      - "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"
  tags: [ensure_redhat_gpgkey_installed, high_severity, restrict_strategy, medium_complexity, medium_disruption, CCE-26957-1, NIST-800-53-CM-5(3), NIST-800-53-CM-11(a), NIST-800-53-SI-7, NIST-800-53-MA-1(b), NIST-800-171-3.4.8, PCI-DSS-Req-6.2, CJIS-5.10.4.1]

- name: Import RedHat GPG key
  rpm_key:
    state: present
    key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
  # The directory test uses the stat module's wgrp/woth flags; a string
  # comparison of stat.mode against '0755' would accept a world-writable 0747
  when:
    (not gpg_key_directory_permission.stat.wgrp) and (not gpg_key_directory_permission.stat.woth) and
    ((gpg_fingerprints.stdout_lines | difference(gpg_valid_fingerprints)) | length == 0) and
    (gpg_fingerprints.stdout_lines | length > 0) and
    (ansible_distribution == "RedHat") and True
  tags: [ensure_redhat_gpgkey_installed, high_severity, restrict_strategy, medium_complexity, medium_disruption, CCE-26957-1, NIST-800-53-CM-5(3), NIST-800-53-CM-11(a), NIST-800-53-SI-7, NIST-800-53-MA-1(b), NIST-800-171-3.4.8, PCI-DSS-Req-6.2, CJIS-5.10.4.1]

Ensure gpgcheck Enabled for Repository Metadata

Verify that the operating system prevents the installation of patches, service packs, device drivers, or operating system components without verification of the repository metadata. yum verifies the signature on repository metadata before using it when repo_gpgcheck is set to 1 in the [main] section of /etc/yum.conf. With this option enabled, yum refuses any repository whose metadata is not signed (no repomd.xml.asc alongside repomd.xml), so confirm that every configured repository publishes signed metadata, or set repo_gpgcheck per repository stanza instead.

References: 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 CCI-001749 164.308(a)(1)(ii)(D) 164.312(b) 164.312(c)(1) 164.312(c)(2) 164.312(e)(2)(i) 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-5(3) PR.IP-1 SRG-OS-000366-GPOS-00153

Rationale: Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. NOTE: For U.S. Military systems, this requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved Certificate Authority.

CCE-80348-6

Ensure yum Removes Previous Package Versions

yum should be configured to remove previous software components after new versions have been installed. To configure yum to remove the previous software components after updating, set clean_requirements_on_remove to 1 in /etc/yum.conf.

STIG: RHEL-07-020200 (SV-86611r2_rule)

References: 18 20 4 APO12.01 APO12.02 APO12.03 APO12.04 BAI03.10 DSS05.01 DSS05.02 3.4.8 CCI-002617 4.2.3 4.2.3.12 4.2.3.7 4.2.3.9 A.12.6.1 A.14.2.3 A.16.1.3 A.18.2.2 A.18.2.3 SI-2(6) CM-11 ID.RA-1 PR.IP-12 SRG-OS-000437-GPOS-00194

Rationale: Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries.

CCE-80346-0

Remediation (bash):

if grep --silent ^clean_requirements_on_remove /etc/yum.conf ; then
  sed -i "s/^clean_requirements_on_remove.*/clean_requirements_on_remove=1/g" /etc/yum.conf
else
  echo -e "\n# Set clean_requirements_on_remove to 1 per security requirements" >> /etc/yum.conf
  echo "clean_requirements_on_remove=1" >> /etc/yum.conf
fi

Remediation (Ansible):

- name: "Ensure YUM Removes Previous Package Versions"
  lineinfile:
    dest: /etc/yum.conf
    regexp: ^#?clean_requirements_on_remove
    line: clean_requirements_on_remove=1
    insertafter: '\[main\]'
  tags: [clean_components_post_updating, low_severity, restrict_strategy, low_complexity, low_disruption, CCE-80346-0, NIST-800-53-SI-2(6), NIST-800-53-CM-11, NIST-800-171-3.4.8, DISA-STIG-RHEL-07-020200]

Ensure gpgcheck Enabled In Main yum Configuration

The gpgcheck option controls whether RPM packages' signatures are always checked prior to installation.
To configure yum to check package signatures before installing them, ensure the following line appears in the [main] section of /etc/yum.conf:

gpgcheck=1

STIG: RHEL-07-020050 (SV-86601r2_rule)

References: 1.2.2 11 2 3 9 5.10.4.1 APO01.06 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS06.02 3.4.8 CCI-001749 164.308(a)(1)(ii)(D) 164.312(b) 164.312(c)(1) 164.312(c)(2) 164.312(e)(2)(i) 4.3.4.3.2 4.3.4.3.3 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 SR 7.6 A.11.2.4 A.12.1.2 A.12.2.1 A.12.5.1 A.12.6.2 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 CM-5(3) CM-11 SI-7 MA-1(b) PR.DS-6 PR.DS-8 PR.IP-1 FAU_GEN.1.1.c Req-6.2 SRG-OS-000366-GPOS-00153 SRG-OS-000366-VMM-001430 SRG-OS-000370-VMM-001460 SRG-OS-000404-VMM-001650

Rationale: Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).
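The gpgcheck, localpkg_gpgcheck and repo_gpgcheck rules above, together with the fingerprint allowlist of the Ensure Red Hat GPG Key Installed rule, all reduce to a few checks on text files and on one gpg listing. The script below is an added example written for this page, not SCAP Security Guide code: it audits those settings offline, reporting every repository whose effective gpgcheck is not 1 (a stanza without the option inherits [main]), and decides whether a key file may be fed to rpm --import. It uses a bit test for the key directory mode rather than the decimal "-le 755" comparison of the bash remediation, which accepts a world-writable 0747. The yum.conf, .repo and gpg --with-colons samples at the bottom are constructed for the example; only the two fingerprints come from the page.

```python
"""Offline audit for the package-trust rules of this section (added example,
not SCAP Security Guide code). Inputs are passed in as text; the samples at
the bottom are constructed, only the two fingerprints come from the page."""
import configparser
import stat

# Fingerprints quoted in the "Ensure Red Hat GPG Key Installed" rule.
REDHAT_FINGERPRINTS = {
    "567E347AD0044ADE55BA8A5F199E2F91FD431D51",  # release key 2
    "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0",  # auxiliary key
}
# [main] options that must be 1; a missing option is treated as 0.
MAIN_REQUIRED = ("gpgcheck", "localpkg_gpgcheck", "repo_gpgcheck")


def _parse(text):
    # yum.conf and .repo files are INI-style. RawConfigParser does no
    # interpolation, so $basearch/$releasever survive; option names keep case.
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_yum_config(main_conf, repo_files):
    """Return sorted findings; an empty list means compliant.
    main_conf: contents of /etc/yum.conf. repo_files: {file name: contents}."""
    findings = []
    main = _parse(main_conf)
    main_gpgcheck = main.get("main", "gpgcheck", fallback="0").strip()
    for opt in MAIN_REQUIRED:
        value = main.get("main", opt, fallback="0").strip()
        if value != "1":
            findings.append("/etc/yum.conf: [main] %s=%s (must be 1)" % (opt, value))
    for fname, text in sorted(repo_files.items()):
        cp = _parse(text)
        for repo in cp.sections():
            # A stanza without gpgcheck inherits [main]; an explicit 0 turns
            # signature checking off for that one repository.
            value = cp.get(repo, "gpgcheck", fallback=main_gpgcheck).strip()
            if value != "1":
                findings.append("%s: [%s] gpgcheck=%s (must be 1)" % (fname, repo, value))
    return sorted(findings)


def fingerprints_from_colons(gpg_output):
    """Fingerprints from `gpg --with-fingerprint --with-colons` output: field
    10 of every "fpr" record, the same rule as the remediation's cut -f 10."""
    fprs = []
    for line in gpg_output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9 and fields[9]:
            fprs.append(fields[9].upper())
    return fprs


def key_import_allowed(gpg_output, dir_mode, allowed=REDHAT_FINGERPRINTS):
    """(ok, reason) for `rpm --import` of a key file. Rejects a group- or
    world-writable key directory (whoever can replace the file decides what
    rpm trusts), a file gpg found no fingerprints in, and any fingerprint
    that is not on the allowlist."""
    if dir_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "key directory is group/world writable"
    fprs = fingerprints_from_colons(gpg_output)
    if not fprs:
        return False, "no fingerprints found in key file"
    unknown = sorted(set(fprs) - set(allowed))
    if unknown:
        return False, "unknown fingerprint(s): " + ", ".join(unknown)
    return True, "all %d fingerprint(s) on allowlist" % len(fprs)


# Constructed sample inputs (not captured from a real host).
SAMPLE_YUM_CONF = """[main]
cachedir=/var/cache/yum/$basearch/$releasever
gpgcheck=1
localpkg_gpgcheck=1
repo_gpgcheck=0
"""
SAMPLE_REPOS = {
    "redhat.repo": """[rhel-7-server-rpms]
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
""",
    "local.repo": """[internal-mirror]
baseurl=http://mirror.example.internal/rhel7/
gpgcheck=0

[inherits-main]
baseurl=http://mirror.example.internal/extras/
""",
}
# Constructed gpg --with-colons output; only the fpr record matters, the other
# fields are placeholders. The tampered variant has an extra unknown key.
SAMPLE_GPG_OK = (
    "pub:-:4096:1:199E2F91FD431D51:0:::-:::scESC:\n"
    "fpr:::::::::567E347AD0044ADE55BA8A5F199E2F91FD431D51:\n"
)
SAMPLE_GPG_TAMPERED = SAMPLE_GPG_OK + "fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:\n"

if __name__ == "__main__":
    for finding in audit_yum_config(SAMPLE_YUM_CONF, SAMPLE_REPOS):
        print("FINDING:", finding)
    print(key_import_allowed(SAMPLE_GPG_OK, 0o755))
    print(key_import_allowed(SAMPLE_GPG_TAMPERED, 0o755))
    print(key_import_allowed(SAMPLE_GPG_OK, 0o747))
```

On a live host, feed audit_yum_config the contents of /etc/yum.conf and of each /etc/yum.repos.d/*.repo, and key_import_allowed the output of gpg --with-fingerprint --with-colons on the key file plus the st_mode of its directory; the sample run reports repo_gpgcheck=0 in [main] and gpgcheck=0 in the internal-mirror stanza, accepts the clean key file, and rejects both the tampered file and the writable directory.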
CCE-26989-4

Remediation (bash; replace_or_append is a helper from the SCAP Security Guide shared bash library, not shown here):

replace_or_append "/etc/yum.conf" '^gpgcheck' '1' 'CCE-26989-4'

Remediation (Ansible):

- name: Check existence of yum on Fedora
  stat:
    path: /etc/yum.conf
  register: yum_config_file
  check_mode: no
  when: ansible_distribution == "Fedora" and True
  tags: [ensure_gpgcheck_globally_activated, high_severity, unknown_strategy, low_complexity, medium_disruption, CCE-26989-4, NIST-800-53-CM-5(3), NIST-800-53-CM-11, NIST-800-53-SI-7, NIST-800-53-MA-1(b), NIST-800-171-3.4.8, PCI-DSS-Req-6.2, CJIS-5.10.4.1, DISA-STIG-RHEL-07-020050]

# Old versions of Fedora use yum
- name: Ensure GPG check is globally activated (yum)
  ini_file:
    dest: /etc/yum.conf
    section: main
    option: gpgcheck
    value: 1
    create: False
  when: (ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or yum_config_file.stat.exists) and True
  tags: [ensure_gpgcheck_globally_activated, high_severity, unknown_strategy, low_complexity, medium_disruption, CCE-26989-4, NIST-800-53-CM-5(3), NIST-800-53-CM-11, NIST-800-53-SI-7, NIST-800-53-MA-1(b), NIST-800-171-3.4.8, PCI-DSS-Req-6.2, CJIS-5.10.4.1, DISA-STIG-RHEL-07-020050]

- name: Ensure GPG check is globally activated (dnf)
  ini_file:
    dest: /etc/dnf/dnf.conf
    section: main
    option: gpgcheck
    value: 1
    create: False
  when: ansible_distribution == "Fedora" and True
  tags: [ensure_gpgcheck_globally_activated, high_severity, unknown_strategy, low_complexity, medium_disruption, CCE-26989-4, NIST-800-53-CM-5(3), NIST-800-53-CM-11, NIST-800-53-SI-7, NIST-800-53-MA-1(b), NIST-800-171-3.4.8, PCI-DSS-Req-6.2, CJIS-5.10.4.1, DISA-STIG-RHEL-07-020050]

GNOME Desktop Environment

GNOME is a graphical desktop environment bundled with many Linux distributions that allows users to interact with the operating system graphically rather than textually. The GNOME Display Manager (GDM) provides login, logout, and user switching contexts as well as display server management.
GNOME is developed by the GNOME Project and is the default Red Hat graphical environment. For more information on GNOME and the GNOME Project, see https://www.gnome.org.

Configure GNOME Screen Locking

In the default GNOME3 desktop, the screen can be locked by selecting the user name in the far right corner of the main panel and selecting Lock. The following sections detail commands to enforce idle activation of the screensaver, screen locking, a blank-screen screensaver, and an idle activation time. Because users should be trained to lock the screen when they step away from the computer, the automatic locking feature is only meant as a backup. The root account can be screen-locked; however, the root account should never be used to log into an X Window System session and should only be used for direct login via console in emergency circumstances.

For more information about enforcing preferences in the GNOME3 environment using the DConf configuration system, see http://wiki.gnome.org/dconf and the man page dconf(1). For Red Hat specific information on configuring DConf settings, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Desktop_Migration_and_Administration_Guide/part-Configuration_and_Administration.html

Screensaver Inactivity Timeout (variable): the allowed duration, in seconds, of inactive graphical sessions. Default 900; selectable values 300, 600, 900, 1800.

Screensaver Lock Delay (variable): the allowed duration, in seconds, after a screensaver becomes active before an authentication prompt is displayed. Default 0; selectable values 0, 5, 10.

Implement Blank Screensaver

Run the following command to set the screensaver mode in the GNOME desktop to a blank screen:

$ sudo gconftool-2 --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type string \
  --set /apps/gnome-screensaver/mode blank-only

This and the other gconftool-2 commands in this section write the legacy GNOME 2 gconf store; the GNOME3 desktop shipped with Red Hat Enterprise Linux 7 reads dconf, so on it the dconf-based rules later in this section are the ones that take effect.

References: 1 12 15 16 DSS05.04 DSS05.10 DSS06.10 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-11(b) PR.AC-7 Req-8.1.8

Rationale: Setting the screensaver mode to blank-only conceals the contents of the display from passersby.

Enable Screen Lock Activation After Idle Period

Run the following command to make the GNOME desktop lock the screen when the screensaver activates:

$ sudo gconftool-2 --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type bool \
  --set /apps/gnome-screensaver/lock_enabled true

References: 1 12 15 16 DSS05.04 DSS05.10 DSS06.10 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-11(a) PR.AC-7 Req-8.1.8

Rationale: Enabling the activation of the screen lock after an idle period ensures password entry will be required in order to access the system, preventing access by passersby.
Set GNOME Screen Locking Keybindings

Run the following command to prevent changes to the screensaver lock keybinding:

$ sudo gconftool-2 --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type string \
  --set /apps/gnome_settings_daemon/keybindings/screensaver "<Control><Alt>l"

References: 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5

Rationale: The ability to lock graphical desktop sessions manually allows users to easily secure their accounts should they need to leave their workstations temporarily.

Ensure Users Cannot Change GNOME3 Session Idle Settings

If not already configured, ensure that users cannot change GNOME3 session idle settings by adding /org/gnome/desktop/session/idle-delay to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/session/idle-delay

After the settings have been set, run dconf update.

STIG: RHEL-07-010082 (SV-87809r4_rule)

References: 1 12 15 16 DSS05.04 DSS05.10 DSS06.10 3.1.10 CCI-000057 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-11(a) PR.AC-7 FMT_MOF_EXT.1 SRG-OS-000029-GPOS-00010

Rationale: A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings.

CCE-80544-0

Remediation (bash; include_dconf_settings and dconf_lock are helpers from the SCAP Security Guide shared bash library, not shown here):

include_dconf_settings

dconf_lock 'org/gnome/desktop/session' 'idle-delay' 'local.d' '00-security-settings-lock'

Remediation (Ansible):

- name: "Prevent user modification of GNOME Session idle-delay"
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/desktop/session/idle-delay'
    line: '/org/gnome/desktop/session/idle-delay'
    create: yes
  tags: [dconf_gnome_session_idle_user_locks, medium_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80544-0, NIST-800-53-AC-11(a), NIST-800-171-3.1.10, DISA-STIG-RHEL-07-010082]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Set GNOME3 Screensaver Lock Delay After Activation Period

To set the locking delay of the screensaver in the GNOME3 desktop (the time after the screensaver activates before the session is locked), add or set lock-delay, as a uint32 number of seconds (the Screensaver Lock Delay variable above), in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/screensaver]
lock-delay=uint32

Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/screensaver/lock-delay

After the settings have been set, run dconf update.

STIG: RHEL-07-010110 (SV-86525r3_rule)

References: 1 12 15 16 DSS05.04 DSS05.10 DSS06.10 3.1.10 CCI-000056 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-11(a) PR.AC-7 FMT_MOF_EXT.1 Req-8.1.8 SRG-OS-000029-GPOS-00010

Rationale: A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
CCE-80370-0

Remediation (bash; include_dconf_settings, dconf_settings and dconf_lock are helpers from the SCAP Security Guide shared bash library, not shown here):

var_screensaver_lock_delay=""

include_dconf_settings

dconf_settings 'org/gnome/desktop/screensaver' 'lock-delay' "uint32 ${var_screensaver_lock_delay}" 'local.d' '00-security-settings'
dconf_lock 'org/gnome/desktop/screensaver' 'lock-delay' 'local.d' '00-security-settings-lock'

Remediation (Ansible):

- name: "Set GNOME3 Screensaver Lock Delay After Activation Period"
  ini_file:
    dest: "/etc/dconf/db/local.d/00-security-settings"
    section: "org/gnome/desktop/screensaver"
    option: lock-delay
    value: uint32 5
    create: yes
  tags: [dconf_gnome_screensaver_lock_delay, medium_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80370-0, NIST-800-53-AC-11(a), NIST-800-171-3.1.10, PCI-DSS-Req-8.1.8, DISA-STIG-RHEL-07-010110]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: "Prevent user modification of GNOME lock-delay"
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/desktop/screensaver/lock-delay'
    line: '/org/gnome/desktop/screensaver/lock-delay'
    create: yes
  tags: [dconf_gnome_screensaver_lock_delay, medium_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80370-0, NIST-800-53-AC-11(a), NIST-800-171-3.1.10, PCI-DSS-Req-8.1.8, DISA-STIG-RHEL-07-010110]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Full User Name on Splash Shield

By default, when the screen is locked the splash shield shows the user's full name. This should be disabled to prevent casual observers from seeing who has access to the system. It can be disabled by adding or setting show-full-name-in-top-bar to false in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/screensaver]
show-full-name-in-top-bar=false

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/screensaver/show-full-name-in-top-bar

After the settings have been set, run dconf update.

References: FMT_MOF_EXT.1

Rationale: Setting the splash screen to not reveal the logged in user's name conceals who has access to the system from passersby.

CCE-80114-2

Remediation (bash):

include_dconf_settings

dconf_settings 'org/gnome/desktop/screensaver' 'show-full-name-in-top-bar' 'false' 'local.d' '00-security-settings'
dconf_lock 'org/gnome/desktop/screensaver' 'show-full-name-in-top-bar' 'local.d' '00-security-settings-lock'

Remediation (Ansible):

- name: "Disable Full Username on Splash Screen"
  ini_file:
    dest: "/etc/dconf/db/local.d/00-security-settings"
    section: "org/gnome/desktop/screensaver"
    option: show-full-name-in-top-bar
    value: "false"
    create: yes
  tags: [dconf_gnome_screensaver_user_info, medium_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80114-2]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: "Prevent user modification of GNOME show-full-name-in-top-bar"
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/desktop/screensaver/show-full-name-in-top-bar'
    line: '/org/gnome/desktop/screensaver/show-full-name-in-top-bar'
    create: yes
  tags: [dconf_gnome_screensaver_user_info, medium_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80114-2]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure Users Cannot Change GNOME3 Screensaver Settings

If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding /org/gnome/desktop/screensaver/lock-delay to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/screensaver/lock-delay

After the settings have been set, run dconf update.

STIG: RHEL-07-010081 (SV-87807r4_rule)

References: 1 12 15 16 DSS05.04 DSS05.10 DSS06.10 3.1.10 CCI-000057 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-11(a) PR.AC-7 FMT_MOF_EXT.1 SRG-OS-000029-GPOS-00010

Rationale: A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings.
CCE-80371-8

Remediation (bash):

include_dconf_settings

dconf_lock 'org/gnome/desktop/screensaver' 'lock-delay' 'local.d' '00-security-settings-lock'

Remediation (Ansible):

- name: "Prevent user modification of GNOME lock-delay"
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/desktop/screensaver/lock-delay'
    line: '/org/gnome/desktop/screensaver/lock-delay'
    create: yes
  tags: [dconf_gnome_screensaver_user_locks, medium_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80371-8, NIST-800-53-AC-11(a), NIST-800-171-3.1.10, DISA-STIG-RHEL-07-010081]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

GNOME Desktop Screensaver Mandatory Use

Run the following command to activate the screensaver in the GNOME desktop after a period of inactivity:

$ sudo gconftool-2 --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type bool \
  --set /apps/gnome-screensaver/idle_activation_enabled true

References: 1 12 15 16 DSS05.04 DSS05.10 DSS06.10 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-11(a) PR.AC-7 Req-8.1.8

Rationale: Enabling idle activation of the screensaver ensures the screensaver will be activated after the idle delay. Applications requiring a continuous, real-time screen display (such as network management products) may be exempted only where the login session does not have administrator rights and the display station is located in a controlled-access area.

Enable GNOME3 Screensaver Idle Activation

To activate the screensaver in the GNOME3 desktop after a period of inactivity, add or set idle-activation-enabled to true in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/screensaver]
idle-activation-enabled=true

Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/screensaver/idle-activation-enabled

After the settings have been set, run dconf update.

STIG: RHEL-07-010100 (SV-86523r4_rule)

References: 1 12 15 16 5.5.5 DSS05.04 DSS05.10 DSS06.10 3.1.10 CCI-000057 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-11(a) PR.AC-7 FMT_MOF_EXT.1 Req-8.1.8 SRG-OS-000029-GPOS-00010

Rationale: A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. Enabling idle activation of the screensaver ensures the screensaver will be activated after the idle delay. Applications requiring a continuous, real-time screen display (such as network management products) may be exempted only where the login session does not have administrator rights and the display station is located in a controlled-access area.
Identifier: CCE-80111-8

Remediation (bash):

    include_dconf_settings
    dconf_settings 'org/gnome/desktop/screensaver' 'idle-activation-enabled' 'true' 'local.d' '00-security-settings'
    dconf_lock 'org/gnome/desktop/screensaver' 'idle-activation-enabled' 'local.d' '00-security-settings-lock'

Remediation (Ansible):

    - name: "Enable GNOME3 Screensaver Idle Activation"
      ini_file:
        dest: "/etc/dconf/db/local.d/00-security-settings"
        section: "org/gnome/desktop/screensaver"
        option: idle-activation-enabled  # the dconf key is hyphenated, matching the lock below
        value: "true"
        create: yes
      tags:
        - dconf_gnome_screensaver_idle_activation_enabled
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80111-8
        - NIST-800-53-AC-11(a)
        - NIST-800-171-3.1.10
        - PCI-DSS-Req-8.1.8
        - CJIS-5.5.5
        - DISA-STIG-RHEL-07-010100
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Prevent user modification of GNOME idle-activation-enabled"
      lineinfile:
        path: /etc/dconf/db/local.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/desktop/screensaver/idle-activation-enabled'
        line: '/org/gnome/desktop/screensaver/idle-activation-enabled'
        create: yes
      tags:
        - dconf_gnome_screensaver_idle_activation_enabled
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80111-8
        - NIST-800-53-AC-11(a)
        - NIST-800-171-3.1.10
        - PCI-DSS-Req-8.1.8
        - CJIS-5.5.5
        - DISA-STIG-RHEL-07-010100
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Set GNOME Login Maximum Allowed Inactivity Action

Run the following command to force logout of an inactive user when the maximum allowed inactivity period has expired:

    $ sudo gconftool-2 --direct \
        --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
        --type string \
        --set /desktop/gnome/session/max_idle_action "forced-logout"

Rationale: Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session and will also free up resources utilized by an idle session.

Set GNOME3 Screensaver Inactivity Timeout

The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay setting, which must be set in an appropriate configuration file in the /etc/dconf/db/local.d directory and locked in the /etc/dconf/db/local.d/locks directory to prevent user modification. For example, to configure the system for a 15 minute delay, add the following to /etc/dconf/db/local.d/00-security-settings:

    [org/gnome/desktop/session]
    idle-delay=uint32 900

Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/desktop/session/idle-delay

After the settings have been set, run dconf update.

Identifiers: RHEL-07-010070, SV-86517r5_rule

References: 1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000029-GPOS-00010

Rationale: A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME3 can be configured to identify when a user's session has idled and take action to initiate a session lock.
Identifier: CCE-80110-0

Remediation (bash):

    # inactivity_timeout_value is filled in from the XCCDF variable at build time
    inactivity_timeout_value=""
    include_dconf_settings
    dconf_settings 'org/gnome/desktop/session' 'idle-delay' "uint32 ${inactivity_timeout_value}" 'local.d' '00-security-settings'
    dconf_lock 'org/gnome/desktop/session' 'idle-delay' 'local.d' '00-security-settings-lock'

Remediation (Ansible; the section, value type and lock path below follow the description, which uses org/gnome/desktop/session and a uint32 value):

    - name: XCCDF Value inactivity_timeout_value # promote to variable
      set_fact:
        inactivity_timeout_value: !!str
      tags:
        - always

    - name: "Set GNOME3 Screensaver Inactivity Timeout"
      ini_file:
        dest: "/etc/dconf/db/local.d/00-security-settings"
        section: "org/gnome/desktop/session"
        option: idle-delay
        value: "uint32 {{ inactivity_timeout_value }}"
        create: yes
      tags:
        - dconf_gnome_screensaver_idle_delay
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80110-0
        - NIST-800-53-AC-11(a)
        - NIST-800-171-3.1.10
        - PCI-DSS-Req-8.1.8
        - CJIS-5.5.5
        - DISA-STIG-RHEL-07-010070
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Prevent user modification of GNOME idle-delay"
      lineinfile:
        path: /etc/dconf/db/local.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/desktop/session/idle-delay'
        line: '/org/gnome/desktop/session/idle-delay'
        create: yes
      tags:
        - dconf_gnome_screensaver_idle_delay
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80110-0
        - NIST-800-53-AC-11(a)
        - NIST-800-171-3.1.10
        - PCI-DSS-Req-8.1.8
        - CJIS-5.5.5
        - DISA-STIG-RHEL-07-010070
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period

If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding /org/gnome/desktop/screensaver/lock-enabled to /etc/dconf/db/local.d/00-security-settings (the remediation below writes this lock to /etc/dconf/db/local.d/locks/00-security-settings-lock).
For example:

    /org/gnome/desktop/screensaver/lock-enabled

After the settings have been set, run dconf update.

Identifier: RHEL-07-010062

References: 1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000056, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(b), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000029-GPOS-00010

Rationale: A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.

Identifier: CCE-80563-0

Remediation (bash):

    include_dconf_settings
    dconf_lock 'org/gnome/desktop/screensaver' 'lock-enabled' 'local.d' '00-security-settings-lock'

Set GNOME Login Maximum Allowed Inactivity

Run the following command to set the maximum allowed period of inactivity for an inactive user in the GNOME desktop to the required number of minutes:

    $ sudo gconftool-2 \
        --direct \
        --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
        --type int \
        --set /desktop/gnome/session/max_idle_time

Rationale: Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session and will also free up resources utilized by an idle session.

Implement Blank Screensaver

To set the screensaver mode in the GNOME3 desktop to a blank screen, add or set picture-uri to string '' in /etc/dconf/db/local.d/00-security-settings. For example:

    [org/gnome/desktop/screensaver]
    picture-uri=''

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/desktop/screensaver/picture-uri

After the settings have been set, run dconf update.
References: 1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(b), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8

Rationale: Setting the screensaver mode to blank-only conceals the contents of the display from passersby.

Identifier: CCE-80113-4

Remediation (bash):

    include_dconf_settings
    dconf_settings 'org/gnome/desktop/screensaver' 'picture-uri' "string ''" 'local.d' '00-security-settings'
    dconf_lock 'org/gnome/desktop/screensaver' 'picture-uri' 'local.d' '00-security-settings-lock'

Remediation (Ansible):

    - name: "Implement Blank Screensaver"
      ini_file:
        dest: "/etc/dconf/db/local.d/00-security-settings"
        section: "org/gnome/desktop/screensaver"
        option: picture-uri
        value: string ''
        create: yes
      tags:
        - dconf_gnome_screensaver_mode_blank
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80113-4
        - NIST-800-53-AC-11(b)
        - NIST-800-171-3.1.10
        - PCI-DSS-Req-8.1.8
        - CJIS-5.5.5
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Prevent user modification of GNOME picture-uri"
      lineinfile:
        path: /etc/dconf/db/local.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/desktop/screensaver/picture-uri'
        line: '/org/gnome/desktop/screensaver/picture-uri'
        create: yes
      tags:
        - dconf_gnome_screensaver_mode_blank
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80113-4
        - NIST-800-53-AC-11(b)
        - NIST-800-171-3.1.10
        - PCI-DSS-Req-8.1.8
        - CJIS-5.5.5
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Set GNOME Login Inactivity Timeout

Run the following command to set the idle time-out value for inactivity in the GNOME desktop to the required number of minutes:

    $ sudo gconftool-2 \
        --direct \
        --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
        --type int \
        --set /desktop/gnome/session/idle_delay

References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(a), PR.AC-7, Req-8.1.8

Rationale: Setting the idle delay controls when the screensaver will start, and can be combined with screen locking to prevent access from passersby.

Enable GNOME3 Screensaver Lock After Idle Period

To activate locking of the screensaver in the GNOME3 desktop when it is activated, add or set lock-enabled to true in /etc/dconf/db/local.d/00-security-settings. For example:

    [org/gnome/desktop/screensaver]
    lock-enabled=true

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/desktop/screensaver/lock-enabled

After the settings have been set, run dconf update.

Identifiers: RHEL-07-010060, SV-86515r5_rule

References: 1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000056, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(b), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000028-GPOS-00009, OS-SRG-000030-GPOS-00011

Rationale: A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
Identifier: CCE-80112-6

Remediation (bash):

    include_dconf_settings
    dconf_settings 'org/gnome/desktop/screensaver' 'lock-enabled' 'true' 'local.d' '00-security-settings'
    dconf_lock 'org/gnome/desktop/screensaver' 'lock-enabled' 'local.d' '00-security-settings-lock'

Remediation (Ansible):

    - name: "Enable GNOME3 Screensaver Lock After Idle Period"
      ini_file:
        dest: "/etc/dconf/db/local.d/00-security-settings"
        section: "org/gnome/desktop/screensaver"
        option: lock-enabled
        value: "true"
        create: yes
      tags:
        - dconf_gnome_screensaver_lock_enabled
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80112-6
        - NIST-800-53-AC-11(b)
        - NIST-800-171-3.1.10
        - PCI-DSS-Req-8.1.8
        - CJIS-5.5.5
        - DISA-STIG-RHEL-07-010060
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Prevent user modification of GNOME lock-enabled"
      lineinfile:
        path: /etc/dconf/db/local.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/desktop/screensaver/lock-enabled'
        line: '/org/gnome/desktop/screensaver/lock-enabled'
        create: yes
      tags:
        - dconf_gnome_screensaver_lock_enabled
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80112-6
        - NIST-800-53-AC-11(b)
        - NIST-800-171-3.1.10
        - PCI-DSS-Req-8.1.8
        - CJIS-5.5.5
        - DISA-STIG-RHEL-07-010060
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure Users Cannot Change GNOME3 Screensaver Idle Activation

If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding /org/gnome/desktop/screensaver/idle-activation-enabled to /etc/dconf/db/local.d/00-security-settings (the remediation below writes this lock to /etc/dconf/db/local.d/locks/00-security-settings-lock). For example:

    /org/gnome/desktop/screensaver/idle-activation-enabled

After the settings have been set, run dconf update.
Identifiers: RHEL-07-010101, SV-93703r2_rule

References: 1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000029-GPOS-00010

Rationale: A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.

Identifier: CCE-80564-8

Remediation (bash):

    include_dconf_settings
    dconf_lock 'org/gnome/desktop/screensaver' 'idle-activation-enabled' 'local.d' '00-security-settings-lock'

GNOME Media Settings

GNOME media settings that apply to the graphical interface.

Disable GNOME Automounting

The system's default desktop environment, GNOME, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. Disable automount and autorun within GNOME by running the following:

    $ sudo gconftool-2 --direct \
        --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
        --type bool \
        --set /apps/nautilus/preferences/media_automount false
    $ sudo gconftool-2 --direct \
        --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
        --type bool \
        --set /apps/nautilus/preferences/media_autorun_never true

References: 12, 16, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, 4.3.3.2.2, 4.3.3.5.2, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.13, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, AC-19(a), AC-19(d), AC-19(e), PR.AC-3, PR.AC-6

Rationale: Disabling automatic mounting in GNOME can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use of removable media.
Disable All GNOME Thumbnailers

The system's default desktop environment, GNOME, uses a number of different thumbnailer programs to generate thumbnails for any new or modified content in an opened folder. The following command can disable the execution of these thumbnail applications:

    $ sudo gconftool-2 --direct \
        --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
        --type bool \
        --set /desktop/gnome/thumbnailers/disable_all true

This effectively prevents an attacker from gaining access to a system through a flaw in GNOME's Nautilus thumbnail creators.

References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3

Rationale: An attacker with knowledge of a flaw in a GNOME thumbnailer application could craft a malicious file to exploit this flaw. Assuming the attacker could place the malicious file on the local filesystem (via a web upload, for example) and assuming a user browses the same location using Nautilus, the malicious file would exploit the thumbnailer with the potential for malicious code execution. It is best to disable these thumbnailer applications unless they are explicitly required.

Disable All GNOME3 Thumbnailers

The system's default desktop environment, GNOME3, uses a number of different thumbnailer programs to generate thumbnails for any new or modified content in an opened folder. To disable the execution of these thumbnail applications, add or set disable-all to true in /etc/dconf/db/local.d/00-security-settings.
For example:

    [org/gnome/desktop/thumbnailers]
    disable-all=true

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/desktop/thumbnailers/disable-all

After the settings have been set, run dconf update. This effectively prevents an attacker from gaining access to a system through a flaw in GNOME3's Nautilus thumbnail creators.

References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3

Rationale: An attacker with knowledge of a flaw in a GNOME3 thumbnailer application could craft a malicious file to exploit this flaw. Assuming the attacker could place the malicious file on the local filesystem (via a web upload, for example) and assuming a user browses the same location using Nautilus, the malicious file would exploit the thumbnailer with the potential for malicious code execution. It is best to disable these thumbnailer applications unless they are explicitly required.
Identifier: CCE-80123-3

Remediation (bash):

    include_dconf_settings
    dconf_settings 'org/gnome/desktop/thumbnailers' 'disable-all' 'true' 'local.d' '00-security-settings'
    dconf_lock 'org/gnome/desktop/thumbnailers' 'disable-all' 'local.d' '00-security-settings-lock'

Remediation (Ansible):

    - name: "Disable All GNOME3 Thumbnailers"
      ini_file:
        dest: /etc/dconf/db/local.d/00-security-settings
        section: org/gnome/desktop/thumbnailers
        option: disable-all
        value: "true"
        create: yes
      tags:
        - dconf_gnome_disable_thumbnailers
        - unknown_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80123-3
        - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Prevent user modification of GNOME3 Thumbnailers"
      lineinfile:
        path: /etc/dconf/db/local.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/desktop/thumbnailers/disable-all'
        line: '/org/gnome/desktop/thumbnailers/disable-all'
        create: yes
      tags:
        - dconf_gnome_disable_thumbnailers
        - unknown_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80123-3
        - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable GNOME3 Automounting

The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable automount and autorun within GNOME3, add or set automount to false, automount-open to false, and autorun-never to true in /etc/dconf/db/local.d/00-security-settings. For example:

    [org/gnome/desktop/media-handling]
    automount=false
    automount-open=false
    autorun-never=true

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:

    /org/gnome/desktop/media-handling/automount
    /org/gnome/desktop/media-handling/automount-open
    /org/gnome/desktop/media-handling/autorun-never

After the settings have been set, run dconf update.

References: 12, 16, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, 3.1.7, 4.3.3.2.2, 4.3.3.5.2, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.13, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, AC-19(a), AC-19(d), AC-19(e), PR.AC-3, PR.AC-6

Rationale: Disabling automatic mounting in GNOME3 can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use of removable media.

Identifier: CCE-80122-5

Remediation (bash):

    include_dconf_settings
    dconf_settings 'org/gnome/desktop/media-handling' 'automount' 'false' 'local.d' '00-security-settings'
    dconf_settings 'org/gnome/desktop/media-handling' 'automount-open' 'false' 'local.d' '00-security-settings'
    dconf_settings 'org/gnome/desktop/media-handling' 'autorun-never' 'true' 'local.d' '00-security-settings'
    dconf_lock 'org/gnome/desktop/media-handling' 'automount' 'local.d' '00-security-settings-lock'
    dconf_lock 'org/gnome/desktop/media-handling' 'automount-open' 'local.d' '00-security-settings-lock'
    dconf_lock 'org/gnome/desktop/media-handling' 'autorun-never' 'local.d' '00-security-settings-lock'

Remediation (Ansible):

    - name: "Disable GNOME3 Automounting - automount"
      ini_file:
        dest: /etc/dconf/db/local.d/00-security-settings
        section: org/gnome/desktop/media-handling
        option: automount
        value: "false"
        create: yes
      tags:
        - dconf_gnome_disable_automount
        - unknown_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80122-5
        - NIST-800-53-AC-19(a)
        - NIST-800-53-AC-19(d)
        - NIST-800-53-AC-19(e)
        - NIST-800-171-3.1.7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Prevent user modification of GNOME3 Automounting - automount"
      lineinfile:
        path: /etc/dconf/db/local.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/desktop/media-handling/automount'
        line: '/org/gnome/desktop/media-handling/automount'
        create: yes
      tags:
        - dconf_gnome_disable_automount
        - unknown_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80122-5
        - NIST-800-53-AC-19(a)
        - NIST-800-53-AC-19(d)
        - NIST-800-53-AC-19(e)
        - NIST-800-171-3.1.7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Disable GNOME3 Automounting - automount-open"
      ini_file:
        dest: /etc/dconf/db/local.d/00-security-settings
        section: org/gnome/desktop/media-handling
        option: automount-open
        value: "false"
        create: yes
      tags:
        - dconf_gnome_disable_automount
        - unknown_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80122-5
        - NIST-800-53-AC-19(a)
        - NIST-800-53-AC-19(d)
        - NIST-800-53-AC-19(e)
        - NIST-800-171-3.1.7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Prevent user modification of GNOME3 Automounting - automount-open"
      lineinfile:
        path: /etc/dconf/db/local.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/desktop/media-handling/automount-open'
        line: '/org/gnome/desktop/media-handling/automount-open'
        create: yes
      tags:
        - dconf_gnome_disable_automount
        - unknown_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80122-5
        - NIST-800-53-AC-19(a)
        - NIST-800-53-AC-19(d)
        - NIST-800-53-AC-19(e)
        - NIST-800-171-3.1.7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Disable GNOME3 Automounting - autorun-never"
      ini_file:
        dest: /etc/dconf/db/local.d/00-security-settings
        section: org/gnome/desktop/media-handling
        option: autorun-never
        value: "true"
        create: yes
      tags:
        - dconf_gnome_disable_automount
        - unknown_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80122-5
        - NIST-800-53-AC-19(a)
        - NIST-800-53-AC-19(d)
        - NIST-800-53-AC-19(e)
        - NIST-800-171-3.1.7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Prevent user modification of GNOME3 Automounting - autorun-never"
      lineinfile:
        path: /etc/dconf/db/local.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/desktop/media-handling/autorun-never'
        line: '/org/gnome/desktop/media-handling/autorun-never'
        create: yes
      tags:
        - dconf_gnome_disable_automount
        - unknown_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80122-5
        - NIST-800-53-AC-19(a)
        - NIST-800-53-AC-19(d)
        - NIST-800-53-AC-19(e)
        - NIST-800-171-3.1.7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

GNOME System Settings

GNOME provides configuration and functionality for a graphical desktop environment that changes graphical configuration or allows a user to perform actions that users normally would not be able to perform in non-graphical mode, such as remote access configuration, power policies, geolocation, etc. Configuring such settings in GNOME will prevent accidental graphical configuration changes by users from taking place.

Disable Geolocation in GNOME3

GNOME allows the clock and applications to track and access location information. This setting should be disabled, as applications should not track system location. To configure the system to disable location tracking, add or set enabled to false in /etc/dconf/db/local.d/00-security-settings. For example:

    [org/gnome/system/location]
    enabled=false

To configure the clock to disable location tracking, add or set geolocation to false in /etc/dconf/db/local.d/00-security-settings.
For example:

    [org/gnome/clocks]
    geolocation=false

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/system/location/enabled
    /org/gnome/clocks/geolocation

After the settings have been set, run dconf update.

Rationale: Power settings should not be enabled on systems that are not mobile devices. Enabling power settings on non-mobile devices could have unintended processing consequences on standard systems.

Identifier: CCE-80117-5

Remediation (bash):

    include_dconf_settings
    dconf_settings 'org/gnome/system/location' 'enabled' 'false' 'local.d' '00-security-settings'
    dconf_settings 'org/gnome/clocks' 'geolocation' 'false' 'local.d' '00-security-settings'
    dconf_lock 'org/gnome/system/location' 'enabled' 'local.d' '00-security-settings-lock'
    dconf_lock 'org/gnome/clocks' 'geolocation' 'local.d' '00-security-settings-lock'

Remediation (Ansible):

    - name: "Disable Geolocation in GNOME3 - location tracking"
      ini_file:
        dest: /etc/dconf/db/local.d/00-security-settings
        section: org/gnome/system/location
        option: enabled
        value: "false"
        create: yes
      tags:
        - dconf_gnome_disable_geolocation
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80117-5
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Disable Geolocation in GNOME3 - clock location tracking"
      ini_file:
        dest: /etc/dconf/db/local.d/00-security-settings
        section: org/gnome/clocks
        option: geolocation  # key name matches the lock below
        value: "false"
        create: yes
      tags:
        - dconf_gnome_disable_geolocation
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80117-5
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Prevent user modification of GNOME geolocation - location tracking"
      lineinfile:
        path: /etc/dconf/db/local.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/system/location/enabled'
        line: '/org/gnome/system/location/enabled'
        create: yes
      tags:
        - dconf_gnome_disable_geolocation
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80117-5
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Prevent user modification of GNOME geolocation - clock location tracking"
      lineinfile:
        path: /etc/dconf/db/local.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/clocks/geolocation'
        line: '/org/gnome/clocks/geolocation'
        create: yes
      tags:
        - dconf_gnome_disable_geolocation
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80117-5
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME

By default, GNOME will reboot the system if the Ctrl-Alt-Del key sequence is pressed. To configure the system to ignore the Ctrl-Alt-Del key sequence from the Graphical User Interface (GUI) instead of rebooting the system, run the following:

    $ sudo gconftool-2 --direct \
        --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
        --type string \
        --set /apps/gnome_settings_daemon/keybindings/power ""

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, PR.AC-4, PR.DS-5

Rationale: A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.
Disable the GNOME Clock Weather Feature

Run the following command to disable the weather feature of the GNOME clock:

    $ sudo gconftool-2 --direct \
        --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
        --type bool \
        --set /apps/panel/applets/clock/prefs/show_weather false

Rationale: Disabling the weather feature in the GNOME clock prevents the system from connecting to the internet and disclosing the system location when set by a user.

Disable the GNOME Clock Temperature Feature

Run the following command to disable the temperature feature of the GNOME clock:

    $ sudo gconftool-2 --direct \
        --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
        --type bool \
        --set /apps/panel/applets/clock/prefs/show_temperature false

Rationale: Disabling the temperature feature in the GNOME clock prevents the system from connecting to the internet and disclosing the system location when set by a user.

Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3

By default, GNOME will reboot the system if the Ctrl-Alt-Del key sequence is pressed. To configure the system to ignore the Ctrl-Alt-Del key sequence from the Graphical User Interface (GUI) instead of rebooting the system, add or set logout to string '' in /etc/dconf/db/local.d/00-security-settings. For example:

    [org/gnome/settings-daemon/plugins/media-keys]
    logout=''

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/settings-daemon/plugins/media-keys/logout

After the settings have been set, run dconf update.
References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.2, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227

Rationale: A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.

Identifier: CCE-80124-1

Remediation (bash):

    include_dconf_settings
    dconf_settings 'org/gnome/settings-daemon/plugins/media-keys' 'logout' "string ''" 'local.d' '00-security-settings'
    dconf_lock 'org/gnome/settings-daemon/plugins/media-keys' 'logout' 'local.d' '00-security-settings-lock'

Remediation (Ansible):

    - name: "Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3"
      ini_file:
        dest: /etc/dconf/db/local.d/00-security-settings
        section: org/gnome/settings-daemon/plugins/media-keys
        option: logout
        value: string ''
        create: yes
      tags:
        - dconf_gnome_disable_ctrlaltdel_reboot
        - high_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80124-1
        - NIST-800-53-AC-6
        - NIST-800-171-3.1.2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Prevent user modification of GNOME disablement of Ctrl-Alt-Del"
      lineinfile:
        path: /etc/dconf/db/local.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/settings-daemon/plugins/media-keys/logout'
        line: '/org/gnome/settings-daemon/plugins/media-keys/logout'
        create: yes
      tags:
        - dconf_gnome_disable_ctrlaltdel_reboot
        - high_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80124-1
        - NIST-800-53-AC-6
        - NIST-800-171-3.1.2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Power Settings in GNOME3

By default, GNOME enables a power profile designed for mobile devices with battery usage. While useful for mobile devices, this setting should be disabled for all other systems. To configure the system to disable the power setting, add or set active to false in /etc/dconf/db/local.d/00-security-settings. For example:

    [org/gnome/settings-daemon/plugins/power]
    active=false

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/settings-daemon/plugins/power

After the settings have been set, run dconf update.

Rationale: Power settings should not be enabled on systems that are not mobile devices. Enabling power settings on non-mobile devices could have unintended processing consequences on standard systems.

Identifier: CCE-80116-7

Disable User Administration in GNOME3

By default, GNOME will allow all users to have some administration capability. This should be disabled so that non-administrative users are not making configuration changes. To configure the system to disable user administration capability in the Graphical User Interface (GUI), add or set user-administration-disabled to true in /etc/dconf/db/local.d/00-security-settings. For example:

    [org/gnome/desktop/lockdown]
    user-administration-disabled=true

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/desktop/lockdown/user-administration-disabled

After the settings have been set, run dconf update.

References: 3.1.5, FMT_MOD_EXT.1

Rationale: Allowing all users to have some administrative capabilities on the system through the Graphical User Interface (GUI) when they would not have them otherwise could allow unintended configuration changes, and could give a nefarious user the capability to make system changes such as adding new accounts.
Identifiers: CCE-80115-9

Remediation Shell script:

    include_dconf_settings
    dconf_settings 'org/gnome/desktop/lockdown' 'user-administration-disabled' 'true' 'local.d' '00-security-settings'
    dconf_lock 'org/gnome/desktop/lockdown' 'user-administration-disabled' 'local.d' '00-security-settings-lock'

Remediation Ansible snippet:

    - name: "Disable User Administration in GNOME3"
      ini_file:
        dest: /etc/dconf/db/local.d/00-security-settings
        section: org/gnome/desktop/lockdown
        option: user-administration-disabled
        value: "true"
        create: yes
      tags:
        - dconf_gnome_disable_user_admin
        - high_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80115-9
        - NIST-800-171-3.1.5
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Prevent user modification of GNOME3 disablement of User Administration"
      lineinfile:
        path: /etc/dconf/db/local.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/desktop/lockdown/user-administration-disabled'
        line: '/org/gnome/desktop/lockdown/user-administration-disabled'
        create: yes
      tags:
        - dconf_gnome_disable_user_admin
        - high_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80115-9
        - NIST-800-171-3.1.5
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure GNOME Login Screen

In the default GNOME desktop, the login screen is displayed after system boot and can display user accounts, allow users to reboot the system, and allow users to log in automatically and/or with a guest account. The login screen should be configured to prevent such behavior. The login screen rules below place their keyfiles and locks under /etc/dconf/db/gdm.d rather than local.d because GDM runs with its own dconf profile (/etc/dconf/profile/gdm) and does not read the user profile. For more information about enforcing preferences in the GNOME3 environment using the DConf configuration system, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Desktop_Migration_and_Administration_Guide/index.html and the man page dconf(1).
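The local.d rules above and the gdm.d, nm-applet and Vino rules that follow all apply the same two-step pattern (set the key in a keyfile, list its path in a locks file, run dconf update), and the GDM custom.conf rules later on this page edit a file with the same INI-style syntax. The shell functions below are an added illustration written for this page, not SCAP Security Guide code: they reimplement that pattern in portable sh, covering the cases the page's sed remediations do not (a missing section header, the same key name under another section, a lock entry added twice), and add a freshness check for the compiled database that mirrors the intent of the "dconf databases are up-to-date" rule. The function names, the scratch directory used by demo, and the sample custom.conf contents are all constructed here and are not part of the guide.

```shell
#!/bin/sh
# Added example, not SCAP Security Guide code. Plain-sh equivalents of the
# SSG dconf_settings / dconf_lock helpers and of the Ansible ini_file task
# used for /etc/gdm/custom.conf, plus a freshness check for a compiled
# dconf DB. Paths are parameters so everything can run in a scratch tree.

# set_keyfile_value FILE SECTION KEY VALUE
# Idempotently sets KEY=VALUE inside [SECTION] of an INI-style keyfile
# (dconf keyfiles and gdm custom.conf share this syntax). Creates the file
# and the section when missing; replaces KEY only if it sits inside SECTION,
# so a same-named key in another section is left alone. Unlike the sed
# remediation on this page, a missing section header is handled instead of
# silently doing nothing. Writes back through the existing inode so mode and
# ownership of the file are preserved. VALUE is passed through awk -v, so
# backslash escapes in it would be interpreted (none occur in these rules).
set_keyfile_value() {
    file=$1 section=$2 key=$3 value=$4
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    if ! grep -qxF "[$section]" "$file"; then
        [ -s "$file" ] && printf '\n' >> "$file"
        printf '[%s]\n%s=%s\n' "$section" "$key" "$value" >> "$file"
        return 0
    fi
    awk -v s="[$section]" -v k="$key" -v v="$value" '
        /^\[/ {                                   # any section header
            if (in_s && !done) { print k "=" v; done = 1 }   # flush before leaving
            in_s = ($0 == s); print; next
        }
        in_s && index($0, "=") > 0 {              # key=value line inside SECTION
            kk = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", kk)
            if (kk == k) { if (!done) { print k "=" v; done = 1 }; next }
        }
        { print }
        END { if (in_s && !done) print k "=" v }  # SECTION was last in file
    ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# get_keyfile_value FILE SECTION KEY  -> prints the value, nothing if unset
get_keyfile_value() {
    [ -f "$1" ] || return 0
    awk -v s="[$2]" -v k="$3" '
        /^\[/ { in_s = ($0 == s); next }
        in_s && index($0, "=") > 0 {
            kk = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", kk)
            if (kk == k) { val = substr($0, index($0, "=") + 1); sub(/^[ \t]+/, "", val); print val; exit }
        }
    ' "$1"
}

# add_lock_entry LOCKFILE PATH  -> appends PATH to the lock list exactly once
add_lock_entry() {
    lockfile=$1 path=$2
    mkdir -p "$(dirname "$lockfile")"
    [ -f "$lockfile" ] && grep -qxF "$path" "$lockfile" && return 0
    printf '%s\n' "$path" >> "$lockfile"
}

# dconf_db_is_stale DB KEYFILE_DIR  -> true (0) when DB is missing or any
# keyfile/lock under KEYFILE_DIR is newer than it, i.e. dconf update is due.
dconf_db_is_stale() {
    db=$1 dir=$2
    [ -f "$db" ] || return 0
    [ -n "$(find "$dir" -type f -newer "$db" 2>/dev/null | head -n 1)" ]
}

# demo: apply two of the page's local.d settings and the GDM auto-login
# setting into a scratch tree, print the result, and report DB freshness.
demo() {
    root=$(mktemp -d)
    kf="$root/etc/dconf/db/local.d/00-security-settings"
    lock="$root/etc/dconf/db/local.d/locks/00-security-settings-lock"
    set_keyfile_value "$kf" org/gnome/settings-daemon/plugins/media-keys logout "''"
    set_keyfile_value "$kf" org/gnome/desktop/lockdown user-administration-disabled true
    add_lock_entry "$lock" /org/gnome/settings-daemon/plugins/media-keys/logout
    add_lock_entry "$lock" /org/gnome/desktop/lockdown/user-administration-disabled
    set_keyfile_value "$root/etc/gdm/custom.conf" daemon AutomaticLoginEnable false
    cat "$kf" "$lock" "$root/etc/gdm/custom.conf"
    dconf_db_is_stale "$root/etc/dconf/db/local" "$root/etc/dconf/db/local.d" \
        && echo "local DB missing or stale: run dconf update"
    rm -rf "$root"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh keyfile.sh demo` to see the generated files; to use it for real, point the functions at /etc/dconf/db/local.d and /etc/gdm/custom.conf and run dconf update afterwards, exactly as the rules describe.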
Enable the GNOME3 Login Smartcard Authentication

In the default graphical environment, smart card authentication can be enabled on the login screen by setting enable-smartcard-authentication to true. To enable, add or edit enable-smartcard-authentication in /etc/dconf/db/gdm.d/00-security-settings. For example:

    [org/gnome/login-screen]
    enable-smartcard-authentication=true

Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/login-screen/enable-smartcard-authentication

After the settings have been set, run dconf update. This key only makes GDM offer the smart card login path; the card itself is validated by the PAM stack (for example pam_pkcs11 or SSSD), which must be configured separately for such a login to succeed.

References: CCI-000765 CCI-000766 CCI-000767 CCI-000768 CCI-000771 CCI-000772 CCI-000884 CCI-001954 Req-8.3 SRG-OS-000375-GPOS-00160 RHEL-07-010061 SV-92515r2_rule

Rationale: Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials.

Identifiers: CCE-80108-4

Remediation Shell script:

    include_dconf_settings
    dconf_settings 'org/gnome/login-screen' 'enable-smartcard-authentication' 'true' 'gdm.d' '00-security-settings'
    dconf_lock 'org/gnome/login-screen' 'enable-smartcard-authentication' 'gdm.d' '00-security-settings-lock'

Remediation Ansible snippet:

    - name: "Enable the GNOME3 Login Smartcard Authentication"
      ini_file:
        dest: /etc/dconf/db/gdm.d/00-security-settings
        section: org/gnome/login-screen
        option: enable-smartcard-authentication
        value: "true"
        create: yes
      tags:
        - dconf_gnome_enable_smartcard_auth
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80108-4
        - PCI-DSS-Req-8.3
        - DISA-STIG-RHEL-07-010061
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Prevent user modification of GNOME3 disablement of Smartcard Authentication"
      lineinfile:
        path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/login-screen/enable-smartcard-authentication'
        line: '/org/gnome/login-screen/enable-smartcard-authentication'
        create: yes
      tags:
        - dconf_gnome_enable_smartcard_auth
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80108-4
        - PCI-DSS-Req-8.3
        - DISA-STIG-RHEL-07-010061
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the GNOME3 Login Restart and Shutdown Buttons

In the default graphical environment, users logging directly into the system are greeted with a login screen that allows any user, known or unknown, to shut down or restart the system. This functionality should be disabled by setting disable-restart-buttons to true. To disable, add or edit disable-restart-buttons in /etc/dconf/db/gdm.d/00-security-settings. For example:

    [org/gnome/login-screen]
    disable-restart-buttons=true

Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/login-screen/disable-restart-buttons

After the settings have been set, run dconf update. Hiding the buttons removes the convenient path only; someone with physical access can still power-cycle the machine, so this rule complements rather than replaces physical protection.

References: 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.1.2 CCI-000366 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 SRG-OS-000480-GPOS-00227

Rationale: A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons are pressed at the login screen, this can create the risk of short-term loss of availability of systems due to reboot.
Identifiers: CCE-80107-6

Remediation Shell script:

    include_dconf_settings
    dconf_settings 'org/gnome/login-screen' 'disable-restart-buttons' 'true' 'gdm.d' '00-security-settings'
    dconf_lock 'org/gnome/login-screen' 'disable-restart-buttons' 'gdm.d' '00-security-settings-lock'

Remediation Ansible snippet:

    - name: "Disable the GNOME3 Login Restart and Shutdown Buttons"
      ini_file:
        dest: /etc/dconf/db/gdm.d/00-security-settings
        section: org/gnome/login-screen
        option: disable-restart-buttons
        value: "true"
        create: yes
      tags:
        - dconf_gnome_disable_restart_shutdown
        - high_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80107-6
        - NIST-800-53-AC-6
        - NIST-800-171-3.1.2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Prevent user modification of GNOME disablement of Login Restart and Shutdown Buttons"
      lineinfile:
        path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/login-screen/disable-restart-buttons'
        line: '/org/gnome/login-screen/disable-restart-buttons'
        create: yes
      tags:
        - dconf_gnome_disable_restart_shutdown
        - high_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80107-6
        - NIST-800-53-AC-6
        - NIST-800-171-3.1.2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the GNOME Login Restart and Shutdown Buttons

In the default graphical environment, users logging directly into the system are greeted with a login screen that allows any user, known or unknown, to shut down or restart the system.
This functionality should be disabled by running the following:

    $ sudo gconftool-2 --direct \
        --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
        --type bool \
        --set /apps/gdm/simple-greeter/disable_restart_buttons true

References: 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5

Rationale: A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons are pressed at the login screen, this can create the risk of short-term loss of availability of systems due to reboot.

Disable GDM Automatic Login

The GNOME Display Manager (GDM) can allow users to log in automatically without user interaction or credentials. Users should always be required to authenticate themselves to the system that they are authorized to use. To disable the ability to log in to the system automatically, set AutomaticLoginEnable to false in the [daemon] section of /etc/gdm/custom.conf. For example:

    [daemon]
    AutomaticLoginEnable=false

References: RHEL-07-010440 SV-86577r2_rule 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 3.1.1 CCI-000366 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-6(b) PR.IP-1 FIA_AFL.1 SRG-OS-000480-GPOS-00229

Rationale: Failure to restrict system access to authenticated users negatively impacts operating system security.

Identifiers: CCE-80104-3

Remediation Shell script:

    if rpm --quiet -q gdm
    then
        if ! grep -q "^AutomaticLoginEnable=" /etc/gdm/custom.conf
        then
            sed -i "/^\[daemon\]/a \ AutomaticLoginEnable=False" /etc/gdm/custom.conf
        else
            sed -i "s/^AutomaticLoginEnable=.*/AutomaticLoginEnable=False/g" /etc/gdm/custom.conf
        fi
    fi

Two things to check after running this script: the sed append only fires when a [daemon] header already exists, so a custom.conf without one is left unchanged; and the script writes False while the description and the Ansible task below write false, so confirm that the file ends up in the form the description gives.

Remediation Ansible snippet:

    - name: "Disable GDM Automatic Login"
      ini_file:
        dest: /etc/gdm/custom.conf
        section: daemon
        option: AutomaticLoginEnable
        value: "false"
        no_extra_spaces: yes
        create: yes
      tags:
        - gnome_gdm_disable_automatic_login
        - high_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80104-3
        - NIST-800-53-CM-6(b)
        - NIST-800-171-3.1.1
        - DISA-STIG-RHEL-07-010440
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Set the GNOME3 Login Number of Failures

In the default graphical environment, the GNOME3 login screen can be configured to restart the authentication process after a configured number of attempts. This can be configured by setting allowed-failures to 3 or less. To enable, add or edit allowed-failures in /etc/dconf/db/gdm.d/00-security-settings. For example:

    [org/gnome/login-screen]
    allowed-failures=3

Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/login-screen/allowed-failures

After the settings have been set, run dconf update. This setting only resets the greeter's authentication dialog; it does not lock the account, which is the job of pam_faillock in the PAM configuration.

References: 3.1.8 FMT_MOF_EXT.1

Rationale: Setting the number of password retries permitted per login-screen session to a low value forces the authentication dialog to restart after a few failures. This can slow down and draw additional attention to some types of password-guessing attacks.
Identifiers: CCE-80109-2

Remediation Shell script:

    include_dconf_settings
    dconf_settings 'org/gnome/login-screen' 'allowed-failures' "3" 'gdm.d' '00-security-settings'
    dconf_lock 'org/gnome/login-screen' 'allowed-failures' 'gdm.d' '00-security-settings-lock'

Remediation Ansible snippet:

    - name: "Enable the GNOME3 Login Number of Failures"
      ini_file:
        dest: /etc/dconf/db/gdm.d/00-security-settings
        section: org/gnome/login-screen
        option: allowed-failures
        value: "3"
        create: yes
      tags:
        - dconf_gnome_login_retries
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80109-2
        - NIST-800-171-3.1.8
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Prevent user modification of GNOME3 Login Number of Failures"
      lineinfile:
        path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/login-screen/allowed-failures'
        line: '/org/gnome/login-screen/allowed-failures'
        create: yes
      tags:
        - dconf_gnome_login_retries
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80109-2
        - NIST-800-171-3.1.8
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the GNOME3 Login User List

In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled by setting disable-user-list to true. To disable, add or edit disable-user-list in /etc/dconf/db/gdm.d/00-security-settings. For example:

    [org/gnome/login-screen]
    disable-user-list=true

Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/login-screen/disable-user-list

After the settings have been set, run dconf update.
References: AC-23

Rationale: Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to quickly enumerate known user accounts without logging in.

Identifiers: CCE-80106-8

Remediation Shell script:

    include_dconf_settings
    dconf_settings 'org/gnome/login-screen' 'disable-user-list' 'true' 'gdm.d' '00-security-settings'
    dconf_lock 'org/gnome/login-screen' 'disable-user-list' 'gdm.d' '00-security-settings-lock'

Remediation Ansible snippet:

    - name: "Disable the GNOME3 Login User List"
      ini_file:
        dest: /etc/dconf/db/gdm.d/00-security-settings
        section: org/gnome/login-screen
        option: disable-user-list
        value: "true"
        create: yes
      tags:
        - dconf_gnome_disable_user_list
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80106-8
        - NIST-800-53-AC-23
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Prevent user modification of GNOME3 disablement of Login User List"
      lineinfile:
        path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/login-screen/disable-user-list'
        line: '/org/gnome/login-screen/disable-user-list'
        create: yes
      tags:
        - dconf_gnome_disable_user_list
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80106-8
        - NIST-800-53-AC-23
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the User List

In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled.
Run the following command to disable the user list:

    $ sudo gconftool-2 --direct \
        --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
        --type bool \
        --set /apps/gdm/simple-greeter/disable_user_list true

References: AC-23

Rationale: Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to quickly enumerate known user accounts without logging in.

Disable GDM Guest Login

The GNOME Display Manager (GDM) can allow users to log in without credentials, which can be useful for public kiosk scenarios. Allowing users to log in without credentials or with "guest" account access has inherent security risks and should be disabled. To disable timed logins or guest account access, set TimedLoginEnable to false in the [daemon] section of /etc/gdm/custom.conf. For example:

    [daemon]
    TimedLoginEnable=false

References: RHEL-07-010450 SV-86579r3_rule 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 3.1.1 CCI-000366 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-6(b) PR.IP-1 FIA_AFL.1 SRG-OS-000480-GPOS-00229

Rationale: Failure to restrict system access to authenticated users negatively impacts operating system security.

Identifiers: CCE-80105-0

Remediation Shell script:

    if rpm --quiet -q gdm
    then
        if ! grep -q "^TimedLoginEnable=" /etc/gdm/custom.conf
        then
            sed -i "/^\[daemon\]/a \ TimedLoginEnable=False" /etc/gdm/custom.conf
        else
            sed -i "s/^TimedLoginEnable=.*/TimedLoginEnable=False/g" /etc/gdm/custom.conf
        fi
    fi

The same caveats apply as for the automatic-login script above: nothing is added when the [daemon] header is absent, and the value written (False) differs in case from the description (false).

Remediation Ansible snippet:

    - name: "Disable GDM Guest Login"
      ini_file:
        dest: /etc/gdm/custom.conf
        section: daemon
        option: TimedLoginEnable
        value: "false"
        no_extra_spaces: yes
        create: yes
      tags:
        - gnome_gdm_disable_guest_login
        - high_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80105-0
        - NIST-800-53-CM-6(b)
        - NIST-800-171-3.1.1
        - DISA-STIG-RHEL-07-010450
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

GNOME Network Settings

GNOME network settings that apply to the graphical interface.

Disable WIFI Network Connection Creation in GNOME

GNOME allows users to create ad-hoc wireless connections through the NetworkManager applet. Wireless connection creation should be disabled by running the following:

    $ sudo gconftool-2 --direct \
        --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
        --type bool \
        --set /apps/nm-applet/disable-wifi-create true

Rationale: Wireless network connections should not be allowed to be configured by general users on a given system as it could open the system to backdoor attacks.

Disable WIFI Network Connection Creation in GNOME3

GNOME allows users to create ad-hoc wireless connections through the NetworkManager applet. Wireless connection creation should be disabled by adding or setting disable-wifi-create to true in /etc/dconf/db/local.d/00-security-settings. For example:

    [org/gnome/nm-applet]
    disable-wifi-create=true

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/nm-applet/disable-wifi-create

After the settings have been set, run dconf update.
References: 3.1.16

Rationale: Wireless network connections should not be allowed to be configured by general users on a given system as it could open the system to backdoor attacks.

Identifiers: CCE-80118-3

Remediation Shell script:

    include_dconf_settings
    dconf_settings 'org/gnome/nm-applet' 'disable-wifi-create' 'true' 'local.d' '00-security-settings'
    dconf_lock 'org/gnome/nm-applet' 'disable-wifi-create' 'local.d' '00-security-settings-lock'

Remediation Ansible snippet:

    - name: "Disable WiFi Network Connection Creation in GNOME3"
      ini_file:
        dest: /etc/dconf/db/local.d/00-security-settings
        section: org/gnome/nm-applet
        option: disable-wifi-create
        value: "true"
        create: yes
      tags:
        - dconf_gnome_disable_wifi_create
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80118-3
        - NIST-800-171-3.1.16
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Prevent user modification of GNOME3 disablement of WiFi"
      lineinfile:
        path: /etc/dconf/db/local.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/nm-applet/disable-wifi-create'
        line: '/org/gnome/nm-applet/disable-wifi-create'
        create: yes
      tags:
        - dconf_gnome_disable_wifi_create
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80118-3
        - NIST-800-171-3.1.16
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable WIFI Network Notification in GNOME3

By default, GNOME disables the WIFI notification. This should be permanently set so that users are not prompted to connect to a wireless network when the system finds one. While useful for mobile devices, this behavior should be disabled for all other systems. To configure the system to disable the WIFI notification, add or set suppress-wireless-networks-available to true in /etc/dconf/db/local.d/00-security-settings. For example:

    [org/gnome/nm-applet]
    suppress-wireless-networks-available=true

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/nm-applet/suppress-wireless-networks-available

After the settings have been set, run dconf update.

References: 3.1.16

Rationale: Wireless network connections should not be allowed to be configured by general users on a given system as it could open the system to backdoor attacks.

Identifiers: CCE-80119-1

Remediation Shell script:

    include_dconf_settings
    dconf_settings 'org/gnome/nm-applet' 'suppress-wireless-networks-available' 'true' 'local.d' '00-security-settings'
    dconf_lock 'org/gnome/nm-applet' 'suppress-wireless-networks-available' 'local.d' '00-security-settings-lock'

Remediation Ansible snippet:

    - name: "Disable WiFi Network Notification in GNOME3"
      ini_file:
        dest: /etc/dconf/db/local.d/00-security-settings
        section: org/gnome/nm-applet
        option: suppress-wireless-networks-available
        value: "true"
        create: yes
      tags:
        - dconf_gnome_disable_wifi_notification
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80119-1
        - NIST-800-171-3.1.16
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Prevent user modification of GNOME3 disablement of WiFi Notification"
      lineinfile:
        path: /etc/dconf/db/local.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/nm-applet/suppress-wireless-networks-available'
        line: '/org/gnome/nm-applet/suppress-wireless-networks-available'
        create: yes
      tags:
        - dconf_gnome_disable_wifi_notification
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80119-1
        - NIST-800-171-3.1.16
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable WIFI Network Connection Notification in GNOME

By default, GNOME disables the WIFI notification shown when connecting to a wireless network.
This should be permanently set so that users do not connect to a wireless network when the system finds one. While useful for mobile devices, this behavior should be disabled for all other systems. To configure the system to disable the WIFI notification, run the following:

    $ sudo gconftool-2 --direct \
        --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
        --type bool \
        --set /apps/nm-applet/disable-connected-notifications true

Rationale: Wireless network connections should not be allowed to be configured by general users on a given system as it could open the system to backdoor attacks.

Disable WIFI Network Disconnect Notification in GNOME

By default, GNOME disables the WIFI notification shown when disconnecting from a wireless network. This should be permanently set so that users do not connect to a wireless network when the system finds one. While useful for mobile devices, this behavior should be disabled for all other systems. To configure the system to disable the WIFI notification, run the following:

    $ sudo gconftool-2 --direct \
        --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
        --type bool \
        --set /apps/nm-applet/disable-disconnected-notifications true

Rationale: Wireless network connections should not be allowed to be configured by general users on a given system as it could open the system to backdoor attacks.

GNOME Remote Access Settings

GNOME remote access settings that apply to the graphical interface.

Require Encryption for Remote Access in GNOME3

By default, GNOME requires encryption when using Vino for remote access. To prevent remote access encryption from being disabled, add or set require-encryption to true in /etc/dconf/db/local.d/00-security-settings. For example:

    [org/gnome/Vino]
    require-encryption=true

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/Vino/require-encryption

After the settings have been set, run dconf update. Vino implements encryption as a TLS extension to the RFB (VNC) protocol that not every VNC viewer supports; with this key locked to true, viewers lacking it are refused rather than falling back to a cleartext session.
References: 1 11 12 13 15 16 18 20 3 4 6 9 BAI03.08 BAI07.04 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS03.01 3.1.13 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.4.3.2 4.3.4.3.3 4.4.3.3 SR 7.6 A.12.1.1 A.12.1.2 A.12.1.4 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-2(1)(b) DE.AE-1 PR.DS-7 PR.IP-1 SRG-OS-000480-GPOS-00227

Rationale: A remote desktop session that is not encrypted lets an attacker on the network path capture keystrokes and screen contents and inject input to execute commands remotely.

Identifiers: CCE-80121-7

Remediation Shell script:

    include_dconf_settings
    dconf_settings 'org/gnome/Vino' 'require-encryption' 'true' 'local.d' '00-security-settings'
    dconf_lock 'org/gnome/Vino' 'require-encryption' 'local.d' '00-security-settings-lock'

Remediation Ansible snippet:

    - name: "Require Encryption for Remote Access in GNOME3"
      ini_file:
        dest: /etc/dconf/db/local.d/00-security-settings
        section: org/gnome/Vino
        option: require-encryption
        value: "true"
        create: yes
      tags:
        - dconf_gnome_remote_access_encryption
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80121-7
        - NIST-800-53-CM-2(1)(b)
        - NIST-800-171-3.1.13
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Prevent user modification of GNOME3 Encryption for Remote Access"
      lineinfile:
        path: /etc/dconf/db/local.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/Vino/require-encryption'
        line: '/org/gnome/Vino/require-encryption'
        create: yes
      tags:
        - dconf_gnome_remote_access_encryption
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80121-7
        - NIST-800-53-CM-2(1)(b)
        - NIST-800-171-3.1.13
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Require Credential Prompting for Remote Access in GNOME3

By default, GNOME does not require credentials when using Vino for remote access.
To configure the system to require remote credentials, add or set authentication-methods to ['vnc'] in /etc/dconf/db/local.d/00-security-settings. For example:

    [org/gnome/Vino]
    authentication-methods=['vnc']

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/Vino/authentication-methods

After the settings have been set, run dconf update. The 'vnc' method replaces the default 'none', which lets any client connect without a prompt; it prompts for the password held (base64-encoded) in the org/gnome/Vino/vnc-password key, so a usable session also needs that password set.

References: 3.1.12 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii)

Rationale: Username and password prompting is required for remote access. Otherwise, non-authorized and nefarious users can access the system freely.

Identifiers: CCE-80120-9

Remediation Shell script:

    include_dconf_settings
    dconf_settings 'org/gnome/Vino' 'authentication-methods' "['vnc']" 'local.d' '00-security-settings'
    dconf_lock 'org/gnome/Vino' 'authentication-methods' 'local.d' '00-security-settings-lock'

Remediation Ansible snippet:

    - name: "Require Credential Prompting for Remote Access in GNOME3"
      ini_file:
        dest: /etc/dconf/db/local.d/00-security-settings
        section: org/gnome/Vino
        option: authentication-methods
        value: "['vnc']"
        create: yes
      tags:
        - dconf_gnome_remote_access_credential_prompt
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80120-9
        - NIST-800-171-3.1.12
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Prevent user modification of GNOME3 Credential Prompting for Remote Access"
      lineinfile:
        path: /etc/dconf/db/local.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/Vino/authentication-methods'
        line: '/org/gnome/Vino/authentication-methods'
        create: yes
      tags:
        - dconf_gnome_remote_access_credential_prompt
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80120-9
        - NIST-800-171-3.1.12
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Remove the GDM Package Group

By removing the gdm package, the system no longer has GNOME installed. If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the system from being accidentally or maliciously booted into graphical.target. To do so, run the following command:

    $ sudo yum remove gdm

References: AC-17(8).1(ii) SRG-OS-000480-GPOS-00227

Rationale: Unnecessary service packages must not be installed to decrease the attack surface of the system. A graphical environment is unnecessary for certain types of systems including a virtualization hypervisor.

Remediation Shell script:

    package_remove gdm

Remediation Ansible snippet:

    - name: Ensure gdm is removed
      package:
        name: gdm
        state: absent
      tags:
        - package_gdm_removed
        - medium_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - NIST-800-53-AC-17(8).1(ii)

Remediation Puppet snippet:

    include remove_gdm
    class remove_gdm {
      package { 'gdm':
        ensure => 'purged',
      }
    }

Remediation Anaconda snippet:

    package --remove=gdm

Force dconf to use the textfiles instead of a binary DB

By default, DConf uses a binary database as a data backend. The database is compiled from config files by the dconf update command. dconf can be configured to look into those text files directly by inserting the service-db:keyfile/user directive at the beginning of the /etc/dconf/profile/user file. Unlike text config files, the binary database is impossible to check by OVAL. Therefore, in order to evaluate dconf configuration, both have to be true at the same time: configuration files have to be compliant, and dconf has to be forced to use them as the primary settings storage.
mkdir -p /etc/dconf/profile if test -f /etc/dconf/profile/user then sed -i '1s|^|service-db:keyfile/user\n|' /etc/dconf/profile/user else echo 'service-db:keyfile/user' > /etc/dconf/profile/user fi - name: "Remove the existing \"use textfile backend\" directive from the config - it may not be at the file's very top" lineinfile: path: '/etc/dconf/profile/user' regexp: '^service-db:keyfile/user.*' state: 'absent' check_mode: no tags: - dconf_use_text_backend - high_severity - unknown_strategy - low_complexity - medium_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: "Insert the \" use textfiles backend\" directive at the top of the config file" lineinfile: path: '/etc/dconf/profile/user' regexp: '^service-db:keyfile/user$' line: 'service-db:keyfile/user' insertbefore: 'BOF' create: yes check_mode: no tags: - dconf_use_text_backend - high_severity - unknown_strategy - low_complexity - medium_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Make sure that the dconf databases are up-to-date with regards to respective keyfiles By default, DConf uses a binary database as a data backend. The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by the dconf update command. Unlike text-based keyfiles, the binary database is impossible to check by OVAL. Therefore, in order to evaluate dconf configuration, both have to be true at the same time - configuration files have to be compliant, and the database needs to be more recent than those keyfiles, which gives confidence that it reflects them. CCE-81004-4 dconf update Configure GNOME3 DConf User Profile By default, DConf provides a standard user profile. This profile contains a list of DConf configuration databases. The user profile and database always take the highest priority. 
As such the DConf User profile should always exist and be configured correctly. To make sure that the user profile is configured correctly, the /etc/dconf/profile/user should be set as follows: user-db:user system-db:local system-db:site system-db:distro Failure to have a functional DConf profile prevents GNOME3 configuration settings from being enforced for all users and introduces various security risks. CCE-27446-4 File Permissions and Masks Traditional Unix security relies heavily on file and directory permissions to prevent unauthorized users from reading or modifying files to which they should not have access. Several of the commands in this section search filesystems for files or directories with certain characteristics, and are intended to be run on every local partition on a given system. When the variable PART appears in one of the commands below, it means that the command is intended to be run repeatedly, with the name of each local partition substituted for PART in turn. The following command prints a list of all xfs partitions on the local system, which is the default filesystem for Red Hat Enterprise Linux 7 installations: $ mount -t xfs | awk '{print $3}' For any systems that use a different local filesystem type, modify this command as appropriate. Verify Permissions on Important Files and Directories Permissions for many files on a system must be set restrictively to ensure sensitive information is properly protected. This section discusses important permission restrictions which can be verified to ensure that no harmful discrepancies have arisen. Verify Permissions on Files with Local Account Information and Credentials The default restrictive permissions for files which act as important security databases such as passwd, shadow, group, and gshadow files must be maintained. 
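The two dconf conditions described above (the text-backend directive on the very first line of /etc/dconf/profile/user, and a compiled database that is at least as new as the keyfiles it was built from) can be audited with plain shell. The following is an added example, not SCAP Security Guide code: the profile path, keyfile directory and database path are parameters, and the demonstration exercises them on a constructed temporary tree so it runs without touching /etc. With the text-backend rule applied, the profile it accepts has the directive on line 1 followed by the four database lines the "Configure GNOME3 DConf User Profile" rule prescribes.

```shell
#!/bin/sh
# Added example (not part of the SCAP Security Guide): audit the dconf
# profile layout and the freshness of a compiled dconf database. All paths
# are parameters; the real locations on RHEL 7 (/etc/dconf/profile/user,
# /etc/dconf/db/local.d, /etc/dconf/db/local) are assumed by the caller.

# dconf_profile_ok PROFILE
# Return 0 when PROFILE starts with the text-backend directive and also
# lists the four databases the user profile is required to contain.
dconf_profile_ok() {
    profile=$1
    [ -f "$profile" ] || return 1
    # The directive only takes effect when it is the first line of the file.
    [ "$(head -n 1 "$profile")" = "service-db:keyfile/user" ] || return 1
    for db in user-db:user system-db:local system-db:site system-db:distro; do
        grep -qx "$db" "$profile" || return 1
    done
    return 0
}

# dconf_db_stale KEYFILE_DIR COMPILED_DB
# Return 0 (true) when the compiled database is missing or older than any
# keyfile under KEYFILE_DIR, i.e. "dconf update" needs to be run; return 1
# when the database is at least as new as every keyfile.
dconf_db_stale() {
    keyfile_dir=$1
    db=$2
    [ -f "$db" ] || return 0
    [ -n "$(find "$keyfile_dir" -type f -newer "$db" 2>/dev/null)" ]
}

# Self-contained demonstration on constructed files under mktemp -d.
# Returns 0 when every scenario behaves as the rules above expect.
dconf_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/profile" "$tmp/db/local.d"

    # Directive buried on line 3: the Ansible remediation above exists
    # precisely because this layout is non-compliant.
    printf 'user-db:user\nsystem-db:local\nservice-db:keyfile/user\nsystem-db:site\nsystem-db:distro\n' > "$tmp/profile/user"
    if dconf_profile_ok "$tmp/profile/user"; then rm -rf "$tmp"; return 1; fi

    # The prescribed layout passes.
    printf 'service-db:keyfile/user\nuser-db:user\nsystem-db:local\nsystem-db:site\nsystem-db:distro\n' > "$tmp/profile/user"
    dconf_profile_ok "$tmp/profile/user" || { rm -rf "$tmp"; return 1; }

    # Keyfile edited after the database was compiled: stale.
    printf '[org/gnome/desktop/screensaver]\nlock-enabled=true\n' > "$tmp/db/local.d/00-security"
    touch -t 202001010000 "$tmp/db/local"
    touch -t 202001020000 "$tmp/db/local.d/00-security"
    dconf_db_stale "$tmp/db/local.d" "$tmp/db/local" || { rm -rf "$tmp"; return 1; }

    # Database recompiled afterwards: current.
    touch -t 202001030000 "$tmp/db/local"
    if dconf_db_stale "$tmp/db/local.d" "$tmp/db/local"; then rm -rf "$tmp"; return 1; fi

    rm -rf "$tmp"
    return 0
}
```

On a real host, `dconf_db_stale /etc/dconf/db/local.d /etc/dconf/db/local` returning 0 means the keyfiles were changed after the last `dconf update`, which is exactly the condition the "databases are up-to-date" rule flags.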
Many utilities need read access to the passwd file in order to function properly, but read access to the shadow file allows offline attacks against the stored password hashes, and should never be enabled. Verify Permissions on shadow File To properly set the permissions of /etc/shadow, run the command: $ sudo chmod 0000 /etc/shadow 6.1.3 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Req-8.7.c The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to restrict the permissions on this file would give non-root users access to sensitive information which could weaken the system security posture. Mode 0000 does not lock out root, which bypasses discretionary permissions, so the system utilities that legitimately read the file (running as root or via setuid helpers) keep working. CCE-27100-7 chmod 0000 /etc/shadow - name: Test for existence /etc/shadow stat: path: /etc/shadow register: file_exists tags: - file_permissions_etc_shadow - medium_severity - configure_strategy - low_complexity - low_disruption - CCE-27100-7 - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 - name: Ensure permission 0000 on /etc/shadow file: path: /etc/shadow mode: 0000 when: file_exists.stat.exists and True tags: - file_permissions_etc_shadow - medium_severity - configure_strategy - low_complexity - low_disruption - CCE-27100-7 - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 Verify User Who Owns shadow File To properly set the owner of /etc/shadow, run the command: $ sudo chown root /etc/shadow 6.1.3 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Req-8.7.c 
The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture. CCE-26795-5 chown 0 /etc/shadow - name: Test for existence /etc/shadow stat: path: /etc/shadow register: file_exists tags: - file_owner_etc_shadow - medium_severity - configure_strategy - low_complexity - low_disruption - CCE-26795-5 - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 - name: Ensure owner 0 on /etc/shadow file: path: /etc/shadow owner: 0 when: file_exists.stat.exists and True tags: - file_owner_etc_shadow - medium_severity - configure_strategy - low_complexity - low_disruption - CCE-26795-5 - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 Verify User Who Owns gshadow File To properly set the owner of /etc/gshadow, run the command: $ sudo chown root /etc/gshadow 6.1.5 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security. 
CCE-27161-9 chown 0 /etc/gshadow - name: Test for existence /etc/gshadow stat: path: /etc/gshadow register: file_exists tags: - file_owner_etc_gshadow - medium_severity - configure_strategy - low_complexity - low_disruption - CCE-27161-9 - NIST-800-53-AC-6 - name: Ensure owner 0 on /etc/gshadow file: path: /etc/gshadow owner: 0 when: file_exists.stat.exists and True tags: - file_owner_etc_gshadow - medium_severity - configure_strategy - low_complexity - low_disruption - CCE-27161-9 - NIST-800-53-AC-6 Verify Permissions on group File To properly set the permissions of /etc/group, run the command: $ sudo chmod 0644 /etc/group 6.1.4 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Req-8.7.c The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security. 
CCE-26949-8 chmod 0644 /etc/group - name: Test for existence /etc/group stat: path: /etc/group register: file_exists tags: - file_permissions_etc_group - medium_severity - configure_strategy - low_complexity - low_disruption - CCE-26949-8 - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 - name: Ensure permission 0644 on /etc/group file: path: /etc/group mode: 0644 when: file_exists.stat.exists and True tags: - file_permissions_etc_group - medium_severity - configure_strategy - low_complexity - low_disruption - CCE-26949-8 - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 Verify Group Who Owns gshadow File To properly set the group owner of /etc/gshadow, run the command: $ sudo chgrp root /etc/gshadow 6.1.5 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security. 
CCE-26840-9 chgrp 0 /etc/gshadow - name: Test for existence /etc/gshadow stat: path: /etc/gshadow register: file_exists tags: - file_groupowner_etc_gshadow - medium_severity - configure_strategy - low_complexity - low_disruption - CCE-26840-9 - NIST-800-53-AC-6 - name: Ensure group owner 0 on /etc/gshadow file: path: /etc/gshadow group: 0 when: file_exists.stat.exists and True tags: - file_groupowner_etc_gshadow - medium_severity - configure_strategy - low_complexity - low_disruption - CCE-26840-9 - NIST-800-53-AC-6 Verify User Who Owns passwd File To properly set the owner of /etc/passwd, run the command: $ sudo chown root /etc/passwd 6.1.2 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Req-8.7.c The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security. 
CCE-27138-7 chown 0 /etc/passwd - name: Test for existence /etc/passwd stat: path: /etc/passwd register: file_exists tags: - file_owner_etc_passwd - medium_severity - configure_strategy - low_complexity - low_disruption - CCE-27138-7 - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 - name: Ensure owner 0 on /etc/passwd file: path: /etc/passwd owner: 0 when: file_exists.stat.exists and True tags: - file_owner_etc_passwd - medium_severity - configure_strategy - low_complexity - low_disruption - CCE-27138-7 - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 Verify Group Who Owns shadow File To properly set the group owner of /etc/shadow, run the command: $ sudo chgrp root /etc/shadow 6.1.3 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Req-8.7.c The /etc/shadow file stores password hashes. Protection of this file is critical for system security. 
CCE-27125-4 chgrp 0 /etc/shadow - name: Test for existence /etc/shadow stat: path: /etc/shadow register: file_exists tags: - file_groupowner_etc_shadow - medium_severity - configure_strategy - low_complexity - low_disruption - CCE-27125-4 - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 - name: Ensure group owner 0 on /etc/shadow file: path: /etc/shadow group: 0 when: file_exists.stat.exists and True tags: - file_groupowner_etc_shadow - medium_severity - configure_strategy - low_complexity - low_disruption - CCE-27125-4 - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 Verify User Who Owns group File To properly set the owner of /etc/group, run the command: $ sudo chown root /etc/group 6.1.4 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Req-8.7.c The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security. 
CCE-26933-2 chown 0 /etc/group - name: Test for existence /etc/group stat: path: /etc/group register: file_exists tags: - file_owner_etc_group - medium_severity - configure_strategy - low_complexity - low_disruption - CCE-26933-2 - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 - name: Ensure owner 0 on /etc/group file: path: /etc/group owner: 0 when: file_exists.stat.exists and True tags: - file_owner_etc_group - medium_severity - configure_strategy - low_complexity - low_disruption - CCE-26933-2 - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 Verify Group Who Owns group File To properly set the group owner of /etc/group, run the command: $ sudo chgrp root /etc/group 6.1.4 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Req-8.7.c The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security. 
CCE-27037-1 chgrp 0 /etc/group - name: Test for existence /etc/group stat: path: /etc/group register: file_exists tags: - file_groupowner_etc_group - medium_severity - configure_strategy - low_complexity - low_disruption - CCE-27037-1 - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 - name: Ensure group owner 0 on /etc/group file: path: /etc/group group: 0 when: file_exists.stat.exists and True tags: - file_groupowner_etc_group - medium_severity - configure_strategy - low_complexity - low_disruption - CCE-27037-1 - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 Verify Permissions on gshadow File To properly set the permissions of /etc/gshadow, run the command: $ sudo chmod 0000 /etc/gshadow 6.1.5 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security. 
CCE-27162-7 chmod 0000 /etc/gshadow - name: Test for existence /etc/gshadow stat: path: /etc/gshadow register: file_exists tags: - file_permissions_etc_gshadow - medium_severity - configure_strategy - low_complexity - low_disruption - CCE-27162-7 - NIST-800-53-AC-6 - name: Ensure permission 0000 on /etc/gshadow file: path: /etc/gshadow mode: 0000 when: file_exists.stat.exists and True tags: - file_permissions_etc_gshadow - medium_severity - configure_strategy - low_complexity - low_disruption - CCE-27162-7 - NIST-800-53-AC-6 Verify Group Who Owns passwd File To properly set the group owner of /etc/passwd, run the command: $ sudo chgrp root /etc/passwd 6.1.2 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Req-8.7.c The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security. 
CCE-26639-5 chgrp 0 /etc/passwd - name: Test for existence /etc/passwd stat: path: /etc/passwd register: file_exists tags: - file_groupowner_etc_passwd - medium_severity - configure_strategy - low_complexity - low_disruption - CCE-26639-5 - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 - name: Ensure group owner 0 on /etc/passwd file: path: /etc/passwd group: 0 when: file_exists.stat.exists and True tags: - file_groupowner_etc_passwd - medium_severity - configure_strategy - low_complexity - low_disruption - CCE-26639-5 - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 Verify Permissions on passwd File To properly set the permissions of /etc/passwd, run the command: $ sudo chmod 0644 /etc/passwd 6.1.2 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Req-8.7.c If the /etc/passwd file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security. 
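The rules above give one remediation per attribute, but the matching check (mode, owner and group of all four account databases) is left to the scanner. As an added example that is not part of the SCAP Security Guide, the following shell functions audit the four files in one pass against the values those rules prescribe for Red Hat Enterprise Linux 7 (root:root, 0644 for passwd and group, 0000 for shadow and gshadow). They rely on GNU stat's -c format as found on RHEL 7; the directory is a parameter so the functions can be exercised on throwaway files.

```shell
#!/bin/sh
# Added example (not SCAP Security Guide code): audit mode, owner and group
# of the local account databases. GNU coreutils stat is assumed.

# check_file_attrs FILE MODE OWNER GROUP
# Print one line per mismatch; return 1 if any attribute deviates or the
# file is missing, 0 when everything matches.
check_file_attrs() {
    f=$1 want_mode=$2 want_owner=$3 want_group=$4
    [ -e "$f" ] || { echo "$f: missing"; return 1; }
    # stat prints the mode without leading zeros ("0" for ----------, "644"
    # for rw-r--r--), so zero-pad to four digits before comparing with the
    # four-digit value the rule prescribes.
    set -- $(stat -c '%a %U %G' "$f")
    have_mode=$(printf '%04d' "$1") have_owner=$2 have_group=$3
    rc=0
    [ "$have_mode" = "$want_mode" ]   || { echo "$f: mode $have_mode, want $want_mode"; rc=1; }
    [ "$have_owner" = "$want_owner" ] || { echo "$f: owner $have_owner, want $want_owner"; rc=1; }
    [ "$have_group" = "$want_group" ] || { echo "$f: group $have_group, want $want_group"; rc=1; }
    return $rc
}

# audit_account_dbs [ETC_DIR]
# Check the four databases with the RHEL 7 target values. ETC_DIR defaults
# to /etc; pass another directory to exercise the check on test copies.
audit_account_dbs() {
    etc=${1:-/etc}
    rc=0
    check_file_attrs "$etc/passwd"  0644 root root || rc=1
    check_file_attrs "$etc/group"   0644 root root || rc=1
    check_file_attrs "$etc/shadow"  0000 root root || rc=1
    check_file_attrs "$etc/gshadow" 0000 root root || rc=1
    return $rc
}
```

Run `audit_account_dbs` on a host; a non-zero return with the printed mismatches tells you which of the chmod/chown/chgrp remediations above to apply. Because the expected mode is compared as a four-digit string, a setuid or setgid bit accidentally set on one of these files (for example 4644) is reported as a mismatch rather than silently accepted.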
CCE-26887-0 chmod 0644 /etc/passwd - name: Test for existence /etc/passwd stat: path: /etc/passwd register: file_exists tags: - file_permissions_etc_passwd - medium_severity - configure_strategy - low_complexity - low_disruption - CCE-26887-0 - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 - name: Ensure permission 0644 on /etc/passwd file: path: /etc/passwd mode: 0644 when: file_exists.stat.exists and True tags: - file_permissions_etc_passwd - medium_severity - configure_strategy - low_complexity - low_disruption - CCE-26887-0 - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 Verify File Permissions Within Some Important Directories Some directories contain files whose confidentiality or integrity is notably important and may also be susceptible to misconfiguration over time, particularly if unpackaged software is installed. As such, an argument exists to verify that files' permissions within these directories remain configured correctly and restrictively. Verify that System Executables Have Restrictive Permissions System executables are stored in the following directories by default: /bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbin All files in these directories should not be group-writable or world-writable. If any file FILE in these directories is found to be group-writable or world-writable, correct its permission with the following command: $ sudo chmod go-w FILE 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted. 
CCE-27075-1 DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec" for dirPath in $DIRS; do find "$dirPath" -perm /022 -exec chmod go-w '{}' \; done - name: "Read list of world and group writable system executables" shell: "find /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec -perm /022 -type f" register: world_writable_system_executables changed_when: False failed_when: False check_mode: no tags: - file_permissions_binary_dirs - medium_severity - restrict_strategy - medium_complexity - medium_disruption - CCE-27075-1 - NIST-800-53-AC-6 - name: "Remove world/group writability of system executables" file: path: "{{ item }}" mode: "go-w" with_items: "{{ world_writable_system_executables.stdout_lines }}" when: world_writable_system_executables.stdout_lines | length > 0 and True tags: - file_permissions_binary_dirs - medium_severity - restrict_strategy - medium_complexity - medium_disruption - CCE-27075-1 - NIST-800-53-AC-6 Note that the shell remediation has no -type f, so it also strips group and world write access from directories under these paths, whereas the Ansible variant restricts itself to regular files. Verify that Shared Library Files Have Root Ownership System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be owned by the root user. If the directory, or any file in these directories, is found to be owned by a user other than root, correct its ownership with the following command: $ sudo chown root FILE 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. 
Proper ownership is necessary to protect the integrity of the system. CCE-26648-6 for LIBDIR in /usr/lib /usr/lib64 /lib /lib64 do if [ -d $LIBDIR ] then find -L $LIBDIR \! -user root -exec chown root {} \; fi done - name: "Read list libraries without root ownership" shell: "find -L /usr/lib /usr/lib64 /lib /lib64 \\! -user root" register: libraries_not_owned_by_root changed_when: False failed_when: False check_mode: no tags: - file_ownership_library_dirs - medium_severity - restrict_strategy - medium_complexity - medium_disruption - CCE-26648-6 - NIST-800-53-AC-6 - name: "Set ownership of system libraries to root" file: path: "{{ item }}" owner: "root" with_items: "{{ libraries_not_owned_by_root.stdout_lines }}" when: libraries_not_owned_by_root.stdout_lines | length > 0 and True tags: - file_ownership_library_dirs - medium_severity - restrict_strategy - medium_complexity - medium_disruption - CCE-26648-6 - NIST-800-53-AC-6 Because both remediations run find with -L, the ownership test is applied to the target of every symbolic link under these directories, and chown without -h changes the target as well, so a symlink that points outside the library directories will cause that outside file to be chowned to root. Review the output of the find before applying the remediation on a host with non-standard symlinks. Verify that System Executables Have Root Ownership System executables are stored in the following directories by default: /bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbin All files in these directories should be owned by the root user. If any file FILE in these directories is found to be owned by a user other than root, correct its ownership with the following command: $ sudo chown root FILE 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that execution of these programs cannot be co-opted. CCE-27119-7 find /bin/ /usr/bin/ /usr/local/bin/ /sbin/ /usr/sbin/ /usr/local/sbin/ /usr/libexec \! -user root -execdir chown root {} \; - name: "Read list of system executables without root ownership" shell: "find /bin/ /usr/bin/ /usr/local/bin/ /sbin/ /usr/sbin/ /usr/local/sbin/ /usr/libexec \\! -user root" register: no_root_system_executables changed_when: False failed_when: False check_mode: no tags: - file_ownership_binary_dirs - medium_severity - restrict_strategy - medium_complexity - medium_disruption - CCE-27119-7 - NIST-800-53-AC-6 - name: "Set ownership to root of system executables" file: path: "{{ item }}" owner: "root" with_items: "{{ no_root_system_executables.stdout_lines }}" when: no_root_system_executables.stdout_lines | length > 0 and True tags: - file_ownership_binary_dirs - medium_severity - restrict_strategy - medium_complexity - medium_disruption - CCE-27119-7 - NIST-800-53-AC-6 Verify that Shared Library Files Have Restrictive Permissions System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 Kernel modules, which can be added to the kernel during runtime, are stored in /lib/modules. No file in these directories should be group-writable or world-writable. If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command: $ sudo chmod go-w FILE 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system. 
CCE-26966-2 DIRS="/lib /lib64 /usr/lib /usr/lib64" for dirPath in $DIRS; do find "$dirPath" -perm /022 -type f -exec chmod go-w '{}' \; done - name: "Read list of world and group writable files in libraries directories" shell: "find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f" register: world_writable_library_files changed_when: False failed_when: False check_mode: no tags: - file_permissions_library_dirs - medium_severity - restrict_strategy - high_complexity - medium_disruption - CCE-26966-2 - NIST-800-53-AC-6 - name: "Disable world/group writability of library files" file: path: "{{ item }}" mode: "go-w" with_items: "{{ world_writable_library_files.stdout_lines }}" when: world_writable_library_files.stdout_lines | length > 0 and True tags: - file_permissions_library_dirs - medium_severity - restrict_strategy - high_complexity - medium_disruption - CCE-26966-2 - NIST-800-53-AC-6 Ensure All SGID Executables Are Authorized The SGID (set group id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SGID files is to determine whether any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SGID files. 6.1.14 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6(1) PR.AC-4 PR.DS-5 Executable files with the SGID permission run with the privileges of the group that owns the file. SGID files of uncertain provenance could allow for unprivileged users to elevate privileges. The presence of these files should be strictly controlled on the system. 
CCE-80132-4 Restrict Following of Symlinks to Files You Do Not Own (fs.protected_symlinks) To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command: $ sudo sysctl -w fs.protected_symlinks=1 If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: fs.protected_symlinks = 1 NT28(R23) 1.6.1 SI-11 With this setting, a symlink located in a world-writable sticky directory (such as /tmp) is followed only when the symlink's owner matches the process following it or the owner of the directory. This mitigates the classic race in which an unprivileged user plants a symlink on a predictable path so that a privileged program's unsafe open() or creat() reads, writes or truncates a file of the attacker's choosing. Ensure All World-Writable Directories Are Owned by a System Account All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the directories should be deleted or assigned to an appropriate system account. RHEL-07-021030 SV-86671r4_rule 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 CCI-000366 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 SRG-OS-000480-GPOS-00227 Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users. CCE-80136-5 Ensure All Files Are Owned by a Group If any files are not owned by a group, then the cause of their lack of group-ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate group. 
RHEL-07-020330 SV-86633r3_rule 6.1.12 1 11 12 13 14 15 16 18 3 5 APO01.06 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.02 DSS06.03 DSS06.06 DSS06.10 CCI-002165 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.18.1.4 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-3(4) AC-6 IA-2 PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7 PR.DS-5 PR.PT-3 SRG-OS-000480-GPOS-00227 Files without a group owner do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or incomplete software removal, or by failure to remove all files belonging to a deleted group. The files should be repaired so they will not cause problems when groups are created in the future (a new group could be assigned the orphaned GID and silently inherit access), and the cause should be discovered and addressed. CCE-80135-7 Ensure All Files Are Owned by a User If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user. 
RHEL-07-020320 SV-86631r3_rule 6.1.11 11 12 13 14 15 16 18 3 5 9 APO01.06 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.03 DSS06.06 CCI-002165 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 5.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-3(4) AC-6 CM-6(b) PR.AC-4 PR.AC-6 PR.DS-5 PR.IP-1 PR.PT-3 SRG-OS-000480-GPOS-00227 Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or incomplete software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future (a new account could be assigned the orphaned UID and silently inherit ownership), and the cause should be discovered and addressed. CCE-80134-0 Disallow Creating Hardlinks to Files You Do Not Own (fs.protected_hardlinks) To set the runtime status of the fs.protected_hardlinks kernel parameter, run the following command: $ sudo sysctl -w fs.protected_hardlinks=1 If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: fs.protected_hardlinks = 1 NT28(R23) 1.6.1 SI-11 With this setting, a user can create a hardlink to a file only if they own it or have both read and write access to it. This closes an exploitation vector in which an unprivileged user hardlinks a sensitive file into a directory where a privileged program's unsafe open() or creat() will then operate on it. 
Ensure No World-Writable Files Exist It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account. Finally, this applies to real files and not virtual files that are a part of pseudo file systems such as sysfs or procfs. 6.1.10 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Data in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files. CCE-80131-6 Verify that All World-Writable Directories Have Sticky Bits Set When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes. 
To set the sticky bit on a world-writable directory DIR, run the following command:
    $ sudo chmod +t DIR

References: 1.1.21 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5

Rationale: Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure. The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, by users for temporary file storage (such as /tmp), and for directories requiring global read/write access.

Identifiers: CCE-80130-8

Remediation Shell script:
    df --local -P | awk {'if (NR!=1) print $6'} \
      | xargs -I '{}' find '{}' -xdev -type d \
        \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \
      | xargs chmod a+t

Verify that local System.map file (if exists) is readable only by root

Files containing sensitive information should be protected by restrictive permissions. Most of the time there is no need for these files to be readable by any non-root user. To properly set the permissions of /boot/System.map-*, run the command:
    $ sudo chmod 0600 /boot/System.map-*

References: NT28(R13)

Rationale: The System.map file contains the addresses of kernel symbols, which can help an attacker build a local kernel exploit against the running kernel.

Ensure All SUID Executables Are Authorized

The SUID (set user id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SUID files is to determine whether any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SUID files.
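The unowned-file, world-writable, sticky-bit, System.map and SUID rules above are all answered by the same kind of filesystem walk, and the fs.protected_hardlinks rule asks whether a sysctl is persisted. The script below is an added example, not SSG code: it implements those audits as shell functions over an arbitrary root directory, uses find -exec instead of a bare xargs so that path names containing whitespace are handled (the sticky-bit remediation above would mis-split such names), and reads the persisted sysctl value the way sysctl --system does for /etc/sysctl.d (lexical file order, last assignment wins; /etc/sysctl.conf and /usr/lib/sysctl.d are deliberately not consulted here). The function names and the directories it is pointed at are this example's own choices.

```shell
#!/bin/sh
# Added example (not SCAP Security Guide code): filesystem permission audits
# for the rules above, plus a persisted-sysctl check. Point the script at a
# root directory: sh audit_perms.sh /

# Regular files with the other-write bit set.
world_writable_files() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null | sort
}

# World-writable directories that lack the sticky bit.
ww_dirs_without_sticky() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Add the sticky bit to every world-writable directory under $1 (idempotent,
# whitespace-safe because find passes the names to chmod itself).
fix_sticky_bits() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -exec chmod a+t {} + 2>/dev/null
}

# Files with the SUID bit set.
suid_files() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# SUID files not owned by any installed RPM. Where rpm is unavailable every
# SUID file is reported as unverified rather than silently passed.
unpackaged_suid_files() {
    suid_files "$1" | while IFS= read -r f; do
        if command -v rpm >/dev/null 2>&1; then
            rpm -qf "$f" >/dev/null 2>&1 || printf '%s\n' "$f"
        else
            printf '%s unverified (rpm not available)\n' "$f"
        fi
    done
}

# Files whose owner or group no longer exists in the passwd/group databases.
unowned_files() {
    find "$1" -xdev \( -nouser -o -nogroup \) 2>/dev/null | sort
}

# Effective persisted value of a sysctl key in a sysctl.d-style directory:
# files are read in lexical order and the last assignment wins. Prints nothing
# when the key is not set anywhere in the directory.
sysctl_persisted_value() {
    keyre=$(printf '%s' "$1" | sed 's/\./\\./g'); dir=${2:-/etc/sysctl.d}
    cat "$dir"/*.conf 2>/dev/null \
        | sed -n "s/^[[:space:]]*${keyre}[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" \
        | tail -n 1
}

# Run the whole audit when a root directory is given on the command line.
if [ $# -gt 0 ]; then
    root=$1
    echo "== world-writable files";            world_writable_files "$root"
    echo "== world-writable dirs without +t";  ww_dirs_without_sticky "$root"
    echo "== SUID files not from an RPM";      unpackaged_suid_files "$root"
    echo "== unowned files";                   unowned_files "$root"
    echo "== fs.protected_hardlinks persisted as: $(sysctl_persisted_value fs.protected_hardlinks)"
fi
```

The find calls stay on one filesystem (-xdev), so run the script once per local mount, as the page's df-driven remediation does, and expect the System.map check to be a plain stat of /boot/System.map-* rather than a walk. A persisted value of 1 does not prove the running value: pair sysctl_persisted_value with sysctl -n fs.protected_hardlinks when auditing a live host.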
References: 6.1.13 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6(1) PR.AC-4 PR.DS-5

Rationale: Executable files with the SUID permission run with the privileges of the owner of the file. SUID files of uncertain provenance could allow unprivileged users to elevate privileges. The presence of these files should be strictly controlled on the system.

Identifiers: CCE-80133-2

Restrict Dynamic Mounting and Unmounting of Filesystems

Linux includes a number of facilities for the automated addition and removal of filesystems on a running system. These facilities may be necessary in many environments, but this capability also carries some risk -- whether direct risk from allowing users to introduce arbitrary filesystems, or risk that software flaws in the automated mount facility itself could allow an attacker to compromise the system. This command can be used to list the types of filesystems that are available to the currently executing kernel:
    $ find /lib/modules/`uname -r`/kernel/fs -type f -name '*.ko'
If these filesystems are not required then they can be explicitly disabled in a configuration file in /etc/modprobe.d.

Disable Modprobe Loading of USB Storage Driver

To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the usb-storage kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
    install usb-storage /bin/true
This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually, and it does not unload a module that is already loaded.
References: RHEL-07-020100 SV-86607r3_rule 1 12 15 16 5 APO13.01 DSS01.04 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.1.21 CCI-000366 CCI-000778 CCI-001958 164.308(a)(3)(i) 164.308(a)(3)(ii)(A) 164.310(d)(1) 164.310(d)(2) 164.312(a)(1) 164.312(a)(2)(iv) 164.312(b) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.6 A.11.2.6 A.13.1.1 A.13.2.1 A.18.1.4 A.6.2.1 A.6.2.2 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 AC-19(a) AC-19(d) AC-19(e) IA-3 MP-7 PR.AC-1 PR.AC-3 PR.AC-6 PR.AC-7 SRG-OS-000114-GPOS-00059 SRG-OS-000378-GPOS-00163 SRG-OS-000480-GPOS-00227

Rationale: USB storage devices such as thumb drives can be used to introduce malicious software.

Identifiers: CCE-27277-3

Remediation Shell script:
    if LC_ALL=C grep -q -m 1 "^install usb-storage" /etc/modprobe.d/usb-storage.conf ; then
        sed -i 's/^install usb-storage.*/install usb-storage /bin/true/g' /etc/modprobe.d/usb-storage.conf
    else
        echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/usb-storage.conf
        echo "install usb-storage /bin/true" >> /etc/modprobe.d/usb-storage.conf
    fi

Remediation Ansible snippet:
    - name: Ensure kernel module 'usb-storage' is disabled
      lineinfile:
        create: yes
        dest: "/etc/modprobe.d/usb-storage.conf"
        regexp: 'usb-storage'
        line: "install usb-storage /bin/true"
      tags:
        - kernel_module_usb-storage_disabled
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-27277-3
        - NIST-800-53-AC-19(a)
        - NIST-800-53-AC-19(d)
        - NIST-800-53-AC-19(e)
        - NIST-800-53-IA-3
        - NIST-800-53-MP-7
        - NIST-800-171-3.1.21
        - DISA-STIG-RHEL-07-020100
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Assign Password to Prevent Changes to Boot Firmware Configuration

Assign a password to the system boot firmware (historically called BIOS on PC systems) to require a password for any configuration changes.

Rationale: Assigning a password to the system boot firmware prevents anyone with physical access from configuring the system to boot from local media and circumvent the operating system's access controls. For systems in physically secure locations, such as a data center or Sensitive Compartmented Information Facility (SCIF), this risk must be weighed against the risk of administrative personnel being unable to conduct recovery operations in a timely fashion.

Identifiers: CCE-27194-0

Disable Booting from USB Devices in Boot Firmware

Configure the system boot firmware (historically called BIOS on PC systems) to disallow booting from USB drives.

References: 12 16 APO13.01 DSS01.04 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS06.03 CCI-001250 4.3.3.2.2 4.3.3.5.2 4.3.3.6.6 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.13 SR 1.2 SR 1.4 SR 1.5 SR 1.9 SR 2.1 SR 2.6 A.11.2.6 A.13.1.1 A.13.2.1 A.6.2.1 A.6.2.2 A.7.1.1 A.9.2.1 AC-19(a) AC-19(d) AC-19(e) PR.AC-3 PR.AC-6

Rationale: Booting a system from a USB device would allow an attacker to circumvent any security measures provided by the operating system. Attackers could mount partitions and modify the configuration of the OS.

Identifiers: CCE-26960-5

Disable Mounting of freevxfs

To configure the system to prevent the freevxfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
    install freevxfs /bin/true
This effectively prevents usage of this uncommon filesystem.
References: 1.1.1.2 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 3.4.6 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

Identifiers: CCE-80138-1

Remediation Shell script:
    if LC_ALL=C grep -q -m 1 "^install freevxfs" /etc/modprobe.d/freevxfs.conf ; then
        sed -i 's/^install freevxfs.*/install freevxfs /bin/true/g' /etc/modprobe.d/freevxfs.conf
    else
        echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/freevxfs.conf
        echo "install freevxfs /bin/true" >> /etc/modprobe.d/freevxfs.conf
    fi

Remediation Ansible snippet:
    - name: Ensure kernel module 'freevxfs' is disabled
      lineinfile:
        create: yes
        dest: "/etc/modprobe.d/freevxfs.conf"
        regexp: 'freevxfs'
        line: "install freevxfs /bin/true"
      tags:
        - kernel_module_freevxfs_disabled
        - low_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80138-1
        - NIST-800-53-CM-7
        - NIST-800-171-3.4.6
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Mounting of udf

To configure the system to prevent the udf kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
    install udf /bin/true
This effectively prevents usage of this uncommon filesystem.
References: 1.1.1.7 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 3.4.6 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

Identifiers: CCE-80143-1

Remediation Shell script:
    if LC_ALL=C grep -q -m 1 "^install udf" /etc/modprobe.d/udf.conf ; then
        sed -i 's/^install udf.*/install udf /bin/true/g' /etc/modprobe.d/udf.conf
    else
        echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/udf.conf
        echo "install udf /bin/true" >> /etc/modprobe.d/udf.conf
    fi

Remediation Ansible snippet:
    - name: Ensure kernel module 'udf' is disabled
      lineinfile:
        create: yes
        dest: "/etc/modprobe.d/udf.conf"
        regexp: 'udf'
        line: "install udf /bin/true"
      tags:
        - kernel_module_udf_disabled
        - low_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80143-1
        - NIST-800-53-CM-7
        - NIST-800-171-3.4.6
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Mounting of squashfs

To configure the system to prevent the squashfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
    install squashfs /bin/true
This effectively prevents usage of this uncommon filesystem.
References: 1.1.1.6 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 3.4.6 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

Identifiers: CCE-80142-3

Remediation Shell script:
    if LC_ALL=C grep -q -m 1 "^install squashfs" /etc/modprobe.d/squashfs.conf ; then
        sed -i 's/^install squashfs.*/install squashfs /bin/true/g' /etc/modprobe.d/squashfs.conf
    else
        echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/squashfs.conf
        echo "install squashfs /bin/true" >> /etc/modprobe.d/squashfs.conf
    fi

Remediation Ansible snippet:
    - name: Ensure kernel module 'squashfs' is disabled
      lineinfile:
        create: yes
        dest: "/etc/modprobe.d/squashfs.conf"
        regexp: 'squashfs'
        line: "install squashfs /bin/true"
      tags:
        - kernel_module_squashfs_disabled
        - low_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80142-3
        - NIST-800-53-CM-7
        - NIST-800-171-3.4.6
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the Automounter

The autofs daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as /misc/cd. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use.
Even if NFS is required, it may be possible to configure filesystem mounts statically by editing /etc/fstab rather than relying on the automounter. The autofs service can be disabled with the following command:
    $ sudo systemctl disable autofs.service

References: RHEL-07-020110 SV-86609r2_rule 1.1.22 1 12 15 16 5 APO13.01 DSS01.04 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.4.6 CCI-000366 CCI-000778 CCI-001958 164.308(a)(3)(i) 164.308(a)(3)(ii)(A) 164.310(d)(1) 164.310(d)(2) 164.312(a)(1) 164.312(a)(2)(iv) 164.312(b) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.6 A.11.2.6 A.13.1.1 A.13.2.1 A.18.1.4 A.6.2.1 A.6.2.2 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 AC-19(a) AC-19(d) AC-19(e) IA-3 PR.AC-1 PR.AC-3 PR.AC-6 PR.AC-7 SRG-OS-000114-GPOS-00059 SRG-OS-000378-GPOS-00163 SRG-OS-000480-GPOS-00227

Rationale: Disabling the automounter permits the administrator to statically control filesystem mounting through /etc/fstab. Additionally, automatically mounting filesystems permits easy introduction of unknown devices, thereby facilitating malicious activity.

Identifiers: CCE-27498-5

Remediation Shell script:
    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'autofs.service'
    "$SYSTEMCTL_EXEC" disable 'autofs.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^autofs.socket\>' && "$SYSTEMCTL_EXEC" disable 'autofs.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'autofs.service'

Remediation Ansible snippet:
    - name: Disable service autofs
      service:
        name: autofs
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
        - service_autofs_disabled
        - medium_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-27498-5
        - NIST-800-53-AC-19(a)
        - NIST-800-53-AC-19(d)
        - NIST-800-53-AC-19(e)
        - NIST-800-53-IA-3
        - NIST-800-171-3.4.6
        - DISA-STIG-RHEL-07-020110
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service autofs if applicable
      service:
        name: autofs.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
        - service_autofs_disabled
        - medium_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-27498-5
        - NIST-800-53-AC-19(a)
        - NIST-800-53-AC-19(d)
        - NIST-800-53-AC-19(e)
        - NIST-800-53-IA-3
        - NIST-800-171-3.4.6
        - DISA-STIG-RHEL-07-020110
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Mounting of jffs2

To configure the system to prevent the jffs2 kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
    install jffs2 /bin/true
This effectively prevents usage of this uncommon filesystem.
References: 1.1.1.3 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 3.4.6 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

Identifiers: CCE-80139-9

Remediation Shell script:
    if LC_ALL=C grep -q -m 1 "^install jffs2" /etc/modprobe.d/jffs2.conf ; then
        sed -i 's/^install jffs2.*/install jffs2 /bin/true/g' /etc/modprobe.d/jffs2.conf
    else
        echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/jffs2.conf
        echo "install jffs2 /bin/true" >> /etc/modprobe.d/jffs2.conf
    fi

Remediation Ansible snippet:
    - name: Ensure kernel module 'jffs2' is disabled
      lineinfile:
        create: yes
        dest: "/etc/modprobe.d/jffs2.conf"
        regexp: 'jffs2'
        line: "install jffs2 /bin/true"
      tags:
        - kernel_module_jffs2_disabled
        - low_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80139-9
        - NIST-800-53-CM-7
        - NIST-800-171-3.4.6
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Kernel Support for USB via Bootloader Configuration

All USB support can be disabled by adding the nousb argument to the kernel's boot loader configuration. On Red Hat Enterprise Linux 7 the boot loader is GRUB 2, so the argument belongs in the GRUB_CMDLINE_LINUX variable of /etc/default/grub rather than on a legacy GRUB "kernel" line. Append "nousb" to that variable, for example:
    GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup00/LogVol00 rhgb quiet nousb"
and then apply it to every installed kernel with:
    $ sudo grubby --update-kernel=ALL --args="nousb"
Disabling all kernel support for USB will cause problems for systems with USB-based keyboards, mice, or printers. This configuration is infeasible for systems which require USB devices, which is common.
References: 12 16 APO13.01 DSS01.04 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS06.03 CCI-001250 164.308(a)(3)(i) 164.308(a)(3)(ii)(A) 164.310(d)(1) 164.310(d)(2) 164.312(a)(1) 164.312(a)(2)(iv) 164.312(b) 4.3.3.2.2 4.3.3.5.2 4.3.3.6.6 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.13 SR 1.2 SR 1.4 SR 1.5 SR 1.9 SR 2.1 SR 2.6 A.11.2.6 A.13.1.1 A.13.2.1 A.6.2.1 A.6.2.2 A.7.1.1 A.9.2.1 AC-19(a) AC-19(d) AC-19(e) PR.AC-3 PR.AC-6

Rationale: Disabling the USB subsystem within the Linux kernel at system boot will protect against potentially malicious USB devices, although it is only practical in specialized systems.

Identifiers: CCE-26548-8

Remediation Shell script:
    # Correct the form of default kernel command line in /etc/default/grub
    if ! grep -q ^GRUB_CMDLINE_LINUX=\".*nousb.*\" /etc/default/grub; then
        # Edit configuration setting
        # Append 'nousb' argument to /etc/default/grub (if not present yet)
        sed -i "s/\(GRUB_CMDLINE_LINUX=\)\"\(.*\)\"/\1\"\2 nousb\"/" /etc/default/grub
        # Edit runtime setting
        # Correct the form of kernel command line for each installed kernel in the bootloader
        /sbin/grubby --update-kernel=ALL --args="nousb"
    fi

Disable Mounting of hfs

To configure the system to prevent the hfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
    install hfs /bin/true
This effectively prevents usage of this uncommon filesystem.

References: 1.1.1.4 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 3.4.6 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.
Identifiers: CCE-80140-7

Remediation Shell script:
    if LC_ALL=C grep -q -m 1 "^install hfs" /etc/modprobe.d/hfs.conf ; then
        sed -i 's/^install hfs.*/install hfs /bin/true/g' /etc/modprobe.d/hfs.conf
    else
        echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/hfs.conf
        echo "install hfs /bin/true" >> /etc/modprobe.d/hfs.conf
    fi

Remediation Ansible snippet:
    - name: Ensure kernel module 'hfs' is disabled
      lineinfile:
        create: yes
        dest: "/etc/modprobe.d/hfs.conf"
        regexp: 'hfs'
        line: "install hfs /bin/true"
      tags:
        - kernel_module_hfs_disabled
        - low_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80140-7
        - NIST-800-53-CM-7
        - NIST-800-171-3.4.6
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Mounting of cramfs

To configure the system to prevent the cramfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
    install cramfs /bin/true
This effectively prevents usage of this uncommon filesystem.

References: 1.1.1.1 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 3.4.6 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.
Identifiers: CCE-80137-3

Remediation Shell script:
    if LC_ALL=C grep -q -m 1 "^install cramfs" /etc/modprobe.d/cramfs.conf ; then
        sed -i 's/^install cramfs.*/install cramfs /bin/true/g' /etc/modprobe.d/cramfs.conf
    else
        echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/cramfs.conf
        echo "install cramfs /bin/true" >> /etc/modprobe.d/cramfs.conf
    fi

Remediation Ansible snippet:
    - name: Ensure kernel module 'cramfs' is disabled
      lineinfile:
        create: yes
        dest: "/etc/modprobe.d/cramfs.conf"
        regexp: 'cramfs'
        line: "install cramfs /bin/true"
      tags:
        - kernel_module_cramfs_disabled
        - low_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80137-3
        - NIST-800-53-CM-7
        - NIST-800-171-3.4.6
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Mounting of hfsplus

To configure the system to prevent the hfsplus kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
    install hfsplus /bin/true
This effectively prevents usage of this uncommon filesystem.

References: 1.1.1.5 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 3.4.6 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.
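Every "Disable Mounting of ..." rule in this section, the usb-storage rule before them and the hfsplus remediation that follows all rely on a single mechanism: an "install MODULE /bin/true" line in /etc/modprobe.d. The rule text itself notes the gap, namely that this only diverts modprobe and does nothing about insmod or about a module that is already loaded. The script below is an added example, not SSG code, that verifies a module's state against a modprobe.d directory and a /proc/modules-style file (both paths are parameters so the check can be run against constructed fixtures), and writes a configuration that also blacklists the module so that alias-based autoload is stopped as well. Function names and the sample /proc/modules content are this example's own. Note that /bin/false is accepted alongside /bin/true because either makes modprobe's "install" step fail, and that module names in /proc/modules use underscores where modprobe.d uses dashes (usb-storage appears as usb_storage).

```shell
#!/bin/sh
# Added example (not SCAP Security Guide code): verify and apply the modprobe.d
# lockout used by the "Disable Mounting of ..." rules. All functions take the
# modprobe.d directory (default /etc/modprobe.d) and the module list (default
# /proc/modules) as optional arguments so they can be tested offline.

# 0 if an active "install <module> /bin/true|/bin/false" line exists.
module_install_diverted() {
    _m=$1; _d=${2:-/etc/modprobe.d}
    grep -Eqs "^[[:space:]]*install[[:space:]]+${_m}[[:space:]]+/bin/(true|false)([[:space:]]|$)" "$_d"/*.conf
}

# 0 if a "blacklist <module>" line exists. blacklist alone only stops
# autoload by alias; an explicit `modprobe <module>` still succeeds.
module_blacklisted() {
    _m=$1; _d=${2:-/etc/modprobe.d}
    grep -Eqs "^[[:space:]]*blacklist[[:space:]]+${_m}([[:space:]]|$)" "$_d"/*.conf
}

# 0 if the module is currently loaded. /proc/modules spells names with
# underscores, so "usb-storage" is looked up as "usb_storage".
module_loaded() {
    _lm=$(printf '%s' "$1" | tr '-' '_')
    grep -qs "^${_lm}[[:space:]]" "${2:-/proc/modules}"
}

# Verdict for a module: "enabled" (loaded, or nothing configured),
# "partial" (only one of install/blacklist present) or "disabled".
module_status() {
    mod=$1; dir=${2:-/etc/modprobe.d}; modules=${3:-/proc/modules}
    if module_loaded "$mod" "$modules"; then
        echo enabled; return 0
    fi
    if module_install_diverted "$mod" "$dir" && module_blacklisted "$mod" "$dir"; then
        echo disabled
    elif module_install_diverted "$mod" "$dir" || module_blacklisted "$mod" "$dir"; then
        echo partial
    else
        echo enabled
    fi
}

# Write the lockout the rules describe plus a blacklist line. A loaded module
# is not unloaded by this; `modprobe -r <module>` (or a reboot) is still needed.
disable_module() {
    _m=$1; _d=${2:-/etc/modprobe.d}
    printf 'install %s /bin/true\nblacklist %s\n' "$_m" "$_m" > "$_d/$_m.conf"
}

# Report the verdict for every module named on the command line.
for m in "$@"; do
    printf '%s: %s\n' "$m" "$(module_status "$m")"
done
```

Two practical points follow from the functions. First, "partial" is what the page's own remediation leaves behind, since it writes only the install line; that is sufficient for the OVAL check but does not stop udev from autoloading a filesystem module by alias when matching media is inserted. Second, the page's Ansible tasks use regexp: 'MODULE' on lineinfile, which replaces the last line that merely contains the module name, including a comment; prefer a regexp anchored on "^install MODULE" when adapting them.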
Identifiers: CCE-80141-5

Remediation Shell script:
    if LC_ALL=C grep -q -m 1 "^install hfsplus" /etc/modprobe.d/hfsplus.conf ; then
        sed -i 's/^install hfsplus.*/install hfsplus /bin/true/g' /etc/modprobe.d/hfsplus.conf
    else
        echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/hfsplus.conf
        echo "install hfsplus /bin/true" >> /etc/modprobe.d/hfsplus.conf
    fi

Remediation Ansible snippet:
    - name: Ensure kernel module 'hfsplus' is disabled
      lineinfile:
        create: yes
        dest: "/etc/modprobe.d/hfsplus.conf"
        regexp: 'hfsplus'
        line: "install hfsplus /bin/true"
      tags:
        - kernel_module_hfsplus_disabled
        - low_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80141-5
        - NIST-800-53-CM-7
        - NIST-800-171-3.4.6
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Restrict Partition Mount Options

System partitions can be mounted with certain options that limit what files on those partitions can do. These options are set in the /etc/fstab configuration file, and can be used to make certain types of malicious behavior more difficult.

Removable Partition (value)
This value is used by the checks mount_option_nodev_removable_partitions, mount_option_nosuid_removable_partitions, and mount_option_noexec_removable_partitions to ensure that the correct mount options are set on partitions mounted from removable media such as CD-ROMs, USB keys, and floppy drives. This value should be modified to reflect any removable partitions that are required on the local system.
Default value: /dev/cdrom

Add nosuid Option to /dev/shm

The nosuid mount option can be used to prevent execution of setuid programs in /dev/shm (the kernel also ignores setgid bits and file capabilities on a nosuid mount). The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.
References: 1.1.16 11 13 14 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS05.06 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.11.2.9 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.8.2.1 A.8.2.2 A.8.2.3 A.8.3.1 A.8.3.3 A.9.1.2 CM-7 MP-2 PR.IP-1 PR.PT-2 PR.PT-3

Rationale: The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.

Identifiers: CCE-80154-8

Remediation Shell script:
    include_mount_options_functions

    function perform_remediation {
        # test "$mount_has_to_exist" = 'yes'
        if test "no" = 'yes'; then
            assert_mount_point_in_fstab /dev/shm || { echo "Not remediating, because there is no record of /dev/shm in /etc/fstab" >&2; return 1; }
        fi
        ensure_mount_option_in_fstab "/dev/shm" "nosuid"
        ensure_partition_is_mounted "/dev/shm"
    }

    perform_remediation

Remediation Ansible snippet:
    - name: get back device associated to mountpoint
      shell: mount | grep ' /dev/shm ' |cut -d ' ' -f 1
      args:
        warn: False # Ignore ANSIBLE0006, we can't fetch device name with mount module
      register: device_name
      check_mode: no
      changed_when: False
      tags:
        - mount_option_dev_shm_nosuid
        - medium_severity
        - configure_strategy
        - low_complexity
        - high_disruption
        - CCE-80154-8
        - NIST-800-53-CM-7
        - NIST-800-53-MP-2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - block:
        - name: get back device previous mount option
          shell: mount | grep ' /dev/shm ' | sed -re 's:.*\((.*)\):\1:'
          args:
            warn: False # Ignore ANSIBLE0006, we can't fetch current mount options with mount module
          register: device_cur_mountoption
          check_mode: no
        - name: get back device fstype
          shell: mount | grep ' /dev/shm ' | cut -d ' ' -f 5
          args:
            warn: False # Ignore ANSIBLE0006, we can't fetch fstype with mount module
          register: device_fstype
          check_mode: no
        - name: Ensure permission nosuid are set on /dev/shm
          mount:
            path: "/dev/shm"
            src: "{{ device_name.stdout }}"
            opts: "{{ device_cur_mountoption.stdout }},nosuid"
            state: "mounted"
            fstype: "{{ device_fstype.stdout }}"
      when: (device_name.stdout | length > 0) and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - mount_option_dev_shm_nosuid
        - medium_severity
        - configure_strategy
        - low_complexity
        - high_disruption
        - CCE-80154-8
        - NIST-800-53-CM-7
        - NIST-800-53-MP-2

Add noexec Option to /dev/shm

The noexec mount option can be used to prevent binaries from being executed out of /dev/shm. It can be dangerous to allow the execution of binaries from world-writable temporary storage directories such as /dev/shm. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.

References: 1.1.17 11 13 14 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS05.06 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.11.2.9 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.8.2.1 A.8.2.2 A.8.2.3 A.8.3.1 A.8.3.3 A.9.1.2 CM-7 MP-2 PR.IP-1 PR.PT-2 PR.PT-3

Rationale: Allowing users to execute binaries from world-writable directories such as /dev/shm can expose the system to potential compromise.
Identifiers: CCE-80153-0

Remediation Shell script:
    include_mount_options_functions

    function perform_remediation {
        # test "$mount_has_to_exist" = 'yes'
        if test "no" = 'yes'; then
            assert_mount_point_in_fstab /dev/shm || { echo "Not remediating, because there is no record of /dev/shm in /etc/fstab" >&2; return 1; }
        fi
        ensure_mount_option_in_fstab "/dev/shm" "noexec"
        ensure_partition_is_mounted "/dev/shm"
    }

    perform_remediation

Remediation Ansible snippet:
    - name: get back device associated to mountpoint
      shell: mount | grep ' /dev/shm ' |cut -d ' ' -f 1
      args:
        warn: False # Ignore ANSIBLE0006, we can't fetch device name with mount module
      register: device_name
      check_mode: no
      changed_when: False
      tags:
        - mount_option_dev_shm_noexec
        - medium_severity
        - configure_strategy
        - low_complexity
        - high_disruption
        - CCE-80153-0
        - NIST-800-53-CM-7
        - NIST-800-53-MP-2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - block:
        - name: get back device previous mount option
          shell: mount | grep ' /dev/shm ' | sed -re 's:.*\((.*)\):\1:'
          args:
            warn: False # Ignore ANSIBLE0006, we can't fetch current mount options with mount module
          register: device_cur_mountoption
          check_mode: no
        - name: get back device fstype
          shell: mount | grep ' /dev/shm ' | cut -d ' ' -f 5
          args:
            warn: False # Ignore ANSIBLE0006, we can't fetch fstype with mount module
          register: device_fstype
          check_mode: no
        - name: Ensure permission noexec are set on /dev/shm
          mount:
            path: "/dev/shm"
            src: "{{ device_name.stdout }}"
            opts: "{{ device_cur_mountoption.stdout }},noexec"
            state: "mounted"
            fstype: "{{ device_fstype.stdout }}"
      when: (device_name.stdout | length > 0) and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - mount_option_dev_shm_noexec
        - medium_severity
        - configure_strategy
        - low_complexity
        - high_disruption
        - CCE-80153-0
        - NIST-800-53-CM-7
        - NIST-800-53-MP-2

Add nodev Option to /tmp

The nodev mount option can be used to prevent device files from being created in /tmp. Legitimate character and block devices should not exist within temporary directories like /tmp. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.

References: 1.1.3 11 13 14 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS05.06 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.11.2.9 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.8.2.1 A.8.2.2 A.8.2.3 A.8.3.1 A.8.3.3 A.9.1.2 CM-7 MP-2 PR.IP-1 PR.PT-2 PR.PT-3

Rationale: The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

Identifiers: CCE-80149-8

Remediation Shell script:
    include_mount_options_functions

    function perform_remediation {
        # test "$mount_has_to_exist" = 'yes'
        if test "yes" = 'yes'; then
            assert_mount_point_in_fstab /tmp || { echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; }
        fi
        ensure_mount_option_in_fstab "/tmp" "nodev"
        ensure_partition_is_mounted "/tmp"
    }

    perform_remediation

Remediation Ansible snippet:
    - name: get back device associated to mountpoint
      shell: mount | grep ' /tmp ' |cut -d ' ' -f 1
      args:
        warn: False # Ignore ANSIBLE0006, we can't fetch device name with mount module
      register: device_name
      check_mode: no
      changed_when: False
      tags:
        - mount_option_tmp_nodev
        - unknown_severity
        - configure_strategy
        - low_complexity
        - high_disruption
        - CCE-80149-8
        - NIST-800-53-CM-7
        - NIST-800-53-MP-2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - block:
        - name: get back device previous mount option
          shell: mount | grep ' /tmp ' | sed -re 's:.*\((.*)\):\1:'
          args:
            warn: False # Ignore ANSIBLE0006, we can't fetch current mount options with mount module
          register: device_cur_mountoption
          check_mode: no
        - name: get back device fstype
          shell: mount | grep ' /tmp ' | cut -d ' ' -f 5
          args:
            warn: False # Ignore ANSIBLE0006, we can't fetch fstype with mount module
          register: device_fstype
          check_mode: no
        - name: Ensure permission nodev are set on /tmp
          mount:
            path: "/tmp"
            src: "{{ device_name.stdout }}"
            opts: "{{ device_cur_mountoption.stdout }},nodev"
            state: "mounted"
            fstype: "{{ device_fstype.stdout }}"
      when: (device_name.stdout | length > 0) and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - mount_option_tmp_nodev
        - unknown_severity
        - configure_strategy
        - low_complexity
        - high_disruption
        - CCE-80149-8
        - NIST-800-53-CM-7
        - NIST-800-53-MP-2

Remediation Kickstart snippet:
    part /tmp --mountoptions="nodev"

Add noexec Option to /tmp

The noexec mount option can be used to prevent binaries from being executed out of /tmp. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.

References: 1.1.5 11 13 14 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS05.06 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.11.2.9 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.8.2.1 A.8.2.2 A.8.2.3 A.8.3.1 A.8.3.3 A.9.1.2 CM-7 MP-2 PR.IP-1 PR.PT-2 PR.PT-3

Rationale: Allowing users to execute binaries from world-writable directories such as /tmp should never be necessary in normal operation and can expose the system to potential compromise.
CCE-80150-6 include_mount_options_functions function perform_remediation { # test "$mount_has_to_exist" = 'yes' if test "yes" = 'yes'; then assert_mount_point_in_fstab /tmp || { echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; } fi ensure_mount_option_in_fstab "/tmp" "noexec" ensure_partition_is_mounted "/tmp" } perform_remediation - name: get back device associated to mountpoint shell: mount | grep ' /tmp ' |cut -d ' ' -f 1 args: warn: False # Ignore ANSIBLE0006, we can't fetch device name with mount module register: device_name check_mode: no changed_when: False tags: - mount_option_tmp_noexec - unknown_severity - configure_strategy - low_complexity - high_disruption - CCE-80150-6 - NIST-800-53-CM-7 - NIST-800-53-MP-2 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - block: - name: get back device previous mount option shell: mount | grep ' /tmp ' | sed -re 's:.*\((.*)\):\1:' args: warn: False # Ignore ANSIBLE0006, we can't fetch current mount options with mount module register: device_cur_mountoption check_mode: no - name: get back device fstype shell: mount | grep ' /tmp ' | cut -d ' ' -f 5 args: warn: False # Ignore ANSIBLE0006, we can't fetch fstype with mount module register: device_fstype check_mode: no - name: Ensure permission noexec are set on /tmp mount: path: "/tmp" src: "{{ device_name.stdout }}" opts: "{{ device_cur_mountoption.stdout }},noexec" state: "mounted" fstype: "{{ device_fstype.stdout }}" when: (device_name.stdout | length > 0) and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - mount_option_tmp_noexec - unknown_severity - configure_strategy - low_complexity - high_disruption - CCE-80150-6 - NIST-800-53-CM-7 - NIST-800-53-MP-2 part /tmp --mountoptions="noexec" Add nosuid Option to /home The nosuid mount option can be used to prevent execution of setuid programs in 
/home. The SUID and SGID permissions should not be required in these user data directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /home. RHEL-07-021000 SV-86665r4_rule 1.1.3 11 13 14 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS05.06 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.11.2.9 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.8.2.1 A.8.2.2 A.8.2.3 A.8.3.1 A.8.3.3 A.9.1.2 CM-7 MP-2 PR.IP-1 PR.PT-2 PR.PT-3 The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from user home directory partitions. 
CCE-81153-9 include_mount_options_functions function perform_remediation { # test "$mount_has_to_exist" = 'yes' if test "yes" = 'yes'; then assert_mount_point_in_fstab /home || { echo "Not remediating, because there is no record of /home in /etc/fstab" >&2; return 1; } fi ensure_mount_option_in_fstab "/home" "nosuid" ensure_partition_is_mounted "/home" } perform_remediation - name: get back device associated to mountpoint shell: mount | grep ' /home ' |cut -d ' ' -f 1 args: warn: False # Ignore ANSIBLE0006, we can't fetch device name with mount module register: device_name check_mode: no changed_when: False tags: - mount_option_home_nosuid - unknown_severity - configure_strategy - low_complexity - high_disruption - CCE-81153-9 - NIST-800-53-CM-7 - NIST-800-53-MP-2 - DISA-STIG-RHEL-07-021000 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - block: - name: get back device previous mount option shell: mount | grep ' /home ' | sed -re 's:.*\((.*)\):\1:' args: warn: False # Ignore ANSIBLE0006, we can't fetch current mount options with mount module register: device_cur_mountoption check_mode: no - name: get back device fstype shell: mount | grep ' /home ' | cut -d ' ' -f 5 args: warn: False # Ignore ANSIBLE0006, we can't fetch fstype with mount module register: device_fstype check_mode: no - name: Ensure permission nosuid are set on /home mount: path: "/home" src: "{{ device_name.stdout }}" opts: "{{ device_cur_mountoption.stdout }},nosuid" state: "mounted" fstype: "{{ device_fstype.stdout }}" when: (device_name.stdout | length > 0) and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - mount_option_home_nosuid - unknown_severity - configure_strategy - low_complexity - high_disruption - CCE-81153-9 - NIST-800-53-CM-7 - NIST-800-53-MP-2 - DISA-STIG-RHEL-07-021000 part /home --mountoptions="nosuid" Add nosuid Option to /tmp The nosuid 
mount option can be used to prevent execution of setuid programs in /tmp. The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /tmp. 1.1.4 11 13 14 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS05.06 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.11.2.9 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.8.2.1 A.8.2.2 A.8.2.3 A.8.3.1 A.8.3.3 A.9.1.2 CM-7 MP-2 PR.IP-1 PR.PT-2 PR.PT-3 The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions. 
CCE-80151-4 include_mount_options_functions function perform_remediation { # test "$mount_has_to_exist" = 'yes' if test "yes" = 'yes'; then assert_mount_point_in_fstab /tmp || { echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; } fi ensure_mount_option_in_fstab "/tmp" "nosuid" ensure_partition_is_mounted "/tmp" } perform_remediation - name: get back device associated to mountpoint shell: mount | grep ' /tmp ' |cut -d ' ' -f 1 args: warn: False # Ignore ANSIBLE0006, we can't fetch device name with mount module register: device_name check_mode: no changed_when: False tags: - mount_option_tmp_nosuid - unknown_severity - configure_strategy - low_complexity - high_disruption - CCE-80151-4 - NIST-800-53-CM-7 - NIST-800-53-MP-2 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - block: - name: get back device previous mount option shell: mount | grep ' /tmp ' | sed -re 's:.*\((.*)\):\1:' args: warn: False # Ignore ANSIBLE0006, we can't fetch current mount options with mount module register: device_cur_mountoption check_mode: no - name: get back device fstype shell: mount | grep ' /tmp ' | cut -d ' ' -f 5 args: warn: False # Ignore ANSIBLE0006, we can't fetch fstype with mount module register: device_fstype check_mode: no - name: Ensure permission nosuid are set on /tmp mount: path: "/tmp" src: "{{ device_name.stdout }}" opts: "{{ device_cur_mountoption.stdout }},nosuid" state: "mounted" fstype: "{{ device_fstype.stdout }}" when: (device_name.stdout | length > 0) and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - mount_option_tmp_nosuid - unknown_severity - configure_strategy - low_complexity - high_disruption - CCE-80151-4 - NIST-800-53-CM-7 - NIST-800-53-MP-2 part /tmp --mountoptions="nosuid" Add nodev Option to /var/tmp The nodev mount option can be used to prevent device files from being created 
in /var/tmp. Legitimate character and block devices should not exist within temporary directories like /var/tmp. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp. 1.1.8 The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails. include_mount_options_functions function perform_remediation { # test "$mount_has_to_exist" = 'yes' if test "yes" = 'yes'; then assert_mount_point_in_fstab /var/tmp || { echo "Not remediating, because there is no record of /var/tmp in /etc/fstab" >&2; return 1; } fi ensure_mount_option_in_fstab "/var/tmp" "nodev" ensure_partition_is_mounted "/var/tmp" } perform_remediation - name: get back device associated to mountpoint shell: mount | grep ' /var/tmp ' |cut -d ' ' -f 1 args: warn: False # Ignore ANSIBLE0006, we can't fetch device name with mount module register: device_name check_mode: no changed_when: False tags: - mount_option_var_tmp_nodev - unknown_severity - configure_strategy - low_complexity - high_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - block: - name: get back device previous mount option shell: mount | grep ' /var/tmp ' | sed -re 's:.*\((.*)\):\1:' args: warn: False # Ignore ANSIBLE0006, we can't fetch current mount options with mount module register: device_cur_mountoption check_mode: no - name: get back device fstype shell: mount | grep ' /var/tmp ' | cut -d ' ' -f 5 args: warn: False # Ignore ANSIBLE0006, we can't fetch fstype with mount module register: device_fstype check_mode: no - name: Ensure permission nodev are set on /var/tmp mount: path: "/var/tmp" src: "{{ device_name.stdout }}" opts: "{{ device_cur_mountoption.stdout }},nodev" state: "mounted" fstype: "{{ device_fstype.stdout }}" when: (device_name.stdout | length > 0) and (ansible_virtualization_role != "guest" or 
ansible_virtualization_type != "docker") tags: - mount_option_var_tmp_nodev - unknown_severity - configure_strategy - low_complexity - high_disruption part /var/tmp --mountoptions="nodev" Add nosuid Option to Removable Media Partitions The nosuid mount option prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect. These permissions allow users to execute binaries with the same permissions as the owner and group of the file respectively. Users should not be allowed to introduce SUID and SGID files into the system via partitions mounted from removeable media. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions. RHEL-07-021010 SV-86667r2_rule 1.1.19 11 12 13 14 15 16 18 3 5 8 9 APO01.06 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.06 DSS05.07 DSS06.02 DSS06.03 DSS06.06 CCI-000366 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 5.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.11.2.6 A.11.2.9 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.6.2.1 A.6.2.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.1 A.8.2.2 A.8.2.3 A.8.3.1 A.8.3.3 A.9.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 AC-19(a) AC-19(d) AC-19(e) CM-7 MP-2 PR.AC-3 PR.AC-4 PR.AC-6 PR.DS-5 PR.IP-1 PR.PT-2 PR.PT-3 SRG-OS-000480-GPOS-00227 The presence of SUID and SGID executables should be tightly controlled. 
Allowing users to introduce SUID or SGID binaries from partitions mounted off of removable media would allow them to introduce their own highly-privileged programs. CCE-80148-0 var_removable_partition="" include_mount_options_functions function perform_remediation { # test "$mount_has_to_exist" = 'yes' if test "no" = 'yes'; then assert_mount_point_in_fstab "$var_removable_partition" || { echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2; return 1; } fi ensure_mount_option_in_fstab "$var_removable_partition" "nosuid" ensure_partition_is_mounted "$var_removable_partition" } perform_remediation - name: XCCDF Value var_removable_partition # promote to variable set_fact: var_removable_partition: !!str tags: - always - name: get back device associated to mountpoint shell: mount | grep ' {{ var_removable_partition }} ' |cut -d ' ' -f 1 args: warn: False # Ignore ANSIBLE0006, we can't fetch device name with mount module register: device_name check_mode: no changed_when: False tags: - mount_option_nosuid_removable_partitions - unknown_severity - configure_strategy - low_complexity - high_disruption - CCE-80148-0 - NIST-800-53-AC-6 - NIST-800-53-AC-19(a) - NIST-800-53-AC-19(d) - NIST-800-53-AC-19(e) - NIST-800-53-CM-7 - NIST-800-53-MP-2 - DISA-STIG-RHEL-07-021010 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - block: - name: get back device previous mount option shell: mount | grep ' {{ var_removable_partition }} ' | sed -re 's:.*\((.*)\):\1:' args: warn: False # Ignore ANSIBLE0006, we can't fetch mount options with mount module register: device_cur_mountoption check_mode: no - name: get back device fstype shell: mount | grep ' {{ var_removable_partition }} ' | cut -d ' ' -f 5 args: warn: False # Ignore ANSIBLE0006, we can't fetch fstype with mount module register: device_fstype check_mode: no - name: Ensure permission nosuid are 
set on var_removable_partition mount: path: "{{ var_removable_partition }}" src: "{{ device_name.stdout }}" opts: "{{ device_cur_mountoption.stdout }},nosuid" state: "mounted" fstype: "{{ device_fstype.stdout }}" when: (device_name.stdout | length > 0) and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - mount_option_nosuid_removable_partitions - unknown_severity - configure_strategy - low_complexity - high_disruption - CCE-80148-0 - NIST-800-53-AC-6 - NIST-800-53-AC-19(a) - NIST-800-53-AC-19(d) - NIST-800-53-AC-19(e) - NIST-800-53-CM-7 - NIST-800-53-MP-2 - DISA-STIG-RHEL-07-021010 Add nodev Option to Non-Root Local Partitions The nodev mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any non-root local partitions. 1.1.11 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 The nodev mount option prevents files from being interpreted as character or block devices. The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails, for which it is not advised to set nodev on these filesystems. 
CCE-80145-6 Add nodev Option to Removable Media Partitions The nodev mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions. 1.1.18 11 12 13 14 16 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.06 DSS05.07 DSS06.03 DSS06.06 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.11.2.6 A.11.2.9 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.7.1.1 A.8.2.1 A.8.2.2 A.8.2.3 A.8.3.1 A.8.3.3 A.9.1.2 A.9.2.1 AC-19(a) AC-19(d) AC-19(e) CM-7 MP-2 PR.AC-3 PR.AC-6 PR.IP-1 PR.PT-2 PR.PT-3 The only legitimate location for device files is the /dev directory located on the root partition. An exception to this is chroot jails, and it is not advised to set nodev on partitions which contain their root filesystems. 
CCE-80146-4 var_removable_partition="" include_mount_options_functions function perform_remediation { # test "$mount_has_to_exist" = 'yes' if test "no" = 'yes'; then assert_mount_point_in_fstab "$var_removable_partition" || { echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2; return 1; } fi ensure_mount_option_in_fstab "$var_removable_partition" "nodev" ensure_partition_is_mounted "$var_removable_partition" } perform_remediation - name: XCCDF Value var_removable_partition # promote to variable set_fact: var_removable_partition: !!str tags: - always - name: get back device associated to mountpoint shell: mount | grep ' {{ var_removable_partition }} ' |cut -d ' ' -f 1 args: warn: False # Ignore ANSIBLE0006, we can't fetch device name with mount module register: device_name check_mode: no changed_when: False tags: - mount_option_nodev_removable_partitions - unknown_severity - configure_strategy - low_complexity - high_disruption - CCE-80146-4 - NIST-800-53-AC-19(a) - NIST-800-53-AC-19(d) - NIST-800-53-AC-19(e) - NIST-800-53-CM-7 - NIST-800-53-MP-2 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - block: - name: get back device previous mount option shell: mount | grep ' {{ var_removable_partition }} ' | sed -re 's:.*\((.*)\):\1:' args: warn: False # Ignore ANSIBLE0006, we can't fetch mount options with mount module register: device_cur_mountoption check_mode: no - name: get back device fstype shell: mount | grep ' {{ var_removable_partition }} ' | cut -d ' ' -f 5 args: warn: False # Ignore ANSIBLE0006, we can't fetch fstype with mount module register: device_fstype check_mode: no - name: Ensure permission nodev are set on var_removable_partition mount: path: "{{ var_removable_partition }}" src: "{{ device_name.stdout }}" opts: "{{ device_cur_mountoption.stdout }},nodev" state: "mounted" fstype: "{{ device_fstype.stdout }}" 
when: (device_name.stdout | length > 0) and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - mount_option_nodev_removable_partitions - unknown_severity - configure_strategy - low_complexity - high_disruption - CCE-80146-4 - NIST-800-53-AC-19(a) - NIST-800-53-AC-19(d) - NIST-800-53-AC-19(e) - NIST-800-53-CM-7 - NIST-800-53-MP-2 Add noexec Option to Removable Media Partitions The noexec mount option prevents the direct execution of binaries on the mounted filesystem. Preventing the direct execution of binaries from removable media (such as a USB key) provides a defense against malicious software that may be present on such untrusted media. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions. 1.1.20 11 12 13 14 16 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.06 DSS05.07 DSS06.03 DSS06.06 CCI-000087 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.11.2.6 A.11.2.9 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.7.1.1 A.8.2.1 A.8.2.2 A.8.2.3 A.8.3.1 A.8.3.3 A.9.1.2 A.9.2.1 AC-19(a) AC-19(d) AC-19(e) CM-7 MP-2 PR.AC-3 PR.AC-6 PR.IP-1 PR.PT-2 PR.PT-3 Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise. 
CCE-80147-2 var_removable_partition="" include_mount_options_functions function perform_remediation { # test "$mount_has_to_exist" = 'yes' if test "no" = 'yes'; then assert_mount_point_in_fstab "$var_removable_partition" || { echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2; return 1; } fi ensure_mount_option_in_fstab "$var_removable_partition" "noexec" ensure_partition_is_mounted "$var_removable_partition" } perform_remediation - name: XCCDF Value var_removable_partition # promote to variable set_fact: var_removable_partition: !!str tags: - always - name: get back device associated to mountpoint shell: mount | grep ' {{ var_removable_partition }} ' |cut -d ' ' -f 1 args: warn: False # Ignore ANSIBLE0006, we can't fetch device name with mount module register: device_name check_mode: no changed_when: False tags: - mount_option_noexec_removable_partitions - unknown_severity - configure_strategy - low_complexity - high_disruption - CCE-80147-2 - NIST-800-53-AC-19(a) - NIST-800-53-AC-19(d) - NIST-800-53-AC-19(e) - NIST-800-53-CM-7 - NIST-800-53-MP-2 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - block: - name: get back device previous mount option shell: mount | grep ' {{ var_removable_partition }} ' | sed -re 's:.*\((.*)\):\1:' args: warn: False # Ignore ANSIBLE0006, we can't fetch mount options with mount module register: device_cur_mountoption check_mode: no - name: get back device fstype shell: mount | grep ' {{ var_removable_partition }} ' | cut -d ' ' -f 5 args: warn: False # Ignore ANSIBLE0006, we can't fetch fstype with mount module register: device_fstype check_mode: no - name: Ensure permission noexec are set on var_removable_partition mount: path: "{{ var_removable_partition }}" src: "{{ device_name.stdout }}" opts: "{{ device_cur_mountoption.stdout }},noexec" state: "mounted" fstype: "{{ device_fstype.stdout }}" 
when: (device_name.stdout | length > 0) and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - mount_option_noexec_removable_partitions - unknown_severity - configure_strategy - low_complexity - high_disruption - CCE-80147-2 - NIST-800-53-AC-19(a) - NIST-800-53-AC-19(d) - NIST-800-53-AC-19(e) - NIST-800-53-CM-7 - NIST-800-53-MP-2 Add noexec Option to /var/tmp The noexec mount option can be used to prevent binaries from being executed out of /var/tmp. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp. 1.1.10 Allowing users to execute binaries from world-writable directories such as /var/tmp should never be necessary in normal operation and can expose the system to potential compromise. include_mount_options_functions function perform_remediation { # test "$mount_has_to_exist" = 'yes' if test "yes" = 'yes'; then assert_mount_point_in_fstab /var/tmp || { echo "Not remediating, because there is no record of /var/tmp in /etc/fstab" >&2; return 1; } fi ensure_mount_option_in_fstab "/var/tmp" "noexec" ensure_partition_is_mounted "/var/tmp" } perform_remediation - name: get back device associated to mountpoint shell: mount | grep ' /var/tmp ' |cut -d ' ' -f 1 args: warn: False # Ignore ANSIBLE0006, we can't fetch device name with mount module register: device_name check_mode: no changed_when: False tags: - mount_option_var_tmp_noexec - unknown_severity - configure_strategy - low_complexity - high_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - block: - name: get back device previous mount option shell: mount | grep ' /var/tmp ' | sed -re 's:.*\((.*)\):\1:' args: warn: False # Ignore ANSIBLE0006, we can't fetch current mount options with mount module register: device_cur_mountoption check_mode: no - name: get back device fstype shell: mount | grep ' /var/tmp ' | cut -d ' 
' -f 5 args: warn: False # Ignore ANSIBLE0006, we can't fetch fstype with mount module register: device_fstype check_mode: no - name: Ensure permission noexec are set on /var/tmp mount: path: "/var/tmp" src: "{{ device_name.stdout }}" opts: "{{ device_cur_mountoption.stdout }},noexec" state: "mounted" fstype: "{{ device_fstype.stdout }}" when: (device_name.stdout | length > 0) and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - mount_option_var_tmp_noexec - unknown_severity - configure_strategy - low_complexity - high_disruption part /var/tmp --mountoptions="noexec" Bind Mount /var/tmp To /tmp The /var/tmp directory is a world-writable directory. Bind-mount it to /tmp in order to consolidate temporary storage into one location protected by the same techniques as /tmp. To do so, edit /etc/fstab and add the following line: /tmp /var/tmp none rw,nodev,noexec,nosuid,bind 0 0 See the mount(8) man page for further explanation of bind mounting. 1.1.6 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 Having multiple locations for temporary storage is not required. Unless absolutely necessary to meet requirements, the storage location /var/tmp should be bind mounted to /tmp and thus share the same protections. 
CCE-80155-5 # Delete particular /etc/fstab's row if /var/tmp is already configured to # represent a mount point (for some device or filesystem other than /tmp) if grep -q -P '.*\/var\/tmp.*' /etc/fstab then sed -i '/.*\/var\/tmp.*/d' /etc/fstab fi umount /var/tmp # Bind-mount /var/tmp to /tmp via /etc/fstab (preserving the /etc/fstab form) printf "%-24s%-24s%-8s%-32s%-3s\n" "/tmp" "/var/tmp" "none" "rw,nodev,noexec,nosuid,bind" "0 0" >> /etc/fstab mkdir -p /var/tmp mount -B /tmp /var/tmp Add nodev Option to /home The nodev mount option can be used to prevent device files from being created in /home. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /home. 1.1.14 The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails. 
include_mount_options_functions function perform_remediation { # test "$mount_has_to_exist" = 'yes' if test "yes" = 'yes'; then assert_mount_point_in_fstab /home || { echo "Not remediating, because there is no record of /home in /etc/fstab" >&2; return 1; } fi ensure_mount_option_in_fstab "/home" "nodev" ensure_partition_is_mounted "/home" } perform_remediation - name: get back device associated to mountpoint shell: mount | grep ' /home ' |cut -d ' ' -f 1 args: warn: False # Ignore ANSIBLE0006, we can't fetch device name with mount module register: device_name check_mode: no changed_when: False tags: - mount_option_home_nodev - unknown_severity - configure_strategy - low_complexity - high_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - block: - name: get back device previous mount option shell: mount | grep ' /home ' | sed -re 's:.*\((.*)\):\1:' args: warn: False # Ignore ANSIBLE0006, we can't fetch current mount options with mount module register: device_cur_mountoption check_mode: no - name: get back device fstype shell: mount | grep ' /home ' | cut -d ' ' -f 5 args: warn: False # Ignore ANSIBLE0006, we can't fetch fstype with mount module register: device_fstype check_mode: no - name: Ensure permission nodev are set on /home mount: path: "/home" src: "{{ device_name.stdout }}" opts: "{{ device_cur_mountoption.stdout }},nodev" state: "mounted" fstype: "{{ device_fstype.stdout }}" when: (device_name.stdout | length > 0) and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - mount_option_home_nodev - unknown_severity - configure_strategy - low_complexity - high_disruption part /home --mountoptions="nodev" Add nosuid Option to /var/tmp The nosuid mount option can be used to prevent execution of setuid programs in /var/tmp. The SUID and SGID permissions should not be required in these world-writable directories. 
Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp.

References: 1.1.9

Rationale: The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.

Remediation (bash):

```bash
# SSG helper functions (assert_mount_point_in_fstab, ensure_mount_option_in_fstab,
# ensure_partition_is_mounted) are pulled in by this macro.
include_mount_options_functions

function perform_remediation {
    # test "$mount_has_to_exist" = 'yes'
    if test "yes" = 'yes'; then
        assert_mount_point_in_fstab /var/tmp || { echo "Not remediating, because there is no record of /var/tmp in /etc/fstab" >&2; return 1; }
    fi

    ensure_mount_option_in_fstab "/var/tmp" "nosuid"
    ensure_partition_is_mounted "/var/tmp"
}

perform_remediation
```

Remediation (Ansible):

```yaml
- name: get back device associated to mountpoint
  shell: mount | grep ' /var/tmp ' |cut -d ' ' -f 1
  args:
    warn: False # Ignore ANSIBLE0006, we can't fetch device name with mount module
  register: device_name
  check_mode: no
  changed_when: False
  tags:
    - mount_option_var_tmp_nosuid
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- block:
    - name: get back device previous mount option
      shell: mount | grep ' /var/tmp ' | sed -re 's:.*\((.*)\):\1:'
      args:
        warn: False # Ignore ANSIBLE0006, we can't fetch current mount options with mount module
      register: device_cur_mountoption
      check_mode: no

    - name: get back device fstype
      shell: mount | grep ' /var/tmp ' | cut -d ' ' -f 5
      args:
        warn: False # Ignore ANSIBLE0006, we can't fetch fstype with mount module
      register: device_fstype
      check_mode: no

    - name: Ensure permission nosuid are set on /var/tmp
      mount:
        path: "/var/tmp"
        src: "{{ device_name.stdout }}"
        opts: "{{ device_cur_mountoption.stdout }},nosuid"
        state: "mounted"
        fstype: "{{ device_fstype.stdout }}"
  when: (device_name.stdout | length > 0) and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - mount_option_var_tmp_nosuid
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
```

Remediation (Anaconda kickstart):

```
part /var/tmp --mountoptions="nosuid"
```

Add nodev Option to /dev/shm

The nodev mount option can be used to prevent creation of device files in /dev/shm. Legitimate character and block devices should not exist within temporary directories like /dev/shm. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.

References: 1.1.15 11 13 14 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS05.06 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.11.2.9 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.8.2.1 A.8.2.2 A.8.2.3 A.8.3.1 A.8.3.3 A.9.1.2 CM-7 MP-2 PR.IP-1 PR.PT-2 PR.PT-3

Rationale: The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.
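A read-only check for the three fstab rules above (/home nodev, /var/tmp nosuid, /dev/shm nodev), added here as an example and not part of SSG's remediation code. It audits whichever fstab path it is given and reports a mount point that has no fstab record separately, which is the case the bash remediations above refuse to fix; the fstab content below is constructed for the demo.

```shell
#!/bin/sh
# Added example, not SSG code: audit /etc/fstab mount options for the rules
# in this section. Every function takes an fstab path so a copy can be checked.

# fstab_opts MOUNTPOINT [FSTAB]: print the fourth column (mount options) of the
# record for MOUNTPOINT; return 1 when the mount point is not listed at all.
fstab_opts() {
    mp="$1"; fstab="${2:-/etc/fstab}"
    awk -v mp="$mp" '
        /^[[:space:]]*(#|$)/ { next }              # skip comments and blank lines
        $2 == mp { print $4; found = 1; exit }     # first record for this mount point
        END { exit found ? 0 : 1 }
    ' "$fstab"
}

# fstab_has_option MOUNTPOINT OPTION [FSTAB]: 0 if OPTION is present as a whole
# comma-separated token, 1 if absent, 2 if the mount point has no fstab record.
fstab_has_option() {
    opts=$(fstab_opts "$1" "$3") || return 2
    case ",$opts," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_fstab [FSTAB]: apply the three rules from this section, print one
# PASS/FAIL/MISSING line per rule and return the number of rules not satisfied.
audit_fstab() {
    fstab="${1:-/etc/fstab}"
    fails=0
    for rule in /home:nodev /var/tmp:nosuid /dev/shm:nodev; do
        mp=${rule%%:*}; opt=${rule##*:}
        rc=0; fstab_has_option "$mp" "$opt" "$fstab" || rc=$?
        case $rc in
            0) echo "PASS    $mp is mounted with $opt" ;;
            1) echo "FAIL    $mp lacks $opt"; fails=$((fails + 1)) ;;
            2) echo "MISSING $mp has no record in $fstab"; fails=$((fails + 1)) ;;
        esac
    done
    return $fails
}

# Constructed sample fstab (not taken from a real host): /var/tmp is missing nosuid.
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
# constructed /etc/fstab sample
UUID=0000-0000  /         xfs    defaults                     0 0
UUID=1111-1111  /home     xfs    defaults,nodev               0 0
UUID=2222-2222  /var/tmp  xfs    defaults,nodev,noexec        0 0
tmpfs           /dev/shm  tmpfs  defaults,nodev,nosuid,noexec 0 0
EOF

audit_fstab "$SAMPLE_FSTAB" || echo "$? rule(s) failed"
```

On a live system run `audit_fstab` with no argument to check /etc/fstab itself.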
Identifier: CCE-80152-2

Remediation (bash):

```bash
# SSG helper functions (assert_mount_point_in_fstab, ensure_mount_option_in_fstab,
# ensure_partition_is_mounted) are pulled in by this macro.
include_mount_options_functions

function perform_remediation {
    # test "$mount_has_to_exist" = 'yes'
    # Rendered as "no" for /dev/shm: the mount point need not already have an /etc/fstab record.
    if test "no" = 'yes'; then
        assert_mount_point_in_fstab /dev/shm || { echo "Not remediating, because there is no record of /dev/shm in /etc/fstab" >&2; return 1; }
    fi

    ensure_mount_option_in_fstab "/dev/shm" "nodev"
    ensure_partition_is_mounted "/dev/shm"
}

perform_remediation
```

Remediation (Ansible):

```yaml
- name: get back device associated to mountpoint
  shell: mount | grep ' /dev/shm ' |cut -d ' ' -f 1
  args:
    warn: False # Ignore ANSIBLE0006, we can't fetch device name with mount module
  register: device_name
  check_mode: no
  changed_when: False
  tags:
    - mount_option_dev_shm_nodev
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - CCE-80152-2
    - NIST-800-53-CM-7
    - NIST-800-53-MP-2
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- block:
    - name: get back device previous mount option
      shell: mount | grep ' /dev/shm ' | sed -re 's:.*\((.*)\):\1:'
      args:
        warn: False # Ignore ANSIBLE0006, we can't fetch current mount options with mount module
      register: device_cur_mountoption
      check_mode: no

    - name: get back device fstype
      shell: mount | grep ' /dev/shm ' | cut -d ' ' -f 5
      args:
        warn: False # Ignore ANSIBLE0006, we can't fetch fstype with mount module
      register: device_fstype
      check_mode: no

    - name: Ensure permission nodev are set on /dev/shm
      mount:
        path: "/dev/shm"
        src: "{{ device_name.stdout }}"
        opts: "{{ device_cur_mountoption.stdout }},nodev"
        state: "mounted"
        fstype: "{{ device_fstype.stdout }}"
  when: (device_name.stdout | length > 0) and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - mount_option_dev_shm_nodev
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - CCE-80152-2
    - NIST-800-53-CM-7
    - NIST-800-53-MP-2
```

Restrict Programs from Dangerous Execution Patterns

The recommendations in this section are designed to
ensure that the system's features to protect against potentially dangerous program execution are activated. These protections are applied at the system initialization or kernel level, and defend against certain types of badly-configured or compromised programs.

Daemon Umask

The umask is a per-process setting which limits the default permissions for creation of new files and directories. The system includes initialization scripts which set the default umask for system daemons.

Value: daemon umask (Enter umask for daemons). Choices: 022, 027. Default: 022.

Set Daemon Umask

The file /etc/init.d/functions includes initialization parameters for most or all daemons started at boot time. Many daemons on the system already individually restrict themselves to a umask of 077 in their own init scripts. By default, the umask of 022 is set which prevents creation of group- or world-writable files. To set the umask for daemons expected by the profile, edit the following line:

```
umask
```

Warning: Setting the umask to too restrictive a setting can cause serious errors at runtime.

References: 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5

Rationale: The umask influences the permissions assigned to files created by a process at run time. An unnecessarily permissive umask could result in files being created with insecure permissions.

Identifier: CCE-27068-6

Remediation (bash):

```bash
# Populated from the "daemon umask" value above; the value is not filled in
# in this rendering of the guide.
var_umask_for_daemons=""

# Rewrite an existing umask line, or append one if none is present.
grep -q ^umask /etc/init.d/functions && \
  sed -i "s/umask.*/umask $var_umask_for_daemons/g" /etc/init.d/functions
if ! [ $? -eq 0 ]; then
    echo "umask $var_umask_for_daemons" >> /etc/init.d/functions
fi
```

Memory Poisoning

Memory poisoning consists of writing a special value to uninitialized or freed memory. Poisoning can be used as a mechanism to prevent leaks of information and to detect corrupted memory.
Enable SLUB/SLAB allocator poisoning

To enable poisoning of SLUB/SLAB objects, add the argument slub_debug=P to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:

```
GRUB_CMDLINE_LINUX="slub_debug=P"
```

The GRUB 2 configuration file, grub.cfg, is automatically updated each time a new kernel is installed. Note that any changes to /etc/default/grub require rebuilding the grub.cfg file. To update the GRUB 2 configuration file manually, use the grub2-mkconfig -o command as follows:

On BIOS-based machines, issue the following command as root:

```
~]# grub2-mkconfig -o /boot/grub2/grub.cfg
```

On UEFI-based machines, issue the following command as root:

```
~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
```

Rationale: Poisoning writes an arbitrary value to freed objects, so any modification or reference to that object after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. It also prevents leaks of data and allows detection of corrupted memory.

Remediation (bash):

```bash
# Correct the form of default kernel command line in GRUB
if grep -q '^GRUB_CMDLINE_LINUX=.*slub_debug=.*"' '/etc/default/grub' ; then
    # modify the GRUB command-line if a slub_debug= arg already exists
    sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)slub_debug=[^[:space:]]*\(.*"\)/\1 slub_debug=P \2/' '/etc/default/grub'
else
    # no slub_debug= arg is present, append it
    sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 slub_debug=P"/' '/etc/default/grub'
fi

# Correct the form of kernel command line for each installed kernel in the bootloader
grubby --update-kernel=ALL --args="slub_debug=P"
```

Enable page allocator poisoning

To enable poisoning of free pages, add the argument page_poison=1 to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:

```
GRUB_CMDLINE_LINUX="page_poison=1"
```

The GRUB 2 configuration file, grub.cfg, is automatically updated each time a new kernel is installed.
Note that any changes to /etc/default/grub require rebuilding the grub.cfg file. To update the GRUB 2 configuration file manually, use the grub2-mkconfig -o command as follows:

On BIOS-based machines, issue the following command as root:

```
~]# grub2-mkconfig -o /boot/grub2/grub.cfg
```

On UEFI-based machines, issue the following command as root:

```
~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
```

Rationale: Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. It also prevents leaks of data and allows detection of corrupted memory.

Remediation (bash):

```bash
# Correct the form of default kernel command line in GRUB
if grep -q '^GRUB_CMDLINE_LINUX=.*page_poison=.*"' '/etc/default/grub' ; then
    # modify the GRUB command-line if a page_poison= arg already exists
    sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)page_poison=[^[:space:]]*\(.*"\)/\1 page_poison=1 \2/' '/etc/default/grub'
else
    # no page_poison= arg is present, append it
    sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 page_poison=1"/' '/etc/default/grub'
fi

# Correct the form of kernel command line for each installed kernel in the bootloader
grubby --update-kernel=ALL --args="page_poison=1"
```

Disable Core Dumps

A core dump file is the memory image of an executable program when it was terminated by the operating system due to errant behavior. In most cases, only software developers legitimately need to access these files. The core dump files may also contain sensitive information, or unnecessarily occupy large amounts of disk space. Once a hard limit is set in /etc/security/limits.conf, a user cannot increase that limit within his or her own session. If access to core dumps is required, consider restricting them to only certain users or groups. See the limits.conf man page for more information. The core dumps of setuid programs are further protected.
The sysctl variable fs.suid_dumpable controls whether the kernel allows core dumps from these programs at all. The default value of 0 is recommended.

Disable Core Dumps for SUID programs

To set the runtime status of the fs.suid_dumpable kernel parameter, run the following command:

```
$ sudo sysctl -w fs.suid_dumpable=0
```

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

```
fs.suid_dumpable = 0
```

References: 1.5.1 164.308(a)(1)(ii)(D) 164.308(a)(3) 164.308(a)(4) 164.310(b) 164.310(c) 164.312(a) 164.312(e) SI-11

Rationale: The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data.

Identifier: CCE-26900-1

Remediation (bash):

```bash
#
# Set runtime for fs.suid_dumpable
#
/sbin/sysctl -q -n -w fs.suid_dumpable=0

#
# If fs.suid_dumpable present in /etc/sysctl.conf, change value to "0"
#	else, add "fs.suid_dumpable = 0" to /etc/sysctl.conf
# (replace_or_append is an SSG remediation helper function)
#
replace_or_append '/etc/sysctl.conf' '^fs.suid_dumpable' "0" 'CCE-26900-1'
```

Remediation (Ansible):

```yaml
- name: Ensure sysctl fs.suid_dumpable is set to 0
  sysctl:
    name: fs.suid_dumpable
    value: 0
    state: present
    reload: yes
  tags:
    - sysctl_fs_suid_dumpable
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - CCE-26900-1
    - NIST-800-53-SI-11
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Disable Core Dumps for All Users

To disable core dumps for all users, add the following line to /etc/security/limits.conf:

```
*     hard   core    0
```

References: 1.5.1 1 12 13 15 16 2 7 8 APO13.01 BAI04.04 DSS01.03 DSS03.05 DSS05.07 SR 6.2 SR 7.1 SR 7.2 A.12.1.3 A.17.2.1 DE.CM-1 PR.DS-4

Rationale: A core dump includes a memory image taken at the time the operating system terminates an application.
The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.

Identifier: CCE-80169-6

Remediation (bash):

```bash
echo "*     hard   core    0" >> /etc/security/limits.conf
```

Enable Execute Disable (XD) or No Execute (NX) Support on x86 Systems

Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware.

Install PAE Kernel on Supported 32-bit x86 Systems

Systems that are using the 64-bit x86 kernel package do not need to install the kernel-PAE package because the 64-bit x86 kernel already includes this support. However, if the system is 32-bit and also supports the PAE and NX features as determined in the previous section, the kernel-PAE package should be installed to enable XD or NX support. The kernel-PAE package can be installed with the following command:

```
$ sudo yum install kernel-PAE
```

The installation process should also have configured the bootloader to load the new kernel at boot. Verify this after reboot and modify /etc/default/grub if necessary.
Warning: The kernel-PAE package should not be installed on older systems that do not support the XD or NX bit, as this may prevent them from booting.

References: 8 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 3.1.7 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-6(b) PR.IP-1

Rationale: On 32-bit systems that support the XD or NX bit, the vendor-supplied PAE kernel is required to enable either Execute Disable (XD) or No Execute (NX) support.

Identifier: CCE-27116-3

Enable NX or XD Support in the BIOS

Reboot the system and enter the BIOS or Setup configuration menu. Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX) on AMD-based systems.

References: 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 3.1.7 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-6(b) PR.IP-1

Rationale: Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will allow users to turn the feature on or off at will.

Identifier: CCE-27099-1

Enable ExecShield

ExecShield describes kernel features that provide protection against exploitation of memory corruption errors such as buffer overflows. These features include random placement of the stack and other memory regions, prevention of execution in memory that should only hold data, and special handling of text buffers. These protections are enabled by default on 32-bit systems and controlled through the sysctl variables kernel.exec-shield and kernel.randomize_va_space. On the latest 64-bit systems, kernel.exec-shield cannot be enabled or disabled with sysctl.
Restrict Exposed Kernel Pointer Addresses Access

To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command:

```
$ sudo sysctl -w kernel.kptr_restrict=1
```

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

```
kernel.kptr_restrict = 1
```

References: NT28(R23) SC-39

Rationale: Exposing kernel pointers (through procfs or seq_printf()) exposes kernel writeable structures that can contain function pointers. If a write vulnerability occurs in the kernel allowing write access to any of these structures, the kernel can be compromised. This option disallows any program without the CAP_SYSLOG capability from getting the kernel pointer addresses, replacing them with 0.

Identifier: CCE-80659-6

Remediation (bash):

```bash
#
# Set runtime for kernel.kptr_restrict
#
/sbin/sysctl -q -n -w kernel.kptr_restrict=1

#
# If kernel.kptr_restrict present in /etc/sysctl.conf, change value to "1"
#	else, add "kernel.kptr_restrict = 1" to /etc/sysctl.conf
# (replace_or_append is an SSG remediation helper function)
#
replace_or_append '/etc/sysctl.conf' '^kernel.kptr_restrict' "1" 'CCE-80659-6'
```

Remediation (Ansible):

```yaml
- name: Ensure sysctl kernel.kptr_restrict is set to 1
  sysctl:
    name: kernel.kptr_restrict
    value: 1
    state: present
    reload: yes
  tags:
    - sysctl_kernel_kptr_restrict
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - CCE-80659-6
    - NIST-800-53-SC-39
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Enable ExecShield via sysctl

By default on Red Hat Enterprise Linux 7 64-bit systems, ExecShield is enabled and can only be disabled if the hardware does not support ExecShield or it is disabled in /etc/default/grub. For Red Hat Enterprise Linux 7 32-bit systems, sysctl can be used to enable ExecShield.
References: 1.5.2 12 15 8 APO13.01 DSS05.02 3.1.7 CCI-002530 164.308(a)(1)(ii)(D) 164.308(a)(3) 164.308(a)(4) 164.310(b) 164.310(c) 164.312(a) 164.312(e) SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.13.1.1 A.13.2.1 A.14.1.3 SC-39 PR.PT-4

Rationale: ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware.

Identifier: CCE-27211-2

Remediation (bash):

```bash
if [ $(getconf LONG_BIT) = "32" ] ; then
    #
    # Set runtime for kernel.exec-shield
    #
    sysctl -q -n -w kernel.exec-shield=1

    #
    # If kernel.exec-shield present in /etc/sysctl.conf, change value to "1"
    #	else, add "kernel.exec-shield = 1" to /etc/sysctl.conf
    # (replace_or_append is an SSG remediation helper function)
    #
    replace_or_append '/etc/sysctl.conf' '^kernel.exec-shield' '1' 'CCE-27211-2'
fi

if [ $(getconf LONG_BIT) = "64" ] ; then
    # On 64-bit systems ExecShield is only ever off when a noexec argument was
    # added to the bootloader configuration; strip it and regenerate grub.cfg.
    if grep --silent noexec /boot/grub2/grub*.cfg ; then
        sed -i "s/noexec.*//g" /etc/default/grub
        sed -i "s/noexec.*//g" /etc/grub.d/*
        # Regenerate each matched configuration file in place (the original
        # script listed the current directory instead of /boot/grub2).
        for GRUBCFG in /boot/grub2/grub*.cfg; do
            grub2-mkconfig -o "$GRUBCFG"
        done
    fi
fi
```

Enable Randomized Layout of Virtual Address Space

To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:

```
$ sudo sysctl -w kernel.randomize_va_space=2
```

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

```
kernel.randomize_va_space = 2
```

References: 1.5.1 3.1.7 CCI-000366 164.308(a)(1)(ii)(D) 164.308(a)(3) 164.308(a)(4) 164.310(b) 164.310(c) 164.312(a) 164.312(e) SC-30(2) SC-39 SRG-OS-000480-GPOS-00227 RHEL-07-040201 SV-92521r2_rule

Rationale: Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they
have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.

Identifier: CCE-27127-0

Remediation (bash):

```bash
#
# Set runtime for kernel.randomize_va_space
#
/sbin/sysctl -q -n -w kernel.randomize_va_space=2

#
# If kernel.randomize_va_space present in /etc/sysctl.conf, change value to "2"
#	else, add "kernel.randomize_va_space = 2" to /etc/sysctl.conf
# (replace_or_append is an SSG remediation helper function)
#
replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' "2" 'CCE-27127-0'
```

Remediation (Ansible):

```yaml
- name: Ensure sysctl kernel.randomize_va_space is set to 2
  sysctl:
    name: kernel.randomize_va_space
    value: 2
    state: present
    reload: yes
  tags:
    - sysctl_kernel_randomize_va_space
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - CCE-27127-0
    - NIST-800-53-SC-30(2)
    - NIST-800-53-SC-39
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-040201
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Disable kernel image loading

To set the runtime status of the kernel.kexec_load_disabled kernel parameter, run the following command:

```
$ sudo sysctl -w kernel.kexec_load_disabled=1
```

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

```
kernel.kexec_load_disabled = 1
```

Rationale: Disabling kexec_load allows greater control of the kernel memory. It makes it impossible to load another kernel image after it has been disabled.
Remediation (bash):

```bash
#
# Set runtime for kernel.kexec_load_disabled
#
/sbin/sysctl -q -n -w kernel.kexec_load_disabled=1

#
# If kernel.kexec_load_disabled present in /etc/sysctl.conf, change value to "1"
#	else, add "kernel.kexec_load_disabled = 1" to /etc/sysctl.conf
# (replace_or_append is an SSG remediation helper function; this rule has no CCE identifier)
#
replace_or_append '/etc/sysctl.conf' '^kernel.kexec_load_disabled' "1" ''
```

Remediation (Ansible):

```yaml
- name: Ensure sysctl kernel.kexec_load_disabled is set to 1
  sysctl:
    name: kernel.kexec_load_disabled
    value: 1
    state: present
    reload: yes
  tags:
    - sysctl_kernel_kexec_load_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Disable vsyscalls

To disable use of virtual syscalls, add the argument vsyscall=none to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:

```
GRUB_CMDLINE_LINUX="vsyscall=none"
```

The GRUB 2 configuration file, grub.cfg, is automatically updated each time a new kernel is installed. Note that any changes to /etc/default/grub require rebuilding the grub.cfg file. To update the GRUB 2 configuration file manually, use the grub2-mkconfig -o command as follows:

On BIOS-based machines, issue the following command as root:

```
~]# grub2-mkconfig -o /boot/grub2/grub.cfg
```

On UEFI-based machines, issue the following command as root:

```
~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
```

Rationale: Virtual syscalls provide an opportunity of attack for a user who has control of the return instruction pointer.
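An audit of the three GRUB 2 command-line arguments this section requires (slub_debug=P, page_poison=1 and vsyscall=none), added here as an example and not part of SSG's remediation code. It checks both the GRUB_CMDLINE_LINUX default that the next grub2-mkconfig run would install and a running kernel's command line; the /etc/default/grub copy and the running command line below are constructed for the demo.

```shell
#!/bin/sh
# Added example, not SSG code: verify the kernel command-line arguments from
# this section in /etc/default/grub and on the running kernel.

# cmdline_arg NAME: read a kernel command line on stdin and print the value of
# the last NAME=value token; return 1 when NAME is not present.
cmdline_arg() {
    val=$(tr ' ' '\n' | sed -n "s/^$1=//p" | tail -n 1)
    [ -n "$val" ] && printf '%s\n' "$val"
}

# grub_default_cmdline [FILE]: print the GRUB_CMDLINE_LINUX value from
# /etc/default/grub (FILE lets a copy be checked instead of the live file).
grub_default_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"[[:space:]]*$/\1/p' "${1:-/etc/default/grub}" | tail -n 1
}

# audit_cmdline LABEL CMDLINE: compare one command line against the values the
# remediations above write; return the number of arguments missing or wrong.
audit_cmdline() {
    label="$1"; fails=0
    for rule in slub_debug=P page_poison=1 vsyscall=none; do
        name=${rule%%=*}; want=${rule#*=}
        have=$(printf '%s\n' "$2" | cmdline_arg "$name") || have="(absent)"
        if [ "$have" = "$want" ]; then
            echo "PASS [$label] $name=$have"
        else
            echo "FAIL [$label] $name=$have (expected $want)"; fails=$((fails + 1))
        fi
    done
    return $fails
}

# Constructed /etc/default/grub (not from a real host): page_poison was never added.
SAMPLE_GRUB=$(mktemp)
cat > "$SAMPLE_GRUB" <<'EOF'
# constructed /etc/default/grub sample
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet slub_debug=P vsyscall=none"
GRUB_DISABLE_RECOVERY="true"
EOF

# Constructed running command line: the reboot happened, but page poisoning is off.
LIVE_CMDLINE="BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro slub_debug=P page_poison=0 vsyscall=none"

audit_cmdline default "$(grub_default_cmdline "$SAMPLE_GRUB")" || echo "$? issue(s) in the GRUB default"
audit_cmdline running "$LIVE_CMDLINE" || echo "$? issue(s) on the running kernel"
```

On a real host use `audit_cmdline running "$(cat /proc/cmdline)"` and `audit_cmdline default "$(grub_default_cmdline)"`.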
Remediation (bash):

```bash
# Correct the form of default kernel command line in GRUB
if grep -q '^GRUB_CMDLINE_LINUX=.*vsyscall=.*"' '/etc/default/grub' ; then
    # modify the GRUB command-line if a vsyscall= arg already exists
    sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)vsyscall=[^[:space:]]*\(.*"\)/\1 vsyscall=none \2/' '/etc/default/grub'
else
    # no vsyscall= arg is present, append it
    sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 vsyscall=none"/' '/etc/default/grub'
fi

# Correct the form of kernel command line for each installed kernel in the bootloader
grubby --update-kernel=ALL --args="vsyscall=none"
```

Restrict usage of ptrace to descendant processes

To set the runtime status of the kernel.yama.ptrace_scope kernel parameter, run the following command:

```
$ sudo sysctl -w kernel.yama.ptrace_scope=1
```

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

```
kernel.yama.ptrace_scope = 1
```

Rationale: Unrestricted usage of ptrace allows compromised binaries to run ptrace on other processes of the user. In this way, an attacker can steal sensitive information from the target processes (e.g. SSH sessions, web browser, ...) without any additional assistance from the user (i.e. without resorting to phishing).
Remediation (bash):

```bash
#
# Set runtime for kernel.yama.ptrace_scope
#
/sbin/sysctl -q -n -w kernel.yama.ptrace_scope=1

#
# If kernel.yama.ptrace_scope present in /etc/sysctl.conf, change value to "1"
#	else, add "kernel.yama.ptrace_scope = 1" to /etc/sysctl.conf
# (replace_or_append is an SSG remediation helper function; this rule has no CCE identifier)
#
replace_or_append '/etc/sysctl.conf' '^kernel.yama.ptrace_scope' "1" ''
```

Remediation (Ansible):

```yaml
- name: Ensure sysctl kernel.yama.ptrace_scope is set to 1
  sysctl:
    name: kernel.yama.ptrace_scope
    value: 1
    state: present
    reload: yes
  tags:
    - sysctl_kernel_yama_ptrace_scope
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Restrict Access to Kernel Message Buffer

To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command:

```
$ sudo sysctl -w kernel.dmesg_restrict=1
```

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

```
kernel.dmesg_restrict = 1
```

References: 3.1.5 CCI-001314 164.308(a)(1)(ii)(D) 164.308(a)(3) 164.308(a)(4) 164.310(b) 164.310(c) 164.312(a) 164.312(e) SI-11

Rationale: Unprivileged access to the kernel syslog can expose sensitive kernel address information.
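An audit covering every sysctl parameter in this section (fs.suid_dumpable, kernel.kptr_restrict, kernel.randomize_va_space, kernel.kexec_load_disabled, kernel.yama.ptrace_scope and kernel.dmesg_restrict), added here as an example and not part of SSG's remediation code. It compares the live /proc/sys values with what the guide requires and separately resolves the value a set of sysctl configuration files would persist, so a runtime fix that was never written to /etc/sysctl.d shows up; the /proc/sys tree and configuration fragment below are constructed for the demo.

```shell
#!/bin/sh
# Added example, not SSG code: audit the kernel parameters from this section.

# runtime_value NAME [ROOT]: print the live value of NAME from /proc/sys
# (ROOT lets the demo read a constructed tree); return 1 if unreadable.
runtime_value() {
    root="${2:-/proc/sys}"
    path="$root/$(printf '%s' "$1" | tr . /)"
    [ -r "$path" ] && tr -d '[:space:]' < "$path"
}

# persisted_value NAME [CONF...]: print the value the given sysctl files would
# apply at boot (the last definition wins across the files in the order given);
# return 1 if NAME is defined in none of them. The default file list is a
# simplification of sysctl --system, which also reads /run and /usr/lib.
persisted_value() {
    name="$1"; shift
    [ $# -gt 0 ] || set -- /etc/sysctl.d/*.conf /etc/sysctl.conf
    awk -v name="$name" '
        /^[[:space:]]*(#|;|$)/ { next }                     # comments and blank lines
        { split($0, kv, "="); gsub(/[[:space:]]/, "", kv[1]); gsub(/[[:space:]]/, "", kv[2]) }
        kv[1] == name { val = kv[2]; found = 1 }            # later definitions override
        END { if (found) print val; exit found ? 0 : 1 }
    ' "$@" 2>/dev/null
}

# audit_sysctl [ROOT]: compare each live value with the value the guide
# requires; print one line per parameter and return the number of mismatches.
audit_sysctl() {
    fails=0
    for rule in fs.suid_dumpable=0 kernel.kptr_restrict=1 \
                kernel.randomize_va_space=2 kernel.kexec_load_disabled=1 \
                kernel.yama.ptrace_scope=1 kernel.dmesg_restrict=1; do
        name=${rule%%=*}; want=${rule#*=}
        have=$(runtime_value "$name" "$1") || have="(unreadable)"
        if [ "$have" = "$want" ]; then
            echo "PASS $name = $have"
        else
            echo "FAIL $name = $have (expected $want)"; fails=$((fails + 1))
        fi
    done
    return $fails
}

# Constructed /proc/sys tree (not a real kernel): kptr_restrict is still 0.
FAKE_SYS=$(mktemp -d)
mkdir -p "$FAKE_SYS/fs" "$FAKE_SYS/kernel/yama"
echo 0 > "$FAKE_SYS/fs/suid_dumpable"
echo 0 > "$FAKE_SYS/kernel/kptr_restrict"
echo 2 > "$FAKE_SYS/kernel/randomize_va_space"
echo 1 > "$FAKE_SYS/kernel/kexec_load_disabled"
echo 1 > "$FAKE_SYS/kernel/yama/ptrace_scope"
echo 1 > "$FAKE_SYS/kernel/dmesg_restrict"

# Constructed sysctl.d fragment: the later kptr_restrict line overrides the earlier one.
FAKE_CONF=$(mktemp)
printf '%s\n' '# constructed /etc/sysctl.d fragment' \
    'kernel.kptr_restrict = 0' 'kernel.dmesg_restrict = 1' \
    'kernel.kptr_restrict = 1' > "$FAKE_CONF"

audit_sysctl "$FAKE_SYS" || echo "$? parameter(s) need remediation"
echo "persisted kernel.kptr_restrict: $(persisted_value kernel.kptr_restrict "$FAKE_CONF")"
```

Run `audit_sysctl` with no argument to check the running kernel, and `persisted_value NAME` with no files to resolve the host's own configuration.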
Identifier: CCE-27050-4

Remediation (bash):

```bash
#
# Set runtime for kernel.dmesg_restrict
#
/sbin/sysctl -q -n -w kernel.dmesg_restrict=1

#
# If kernel.dmesg_restrict present in /etc/sysctl.conf, change value to "1"
#	else, add "kernel.dmesg_restrict = 1" to /etc/sysctl.conf
# (replace_or_append is an SSG remediation helper function)
#
replace_or_append '/etc/sysctl.conf' '^kernel.dmesg_restrict' "1" 'CCE-27050-4'
```

Remediation (Ansible):

```yaml
- name: Ensure sysctl kernel.dmesg_restrict is set to 1
  sysctl:
    name: kernel.dmesg_restrict
    value: 1
    state: present
    reload: yes
  tags:
    - sysctl_kernel_dmesg_restrict
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - CCE-27050-4
    - NIST-800-53-SI-11
    - NIST-800-171-3.1.5
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

OVAL definitions: platform detection (platform: Red Hat Enterprise Linux 7)

- CentOS 6: The operating system installed on the system is CentOS 6
- CentOS 7: The operating system installed on the system is CentOS 7
- CentOS 8: The operating system installed on the system is CentOS 8
- Debian 8: The operating system installed on the system is Debian 8
- Installed operating system is Fedora: The operating system installed on the system is Fedora
- Oracle Linux 6: The operating system installed on the system is Oracle Linux 6
- Oracle Linux 7: The operating system installed on the system is Oracle Linux 7
- Oracle Linux 8: The operating system installed on the system is Oracle Linux 8
- openSUSE: The operating system installed on the system is openSUSE.
- openSUSE Leap 15: The operating system installed on the system is openSUSE Leap 15.
- openSUSE Leap 42: The operating system installed on the system is openSUSE Leap 42.
- Installed operating system is part of the Unix family: The operating system installed on the system is part of the Unix OS family
- Red Hat Enterprise Linux 6: The operating system installed on the system is Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7: The operating system installed on the system is Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8: The operating system installed on the system is Red Hat Enterprise Linux 8
- Red Hat Virtualization 4: The operating system installed on the system is Red Hat Virtualization Host 4 or Red Hat Enterprise Host.
- Scientific Linux 6: The operating system installed on the system is Scientific Linux 6
- Scientific Linux 7: The operating system installed on the system is Scientific Linux 7
- Scientific Linux 8: The operating system installed on the system is Scientific Linux 8
- SUSE Linux Enterprise 11: The operating system installed on the system is SUSE Linux Enterprise 11.
- SUSE Linux Enterprise 12: The operating system installed on the system is SUSE Linux Enterprise 12.
- Ubuntu: The operating system installed is an Ubuntu system
- Ubuntu 1404: The operating system installed on the system is Ubuntu 1404
- Ubuntu 1604: The operating system installed on the system is Ubuntu 1604
- Ubuntu 1804: The operating system installed on the system is Ubuntu 1804
- WRLinux: The operating system installed on the system is Wind River Linux
- Red Hat OpenShift Container Platform: The application installed on the system is OpenShift 3.
- Red Hat OpenStack Platform: The application installed on the system is Red Hat OpenStack Platform 13.
- Red Hat Virtualization 4: The application installed on the system is Red Hat Virtualization 4.
- Package gdm is installed: Checks if package gdm is installed.
- Package libuser is installed: Checks if package libuser is installed.
- Package nss-pam-ldapd is installed: Checks if package nss-pam-ldapd is installed.
- Package pam is installed: Checks if package pam is installed.
- Package shadow-utils is installed: Checks if package shadow-utils is installed.
- Package systemd is installed: Checks if package systemd is installed.
- Package yum is installed: Checks if package yum is installed.
- Check if the scan target is a container: Check if the file /.dockerenv exists; if it does, the target is considered to be a Docker filesystem.
- Check if the scan target is a machine: Check if the file /.dockerenv exists; if it doesn't, the target is considered to be a host filesystem or a virtual machine.
CPE platform names and the OVAL definitions that evaluate them

- Red Hat Enterprise Linux 7: oval:ssg-installed_OS_is_rhel7:def:1
- Red Hat Enterprise Linux 7 Server: oval:ssg-installed_OS_is_rhel7:def:1
- Red Hat Enterprise Linux 7 Client: oval:ssg-installed_OS_is_rhel7:def:1
- Red Hat Enterprise Linux 7 ComputeNode: oval:ssg-installed_OS_is_rhel7:def:1
- Red Hat Enterprise Linux 7 Workstation: oval:ssg-installed_OS_is_rhel7:def:1
- CentOS 7: oval:ssg-installed_OS_is_centos7:def:1
- Scientific Linux 7: oval:ssg-installed_OS_is_sl7:def:1
- Container: oval:ssg-installed_env_is_a_container:def:1
- Bare-metal or Virtual Machine:
oval:ssg-installed_env_is_a_machine:def:1 Package gdm is installed oval:ssg-installed_env_has_gdm_package:def:1 Package libuser is installed oval:ssg-installed_env_has_libuser_package:def:1 Package nss-pam-ldapd is installed oval:ssg-installed_env_has_nss-pam-ldapd_package:def:1 Package pam is installed oval:ssg-installed_env_has_pam_package:def:1 Package shadow-utils is installed oval:ssg-installed_env_has_shadow-utils_package:def:1 Package systemd is installed oval:ssg-installed_env_has_systemd_package:def:1 Package yum is installed oval:ssg-installed_env_has_yum_package:def:1 combine_ovals.py from SCAP Security Guide ssg: [0, 1, 43], python: 2.7.5 5.11 2019-06-12T16:10:38 Ensure Users Re-Authenticate for Privilege Escalation - sudo Red Hat Enterprise Linux 7 Checks sudo usage without password Ensure !authenticate Is Not Used in Sudo Red Hat Enterprise Linux 7 Checks sudo usage without authentication Ensure NOPASSWD Is Used Only for the VDSM User in Sudo Red Hat Enterprise Linux 7 Checks sudo usage for the vdsm user without a password Ensure NOPASSWD Is Not Used in Sudo Red Hat Enterprise Linux 7 Checks sudo usage without password Implement Local DB for DConf User Profile Red Hat Enterprise Linux 7 The DConf User profile should have the local DB configured. The dconf databases are up-to-date. Red Hat Enterprise Linux 7 Make sure that the dconf databases are up-to-date with regards to respective keyfiles. Force dconf to use the textfiles instead of a binary DB Red Hat Enterprise Linux 7 dconf should use text files instead of the binary database. Disable Geolocation in GNOME3 Red Hat Enterprise Linux 7 Disable GNOME3 Geolocation for the clock and system. Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 Red Hat Enterprise Linux 7 Disable the GNOME3 ctrl-alt-del reboot key sequence in GNOME3. Disable User Administration in GNOME3 Red Hat Enterprise Linux 7 Disable GNOME3's ability to give users some administrative rights. 
Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period (Red Hat Enterprise Linux 7): Idle activation of the screen lock should not be changed by users.
Ensure Users Cannot Change GNOME3 Screensaver Idle Activation (Red Hat Enterprise Linux 7): Idle activation of the screen saver should not be changed by users.
Enable GNOME3 Screensaver Idle Activation (Red Hat Enterprise Linux 7): Idle activation of the screen saver should be enabled.
Disable All GNOME3 Thumbnailers (Red Hat Enterprise Linux 7): The system's default desktop environment, GNOME3, uses a number of different thumbnailer programs to generate thumbnails for any new or modified content in an opened folder. Disable the execution of these thumbnail applications within GNOME3.
Disable GNOME3 Automounting (Red Hat Enterprise Linux 7): The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. Disable automount and autorun within GNOME3.
Disable Prelinking (Red Hat Enterprise Linux 7): The prelinking feature can interfere with the operation of checksum integrity tools (e.g. AIDE), weakens the protection provided by ASLR, and requires additional CPU cycles during software upgrades.
Verify File Hashes with RPM (Red Hat Enterprise Linux 7): Verify the RPM digests of system binaries using the RPM database.
Verify File Permissions Using RPM (Red Hat Enterprise Linux 7): Verify the permissions of installed packages by comparing the installed files with information about the files taken from the package metadata stored in the RPM database.
Verify File Ownership Using RPM (Red Hat Enterprise Linux 7): Verify ownership of installed packages by comparing the installed files with information about the files taken from the package metadata stored in the RPM database.
Configure Periodic Execution of AIDE (Red Hat Enterprise Linux 7): By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.
Configure AIDE to Verify Extended Attributes (Red Hat Enterprise Linux 7): AIDE should be configured to verify extended file attributes.
Aide Database Must Exist (Red Hat Enterprise Linux 7): The aide database must be initialized.
Configure Notification of Post-AIDE Scan Details (Red Hat Enterprise Linux 7): AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
Configure AIDE to Use FIPS 140-2 for Validating Hashes (Red Hat Enterprise Linux 7): AIDE should be configured to use the FIPS 140-2 cryptographic hashes.
Configure AIDE to Verify Access Control Lists (ACLs) (Red Hat Enterprise Linux 7): AIDE should be configured to verify Access Control Lists (ACLs).
Package dracut-fips Installed (Red Hat Enterprise Linux 7): The RPM package dracut-fips should be installed.
Enable FIPS Mode in GRUB2 (Red Hat Enterprise Linux 7): Look for argument fips=1 in the kernel line in /etc/default/grub.
Vendor Supported Operating System (Red Hat Enterprise Linux 7): The operating system installed on the system is supported by a vendor that provides security patches.
FIPS 140-2 Certified Operating System (Red Hat Enterprise Linux 7): The operating system installed on the system is a certified operating system that meets FIPS 140-2 requirements.
Package Antivirus Installed (Red Hat Enterprise Linux 7): Antivirus software should be installed.
Install Intrusion Detection Software (Red Hat Enterprise Linux 7): Intrusion detection software or SELinux should be installed and enabled.
Package McAfeeVSEForLinux Installed (Red Hat Enterprise Linux 7): McAfee Antivirus software should be installed.
Install the McAfee Runtime Libraries and Linux Agent (Red Hat Enterprise Linux 7): Install the McAfee Runtime Libraries (MFErt) and Linux Agent (MFEcma).
McAfee AntiVirus Definitions Updated (Red Hat Enterprise Linux 7): Verify that McAfee AntiVirus definitions have been updated.
Install the Host Intrusion Prevention System (HIPS) Module (Red Hat Enterprise Linux 7): Install the McAfee Host Intrusion Prevention System (HIPS) Module if it is absolutely necessary. If SELinux is enabled, do not install or enable this module.
Install the Policy Auditor (PA) Module (Red Hat Enterprise Linux 7): Install the Policy Auditor (PA) Module.
Install the Asset Configuration Compliance Module (ACCM) (Red Hat Enterprise Linux 7): Install the Asset Configuration Compliance Module (ACCM).
Ensure gpgcheck Enabled for Repository Metadata (Red Hat Enterprise Linux 7): The repo_gpgcheck option should be used to ensure that checking of repository metadata always occurs.
Ensure YUM Removes Previous Package Versions (Red Hat Enterprise Linux 7): The clean_requirements_on_remove option should be used to ensure that old versions of software components are removed after updating.
Ensure gpgcheck Enabled For All Yum or Dnf Package Repositories (Red Hat Enterprise Linux 7): Ensure all yum or dnf repositories utilize signature checking.
Red Hat Release and Auxiliary gpg-pubkey Packages Installed (Red Hat Enterprise Linux 7): The Red Hat release and auxiliary key packages are required to be installed.
Ensure gpgcheck Enabled for Local Packages (Red Hat Enterprise Linux 7): The localpkg_gpgcheck option should be used to ensure that checking of an RPM package's signature always occurs prior to its installation.
Ensure yum gpgcheck Globally Activated (Red Hat Enterprise Linux 7): The gpgcheck option should be used to ensure that checking of an RPM package's signature always occurs prior to its installation.
Force IOMMU usage in GRUB2 (Red Hat Enterprise Linux 7): Look for argument iommu=force in the kernel line in /etc/default/grub.
File /boot/efi/EFI/redhat/grub.cfg Permissions (Red Hat Enterprise Linux 7): File permissions for /boot/efi/EFI/redhat/grub.cfg should be set to 0700 (or stronger).
Set the UEFI Boot Loader Password (Red Hat Enterprise Linux 7): The UEFI grub2 boot loader should have password protection enabled.
Set Boot Loader Password (Red Hat Enterprise Linux 7): The grub2 boot loader should have password protection enabled.
Enable SELinux (Red Hat Enterprise Linux 7): The SELinux policy should be set appropriately.
Enable SELinux in the GRUB2 Bootloader (Red Hat Enterprise Linux 7): Check whether selinux=0 or enforcing=0 appears in the GRUB2 configuration files; fail if either is found.
SELinux Enforcing (Red Hat Enterprise Linux 7): The SELinux state should be enforcing the local policy.
Ensure No Daemons are Unconfined by SELinux (Red Hat Enterprise Linux 7): All pids in /proc should be assigned an SELinux security context other than 'initrc_t'.
Device Files Have Proper SELinux Context (Red Hat Enterprise Linux 7): All device files in /dev should be assigned an SELinux security context other than 'device_t'.
Disable Kernel Support for USB via Bootloader Configuration (Red Hat Enterprise Linux 7): Look for the 'nousb' argument in the kernel line in /etc/default/grub.
Set Daemon umask (Red Hat Enterprise Linux 7): The daemon umask should be set as appropriate.
Package kernel-PAE Installed (Red Hat Enterprise Linux 7): The RPM package kernel-PAE should be installed on 32-bit systems.
Kernel Runtime Parameter "kernel.exec-shield" Check (Red Hat Enterprise Linux 7): The kernel runtime parameter "kernel.exec-shield" should not be disabled and should be set to 1 on 32-bit systems.
Disable Core Dumps (Red Hat Enterprise Linux 7): Core dumps for all users should be disabled.
Add nodev Option to Non-Root Local Partitions (Red Hat Enterprise Linux 7): The nodev mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist in the /dev directory on the root partition or within chroot jails built for system services. All other locations should not allow character and block devices.
Bind Mount /var/tmp To /tmp (Red Hat Enterprise Linux 7): The /var/tmp directory should be bind mounted to /tmp in order to consolidate temporary storage into one location protected by the same techniques as /tmp.
Find world writable directories not owned by a system account (Red Hat Enterprise Linux 7): All world writable directories should be owned by a system user.
Find setgid files from system packages (Red Hat Enterprise Linux 7): All files with setgid should be owned by a base system package.
Find setuid files from system packages (Red Hat Enterprise Linux 7): All files with setuid should be owned by a base system package.
Find files unowned by a group (Red Hat Enterprise Linux 7): All files should be owned by a group.
Find files unowned by a user (Red Hat Enterprise Linux 7): All files should be owned by a user.
Find Unauthorized World-Writable Files (Red Hat Enterprise Linux 7): The world-write permission should be disabled for all files.
Verify that All World-Writable Directories Have Sticky Bits Set (Red Hat Enterprise Linux 7): The sticky bit should be set for all world-writable directories.
Verify that System.map files are readable only by root (Red Hat Enterprise Linux 7): Checks that /boot/System.map-* are only readable by root.
Verify that Shared Library Files Have Restrictive Permissions (Red Hat Enterprise Linux 7): Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and objects therein, are not group-writable or world-writable.
Verify that System Executables Have Root Ownership (Red Hat Enterprise Linux 7): Checks that /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin, /usr/libexec, and objects therein, are owned by root.
Verify that System Executables Have Restrictive Permissions (Red Hat Enterprise Linux 7): Checks that binary files under /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin, and /usr/libexec are not group-writable or world-writable.
Verify that Shared Library Files Have Root Ownership (Red Hat Enterprise Linux 7): Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and objects therein, are owned by root.
System Login Banner Compliance (Red Hat Enterprise Linux 7): The system login banner text should be set correctly.
Enable GUI Warning Banner (Red Hat Enterprise Linux 7): Enable the GUI warning banner.
Enable GNOME3 Login Warning Banner (Red Hat Enterprise Linux 7): Enable the GNOME3 Login warning banner.
Disable Ctrl-Alt-Del Burst Action (Red Hat Enterprise Linux 7): Configure the CtrlAltDelBurstAction setting in /etc/systemd/system.conf to none to prevent a reboot if Ctrl-Alt-Delete is pressed more than 7 times in 2 seconds.
Verify that Interactive Boot is Disabled (Red Hat Enterprise Linux 7): The ability for users to perform interactive startups should be disabled.
Disable Ctrl-Alt-Del Reboot Activation (Red Hat Enterprise Linux 7): By default, the system will reboot when the Ctrl-Alt-Del key sequence is pressed.
Require Authentication for Single-User Mode (Red Hat Enterprise Linux 7): The requirement for a password to boot into single-user mode should be configured correctly.
Force opensc To Use Defined Smart Card Driver (Red Hat Enterprise Linux 7): Force opensc to use the organization's smart card driver so that only the smart card in use by the organization will be recognized by the system.
Enable Smart Card Login (Red Hat Enterprise Linux 7): Enable Smart Card logins.
Configure opensc Smart Card Drivers (Red Hat Enterprise Linux 7): Configure the organization's smart card driver so that only the smart card in use by the organization will be recognized by the system.
Verify that Interactive Boot is Disabled (Red Hat Enterprise Linux 7): The ability for users to perform interactive startups should be disabled.
Install needed packages for smartcard use (Red Hat Enterprise Linux 7): The RPM packages esc, pam_pkcs11 and authconfig-gtk must be installed.
Set Password Expiration Parameters (Red Hat Enterprise Linux 7): The password expiration warning age should be set appropriately.
Set Password Expiration Parameters (Red Hat Enterprise Linux 7): The maximum password age policy should meet minimum requirements.
Set Password Expiration Parameters (Red Hat Enterprise Linux 7): The password minimum length should be set appropriately.
Set Password Expiration Parameters (Red Hat Enterprise Linux 7): The minimum password age policy should be set appropriately.
Set Accounts to Expire Following Password Expiration (Red Hat Enterprise Linux 7): The accounts should be configured to expire automatically following password expiration.
Set All Accounts To Have Unique Names (Red Hat Enterprise Linux 7): All accounts on the system should have unique names for proper accountability.
All GIDs Are Present In /etc/group (Red Hat Enterprise Linux 7): All GIDs referenced in /etc/passwd must be defined in /etc/group.
All Password Hashes Shadowed (Red Hat Enterprise Linux 7): All password hashes should be shadowed.
No nullok Option in /etc/pam.d/system-auth (Red Hat Enterprise Linux 7): The file /etc/pam.d/system-auth should not contain the nullok option.
Verify No netrc Files Exist (Red Hat Enterprise Linux 7): The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. Any .netrc files should be removed.
Restrict Serial Port Root Logins (Red Hat Enterprise Linux 7): Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the system using the root account.
Restrict Virtual Console Root Logins (Red Hat Enterprise Linux 7): Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account.
UID 0 Belongs Only To Root (Red Hat Enterprise Linux 7): Only the root account should be assigned a user id of 0.
Direct root Logins Not Allowed (Red Hat Enterprise Linux 7): Preventing direct root logins helps ensure accountability for actions taken on the system using the root account.
System Accounts Do Not Run a Shell (Red Hat Enterprise Linux 7): The root account is the only system account that should have a login shell.
Set Last Login/Access Notification (Red Hat Enterprise Linux 7): Configure the system to notify users of last login/access using pam_lastlog.
Set Password retry Requirements (Red Hat Enterprise Linux 7): The password retry should meet minimum requirements.
Lock out account after failed login attempts (Red Hat Enterprise Linux 7): The number of allowed failed logins should be set correctly.
Lock out account after failed login attempts (Red Hat Enterprise Linux 7): The number of allowed failed logins should be set correctly.
Lock out account after failed login attempts (Red Hat Enterprise Linux 7): The number of allowed failed logins should be set correctly.
Lock out the root account after failed login attempts (Red Hat Enterprise Linux 7): The root account should be configured to deny access after the number of defined failed attempts has been reached.
Limit Password Reuse (Red Hat Enterprise Linux 7): The passwords to remember should be set correctly.
Set SHA512 Password Hashing Algorithm in /etc/libuser.conf (Red Hat Enterprise Linux 7): The password hashing algorithm should be set correctly in /etc/libuser.conf.
Set SHA512 Password Hashing Algorithm in /etc/login.defs (Red Hat Enterprise Linux 7): The password hashing algorithm should be set correctly in /etc/login.defs.
Set Password Hashing Algorithm in /etc/pam.d/system-auth (Red Hat Enterprise Linux 7): The password hashing algorithm should be set correctly in /etc/pam.d/system-auth.
Set Interactive Session Timeout (Red Hat Enterprise Linux 7): Checks the interactive shell timeout.
Proper Permissions User Home Directories (Red Hat Enterprise Linux 7): File permissions should be set correctly for the home directories of all user accounts.
Ensure new users receive home directories (Red Hat Enterprise Linux 7): CREATE_HOME should be enabled.
Set Maximum Number of Concurrent Login Sessions Per User (Red Hat Enterprise Linux 7): The maximum number of concurrent login sessions per user should meet minimum requirements.
Ensure that FAIL_DELAY is Configured in /etc/login.defs (Red Hat Enterprise Linux 7): The delay between failed authentication attempts should be set for all users specified in /etc/login.defs.
Ensure that Users Have Sensible Umask Values in /etc/profile (Red Hat Enterprise Linux 7): The default umask for all users should be set correctly.
Ensure that Users Have Sensible Umask Values set for csh (Red Hat Enterprise Linux 7): The default umask for users of the csh shell should be set correctly.
Ensure that Users Have Sensible Umask Values set for bash (Red Hat Enterprise Linux 7): The default umask for users of the bash shell should be set correctly.
Ensure that Users Have Sensible Umask Values in /etc/login.defs (Red Hat Enterprise Linux 7): The default umask for all users specified in /etc/login.defs should be set correctly.
Ensure that No Dangerous Directories Exist in Root's Path (Red Hat Enterprise Linux 7): The environment variable PATH should be set correctly for the root user.
Write permissions are disabled for group and other in all directories in Root's Path (Red Hat Enterprise Linux 7): Check each directory in root's path and make sure it does not grant write permission to group and other.
Set Enterprise Application to travel mode (Red Hat Enterprise Linux 7): Travel mode should be enabled when operating outside of the intranet.
Verify /var/log/audit Ownership (Red Hat Enterprise Linux 7): Checks that all /var/log/audit files and directories are owned by the root user and group.
Verify /var/log/audit Directory Permissions (Red Hat Enterprise Linux 7): Checks for correct permissions for /var/log/audit.
Audit Information Export To Media (Red Hat Enterprise Linux 7): Audit rules that detect the mounting of filesystems should be enabled.
Audit System Administrator Actions (Red Hat Enterprise Linux 7): Audit actions taken by system administrators on the system.
Shutdown System When Auditing Failures Occur (Red Hat Enterprise Linux 7): The system will shut down when auditing fails.
Record Attempts to Alter Process and Session Initiation Information (Red Hat Enterprise Linux 7): Audit rules should capture information about session initiation.
Record Events that Modify the System's Network Environment (Red Hat Enterprise Linux 7): The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.
Make Audit Configuration Immutable (Red Hat Enterprise Linux 7): The audit rules should be made immutable, so that a reboot is required to change them.
Record Events that Modify the System's Mandatory Access Controls (Red Hat Enterprise Linux 7): Audit rules that detect changes to the system's mandatory access controls (SELinux) are enabled.
Verify /var/log/audit Permissions (Red Hat Enterprise Linux 7): Checks for correct permissions for all log files in /var/log/audit.
Audit User/Group Modification (Red Hat Enterprise Linux 7): Audit rules should detect modification to system files that hold information about users and groups.
Ensure auditd Collects Information Read Access to /var/log/audit (Red Hat Enterprise Linux 7): Audit rules about read events on /var/log/audit should be configured.
Audit Kernel Module Loading and Unloading - init_module (Red Hat Enterprise Linux 7): The audit rules should be configured to log information about kernel module loading and unloading.
Audit Kernel Module Loading and Unloading - modprobe (Red Hat Enterprise Linux 7): The audit rules should be configured to log information about kernel module loading and unloading.
Audit Kernel Module Loading and Unloading - insmod (Red Hat Enterprise Linux 7): The audit rules should be configured to log information about kernel module loading and unloading.
Audit Kernel Module Loading and Unloading (Red Hat Enterprise Linux 7): The audit rules should be configured to log information about kernel module loading and unloading.
Audit Kernel Module Loading and Unloading - delete_module (Red Hat Enterprise Linux 7): The audit rules should be configured to log information about kernel module loading and unloading.
Audit Kernel Module Loading and Unloading - create_module (Red Hat Enterprise Linux 7): The audit rules should be configured to log information about kernel module loading and unloading.
Audit Kernel Module Loading and Unloading - finit_module (Red Hat Enterprise Linux 7): The audit rules should be configured to log information about kernel module loading and unloading.
Audit Kernel Module Loading and Unloading - rmmod (Red Hat Enterprise Linux 7): The audit rules should be configured to log information about kernel module loading and unloading.
Record Attempts to Alter Time Through Stime (Red Hat Enterprise Linux 7): Record attempts to alter time through stime. Note that on 64-bit architectures the stime system call is not defined in the audit system calls lookup table.
Record Attempts to Alter Time Through Clock_settime (Red Hat Enterprise Linux 7): Record attempts to alter time through clock_settime.
Record Attempts to Alter Time Through Settimeofday (Red Hat Enterprise Linux 7): Record attempts to alter time through settimeofday.
Record Attempts to Alter Time Through Adjtimex (Red Hat Enterprise Linux 7): Record attempts to alter time through adjtimex.
Record Attempts to Alter Time Through the Localtime File (Red Hat Enterprise Linux 7): Record attempts to alter time through /etc/localtime.
Ensure auditd Collects Information on the Use of Privileged Commands (Red Hat Enterprise Linux 7): Audit rules about the information on the use of privileged commands are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (Red Hat Enterprise Linux 7): Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.
Audit File Deletion Events (Red Hat Enterprise Linux 7): Audit file deletion events.
Record Attempts to Alter Login and Logout Events (Red Hat Enterprise Linux 7): Audit rules should be configured to log successful and unsuccessful login and logout events.
Auditd priority for flushing data to disk (Red Hat Enterprise Linux 7): The flush setting in /etc/audit/auditd.conf should be set appropriately.
Auditd Action to Take When Disk Errors Occur (Red Hat Enterprise Linux 7): The disk_error_action setting in /etc/audit/auditd.conf is set to a certain action.
Configure audispd Plugin Remote Server IP address or Hostname (Red Hat Enterprise Linux 7): The remote_server setting in /etc/audisp/audisp-remote.conf is set to a certain IP address or hostname.
Kerberos 5 Authentication and Encryption in Audit Event Multiplexor (audispd) Is Activated (Red Hat Enterprise Linux 7): The enable_krb5 setting in /etc/audisp/audisp-remote.conf is set to 'yes'.
Auditd Email Account to Notify Upon Action (Red Hat Enterprise Linux 7): The action_mail_acct setting in /etc/audit/auditd.conf is set to a certain account.
Auditd Maximum Number of Logs to Retain (Red Hat Enterprise Linux 7): The num_logs setting in /etc/audit/auditd.conf is set to at least a certain value.
Auditd Action to Take When Disk Is Full (Red Hat Enterprise Linux 7): The disk_full_action setting in /etc/audit/auditd.conf is set to a certain action.
Auditd Action to Take When Disk Starting to Run Low on Space (Red Hat Enterprise Linux 7): The space_left_action setting in /etc/audit/auditd.conf is set to a certain action.
The syslog Plugin Of the Audit Event Multiplexor (audispd) Is Activated (Red Hat Enterprise Linux 7): The active setting in /etc/audisp/plugins.d/syslog.conf is set to 'yes'.
Auditd Action to Take When Disk is Low on Space (Red Hat Enterprise Linux 7): The admin_space_left_action setting in /etc/audit/auditd.conf is set to a certain action.
Auditd Action to Take When Maximum Log Size Reached (Red Hat Enterprise Linux 7): The max_log_file_action setting in /etc/audit/auditd.conf is set to a certain action.
Auditd Maximum Log File Size (Red Hat Enterprise Linux 7): The max_log_file setting in /etc/audit/auditd.conf is set to at least a certain value.
Configure auditd space_left on Low Disk Space (Red Hat Enterprise Linux 7): The space_left setting in /etc/audit/auditd.conf is set to at least a certain value.
Disable the network sniffer (Red Hat Enterprise Linux 7): Disable the network sniffer.
Disable Client Dynamic DNS Updates (Red Hat Enterprise Linux 7): Clients should not automatically update their own DNS record.
Configure Multiple DNS Servers in /etc/resolv.conf (Red Hat Enterprise Linux 7): Multiple Domain Name System (DNS) Servers should be configured in /etc/resolv.conf.
Disable Zeroconf Networking (Red Hat Enterprise Linux 7): Disable Zeroconf automatic route assignment in the 169.254.0.0 subnet.
Change the default firewalld zone to drop (Red Hat Enterprise Linux 7): Change the default firewalld zone to drop.
Configure the Firewalld Ports (Red Hat Enterprise Linux 7): Configure the firewalld ports to allow approved services to have access to the system.
Disable Support for RPC IPv6 (Red Hat Enterprise Linux 7): Disable IPv6-based RPC services.
Disable IPv6 Kernel Module Functionality via Disable Option (Red Hat Enterprise Linux 7): The disable option will allow the IPv6 module to be inserted, but prevent address assignment and activation of the network stack.
Manually Assign Global IPv6 Address (Red Hat Enterprise Linux 7): Manually configure addresses for IPv6.
Enable Privacy Extensions for IPv6 (Red Hat Enterprise Linux 7): Enable privacy extensions for IPv6.
Manually Assign IPv6 Router Address (Red Hat Enterprise Linux 7): Define default gateways for IPv6 traffic.
Deactivate Wireless Interfaces (Red Hat Enterprise Linux 7): All wireless interfaces should be disabled.
Ensure the logrotate utility performs the automatic rotation of log files on a daily basis (Red Hat Enterprise Linux 7): The frequency of automatic log file rotation performed by the logrotate utility should be configured to run daily.
Disable Rsyslogd from Accepting Remote Messages on Loghosts Only (Red Hat Enterprise Linux 7): rsyslogd should reject remote messages.
Send Logs to a Remote Loghost (Red Hat Enterprise Linux 7): Syslog logs should be sent to a remote loghost.
Confirm Existence and Permissions of System Log Files (Red Hat Enterprise Linux 7): All syslog log files should be owned by the appropriate group.
Verify Cron is Logging to Rsyslog (Red Hat Enterprise Linux 7): Rsyslog should be configured to capture cron messages.
Confirm Existence and Permissions of System Log Files (Red Hat Enterprise Linux 7): All syslog log files should be owned by the appropriate user.
Confirm Existence and Permissions of System Log Files (Red Hat Enterprise Linux 7): File permissions for all syslog log files should be set correctly.
Ensure Logwatch HostLimit Configured (Red Hat Enterprise Linux 7): Test if the HostLimit line in logwatch.conf is set appropriately.
Ensure Logwatch SplitHosts Configured (Red Hat Enterprise Linux 7): Check if the SplitHosts line in logwatch.conf is set appropriately.
Disable X Windows Startup By Setting Default SystemD Target (Red Hat Enterprise Linux 7): Checks /etc/systemd/system/default.target to ensure that the default runlevel target is set to multi-user.target.
Disable Printer Browsing Entirely if Possible (Red Hat Enterprise Linux 7): The CUPS print service can be configured to broadcast a list of available printers to the network. Other machines on the network, also running the CUPS print service, can be configured to listen to these broadcasts and add and configure these printers for immediate use. By disabling this browsing capability, the machine will no longer generate or receive such broadcasts.
Disable Printer Server if Possible (Red Hat Enterprise Linux 7): By default, locally configured printers will not be shared over the network, but if this functionality has somehow been enabled, these recommendations will disable it again. Be sure to disable outgoing printer list broadcasts, or remote users will still be able to see the locally configured printers, even if they cannot actually print to them. To limit print serving to a particular set of users, use the Policy directive.
Verify Permissions On Apache Web Server Configuration Files (Red Hat Enterprise Linux 7): The /etc/httpd/conf.modules.d/* files should have the appropriate permissions (0640 or stronger).
Directory /var/log/httpd/ Permissions (Red Hat Enterprise Linux 7): Directory permissions for /var/log/httpd should be set to 0700 (or stronger).
Verify Permissions On Apache Web Server Configuration Files (Red Hat Enterprise Linux 7): The /etc/httpd/conf/* files should have the appropriate permissions (0640 or stronger).
Directory /etc/httpd/conf/ Permissions (Red Hat Enterprise Linux 7): Directory permissions for /etc/httpd/conf/ should be set to 0750 (or stronger).
Verify Permissions On Apache Web Server Configuration Files (Red Hat Enterprise Linux 7): The /etc/httpd/conf.d/* files should have the appropriate permissions (0640 or stronger).
Require Client SMB Packet Signing, if using mount.cifs (Red Hat Enterprise Linux 7): Require packet signing of clients who mount Samba shares using the mount.cifs program (e.g., those who specify shares in /etc/fstab). To do so, ensure that signing options (either sec=krb5i or sec=ntlmv2i) are used.
Require Client SMB Packet Signing in smb.conf (Red Hat Enterprise Linux 7): Require samba clients which use smb.conf, such as smbclient, to use packet signing. A Samba client should only communicate with servers who can support SMB packet signing.
Disallow inbound firewall access to the SSH Server port (Red Hat Enterprise Linux 7): If inbound SSH access is not needed, the firewall should disallow or reject access to the SSH port (22).
Disable Empty Passwords (Red Hat Enterprise Linux 7): Remote connections from accounts with empty passwords should be disabled (and dependencies are met).
Disable .rhosts Files (Red Hat Enterprise Linux 7): Emulation of the rsh command through the ssh server should be disabled (and dependencies are met).
Use Only Approved Ciphers (Red Hat Enterprise Linux 7): Limit the ciphers to those which are FIPS-approved.
Disable Kerberos Authentication (Red Hat Enterprise Linux 7): Unless needed, disable the Kerberos authentication option for the SSH Server.
Disable root Login via SSH (Red Hat Enterprise Linux 7): Root login via SSH should be disabled (and dependencies are met).
Disable Compression Or Set Compression to delayed (Red Hat Enterprise Linux 7): SSH should either have compression disabled or set to delayed.
Do Not Allow Users to Set Environment Options (Red Hat Enterprise Linux 7): PermitUserEnvironment should be disabled.
Set OpenSSH authentication attempt limit (MaxAuthTries) (Red Hat Enterprise Linux 7): The SSH MaxAuthTries should be set to an appropriate value.
Disable SSH Support for Rhosts RSA Authentication (Red Hat Enterprise Linux 7): SSH can allow authentication through the obsolete rsh command through the use of the authenticating user's SSH keys. This should be disabled.
Ensure Only Protocol 2 Connections Allowed (Red Hat Enterprise Linux 7): The OpenSSH daemon should be running protocol 2.
Disable SSH Support for User Known Hosts (Red Hat Enterprise Linux 7): SSH can allow system users host-based authentication to connect to systems if a cache of the remote systems' public keys is available. This should be disabled.
Enable SSH Server's Strict Mode (Red Hat Enterprise Linux 7): Enable StrictMode to check users' home directory permissions and configurations.
Disable Host-Based Authentication | Red Hat Enterprise Linux 7 | SSH host-based authentication should be disabled.
Use Only FIPS MACs | Red Hat Enterprise Linux 7 | Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.
Disable GSSAPI Authentication | Red Hat Enterprise Linux 7 | Unless needed, disable the GSSAPI authentication option for the SSH Server.
Enable X11 Forwarding | Red Hat Enterprise Linux 7 | Enable X11Forwarding to encrypt X11 remote connections over SSH.
Allow inbound firewall access to the SSH Server port | Red Hat Enterprise Linux 7 | If inbound SSH access is needed, the firewall should allow access to the SSH port (22).
Use Privilege Separation | Red Hat Enterprise Linux 7 | Use privilege separation to cause the SSH process to drop root privileges when not needed.
Enable Print Last Log | Red Hat Enterprise Linux 7 | Enable PrintLastLog to display the user's last login time and date.
Use Only Strong MACs | Red Hat Enterprise Linux 7 | Only use strong MACs.
Set ClientAliveCountMax for User Logins | Red Hat Enterprise Linux 7 | The SSH ClientAliveCountMax should be set to an appropriate value (and dependencies are met).
Set OpenSSH Idle Timeout Interval | Red Hat Enterprise Linux 7 | The SSH idle timeout interval should be set to an appropriate value.
Set OpenSSH LogLevel to INFO | Red Hat Enterprise Linux 7 | The SSH LogLevel should be set to INFO.
Enable a Warning Banner | Red Hat Enterprise Linux 7 | The SSH warning banner should be enabled (and dependencies are met).
Use Only Strong Ciphers | Red Hat Enterprise Linux 7 | Only use strong ciphers.
Ensure insecure_locks is disabled | Red Hat Enterprise Linux 7 | Allowing insecure file locking could allow sensitive data to be viewed or edited by an unauthorized user.
Use Kerberos Security on All Exports | Red Hat Enterprise Linux 7 | Using Kerberos security allows a valid user to be cryptographically authenticated to an NFS share.
Mount Remote Filesystems with Kerberos Security | Red Hat Enterprise Linux 7 | The Kerberos security option should be enabled for all NFS mounts in /etc/fstab.
Verify user who owns 'cron.allow' file | Red Hat Enterprise Linux 7 | The /etc/cron.allow file should be owned by the appropriate user.
Verify group who owns 'cron.allow' file | Red Hat Enterprise Linux 7 | The /etc/cron.allow file should be owned by the appropriate group.
Postfix network listening should be disabled | Red Hat Enterprise Linux 7 | Postfix network listening should be disabled.
Configure Postfix Against Unnecessary Release of Information | Red Hat Enterprise Linux 7 | Protect against unnecessary release of information.
Disable DHCP Client | Red Hat Enterprise Linux 7 | DHCP configuration should be static for all interfaces.
Ensure SELinux support is enabled in Docker | Red Hat Enterprise Linux 7 | The Docker daemon should be configured to start with the --selinux-enabled option to enable SELinux for the daemon.
Use direct-lvm with device mapper storage driver | Red Hat Enterprise Linux 7 | To use Docker in production with the device mapper storage driver, the Docker daemon should be configured to use direct-lvm instead of a loopback device as storage.
Specify a Remote ntpd NTP Server for Time Data | Red Hat Enterprise Linux 7 | A remote ntpd NTP Server for time synchronization should be specified (and dependencies are met).
Configure Time Service Maxpoll Interval | Red Hat Enterprise Linux 7 | Configure the maxpoll setting in /etc/ntp.conf or chrony.conf to continuously poll the time source servers.
Specify Multiple Remote chronyd Or ntpd NTP Servers for Time Data | Red Hat Enterprise Linux 7 | Multiple remote chronyd or ntpd NTP Servers for time synchronization should be specified (and dependencies are met).
Service chronyd Or Service ntpd Enabled | Red Hat Enterprise Linux 7 | At least one of the chronyd or ntpd services should be enabled if possible.
Specify Multiple Remote ntpd NTP Server for Time Data | Red Hat Enterprise Linux 7 | Multiple ntpd NTP Servers for time synchronization should be specified.
Specify Remote NTP chronyd Or ntpd Server for Time Data | Red Hat Enterprise Linux 7 | A remote chronyd or ntpd NTP Server for time synchronization should be specified (and dependencies are met).
TFTP Daemon Uses Secure Mode | Red Hat Enterprise Linux 7 | The TFTP daemon should use secure mode.
No .shosts file deployed on the system | Red Hat Enterprise Linux 7 | There should not be any .shosts files on the system.
No shosts.equiv file deployed on the system | Red Hat Enterprise Linux 7 | There should not be any shosts.equiv files on the system.
No Legacy .rhosts Or hosts.equiv Files | Red Hat Enterprise Linux 7 | There should not be any .rhosts or hosts.equiv files on the system.
SNMP use newer protocols | Red Hat Enterprise Linux 7 | SNMP version 1 and 2c must not be enabled.
SNMP default communities disabled | Red Hat Enterprise Linux 7 | SNMP default communities must be removed.
Banner for FTP Users | Red Hat Enterprise Linux 7 | This setting will cause the system greeting banner to be used for FTP connections as well.
Banner for FTP Users | Red Hat Enterprise Linux 7 | To trace malicious activity facilitated by the FTP service, it must be configured to ensure that all commands sent to the FTP server are logged using the verbose vsftpd log format.
Enable SSL in Dovecot | Red Hat Enterprise Linux 7 | SSL capabilities should be enabled for the mail server.
Disable Plaintext Authentication in Dovecot | Red Hat Enterprise Linux 7 | Plaintext authentication of mail clients should be disabled.
Configure SSSD to Expire Offline Credentials | Red Hat Enterprise Linux 7 | SSSD should be configured to expire offline credentials after 1 day.
Configure PAM in SSSD Services | Red Hat Enterprise Linux 7 | SSSD should be configured to run SSSD PAM services.
Configure SSSD's Memory Cache to Expire | Red Hat Enterprise Linux 7 | SSSD's memory cache should be configured to expire records after 1 day.
Configure SSSD to Expire SSH Known Hosts | Red Hat Enterprise Linux 7 | SSSD should be configured to expire keys from known SSH hosts after 1 day.
Enable Smartcards in SSSD | Red Hat Enterprise Linux 7 | SSSD should be configured to authenticate access to the system using smart cards.
Configure SSSD LDAP Backend to Use TLS For All Transactions | Red Hat Enterprise Linux 7 | LDAP should be used for authentication and should use STARTTLS.
Configure SSSD LDAP Backend Client CA Certificate Location | Red Hat Enterprise Linux 7 | Configure SSSD to implement cryptography to protect the integrity of LDAP remote access sessions.
Enable the LDAP Client For Use in Authconfig | Red Hat Enterprise Linux 7 | Enable LDAP in authconfig.
Configure LDAP CA Certificate Path | Red Hat Enterprise Linux 7 | Require the use of TLS for LDAP clients.
Configure LDAP to Use TLS for All Transactions | Red Hat Enterprise Linux 7 | Require the use of TLS for LDAP clients.
Set Password dcredit Requirements | Red Hat Enterprise Linux 7 | The password dcredit should meet minimum requirements.
Set Password difok Requirements | Red Hat Enterprise Linux 7 | The password difok should meet minimum requirements.
Set Password lcredit Requirements | Red Hat Enterprise Linux 7 | The password lcredit should meet minimum requirements.
Set Password maxclassrepeat Requirements | Red Hat Enterprise Linux 7 | The password maxclassrepeat should meet minimum requirements.
Set Password maxrepeat Requirements | Red Hat Enterprise Linux 7 | The password maxrepeat should meet minimum requirements.
Set Password minclass Requirements | Red Hat Enterprise Linux 7 | The password minclass should meet minimum requirements.
Set Password minlen Requirements | Red Hat Enterprise Linux 7 | The password minlen should meet minimum requirements.
Set Password ocredit Requirements | Red Hat Enterprise Linux 7 | The password ocredit should meet minimum requirements.
Set Password ucredit Requirements | Red Hat Enterprise Linux 7 | The password ucredit should meet minimum requirements.
Verify /boot/efi/EFI/redhat/grub.cfg Group Owner | Red Hat Enterprise Linux 7 | This test makes sure that /boot/efi/EFI/redhat/grub.cfg is group owned by 0.
Verify /etc/group Group Owner | Red Hat Enterprise Linux 7 | This test makes sure that /etc/group is group owned by 0.
Verify /etc/gshadow Group Owner | Red Hat Enterprise Linux 7 | This test makes sure that /etc/gshadow is group owned by 0.
Verify /etc/passwd Group Owner | Red Hat Enterprise Linux 7 | This test makes sure that /etc/passwd is group owned by 0.
Verify /etc/shadow Group Owner | Red Hat Enterprise Linux 7 | This test makes sure that /etc/shadow is group owned by 0.
Verify /boot/grub2/grub.cfg Group Owner | Red Hat Enterprise Linux 7 | This test makes sure that /boot/grub2/grub.cfg is group owned by 0.
Verify /boot/efi/EFI/redhat/grub.cfg Owner | Red Hat Enterprise Linux 7 | This test makes sure that /boot/efi/EFI/redhat/grub.cfg is owned by 0.
Verify /etc/group Owner | Red Hat Enterprise Linux 7 | This test makes sure that /etc/group is owned by 0.
Verify /etc/gshadow Owner | Red Hat Enterprise Linux 7 | This test makes sure that /etc/gshadow is owned by 0.
Verify /etc/passwd Owner | Red Hat Enterprise Linux 7 | This test makes sure that /etc/passwd is owned by 0.
Verify /etc/shadow Owner | Red Hat Enterprise Linux 7 | This test makes sure that /etc/shadow is owned by 0.
Verify /boot/grub2/grub.cfg Owner | Red Hat Enterprise Linux 7 | This test makes sure that /boot/grub2/grub.cfg is owned by 0.
Verify /etc/cron.allow Mode Permissions | Red Hat Enterprise Linux 7 | This test makes sure that /etc/cron.allow has mode 0644. If the target file or directory has an extended ACL, then it will fail the mode check.
Verify /etc/group Mode Permissions | Red Hat Enterprise Linux 7 | This test makes sure that /etc/group has mode 0644. If the target file or directory has an extended ACL, then it will fail the mode check.
Verify /etc/gshadow Mode Permissions | Red Hat Enterprise Linux 7 | This test makes sure that /etc/gshadow has mode 0000. If the target file or directory has an extended ACL, then it will fail the mode check.
Verify /etc/passwd Mode Permissions | Red Hat Enterprise Linux 7 | This test makes sure that /etc/passwd has mode 0644. If the target file or directory has an extended ACL, then it will fail the mode check.
Verify /etc/shadow Mode Permissions | Red Hat Enterprise Linux 7 | This test makes sure that /etc/shadow has mode 0000. If the target file or directory has an extended ACL, then it will fail the mode check.
Verify /boot/grub2/grub.cfg Mode Permissions | Red Hat Enterprise Linux 7 | This test makes sure that /boot/grub2/grub.cfg has mode 0600. If the target file or directory has an extended ACL, then it will fail the mode check.
Verify /etc/httpd/conf.modules.d/^.*$ Mode Permissions | Red Hat Enterprise Linux 7 | This test makes sure that /etc/httpd/conf.modules.d/^.*$ has mode 0640. If the target file or directory has an extended ACL, then it will fail the mode check.
Verify /etc/ssh/^.*_key$ Mode Permissions | Red Hat Enterprise Linux 7 | This test makes sure that /etc/ssh/^.*_key$ has mode 0640. If the target file or directory has an extended ACL, then it will fail the mode check.
Verify /etc/ssh/^.*.pub$ Mode Permissions | Red Hat Enterprise Linux 7 | This test makes sure that /etc/ssh/^.*.pub$ has mode 0644. If the target file or directory has an extended ACL, then it will fail the mode check.
Disable bluetooth Kernel Module | Red Hat Enterprise Linux 7 | The kernel module bluetooth should be disabled.
Disable cramfs Kernel Module | Red Hat Enterprise Linux 7 | The kernel module cramfs should be disabled.
Disable dccp Kernel Module | Red Hat Enterprise Linux 7 | The kernel module dccp should be disabled.
Disable freevxfs Kernel Module | Red Hat Enterprise Linux 7 | The kernel module freevxfs should be disabled.
Disable hfs Kernel Module | Red Hat Enterprise Linux 7 | The kernel module hfs should be disabled.
Disable hfsplus Kernel Module | Red Hat Enterprise Linux 7 | The kernel module hfsplus should be disabled.
Disable jffs2 Kernel Module | Red Hat Enterprise Linux 7 | The kernel module jffs2 should be disabled.
Disable sctp Kernel Module | Red Hat Enterprise Linux 7 | The kernel module sctp should be disabled.
Disable squashfs Kernel Module | Red Hat Enterprise Linux 7 | The kernel module squashfs should be disabled.
Disable udf Kernel Module | Red Hat Enterprise Linux 7 | The kernel module udf should be disabled.
Disable usb-storage Kernel Module | Red Hat Enterprise Linux 7 | The kernel module usb-storage should be disabled.
Add nodev Option to /dev/shm | Red Hat Enterprise Linux 7 | /dev/shm should be mounted with mount option nodev.
Add noexec Option to /dev/shm | Red Hat Enterprise Linux 7 | /dev/shm should be mounted with mount option noexec.
Add nosuid Option to /dev/shm | Red Hat Enterprise Linux 7 | /dev/shm should be mounted with mount option nosuid.
Add nodev Option to /home | Red Hat Enterprise Linux 7 | /home should be mounted with mount option nodev.
Add nosuid Option to /home | Red Hat Enterprise Linux 7 | /home should be mounted with mount option nosuid.
Add nodev Option to /tmp | Red Hat Enterprise Linux 7 | /tmp should be mounted with mount option nodev.
Add noexec Option to /tmp | Red Hat Enterprise Linux 7 | /tmp should be mounted with mount option noexec.
Add nosuid Option to /tmp | Red Hat Enterprise Linux 7 | /tmp should be mounted with mount option nosuid.
Add nodev Option to /var/tmp | Red Hat Enterprise Linux 7 | /var/tmp should be mounted with mount option nodev.
Add noexec Option to /var/tmp | Red Hat Enterprise Linux 7 | /var/tmp should be mounted with mount option noexec.
Add nosuid Option to /var/tmp | Red Hat Enterprise Linux 7 | /var/tmp should be mounted with mount option nosuid.
Package abrt Removed | Red Hat Enterprise Linux 7 | The RPM package abrt should be removed.
Package acpid Removed | Red Hat Enterprise Linux 7 | The RPM package acpid should be removed.
Package aide Installed | Red Hat Enterprise Linux 7 | The RPM package aide should be installed.
Package at Removed | Red Hat Enterprise Linux 7 | The RPM package at should be removed.
Package audit Installed | Red Hat Enterprise Linux 7 | The RPM package audit should be installed.
Package authconfig-gtk Installed | Red Hat Enterprise Linux 7 | The RPM package authconfig-gtk should be installed.
Package autofs Removed | Red Hat Enterprise Linux 7 | The RPM package autofs should be removed.
Package avahi Removed | Red Hat Enterprise Linux 7 | The RPM package avahi should be removed.
Package bind Removed | Red Hat Enterprise Linux 7 | The RPM package bind should be removed.
Package bluez Removed | Red Hat Enterprise Linux 7 | The RPM package bluez should be removed.
Package certmonger Removed | Red Hat Enterprise Linux 7 | The RPM package certmonger should be removed.
Package chrony Installed | Red Hat Enterprise Linux 7 | The RPM package chrony should be installed.
Package cronie Installed | Red Hat Enterprise Linux 7 | The RPM package cronie should be installed.
Package cups Removed | Red Hat Enterprise Linux 7 | The RPM package cups should be removed.
Package cyrus-sasl Removed | Red Hat Enterprise Linux 7 | The RPM package cyrus-sasl should be removed.
Package dbus Removed | Red Hat Enterprise Linux 7 | The RPM package dbus should be removed.
Package dconf Installed | Red Hat Enterprise Linux 7 | The RPM package dconf should be installed.
Package dhcp Removed | Red Hat Enterprise Linux 7 | The RPM package dhcp should be removed.
Package docker Installed | Red Hat Enterprise Linux 7 | The RPM package docker should be installed.
Package dovecot Removed | Red Hat Enterprise Linux 7 | The RPM package dovecot should be removed.
Package esc Installed | Red Hat Enterprise Linux 7 | The RPM package esc should be installed.
Package firewalld Installed | Red Hat Enterprise Linux 7 | The RPM package firewalld should be installed.
Package gdm Installed | Red Hat Enterprise Linux 7 | The RPM package gdm should be installed.
Package gdm Removed | Red Hat Enterprise Linux 7 | The RPM package gdm should be removed.
Package httpd Removed | Red Hat Enterprise Linux 7 | The RPM package httpd should be removed.
Package iputils Removed | Red Hat Enterprise Linux 7 | The RPM package iputils should be removed.
Package irqbalance Installed | Red Hat Enterprise Linux 7 | The RPM package irqbalance should be installed.
Package kernel-tools Removed | Red Hat Enterprise Linux 7 | The RPM package kernel-tools should be removed.
Package kexec-tools Removed | Red Hat Enterprise Linux 7 | The RPM package kexec-tools should be removed.
Package libcgroup-tools Removed | Red Hat Enterprise Linux 7 | The RPM package libcgroup-tools should be removed.
Package libcgroup Removed | Red Hat Enterprise Linux 7 | The RPM package libcgroup should be removed.
Package libreswan Installed | Red Hat Enterprise Linux 7 | The RPM package libreswan should be installed.
Package mcstrans Removed | Red Hat Enterprise Linux 7 | The RPM package mcstrans should be removed.
Package mdadm Removed | Red Hat Enterprise Linux 7 | The RPM package mdadm should be removed.
Package net-snmp Removed | Red Hat Enterprise Linux 7 | The RPM package net-snmp should be removed.
Package nfs-utils Removed | Red Hat Enterprise Linux 7 | The RPM package nfs-utils should be removed.
Package ntp Installed | Red Hat Enterprise Linux 7 | The RPM package ntp should be installed.
Package ntp Removed | Red Hat Enterprise Linux 7 | The RPM package ntp should be removed.
Package ntpdate Removed | Red Hat Enterprise Linux 7 | The RPM package ntpdate should be removed.
Package oddjob Removed | Red Hat Enterprise Linux 7 | The RPM package oddjob should be removed.
Package openldap-servers Removed | Red Hat Enterprise Linux 7 | The RPM package openldap-servers should be removed.
Package opensc Installed | Red Hat Enterprise Linux 7 | The RPM package opensc should be installed.
Package openssh-server Installed | Red Hat Enterprise Linux 7 | The RPM package openssh-server should be installed.
Package openssh-server Removed | Red Hat Enterprise Linux 7 | The RPM package openssh-server should be removed.
Package pam_pkcs11 Installed | Red Hat Enterprise Linux 7 | The RPM package pam_pkcs11 should be installed.
Package pcsc-lite Installed | Red Hat Enterprise Linux 7 | The RPM package pcsc-lite should be installed.
Package policycoreutils Installed | Red Hat Enterprise Linux 7 | The RPM package policycoreutils should be installed.
Package portreserve Removed | Red Hat Enterprise Linux 7 | The RPM package portreserve should be removed.
Package postfix Installed | Red Hat Enterprise Linux 7 | The RPM package postfix should be installed.
Package prelink Removed | Red Hat Enterprise Linux 7 | The RPM package prelink should be removed.
Package psacct Installed | Red Hat Enterprise Linux 7 | The RPM package psacct should be installed.
Package qpid-cpp-server Removed | Red Hat Enterprise Linux 7 | The RPM package qpid-cpp-server should be removed.
Package quagga Removed | Red Hat Enterprise Linux 7 | The RPM package quagga should be removed.
Package quota-nld Removed | Red Hat Enterprise Linux 7 | The RPM package quota-nld should be removed.
Package rhnsd Removed | Red Hat Enterprise Linux 7 | The RPM package rhnsd should be removed.
Package rsh-server Removed | Red Hat Enterprise Linux 7 | The RPM package rsh-server should be removed.
Package rsh Removed | Red Hat Enterprise Linux 7 | The RPM package rsh should be removed.
Package rsyslog Installed | Red Hat Enterprise Linux 7 | The RPM package rsyslog should be installed.
Package samba-common Removed | Red Hat Enterprise Linux 7 | The RPM package samba-common should be removed.
Package samba Removed | Red Hat Enterprise Linux 7 | The RPM package samba should be removed.
Package screen Installed | Red Hat Enterprise Linux 7 | The RPM package screen should be installed.
Package sendmail Removed | Red Hat Enterprise Linux 7 | The RPM package sendmail should be removed.
Package setroubleshoot Removed | Red Hat Enterprise Linux 7 | The RPM package setroubleshoot should be removed.
Package smartmontools Removed | Red Hat Enterprise Linux 7 | The RPM package smartmontools should be removed.
Package squid Removed | Red Hat Enterprise Linux 7 | The RPM package squid should be removed.
Package sssd Installed | Red Hat Enterprise Linux 7 | The RPM package sssd should be installed.
Package sssd Removed | Red Hat Enterprise Linux 7 | The RPM package sssd should be removed.
Package subscription-manager Removed | Red Hat Enterprise Linux 7 | The RPM package subscription-manager should be removed.
Package sysstat Removed | Red Hat Enterprise Linux 7 | The RPM package sysstat should be removed.
Package systemd Installed | Red Hat Enterprise Linux 7 | The RPM package systemd should be installed.
Package systemd Removed | Red Hat Enterprise Linux 7 | The RPM package systemd should be removed.
Package talk-server Removed | Red Hat Enterprise Linux 7 | The RPM package talk-server should be removed.
Package talk Removed | Red Hat Enterprise Linux 7 | The RPM package talk should be removed.
Package tcp_wrappers Installed | Red Hat Enterprise Linux 7 | The RPM package tcp_wrappers should be installed.
Package telnet-server Removed | Red Hat Enterprise Linux 7 | The RPM package telnet-server should be removed.
Package telnet Removed | Red Hat Enterprise Linux 7 | The RPM package telnet should be removed.
Package tftp-server Removed | Red Hat Enterprise Linux 7 | The RPM package tftp-server should be removed.
Package tftp Removed | Red Hat Enterprise Linux 7 | The RPM package tftp should be removed.
Package vsftpd Installed | Red Hat Enterprise Linux 7 | The RPM package vsftpd should be installed.
Package vsftpd Removed | Red Hat Enterprise Linux 7 | The RPM package vsftpd should be removed.
Package xinetd Installed | Red Hat Enterprise Linux 7 | The RPM package xinetd should be installed.
Package xinetd Removed | Red Hat Enterprise Linux 7 | The RPM package xinetd should be removed.
Package xorg-x11-server-common Removed | Red Hat Enterprise Linux 7 | The RPM package xorg-x11-server-common should be removed.
Package ypbind Removed | Red Hat Enterprise Linux 7 | The RPM package ypbind should be removed.
Package ypserv Removed | Red Hat Enterprise Linux 7 | The RPM package ypserv should be removed.
Ensure /home Located On Separate Partition | Red Hat Enterprise Linux 7 | If stored locally, create a separate partition for /home. If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at this time, and the mountpoint can instead be configured later.
Ensure /tmp Located On Separate Partition | Red Hat Enterprise Linux 7 | If stored locally, create a separate partition for /tmp. If /tmp will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at this time, and the mountpoint can instead be configured later.
Ensure /var Located On Separate Partition | Red Hat Enterprise Linux 7 | If stored locally, create a separate partition for /var. If /var will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at this time, and the mountpoint can instead be configured later.
Ensure /var/log Located On Separate Partition | Red Hat Enterprise Linux 7 | If stored locally, create a separate partition for /var/log. If /var/log will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at this time, and the mountpoint can instead be configured later.
Ensure /var/log/audit Located On Separate Partition | Red Hat Enterprise Linux 7 | If stored locally, create a separate partition for /var/log/audit. If /var/log/audit will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at this time, and the mountpoint can instead be configured later.
Ensure /var/tmp Located On Separate Partition | Red Hat Enterprise Linux 7 | If stored locally, create a separate partition for /var/tmp. If /var/tmp will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at this time, and the mountpoint can instead be configured later.
Ensure Correct Mode, Owner, Group Owner for /etc/cron.allow | Red Hat Enterprise Linux 7 | Checks for correct UNIX permissions on /etc/cron.allow.
Ensure Correct Mode, Owner, Group Owner for /boot/efi/EFI/redhat/grub.cfg | Red Hat Enterprise Linux 7 | Checks for correct UNIX permissions on /boot/efi/EFI/redhat/grub.cfg.
Ensure Correct Mode, Owner, Group Owner for /etc/group | Red Hat Enterprise Linux 7 | Checks for correct UNIX permissions on /etc/group.
Ensure Correct Mode, Owner, Group Owner for /etc/gshadow | Red Hat Enterprise Linux 7 | Checks for correct UNIX permissions on /etc/gshadow.
Ensure Correct Mode, Owner, Group Owner for /etc/passwd | Red Hat Enterprise Linux 7 | Checks for correct UNIX permissions on /etc/passwd.
Ensure Correct Mode, Owner, Group Owner for /etc/shadow | Red Hat Enterprise Linux 7 | Checks for correct UNIX permissions on /etc/shadow.
Ensure Correct Mode, Owner, Group Owner for /boot/grub2/grub.cfg | Red Hat Enterprise Linux 7 | Checks for correct UNIX permissions on /boot/grub2/grub.cfg.
Ensure Correct Mode, Owner, Group Owner for /etc/httpd/conf.d/^.*$ | Red Hat Enterprise Linux 7 | Checks for correct UNIX permissions on /etc/httpd/conf.d/^.*$.
Ensure Correct Mode, Owner, Group Owner for /etc/httpd/conf/^.*$ | Red Hat Enterprise Linux 7 | Checks for correct UNIX permissions on /etc/httpd/conf/^.*$.
Ensure Correct Mode, Owner, Group Owner for /etc/httpd/conf.modules.d/^.*$ | Red Hat Enterprise Linux 7 | Checks for correct UNIX permissions on /etc/httpd/conf.modules.d/^.*$.
Ensure Correct Mode, Owner, Group Owner for /etc/ssh/^.*_key$ | Red Hat Enterprise Linux 7 | Checks for correct UNIX permissions on /etc/ssh/^.*_key$.
Ensure Correct Mode, Owner, Group Owner for /etc/ssh/^.*.pub$ | Red Hat Enterprise Linux 7 | Checks for correct UNIX permissions on /etc/ssh/^.*.pub$.
SELinux "SELinux" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "SELinux" boolean should be set in the system configuration.
SELinux "abrt_anon_write" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "abrt_anon_write" boolean should be set in the system configuration.
SELinux "abrt_handle_event" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "abrt_handle_event" boolean should be set in the system configuration.
SELinux "abrt_upload_watch_anon_write" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "abrt_upload_watch_anon_write" boolean should be set in the system configuration.
SELinux "antivirus_can_scan_system" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "antivirus_can_scan_system" boolean should be set in the system configuration.
SELinux "antivirus_use_jit" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "antivirus_use_jit" boolean should be set in the system configuration.
SELinux "auditadm_exec_content" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "auditadm_exec_content" boolean should be set in the system configuration.
SELinux "authlogin_nsswitch_use_ldap" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "authlogin_nsswitch_use_ldap" boolean should be set in the system configuration.
SELinux "authlogin_radius" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "authlogin_radius" boolean should be set in the system configuration.
SELinux "authlogin_yubikey" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "authlogin_yubikey" boolean should be set in the system configuration.
SELinux "awstats_purge_apache_log_files" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "awstats_purge_apache_log_files" boolean should be set in the system configuration.
SELinux "boinc_execmem" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "boinc_execmem" boolean should be set in the system configuration.
SELinux "cdrecord_read_content" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "cdrecord_read_content" boolean should be set in the system configuration.
SELinux "cluster_can_network_connect" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "cluster_can_network_connect" boolean should be set in the system configuration.
SELinux "cluster_manage_all_files" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "cluster_manage_all_files" boolean should be set in the system configuration.
SELinux "cluster_use_execmem" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "cluster_use_execmem" boolean should be set in the system configuration.
SELinux "cobbler_anon_write" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "cobbler_anon_write" boolean should be set in the system configuration.
SELinux "cobbler_can_network_connect" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "cobbler_can_network_connect" boolean should be set in the system configuration.
SELinux "cobbler_use_cifs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "cobbler_use_cifs" boolean should be set in the system configuration.
SELinux "cobbler_use_nfs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "cobbler_use_nfs" boolean should be set in the system configuration.
SELinux "collectd_tcp_network_connect" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "collectd_tcp_network_connect" boolean should be set in the system configuration.
SELinux "condor_tcp_network_connect" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "condor_tcp_network_connect" boolean should be set in the system configuration.
SELinux "conman_can_network" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "conman_can_network" boolean should be set in the system configuration.
SELinux "container_connect_any" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "container_connect_any" boolean should be set in the system configuration.
SELinux "cron_can_relabel" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "cron_can_relabel" boolean should be set in the system configuration.
SELinux "cron_system_cronjob_use_shares" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "cron_system_cronjob_use_shares" boolean should be set in the system configuration.
SELinux "cron_userdomain_transition" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "cron_userdomain_transition" boolean should be set in the system configuration.
SELinux "cups_execmem" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "cups_execmem" boolean should be set in the system configuration.
SELinux "cvs_read_shadow" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "cvs_read_shadow" boolean should be set in the system configuration.
SELinux "daemons_dump_core" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "daemons_dump_core" boolean should be set in the system configuration.
SELinux "daemons_enable_cluster_mode" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "daemons_enable_cluster_mode" boolean should be set in the system configuration.
SELinux "daemons_use_tcp_wrapper" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "daemons_use_tcp_wrapper" boolean should be set in the system configuration.
SELinux "daemons_use_tty" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "daemons_use_tty" boolean should be set in the system configuration.
SELinux "dbadm_exec_content" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "dbadm_exec_content" boolean should be set in the system configuration.
SELinux "dbadm_manage_user_files" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "dbadm_manage_user_files" boolean should be set in the system configuration.
SELinux "dbadm_read_user_files" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "dbadm_read_user_files" boolean should be set in the system configuration.
SELinux "deny_execmem" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "deny_execmem" boolean should be set in the system configuration.
SELinux "deny_ptrace" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "deny_ptrace" boolean should be set in the system configuration.
SELinux "dhcpc_exec_iptables" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "dhcpc_exec_iptables" boolean should be set in the system configuration.
SELinux "dhcpd_use_ldap" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "dhcpd_use_ldap" boolean should be set in the system configuration.
SELinux "domain_fd_use" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "domain_fd_use" boolean should be set in the system configuration.
SELinux "domain_kernel_load_modules" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "domain_kernel_load_modules" boolean should be set in the system configuration.
SELinux "entropyd_use_audio" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "entropyd_use_audio" boolean should be set in the system configuration.
SELinux "exim_can_connect_db" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "exim_can_connect_db" boolean should be set in the system configuration.
SELinux "exim_manage_user_files" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "exim_manage_user_files" boolean should be set in the system configuration.
SELinux "exim_read_user_files" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "exim_read_user_files" boolean should be set in the system configuration.
SELinux "fcron_crond" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "fcron_crond" boolean should be set in the system configuration.
SELinux "fenced_can_network_connect" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "fenced_can_network_connect" boolean should be set in the system configuration.
SELinux "fenced_can_ssh" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "fenced_can_ssh" boolean should be set in the system configuration.
SELinux "fips_mode" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "fips_mode" boolean should be set in the system configuration.
SELinux "ftpd_anon_write" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "ftpd_anon_write" boolean should be set in the system configuration.
SELinux "ftpd_connect_all_unreserved" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "ftpd_connect_all_unreserved" boolean should be set in the system configuration.
SELinux "ftpd_connect_db" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "ftpd_connect_db" boolean should be set in the system configuration.
SELinux "ftpd_full_access" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "ftpd_full_access" boolean should be set in the system configuration.
SELinux "ftpd_use_cifs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "ftpd_use_cifs" boolean should be set in the system configuration.
SELinux "ftpd_use_fusefs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "ftpd_use_fusefs" boolean should be set in the system configuration.
SELinux "ftpd_use_nfs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "ftpd_use_nfs" boolean should be set in the system configuration.
SELinux "ftpd_use_passive_mode" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "ftpd_use_passive_mode" boolean should be set in the system configuration.
SELinux "git_cgi_enable_homedirs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "git_cgi_enable_homedirs" boolean should be set in the system configuration.
SELinux "git_cgi_use_cifs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "git_cgi_use_cifs" boolean should be set in the system configuration.
SELinux "git_cgi_use_nfs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "git_cgi_use_nfs" boolean should be set in the system configuration.
SELinux "git_session_bind_all_unreserved_ports" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "git_session_bind_all_unreserved_ports" boolean should be set in the system configuration.
SELinux "git_session_users" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "git_session_users" boolean should be set in the system configuration.
SELinux "git_system_enable_homedirs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "git_system_enable_homedirs" boolean should be set in the system configuration.
SELinux "git_system_use_cifs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "git_system_use_cifs" boolean should be set in the system configuration.
SELinux "git_system_use_nfs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "git_system_use_nfs" boolean should be set in the system configuration.
SELinux "gitosis_can_sendmail" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "gitosis_can_sendmail" boolean should be set in the system configuration.
SELinux "glance_api_can_network" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "glance_api_can_network" boolean should be set in the system configuration.
SELinux "glance_use_execmem" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "glance_use_execmem" boolean should be set in the system configuration.
SELinux "glance_use_fusefs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "glance_use_fusefs" boolean should be set in the system configuration.
SELinux "global_ssp" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "global_ssp" boolean should be set in the system configuration.
SELinux "gluster_anon_write" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "gluster_anon_write" boolean should be set in the system configuration.
SELinux "gluster_export_all_ro" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "gluster_export_all_ro" boolean should be set in the system configuration.
SELinux "gluster_export_all_rw" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "gluster_export_all_rw" boolean should be set in the system configuration.
SELinux "gpg_web_anon_write" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "gpg_web_anon_write" boolean should be set in the system configuration.
SELinux "gssd_read_tmp" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "gssd_read_tmp" boolean should be set in the system configuration.
SELinux "guest_exec_content" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "guest_exec_content" boolean should be set in the system configuration.
SELinux "haproxy_connect_any" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "haproxy_connect_any" boolean should be set in the system configuration.
SELinux "httpd_anon_write" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_anon_write" boolean should be set in the system configuration.
SELinux "httpd_builtin_scripting" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_builtin_scripting" boolean should be set in the system configuration.
SELinux "httpd_can_check_spam" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_can_check_spam" boolean should be set in the system configuration.
SELinux "httpd_can_connect_ftp" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_can_connect_ftp" boolean should be set in the system configuration.
SELinux "httpd_can_connect_ldap" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_can_connect_ldap" boolean should be set in the system configuration.
SELinux "httpd_can_connect_mythtv" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_can_connect_mythtv" boolean should be set in the system configuration.
SELinux "httpd_can_connect_zabbix" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_can_connect_zabbix" boolean should be set in the system configuration.
SELinux "httpd_can_network_connect" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_can_network_connect" boolean should be set in the system configuration.
SELinux "httpd_can_network_connect_cobbler" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_can_network_connect_cobbler" boolean should be set in the system configuration.
SELinux "httpd_can_network_connect_db" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_can_network_connect_db" boolean should be set in the system configuration.
SELinux "httpd_can_network_memcache" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_can_network_memcache" boolean should be set in the system configuration.
SELinux "httpd_can_network_relay" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_can_network_relay" boolean should be set in the system configuration.
SELinux "httpd_can_sendmail" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_can_sendmail" boolean should be set in the system configuration.
SELinux "httpd_dbus_avahi" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_dbus_avahi" boolean should be set in the system configuration.
SELinux "httpd_dbus_sssd" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_dbus_sssd" boolean should be set in the system configuration.
SELinux "httpd_dontaudit_search_dirs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_dontaudit_search_dirs" boolean should be set in the system configuration.
SELinux "httpd_enable_cgi" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_enable_cgi" boolean should be set in the system configuration.
SELinux "httpd_enable_ftp_server" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_enable_ftp_server" boolean should be set in the system configuration.
SELinux "httpd_enable_homedirs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_enable_homedirs" boolean should be set in the system configuration.
SELinux "httpd_execmem" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_execmem" boolean should be set in the system configuration.
SELinux "httpd_graceful_shutdown" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_graceful_shutdown" boolean should be set in the system configuration.
SELinux "httpd_manage_ipa" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_manage_ipa" boolean should be set in the system configuration.
SELinux "httpd_mod_auth_ntlm_winbind" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_mod_auth_ntlm_winbind" boolean should be set in the system configuration.
SELinux "httpd_mod_auth_pam" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_mod_auth_pam" boolean should be set in the system configuration.
SELinux "httpd_read_user_content" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_read_user_content" boolean should be set in the system configuration.
SELinux "httpd_run_ipa" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_run_ipa" boolean should be set in the system configuration.
SELinux "httpd_run_preupgrade" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_run_preupgrade" boolean should be set in the system configuration.
SELinux "httpd_run_stickshift" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_run_stickshift" boolean should be set in the system configuration.
SELinux "httpd_serve_cobbler_files" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_serve_cobbler_files" boolean should be set in the system configuration.
SELinux "httpd_setrlimit" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_setrlimit" boolean should be set in the system configuration.
SELinux "httpd_ssi_exec" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_ssi_exec" boolean should be set in the system configuration.
SELinux "httpd_sys_script_anon_write" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_sys_script_anon_write" boolean should be set in the system configuration.
SELinux "httpd_tmp_exec" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_tmp_exec" boolean should be set in the system configuration.
SELinux "httpd_tty_comm" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_tty_comm" boolean should be set in the system configuration.
SELinux "httpd_unified" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_unified" boolean should be set in the system configuration.
SELinux "httpd_use_cifs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_use_cifs" boolean should be set in the system configuration.
SELinux "httpd_use_fusefs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_use_fusefs" boolean should be set in the system configuration.
SELinux "httpd_use_gpg" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_use_gpg" boolean should be set in the system configuration.
SELinux "httpd_use_nfs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_use_nfs" boolean should be set in the system configuration.
SELinux "httpd_use_openstack" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_use_openstack" boolean should be set in the system configuration.
SELinux "httpd_use_sasl" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_use_sasl" boolean should be set in the system configuration.
SELinux "httpd_verify_dns" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "httpd_verify_dns" boolean should be set in the system configuration.
SELinux "icecast_use_any_tcp_ports" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "icecast_use_any_tcp_ports" boolean should be set in the system configuration.
SELinux "irc_use_any_tcp_ports" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "irc_use_any_tcp_ports" boolean should be set in the system configuration.
SELinux "irssi_use_full_network" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "irssi_use_full_network" boolean should be set in the system configuration.
SELinux "kdumpgui_run_bootloader" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "kdumpgui_run_bootloader" boolean should be set in the system configuration.
SELinux "kerberos_enabled" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "kerberos_enabled" boolean should be set in the system configuration.
SELinux "ksmtuned_use_cifs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "ksmtuned_use_cifs" boolean should be set in the system configuration.
SELinux "ksmtuned_use_nfs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "ksmtuned_use_nfs" boolean should be set in the system configuration.
SELinux "logadm_exec_content" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "logadm_exec_content" boolean should be set in the system configuration.
SELinux "logging_syslogd_can_sendmail" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "logging_syslogd_can_sendmail" boolean should be set in the system configuration.
SELinux "logging_syslogd_run_nagios_plugins" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "logging_syslogd_run_nagios_plugins" boolean should be set in the system configuration.
SELinux "logging_syslogd_use_tty" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "logging_syslogd_use_tty" boolean should be set in the system configuration.
SELinux "login_console_enabled" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "login_console_enabled" boolean should be set in the system configuration.
SELinux "logrotate_use_nfs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "logrotate_use_nfs" boolean should be set in the system configuration.
SELinux "logwatch_can_network_connect_mail" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "logwatch_can_network_connect_mail" boolean should be set in the system configuration.
SELinux "lsmd_plugin_connect_any" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "lsmd_plugin_connect_any" boolean should be set in the system configuration.
SELinux "mailman_use_fusefs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mailman_use_fusefs" boolean should be set in the system configuration.
SELinux "mcelog_client" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mcelog_client" boolean should be set in the system configuration.
SELinux "mcelog_exec_scripts" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mcelog_exec_scripts" boolean should be set in the system configuration.
SELinux "mcelog_foreground" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mcelog_foreground" boolean should be set in the system configuration.
SELinux "mcelog_server" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mcelog_server" boolean should be set in the system configuration.
SELinux "minidlna_read_generic_user_content" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "minidlna_read_generic_user_content" boolean should be set in the system configuration.
SELinux "mmap_low_allowed" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mmap_low_allowed" boolean should be set in the system configuration.
SELinux "mock_enable_homedirs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mock_enable_homedirs" boolean should be set in the system configuration.
SELinux "mount_anyfile" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mount_anyfile" boolean should be set in the system configuration.
SELinux "mozilla_plugin_bind_unreserved_ports" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mozilla_plugin_bind_unreserved_ports" boolean should be set in the system configuration.
SELinux "mozilla_plugin_can_network_connect" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mozilla_plugin_can_network_connect" boolean should be set in the system configuration.
SELinux "mozilla_plugin_use_bluejeans" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mozilla_plugin_use_bluejeans" boolean should be set in the system configuration.
SELinux "mozilla_plugin_use_gps" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mozilla_plugin_use_gps" boolean should be set in the system configuration.
SELinux "mozilla_plugin_use_spice" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mozilla_plugin_use_spice" boolean should be set in the system configuration.
SELinux "mozilla_read_content" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mozilla_read_content" boolean should be set in the system configuration.
SELinux "mpd_enable_homedirs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mpd_enable_homedirs" boolean should be set in the system configuration.
SELinux "mpd_use_cifs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mpd_use_cifs" boolean should be set in the system configuration.
SELinux "mpd_use_nfs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mpd_use_nfs" boolean should be set in the system configuration.
SELinux "mplayer_execstack" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mplayer_execstack" boolean should be set in the system configuration.
SELinux "mysql_connect_any" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "mysql_connect_any" boolean should be set in the system configuration.
SELinux "nagios_run_pnp4nagios" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "nagios_run_pnp4nagios" boolean should be set in the system configuration.
SELinux "nagios_run_sudo" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "nagios_run_sudo" boolean should be set in the system configuration.
SELinux "named_tcp_bind_http_port" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "named_tcp_bind_http_port" boolean should be set in the system configuration.
SELinux "named_write_master_zones" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "named_write_master_zones" boolean should be set in the system configuration.
SELinux "neutron_can_network" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "neutron_can_network" boolean should be set in the system configuration.
SELinux "nfs_export_all_ro" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "nfs_export_all_ro" boolean should be set in the system configuration.
SELinux "nfs_export_all_rw" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "nfs_export_all_rw" boolean should be set in the system configuration.
SELinux "nfsd_anon_write" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "nfsd_anon_write" boolean should be set in the system configuration.
SELinux "nis_enabled" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "nis_enabled" boolean should be set in the system configuration.
SELinux "nscd_use_shm" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "nscd_use_shm" boolean should be set in the system configuration.
SELinux "openshift_use_nfs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "openshift_use_nfs" boolean should be set in the system configuration.
SELinux "openvpn_can_network_connect" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "openvpn_can_network_connect" boolean should be set in the system configuration.
SELinux "openvpn_enable_homedirs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "openvpn_enable_homedirs" boolean should be set in the system configuration.
SELinux "openvpn_run_unconfined" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "openvpn_run_unconfined" boolean should be set in the system configuration.
SELinux "pcp_bind_all_unreserved_ports" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "pcp_bind_all_unreserved_ports" boolean should be set in the system configuration.
SELinux "pcp_read_generic_logs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "pcp_read_generic_logs" boolean should be set in the system configuration.
SELinux "piranha_lvs_can_network_connect" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "piranha_lvs_can_network_connect" boolean should be set in the system configuration.
SELinux "polipo_connect_all_unreserved" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "polipo_connect_all_unreserved" boolean should be set in the system configuration.
SELinux "polipo_session_bind_all_unreserved_ports" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "polipo_session_bind_all_unreserved_ports" boolean should be set in the system configuration.
SELinux "polipo_session_users" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "polipo_session_users" boolean should be set in the system configuration.
SELinux "polipo_use_cifs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "polipo_use_cifs" boolean should be set in the system configuration.
SELinux "polipo_use_nfs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "polipo_use_nfs" boolean should be set in the system configuration.
SELinux "polyinstantiation_enabled" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "polyinstantiation_enabled" boolean should be set in the system configuration.
SELinux "postfix_local_write_mail_spool" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "postfix_local_write_mail_spool" boolean should be set in the system configuration.
SELinux "postgresql_can_rsync" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "postgresql_can_rsync" boolean should be set in the system configuration.
SELinux "postgresql_selinux_transmit_client_label" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "postgresql_selinux_transmit_client_label" boolean should be set in the system configuration.
SELinux "postgresql_selinux_unconfined_dbadm" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "postgresql_selinux_unconfined_dbadm" boolean should be set in the system configuration.
SELinux "postgresql_selinux_users_ddl" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "postgresql_selinux_users_ddl" boolean should be set in the system configuration.
SELinux "pppd_can_insmod" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "pppd_can_insmod" boolean should be set in the system configuration.
SELinux "pppd_for_user" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "pppd_for_user" boolean should be set in the system configuration.
SELinux "privoxy_connect_any" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "privoxy_connect_any" boolean should be set in the system configuration.
SELinux "prosody_bind_http_port" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "prosody_bind_http_port" boolean should be set in the system configuration.
SELinux "puppetagent_manage_all_files" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "puppetagent_manage_all_files" boolean should be set in the system configuration.
SELinux "puppetmaster_use_db" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "puppetmaster_use_db" boolean should be set in the system configuration.
SELinux "racoon_read_shadow" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "racoon_read_shadow" boolean should be set in the system configuration.
SELinux "rsync_anon_write" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "rsync_anon_write" boolean should be set in the system configuration.
SELinux "rsync_client" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "rsync_client" boolean should be set in the system configuration.
SELinux "rsync_export_all_ro" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "rsync_export_all_ro" boolean should be set in the system configuration.
SELinux "rsync_full_access" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "rsync_full_access" boolean should be set in the system configuration.
SELinux "samba_create_home_dirs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "samba_create_home_dirs" boolean should be set in the system configuration.
SELinux "samba_domain_controller" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "samba_domain_controller" boolean should be set in the system configuration.
SELinux "samba_enable_home_dirs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "samba_enable_home_dirs" boolean should be set in the system configuration.
SELinux "samba_export_all_ro" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "samba_export_all_ro" boolean should be set in the system configuration.
SELinux "samba_export_all_rw" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "samba_export_all_rw" boolean should be set in the system configuration.
SELinux "samba_load_libgfapi" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "samba_load_libgfapi" boolean should be set in the system configuration.
SELinux "samba_portmapper" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "samba_portmapper" boolean should be set in the system configuration.
SELinux "samba_run_unconfined" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "samba_run_unconfined" boolean should be set in the system configuration.
SELinux "samba_share_fusefs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "samba_share_fusefs" boolean should be set in the system configuration.
SELinux "samba_share_nfs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "samba_share_nfs" boolean should be set in the system configuration.
SELinux "sanlock_use_fusefs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "sanlock_use_fusefs" boolean should be set in the system configuration.
SELinux "sanlock_use_nfs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "sanlock_use_nfs" boolean should be set in the system configuration.
SELinux "sanlock_use_samba" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "sanlock_use_samba" boolean should be set in the system configuration.
SELinux "saslauthd_read_shadow" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "saslauthd_read_shadow" boolean should be set in the system configuration.
SELinux "secadm_exec_content" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "secadm_exec_content" boolean should be set in the system configuration.
SELinux "secure_mode" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "secure_mode" boolean should be set in the system configuration.
SELinux "secure_mode_insmod" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "secure_mode_insmod" boolean should be set in the system configuration.
SELinux "secure_mode_policyload" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "secure_mode_policyload" boolean should be set in the system configuration.
SELinux "selinuxuser_direct_dri_enabled" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "selinuxuser_direct_dri_enabled" boolean should be set in the system configuration.
SELinux "selinuxuser_execheap" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "selinuxuser_execheap" boolean should be set in the system configuration.
SELinux "selinuxuser_execmod" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "selinuxuser_execmod" boolean should be set in the system configuration.
SELinux "selinuxuser_execstack" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "selinuxuser_execstack" boolean should be set in the system configuration.
SELinux "selinuxuser_mysql_connect_enabled" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "selinuxuser_mysql_connect_enabled" boolean should be set in the system configuration.
SELinux "selinuxuser_ping" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "selinuxuser_ping" boolean should be set in the system configuration.
SELinux "selinuxuser_postgresql_connect_enabled" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "selinuxuser_postgresql_connect_enabled" boolean should be set in the system configuration.
SELinux "selinuxuser_rw_noexattrfile" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "selinuxuser_rw_noexattrfile" boolean should be set in the system configuration.
SELinux "selinuxuser_share_music" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "selinuxuser_share_music" boolean should be set in the system configuration.
SELinux "selinuxuser_tcp_server" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "selinuxuser_tcp_server" boolean should be set in the system configuration.
SELinux "selinuxuser_udp_server" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "selinuxuser_udp_server" boolean should be set in the system configuration.
SELinux "selinuxuser_use_ssh_chroot" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "selinuxuser_use_ssh_chroot" boolean should be set in the system configuration.
SELinux "sge_domain_can_network_connect" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "sge_domain_can_network_connect" boolean should be set in the system configuration.
SELinux "sge_use_nfs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "sge_use_nfs" boolean should be set in the system configuration.
SELinux "smartmon_3ware" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "smartmon_3ware" boolean should be set in the system configuration.
SELinux "smbd_anon_write" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "smbd_anon_write" boolean should be set in the system configuration.
SELinux "spamassassin_can_network" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "spamassassin_can_network" boolean should be set in the system configuration.
SELinux "spamd_enable_home_dirs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "spamd_enable_home_dirs" boolean should be set in the system configuration.
SELinux "squid_connect_any" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "squid_connect_any" boolean should be set in the system configuration.
SELinux "squid_use_tproxy" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "squid_use_tproxy" boolean should be set in the system configuration.
SELinux "ssh_chroot_rw_homedirs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "ssh_chroot_rw_homedirs" boolean should be set in the system configuration.
SELinux "ssh_keysign" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "ssh_keysign" boolean should be set in the system configuration.
SELinux "ssh_sysadm_login" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "ssh_sysadm_login" boolean should be set in the system configuration.
SELinux "staff_exec_content" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "staff_exec_content" boolean should be set in the system configuration.
SELinux "staff_use_svirt" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "staff_use_svirt" boolean should be set in the system configuration.
SELinux "swift_can_network" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "swift_can_network" boolean should be set in the system configuration.
SELinux "sysadm_exec_content" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "sysadm_exec_content" boolean should be set in the system configuration.
SELinux "telepathy_connect_all_ports" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "telepathy_connect_all_ports" boolean should be set in the system configuration.
SELinux "telepathy_tcp_connect_generic_network_ports" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "telepathy_tcp_connect_generic_network_ports" boolean should be set in the system configuration.
SELinux "tftp_anon_write" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "tftp_anon_write" boolean should be set in the system configuration.
SELinux "tftp_home_dir" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "tftp_home_dir" boolean should be set in the system configuration.
SELinux "tmpreaper_use_nfs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "tmpreaper_use_nfs" boolean should be set in the system configuration.
SELinux "tmpreaper_use_samba" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "tmpreaper_use_samba" boolean should be set in the system configuration.
SELinux "tor_bind_all_unreserved_ports" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "tor_bind_all_unreserved_ports" boolean should be set in the system configuration.
SELinux "tor_can_network_relay" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "tor_can_network_relay" boolean should be set in the system configuration.
SELinux "unconfined_chrome_sandbox_transition" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "unconfined_chrome_sandbox_transition" boolean should be set in the system configuration.
SELinux "unconfined_login" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "unconfined_login" boolean should be set in the system configuration.
SELinux "unconfined_mozilla_plugin_transition" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "unconfined_mozilla_plugin_transition" boolean should be set in the system configuration.
SELinux "unprivuser_use_svirt" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "unprivuser_use_svirt" boolean should be set in the system configuration.
SELinux "use_ecryptfs_home_dirs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "use_ecryptfs_home_dirs" boolean should be set in the system configuration.
SELinux "use_fusefs_home_dirs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "use_fusefs_home_dirs" boolean should be set in the system configuration.
SELinux "use_lpd_server" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "use_lpd_server" boolean should be set in the system configuration.
SELinux "use_nfs_home_dirs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "use_nfs_home_dirs" boolean should be set in the system configuration.
SELinux "use_samba_home_dirs" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "use_samba_home_dirs" boolean should be set in the system configuration.
SELinux "user_exec_content" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "user_exec_content" boolean should be set in the system configuration.
SELinux "varnishd_connect_any" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "varnishd_connect_any" boolean should be set in the system configuration.
SELinux "virt_read_qemu_ga_data" Boolean Check | Red Hat Enterprise Linux 7 | The SELinux "virt_read_qemu_ga_data" boolean should be set in the system configuration.
SELinux "virt_rw_qemu_ga_data" Boolean Check Red Hat Enterprise Linux 7 The SELinux "virt_rw_qemu_ga_data" boolean should be set in the system configuration. SELinux "virt_sandbox_use_all_caps" Boolean Check Red Hat Enterprise Linux 7 The SELinux "virt_sandbox_use_all_caps" boolean should be set in the system configuration. SELinux "virt_sandbox_use_audit" Boolean Check Red Hat Enterprise Linux 7 The SELinux "virt_sandbox_use_audit" boolean should be set in the system configuration. SELinux "virt_sandbox_use_mknod" Boolean Check Red Hat Enterprise Linux 7 The SELinux "virt_sandbox_use_mknod" boolean should be set in the system configuration. SELinux "virt_sandbox_use_netlink" Boolean Check Red Hat Enterprise Linux 7 The SELinux "virt_sandbox_use_netlink" boolean should be set in the system configuration. SELinux "virt_sandbox_use_sys_admin" Boolean Check Red Hat Enterprise Linux 7 The SELinux "virt_sandbox_use_sys_admin" boolean should be set in the system configuration. SELinux "virt_transition_userdomain" Boolean Check Red Hat Enterprise Linux 7 The SELinux "virt_transition_userdomain" boolean should be set in the system configuration. SELinux "virt_use_comm" Boolean Check Red Hat Enterprise Linux 7 The SELinux "virt_use_comm" boolean should be set in the system configuration. SELinux "virt_use_execmem" Boolean Check Red Hat Enterprise Linux 7 The SELinux "virt_use_execmem" boolean should be set in the system configuration. SELinux "virt_use_fusefs" Boolean Check Red Hat Enterprise Linux 7 The SELinux "virt_use_fusefs" boolean should be set in the system configuration. SELinux "virt_use_nfs" Boolean Check Red Hat Enterprise Linux 7 The SELinux "virt_use_nfs" boolean should be set in the system configuration. SELinux "virt_use_rawip" Boolean Check Red Hat Enterprise Linux 7 The SELinux "virt_use_rawip" boolean should be set in the system configuration. 
SELinux "virt_use_samba" Boolean Check Red Hat Enterprise Linux 7 The SELinux "virt_use_samba" boolean should be set in the system configuration. SELinux "virt_use_sanlock" Boolean Check Red Hat Enterprise Linux 7 The SELinux "virt_use_sanlock" boolean should be set in the system configuration. SELinux "virt_use_usb" Boolean Check Red Hat Enterprise Linux 7 The SELinux "virt_use_usb" boolean should be set in the system configuration. SELinux "virt_use_xserver" Boolean Check Red Hat Enterprise Linux 7 The SELinux "virt_use_xserver" boolean should be set in the system configuration. SELinux "webadm_manage_user_files" Boolean Check Red Hat Enterprise Linux 7 The SELinux "webadm_manage_user_files" boolean should be set in the system configuration. SELinux "webadm_read_user_files" Boolean Check Red Hat Enterprise Linux 7 The SELinux "webadm_read_user_files" boolean should be set in the system configuration. SELinux "wine_mmap_zero_ignore" Boolean Check Red Hat Enterprise Linux 7 The SELinux "wine_mmap_zero_ignore" boolean should be set in the system configuration. SELinux "xdm_bind_vnc_tcp_port" Boolean Check Red Hat Enterprise Linux 7 The SELinux "xdm_bind_vnc_tcp_port" boolean should be set in the system configuration. SELinux "xdm_exec_bootloader" Boolean Check Red Hat Enterprise Linux 7 The SELinux "xdm_exec_bootloader" boolean should be set in the system configuration. SELinux "xdm_sysadm_login" Boolean Check Red Hat Enterprise Linux 7 The SELinux "xdm_sysadm_login" boolean should be set in the system configuration. SELinux "xdm_write_home" Boolean Check Red Hat Enterprise Linux 7 The SELinux "xdm_write_home" boolean should be set in the system configuration. SELinux "xen_use_nfs" Boolean Check Red Hat Enterprise Linux 7 The SELinux "xen_use_nfs" boolean should be set in the system configuration. SELinux "xend_run_blktap" Boolean Check Red Hat Enterprise Linux 7 The SELinux "xend_run_blktap" boolean should be set in the system configuration. 
SELinux "xend_run_qemu" Boolean Check Red Hat Enterprise Linux 7 The SELinux "xend_run_qemu" boolean should be set in the system configuration. SELinux "xguest_connect_network" Boolean Check Red Hat Enterprise Linux 7 The SELinux "xguest_connect_network" boolean should be set in the system configuration. SELinux "xguest_exec_content" Boolean Check Red Hat Enterprise Linux 7 The SELinux "xguest_exec_content" boolean should be set in the system configuration. SELinux "xguest_mount_media" Boolean Check Red Hat Enterprise Linux 7 The SELinux "xguest_mount_media" boolean should be set in the system configuration. SELinux "xguest_use_bluetooth" Boolean Check Red Hat Enterprise Linux 7 The SELinux "xguest_use_bluetooth" boolean should be set in the system configuration. SELinux "xserver_clients_write_xshm" Boolean Check Red Hat Enterprise Linux 7 The SELinux "xserver_clients_write_xshm" boolean should be set in the system configuration. SELinux "xserver_execmem" Boolean Check Red Hat Enterprise Linux 7 The SELinux "xserver_execmem" boolean should be set in the system configuration. SELinux "xserver_object_manager" Boolean Check Red Hat Enterprise Linux 7 The SELinux "xserver_object_manager" boolean should be set in the system configuration. SELinux "zabbix_can_network" Boolean Check Red Hat Enterprise Linux 7 The SELinux "zabbix_can_network" boolean should be set in the system configuration. SELinux "zarafa_setrlimit" Boolean Check Red Hat Enterprise Linux 7 The SELinux "zarafa_setrlimit" boolean should be set in the system configuration. SELinux "zebra_write_config" Boolean Check Red Hat Enterprise Linux 7 The SELinux "zebra_write_config" boolean should be set in the system configuration. SELinux "zoneminder_anon_write" Boolean Check Red Hat Enterprise Linux 7 The SELinux "zoneminder_anon_write" boolean should be set in the system configuration. 
SELinux "zoneminder_run_sudo" Boolean Check Red Hat Enterprise Linux 7 The SELinux "zoneminder_run_sudo" boolean should be set in the system configuration. Service abrtd Disabled Red Hat Enterprise Linux 7 The abrtd service should be disabled if possible. Service acpid Disabled Red Hat Enterprise Linux 7 The acpid service should be disabled if possible. Service atd Disabled Red Hat Enterprise Linux 7 The atd service should be disabled if possible. Service auditd Enabled Red Hat Enterprise Linux 7 The auditd service should be enabled if possible. Service autofs Disabled Red Hat Enterprise Linux 7 The autofs service should be disabled if possible. Service avahi-daemon Disabled Red Hat Enterprise Linux 7 The avahi-daemon service should be disabled if possible. Service bluetooth Disabled Red Hat Enterprise Linux 7 The bluetooth service should be disabled if possible. Service certmonger Disabled Red Hat Enterprise Linux 7 The certmonger service should be disabled if possible. Service cgconfig Disabled Red Hat Enterprise Linux 7 The cgconfig service should be disabled if possible. Service cgred Disabled Red Hat Enterprise Linux 7 The cgred service should be disabled if possible. Service chronyd Enabled Red Hat Enterprise Linux 7 The chronyd service should be enabled if possible. Service cpupower Disabled Red Hat Enterprise Linux 7 The cpupower service should be disabled if possible. Service crond Enabled Red Hat Enterprise Linux 7 The crond service should be enabled if possible. Service cups Disabled Red Hat Enterprise Linux 7 The cups service should be disabled if possible. Service debug-shell Disabled Red Hat Enterprise Linux 7 The debug-shell service should be disabled if possible. Service dhcpd Disabled Red Hat Enterprise Linux 7 The dhcpd service should be disabled if possible. Service docker Enabled Red Hat Enterprise Linux 7 The docker service should be enabled if possible. 
Service dovecot Disabled Red Hat Enterprise Linux 7 The dovecot service should be disabled if possible. Service firewalld Enabled Red Hat Enterprise Linux 7 The firewalld service should be enabled if possible. Service httpd Disabled Red Hat Enterprise Linux 7 The httpd service should be disabled if possible. Service irqbalance Enabled Red Hat Enterprise Linux 7 The irqbalance service should be enabled if possible. Service kdump Disabled Red Hat Enterprise Linux 7 The kdump service should be disabled if possible. Service mdmonitor Disabled Red Hat Enterprise Linux 7 The mdmonitor service should be disabled if possible. Service messagebus Disabled Red Hat Enterprise Linux 7 The messagebus service should be disabled if possible. Service named Disabled Red Hat Enterprise Linux 7 The named service should be disabled if possible. Service nfs Disabled Red Hat Enterprise Linux 7 The nfs service should be disabled if possible. Service nfslock Disabled Red Hat Enterprise Linux 7 The nfslock service should be disabled if possible. Service ntpd Disabled Red Hat Enterprise Linux 7 The ntpd service should be disabled if possible. Service ntpd Enabled Red Hat Enterprise Linux 7 The ntpd service should be enabled if possible. Service ntpdate Disabled Red Hat Enterprise Linux 7 The ntpdate service should be disabled if possible. Service oddjobd Disabled Red Hat Enterprise Linux 7 The oddjobd service should be disabled if possible. Service pcscd Enabled Red Hat Enterprise Linux 7 The pcscd service should be enabled if possible. Service portreserve Disabled Red Hat Enterprise Linux 7 The portreserve service should be disabled if possible. Service postfix Enabled Red Hat Enterprise Linux 7 The postfix service should be enabled if possible. Service psacct Enabled Red Hat Enterprise Linux 7 The psacct service should be enabled if possible. Service qpidd Disabled Red Hat Enterprise Linux 7 The qpidd service should be disabled if possible. 
Service quota_nld Disabled Red Hat Enterprise Linux 7 The quota_nld service should be disabled if possible. Service rdisc Disabled Red Hat Enterprise Linux 7 The rdisc service should be disabled if possible. Service rexec Disabled Red Hat Enterprise Linux 7 The rexec service should be disabled if possible. Service rhnsd Disabled Red Hat Enterprise Linux 7 The rhnsd service should be disabled if possible. Service rhsmcertd Disabled Red Hat Enterprise Linux 7 The rhsmcertd service should be disabled if possible. Service rlogin Disabled Red Hat Enterprise Linux 7 The rlogin service should be disabled if possible. Service rpcbind Disabled Red Hat Enterprise Linux 7 The rpcbind service should be disabled if possible. Service rpcgssd Disabled Red Hat Enterprise Linux 7 The rpcgssd service should be disabled if possible. Service rpcidmapd Disabled Red Hat Enterprise Linux 7 The rpcidmapd service should be disabled if possible. Service rpcsvcgssd Disabled Red Hat Enterprise Linux 7 The rpcsvcgssd service should be disabled if possible. Service rsh Disabled Red Hat Enterprise Linux 7 The rsh service should be disabled if possible. Service rsyslog Enabled Red Hat Enterprise Linux 7 The rsyslog service should be enabled if possible. Service saslauthd Disabled Red Hat Enterprise Linux 7 The saslauthd service should be disabled if possible. Service smartd Disabled Red Hat Enterprise Linux 7 The smartd service should be disabled if possible. Service smb Disabled Red Hat Enterprise Linux 7 The smb service should be disabled if possible. Service snmpd Disabled Red Hat Enterprise Linux 7 The snmpd service should be disabled if possible. Service squid Disabled Red Hat Enterprise Linux 7 The squid service should be disabled if possible. Service sshd Disabled Red Hat Enterprise Linux 7 The sshd service should be disabled if possible. Service sshd Enabled Red Hat Enterprise Linux 7 The sshd service should be enabled if possible. 
Service sssd Disabled Red Hat Enterprise Linux 7 The sssd service should be disabled if possible. Service sssd Enabled Red Hat Enterprise Linux 7 The sssd service should be enabled if possible. Service sysstat Disabled Red Hat Enterprise Linux 7 The sysstat service should be disabled if possible. Service telnet Disabled Red Hat Enterprise Linux 7 The telnet service should be disabled if possible. Service tftp Disabled Red Hat Enterprise Linux 7 The tftp service should be disabled if possible. Service vsftpd Disabled Red Hat Enterprise Linux 7 The vsftpd service should be disabled if possible. Service xinetd Disabled Red Hat Enterprise Linux 7 The xinetd service should be disabled if possible. Service ypbind Disabled Red Hat Enterprise Linux 7 The ypbind service should be disabled if possible. Service zebra Disabled Red Hat Enterprise Linux 7 The zebra service should be disabled if possible. Kernel "fs.suid_dumpable" Parameter Configuration and Runtime Check Red Hat Enterprise Linux 7 The "fs.suid_dumpable" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "kernel.dmesg_restrict" Parameter Configuration and Runtime Check Red Hat Enterprise Linux 7 The "kernel.dmesg_restrict" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "kernel.kexec_load_disabled" Parameter Configuration and Runtime Check Red Hat Enterprise Linux 7 The "kernel.kexec_load_disabled" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "kernel.kptr_restrict" Parameter Configuration and Runtime Check Red Hat Enterprise Linux 7 The "kernel.kptr_restrict" kernel parameter should be set to the appropriate value in both system configuration and system runtime. 
Kernel "kernel.randomize_va_space" Parameter Configuration and Runtime Check Red Hat Enterprise Linux 7 The "kernel.randomize_va_space" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "kernel.yama.ptrace_scope" Parameter Configuration and Runtime Check Red Hat Enterprise Linux 7 The "kernel.yama.ptrace_scope" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv4.conf.all.accept_redirects" Parameter Configuration and Runtime Check Red Hat Enterprise Linux 7 The "net.ipv4.conf.all.accept_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv4.conf.all.accept_source_route" Parameter Configuration and Runtime Check Red Hat Enterprise Linux 7 The "net.ipv4.conf.all.accept_source_route" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv4.conf.all.log_martians" Parameter Configuration and Runtime Check Red Hat Enterprise Linux 7 The "net.ipv4.conf.all.log_martians" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv4.conf.all.rp_filter" Parameter Configuration and Runtime Check Red Hat Enterprise Linux 7 The "net.ipv4.conf.all.rp_filter" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv4.conf.all.secure_redirects" Parameter Configuration and Runtime Check Red Hat Enterprise Linux 7 The "net.ipv4.conf.all.secure_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime. 
Kernel "net.ipv4.conf.all.send_redirects" Parameter Configuration and Runtime Check Red Hat Enterprise Linux 7 The "net.ipv4.conf.all.send_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv4.conf.default.accept_redirects" Parameter Configuration and Runtime Check Red Hat Enterprise Linux 7 The "net.ipv4.conf.default.accept_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv4.conf.default.accept_source_route" Parameter Configuration and Runtime Check Red Hat Enterprise Linux 7 The "net.ipv4.conf.default.accept_source_route" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv4.conf.default.log_martians" Parameter Configuration and Runtime Check Red Hat Enterprise Linux 7 The "net.ipv4.conf.default.log_martians" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv4.conf.default.rp_filter" Parameter Configuration and Runtime Check Red Hat Enterprise Linux 7 The "net.ipv4.conf.default.rp_filter" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv4.conf.default.secure_redirects" Parameter Configuration and Runtime Check Red Hat Enterprise Linux 7 The "net.ipv4.conf.default.secure_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv4.conf.default.send_redirects" Parameter Configuration and Runtime Check Red Hat Enterprise Linux 7 The "net.ipv4.conf.default.send_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime. 
Kernel "net.ipv4.icmp_echo_ignore_broadcasts" Parameter Configuration and Runtime Check Red Hat Enterprise Linux 7 The "net.ipv4.icmp_echo_ignore_broadcasts" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv4.icmp_ignore_bogus_error_responses" Parameter Configuration and Runtime Check Red Hat Enterprise Linux 7 The "net.ipv4.icmp_ignore_bogus_error_responses" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv4.ip_forward" Parameter Configuration and Runtime Check Red Hat Enterprise Linux 7 The "net.ipv4.ip_forward" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv4.tcp_syncookies" Parameter Configuration and Runtime Check Red Hat Enterprise Linux 7 The "net.ipv4.tcp_syncookies" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv6.conf.all.accept_ra" Parameter Configuration and Runtime Check Red Hat Enterprise Linux 7 The "net.ipv6.conf.all.accept_ra" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv6.conf.all.accept_redirects" Parameter Configuration and Runtime Check Red Hat Enterprise Linux 7 The "net.ipv6.conf.all.accept_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv6.conf.all.accept_source_route" Parameter Configuration and Runtime Check Red Hat Enterprise Linux 7 The "net.ipv6.conf.all.accept_source_route" kernel parameter should be set to the appropriate value in both system configuration and system runtime. 
Kernel "net.ipv6.conf.all.disable_ipv6" Parameter Configuration and Runtime Check Red Hat Enterprise Linux 7 The "net.ipv6.conf.all.disable_ipv6" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv6.conf.all.forwarding" Parameter Configuration and Runtime Check Red Hat Enterprise Linux 7 The "net.ipv6.conf.all.forwarding" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv6.conf.default.accept_ra" Parameter Configuration and Runtime Check Red Hat Enterprise Linux 7 The "net.ipv6.conf.default.accept_ra" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv6.conf.default.accept_redirects" Parameter Configuration and Runtime Check Red Hat Enterprise Linux 7 The "net.ipv6.conf.default.accept_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv6.conf.default.accept_source_route" Parameter Configuration and Runtime Check Red Hat Enterprise Linux 7 The "net.ipv6.conf.default.accept_source_route" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "fs.suid_dumpable" Parameter Runtime Check Red Hat Enterprise Linux 7 The kernel "fs.suid_dumpable" parameter should be set to "0" in system runtime. Kernel "kernel.dmesg_restrict" Parameter Runtime Check Red Hat Enterprise Linux 7 The kernel "kernel.dmesg_restrict" parameter should be set to "1" in system runtime. Kernel "kernel.kexec_load_disabled" Parameter Runtime Check Red Hat Enterprise Linux 7 The kernel "kernel.kexec_load_disabled" parameter should be set to "1" in system runtime. Kernel "kernel.kptr_restrict" Parameter Runtime Check Red Hat Enterprise Linux 7 The kernel "kernel.kptr_restrict" parameter should be set to "1" in system runtime. 
Kernel "kernel.randomize_va_space" Parameter Runtime Check Red Hat Enterprise Linux 7 The kernel "kernel.randomize_va_space" parameter should be set to "2" in system runtime. Kernel "kernel.yama.ptrace_scope" Parameter Runtime Check Red Hat Enterprise Linux 7 The kernel "kernel.yama.ptrace_scope" parameter should be set to "1" in system runtime. Kernel "net.ipv4.conf.all.accept_redirects" Parameter Runtime Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.all.accept_redirects" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv4.conf.all.accept_source_route" Parameter Runtime Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.all.accept_source_route" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv4.conf.all.log_martians" Parameter Runtime Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.all.log_martians" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv4.conf.all.rp_filter" Parameter Runtime Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.all.rp_filter" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv4.conf.all.secure_redirects" Parameter Runtime Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.all.secure_redirects" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv4.conf.all.send_redirects" Parameter Runtime Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.all.send_redirects" parameter should be set to "0" in system runtime. Kernel "net.ipv4.conf.default.accept_redirects" Parameter Runtime Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.default.accept_redirects" parameter should be set to the appropriate value in system runtime. 
Kernel "net.ipv4.conf.default.accept_source_route" Parameter Runtime Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.default.accept_source_route" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv4.conf.default.log_martians" Parameter Runtime Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.default.log_martians" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv4.conf.default.rp_filter" Parameter Runtime Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.default.rp_filter" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv4.conf.default.secure_redirects" Parameter Runtime Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.default.secure_redirects" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv4.conf.default.send_redirects" Parameter Runtime Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.default.send_redirects" parameter should be set to "0" in system runtime. Kernel "net.ipv4.icmp_echo_ignore_broadcasts" Parameter Runtime Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.icmp_echo_ignore_broadcasts" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv4.icmp_ignore_bogus_error_responses" Parameter Runtime Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.icmp_ignore_bogus_error_responses" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv4.ip_forward" Parameter Runtime Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.ip_forward" parameter should be set to "0" in system runtime. Kernel "net.ipv4.tcp_syncookies" Parameter Runtime Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.tcp_syncookies" parameter should be set to the appropriate value in system runtime. 
Kernel "net.ipv6.conf.all.accept_ra" Parameter Runtime Check Red Hat Enterprise Linux 7 The kernel "net.ipv6.conf.all.accept_ra" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv6.conf.all.accept_redirects" Parameter Runtime Check Red Hat Enterprise Linux 7 The kernel "net.ipv6.conf.all.accept_redirects" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv6.conf.all.accept_source_route" Parameter Runtime Check Red Hat Enterprise Linux 7 The kernel "net.ipv6.conf.all.accept_source_route" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv6.conf.all.disable_ipv6" Parameter Runtime Check Red Hat Enterprise Linux 7 The kernel "net.ipv6.conf.all.disable_ipv6" parameter should be set to "1" in system runtime. Kernel "net.ipv6.conf.all.forwarding" Parameter Runtime Check Red Hat Enterprise Linux 7 The kernel "net.ipv6.conf.all.forwarding" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv6.conf.default.accept_ra" Parameter Runtime Check Red Hat Enterprise Linux 7 The kernel "net.ipv6.conf.default.accept_ra" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv6.conf.default.accept_redirects" Parameter Runtime Check Red Hat Enterprise Linux 7 The kernel "net.ipv6.conf.default.accept_redirects" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv6.conf.default.accept_source_route" Parameter Runtime Check Red Hat Enterprise Linux 7 The kernel "net.ipv6.conf.default.accept_source_route" parameter should be set to the appropriate value in system runtime. Kernel "fs.suid_dumpable" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "fs.suid_dumpable" parameter should be set to "0" in the system configuration. 
Kernel "kernel.dmesg_restrict" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "kernel.dmesg_restrict" parameter should be set to "1" in the system configuration. Kernel "kernel.kexec_load_disabled" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "kernel.kexec_load_disabled" parameter should be set to "1" in the system configuration. Kernel "kernel.kptr_restrict" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "kernel.kptr_restrict" parameter should be set to "1" in the system configuration. Kernel "kernel.randomize_va_space" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "kernel.randomize_va_space" parameter should be set to "2" in the system configuration. Kernel "kernel.yama.ptrace_scope" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "kernel.yama.ptrace_scope" parameter should be set to "1" in the system configuration. Kernel "net.ipv4.conf.all.accept_redirects" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.all.accept_redirects" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv4.conf.all.accept_source_route" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.all.accept_source_route" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv4.conf.all.log_martians" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.all.log_martians" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv4.conf.all.rp_filter" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.all.rp_filter" parameter should be set to the appropriate value in the system configuration. 
Kernel "net.ipv4.conf.all.secure_redirects" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.all.secure_redirects" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv4.conf.all.send_redirects" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.all.send_redirects" parameter should be set to "0" in the system configuration. Kernel "net.ipv4.conf.default.accept_redirects" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.default.accept_redirects" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv4.conf.default.accept_source_route" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.default.accept_source_route" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv4.conf.default.log_martians" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.default.log_martians" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv4.conf.default.rp_filter" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.default.rp_filter" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv4.conf.default.secure_redirects" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.default.secure_redirects" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv4.conf.default.send_redirects" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "net.ipv4.conf.default.send_redirects" parameter should be set to "0" in the system configuration. 
Kernel "net.ipv4.icmp_echo_ignore_broadcasts" Parameter Configuration Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv4.icmp_echo_ignore_broadcasts" parameter should be set to the appropriate value in the system configuration.
Kernel "net.ipv4.icmp_ignore_bogus_error_responses" Parameter Configuration Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv4.icmp_ignore_bogus_error_responses" parameter should be set to the appropriate value in the system configuration.
Kernel "net.ipv4.ip_forward" Parameter Configuration Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv4.ip_forward" parameter should be set to "0" in the system configuration.
Kernel "net.ipv4.tcp_syncookies" Parameter Configuration Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv4.tcp_syncookies" parameter should be set to the appropriate value in the system configuration.
Kernel "net.ipv6.conf.all.accept_ra" Parameter Configuration Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv6.conf.all.accept_ra" parameter should be set to the appropriate value in the system configuration.
Kernel "net.ipv6.conf.all.accept_redirects" Parameter Configuration Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv6.conf.all.accept_redirects" parameter should be set to the appropriate value in the system configuration.
Kernel "net.ipv6.conf.all.accept_source_route" Parameter Configuration Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv6.conf.all.accept_source_route" parameter should be set to the appropriate value in the system configuration.
Kernel "net.ipv6.conf.all.disable_ipv6" Parameter Configuration Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv6.conf.all.disable_ipv6" parameter should be set to "1" in the system configuration.
Kernel "net.ipv6.conf.all.forwarding" Parameter Configuration Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv6.conf.all.forwarding" parameter should be set to the appropriate value in the system configuration.
Kernel "net.ipv6.conf.default.accept_ra" Parameter Configuration Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv6.conf.default.accept_ra" parameter should be set to the appropriate value in the system configuration.
Kernel "net.ipv6.conf.default.accept_redirects" Parameter Configuration Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv6.conf.default.accept_redirects" parameter should be set to the appropriate value in the system configuration.
Kernel "net.ipv6.conf.default.accept_source_route" Parameter Configuration Check | Red Hat Enterprise Linux 7 | The kernel "net.ipv6.conf.default.accept_source_route" parameter should be set to the appropriate value in the system configuration.
Check pam_pwquality Existence in system-auth | Red Hat Enterprise Linux 7 | Check that pam_pwquality.so exists in system-auth.
Record Any Attempts to Run semanage | Red Hat Enterprise Linux 7 | Test if auditctl is in use for audit rules.
Record Any Attempts to Run semanage | Red Hat Enterprise Linux 7 | Test if augenrules is enabled for audit rules.
Record Events that Modify the System's Network Environment | Red Hat Enterprise Linux 7 | The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.
Record Events that Modify the System's Network Environment | Red Hat Enterprise Linux 7 | The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.
'log_group' Not Set To 'root' In /etc/audit/auditd.conf | Red Hat Enterprise Linux 7 | Verify 'log_group' is not set to 'root' in /etc/audit/auditd.conf.
Verify GRUB_DISABLE_RECOVERY Set to true | Red Hat Enterprise Linux 7 | GRUB_DISABLE_RECOVERY is set to 'true' in /etc/default/grub.
Specify Multiple Remote chronyd NTP Servers for Time Data | Red Hat Enterprise Linux 7 | Multiple chronyd NTP servers for time synchronization should be specified.
Specify a Remote NTP Server for Time Data | Red Hat Enterprise Linux 7 | A remote NTP server for time synchronization should be specified (and dependencies are met).
GRUB_CMDLINE_LINUX_DEFAULT existence check | Red Hat Enterprise Linux 7 | Check if GRUB_CMDLINE_LINUX_DEFAULT exists in /etc/default/grub.
Install McAfee Host-Based Intrusion Detection Software (HBSS) | Red Hat Enterprise Linux 7 | McAfee Host-Based Intrusion Detection Software (HBSS) should be installed.
CentOS 6 | Red Hat Enterprise Linux 7 | The operating system installed on the system is CentOS 6.
CentOS 7 | Red Hat Enterprise Linux 7 | The operating system installed on the system is CentOS 7.
CentOS 8 | Red Hat Enterprise Linux 7 | The operating system installed on the system is CentOS 8.
Debian 8 | Red Hat Enterprise Linux 7 | The operating system installed on the system is Debian 8.
Installed operating system is Fedora | Red Hat Enterprise Linux 7 | The operating system installed on the system is Fedora.
Oracle Linux 6 | Red Hat Enterprise Linux 7 | The operating system installed on the system is Oracle Linux 6.
Oracle Linux 7 | Red Hat Enterprise Linux 7 | The operating system installed on the system is Oracle Linux 7.
Oracle Linux 8 | Red Hat Enterprise Linux 7 | The operating system installed on the system is Oracle Linux 8.
openSUSE | Red Hat Enterprise Linux 7 | The operating system installed on the system is openSUSE.
openSUSE Leap 15 | Red Hat Enterprise Linux 7 | The operating system installed on the system is openSUSE Leap 15.
openSUSE Leap 42 | Red Hat Enterprise Linux 7 | The operating system installed on the system is openSUSE Leap 42.
Installed operating system is part of the Unix family | Red Hat Enterprise Linux 7 | The operating system installed on the system is part of the Unix OS family.
Red Hat Enterprise Linux 6 | Red Hat Enterprise Linux 7 | The operating system installed on the system is Red Hat Enterprise Linux 6.
Red Hat Enterprise Linux 7 | Red Hat Enterprise Linux 7 | The operating system installed on the system is Red Hat Enterprise Linux 7.
Red Hat Enterprise Linux 8 | Red Hat Enterprise Linux 7 | The operating system installed on the system is Red Hat Enterprise Linux 8.
Red Hat Virtualization 4 | Red Hat Enterprise Linux 7 | The operating system installed on the system is Red Hat Virtualization Host 4 or Red Hat Enterprise Host.
Scientific Linux 6 | Red Hat Enterprise Linux 7 | The operating system installed on the system is Scientific Linux 6.
Scientific Linux 7 | Red Hat Enterprise Linux 7 | The operating system installed on the system is Scientific Linux 7.
Scientific Linux 8 | Red Hat Enterprise Linux 7 | The operating system installed on the system is Scientific Linux 8.
SUSE Linux Enterprise 11 | Red Hat Enterprise Linux 7 | The operating system installed on the system is SUSE Linux Enterprise 11.
SUSE Linux Enterprise 12 | Red Hat Enterprise Linux 7 | The operating system installed on the system is SUSE Linux Enterprise 12.
Ubuntu | Red Hat Enterprise Linux 7 | The operating system installed is an Ubuntu system.
Ubuntu 1404 | Red Hat Enterprise Linux 7 | The operating system installed on the system is Ubuntu 1404.
Ubuntu 1604 | Red Hat Enterprise Linux 7 | The operating system installed on the system is Ubuntu 1604.
Ubuntu 1804 | Red Hat Enterprise Linux 7 | The operating system installed on the system is Ubuntu 1804.
WRLinux | Red Hat Enterprise Linux 7 | The operating system installed on the system is Wind River Linux.
Red Hat OpenShift Container Platform | Red Hat Enterprise Linux 7 | The application installed on the system is OpenShift 3.
Red Hat OpenStack Platform | Red Hat Enterprise Linux 7 | The application installed on the system is Red Hat OpenStack Platform 13.
Red Hat Virtualization 4 | Red Hat Enterprise Linux 7 | The application installed on the system is Red Hat Virtualization 4.
Package gdm is installed | Red Hat Enterprise Linux 7 | Checks if package gdm is installed.
Package libuser is installed | Red Hat Enterprise Linux 7 | Checks if package libuser is installed.
Package nss-pam-ldapd is installed | Red Hat Enterprise Linux 7 | Checks if package nss-pam-ldapd is installed.
Package pam is installed | Red Hat Enterprise Linux 7 | Checks if package pam is installed.
Package shadow-utils is installed | Red Hat Enterprise Linux 7 | Checks if package shadow-utils is installed.
Package systemd is installed | Red Hat Enterprise Linux 7 | Checks if package systemd is installed.
Package yum is installed | Red Hat Enterprise Linux 7 | Checks if package yum is installed.
Check if the scan target is a container | Red Hat Enterprise Linux 7 | Check if the file /.dockerenv exists; if it does, the scan target is treated as a Docker filesystem.
Check if the scan target is a machine | Red Hat Enterprise Linux 7 | Check if the file /.dockerenv exists; if it does not, the scan target is treated as a host filesystem or virtual machine.
No CD/DVD drive is configured to automount in /etc/fstab | Red Hat Enterprise Linux 7 | Check /etc/fstab to verify that no CD/DVD drive is configured for automount.
Device Files for Removable Media Partitions Does Not Exist on the System | Red Hat Enterprise Linux 7 | Verify whether a device file representing removable partitions exists on the system.
SSHD is not required to be installed or requirement not set | Red Hat Enterprise Linux 7 | If SSHD is not required, we check it is not installed. If the SSH requirement is unset, we are good.
SSHD is required to be installed or requirement not set | Red Hat Enterprise Linux 7 | If SSHD is required, we check it is installed. If the SSH requirement is unset, we are good.
It doesn't matter if sshd is installed or not | Red Hat Enterprise Linux 7 | Test if the value of sshd_required is 0.
OpenSSH Server is 7.4 or newer | Red Hat Enterprise Linux 7 | Check if the version of OpenSSH Server is equal to or higher than 7.4.
Verify The SSSD Configuration File Exists | Red Hat Enterprise Linux 7 | The /etc/sssd/sssd.conf file should exist if it is in use.
Kernel Runtime Parameter IPv6 Check | Red Hat Enterprise Linux 7 | Disables IPv6 for all network interfaces.
Test for 64-bit Architecture | Red Hat Enterprise Linux 7 | Generic test for 64-bit architectures to be used by other tests.
Test for aarch_64 Architecture | Red Hat Enterprise Linux 7 | Generic test for the aarch_64 architecture to be used by other tests.
Test for PPC and PPCLE Architecture | Red Hat Enterprise Linux 7 | Generic test for the PPC and PPC64LE architectures to be used by other tests.
Test for x86 Architecture | Red Hat Enterprise Linux 7 | Generic test for the x86 architecture to be used by other tests.
Test for x86_64 Architecture | Red Hat Enterprise Linux 7 | Generic test for the x86_64 architecture to be used by other tests.
Value of 'var_accounts_user_umask' variable represented as octal number | Red Hat Enterprise Linux 7 | Value of the 'var_accounts_user_umask' variable represented as an octal number.
Value of 'var_removable_partition' variable is set to '/dev/cdrom' | Red Hat Enterprise Linux 7 | Verify whether the value of the 'var_removable_partition' variable is set to '/dev/cdrom'.
Value of 'var_umask_for_daemons' variable represented as octal number | Red Hat Enterprise Linux 7 | Value of the 'var_umask_for_daemons' variable represented as an octal number.
Audit Discretionary Access Control Modification Events - chmod | Red Hat Enterprise Linux 7 | The changing of file permissions and attributes should be audited.
Audit Discretionary Access Control Modification Events - chown | Red Hat Enterprise Linux 7 | The changing of file permissions and attributes should be audited.
Audit Discretionary Access Control Modification Events - fchmod | Red Hat Enterprise Linux 7 | The changing of file permissions and attributes should be audited.
Audit Discretionary Access Control Modification Events - fchmodat | Red Hat Enterprise Linux 7 | The changing of file permissions and attributes should be audited.
Audit Discretionary Access Control Modification Events - fchown | Red Hat Enterprise Linux 7 | The changing of file permissions and attributes should be audited.
Audit Discretionary Access Control Modification Events - fchownat | Red Hat Enterprise Linux 7 | The changing of file permissions and attributes should be audited.
Audit Discretionary Access Control Modification Events - fremovexattr | Red Hat Enterprise Linux 7 | The changing of file permissions and attributes should be audited.
Audit Discretionary Access Control Modification Events - fsetxattr | Red Hat Enterprise Linux 7 | The changing of file permissions and attributes should be audited.
Audit Discretionary Access Control Modification Events - lchown | Red Hat Enterprise Linux 7 | The changing of file permissions and attributes should be audited.
Audit Discretionary Access Control Modification Events - lremovexattr | Red Hat Enterprise Linux 7 | The changing of file permissions and attributes should be audited.
Audit Discretionary Access Control Modification Events - lsetxattr | Red Hat Enterprise Linux 7 | The changing of file permissions and attributes should be audited.
Audit Discretionary Access Control Modification Events - removexattr | Red Hat Enterprise Linux 7 | The changing of file permissions and attributes should be audited.
Audit Discretionary Access Control Modification Events - setxattr | Red Hat Enterprise Linux 7 | The changing of file permissions and attributes should be audited.
Ensure auditd Collects Write Events to /etc/group | Red Hat Enterprise Linux 7 | Audit rules for write events to /etc/group.
Ensure auditd Collects Write Events to /etc/group | Red Hat Enterprise Linux 7 | Audit rules for write events to /etc/group.
Ensure auditd Collects Write Events to /etc/group | Red Hat Enterprise Linux 7 | Audit rules for write events to /etc/group.
Ensure auditd Collects Write Events to /etc/passwd | Red Hat Enterprise Linux 7 | Audit rules for write events to /etc/passwd.
Ensure auditd Collects Write Events to /etc/passwd | Red Hat Enterprise Linux 7 | Audit rules for write events to /etc/passwd.
Ensure auditd Collects Write Events to /etc/passwd | Red Hat Enterprise Linux 7 | Audit rules for write events to /etc/passwd.
Record Any Attempts to Run chcon | Red Hat Enterprise Linux 7 | Audit rules recording information on the use of chcon are enabled.
Record Any Attempts to Run restorecon | Red Hat Enterprise Linux 7 | Audit rules recording information on the use of restorecon are enabled.
Record Any Attempts to Run semanage | Red Hat Enterprise Linux 7 | Audit rules recording information on the use of semanage are enabled.
Record Any Attempts to Run setfiles | Red Hat Enterprise Linux 7 | Audit rules recording information on the use of setfiles are enabled.
Record Any Attempts to Run setsebool | Red Hat Enterprise Linux 7 | Audit rules recording information on the use of setsebool are enabled.
Record Any Attempts to Run seunshare | Red Hat Enterprise Linux 7 | Audit rules recording information on the use of seunshare are enabled.
Audit File Deletion Events - rename | Red Hat Enterprise Linux 7 | The deletion of files should be audited.
Audit File Deletion Events - renameat | Red Hat Enterprise Linux 7 | The deletion of files should be audited.
Audit File Deletion Events - rmdir | Red Hat Enterprise Linux 7 | The deletion of files should be audited.
Audit File Deletion Events - unlink | Red Hat Enterprise Linux 7 | The deletion of files should be audited.
Audit File Deletion Events - unlinkat | Red Hat Enterprise Linux 7 | The deletion of files should be audited.
Record Attempts to Alter Login and Logout Events - faillock | Red Hat Enterprise Linux 7 | Audit rules should be configured to log successful and unsuccessful login and logout events.
Record Attempts to Alter Login and Logout Events - lastlog | Red Hat Enterprise Linux 7 | Audit rules should be configured to log successful and unsuccessful login and logout events.
Record Attempts to Alter Login and Logout Events - tallylog | Red Hat Enterprise Linux 7 | Audit rules should be configured to log successful and unsuccessful login and logout events.
Ensure auditd Collects Information on the Use of Privileged Commands - at | Red Hat Enterprise Linux 7 | Audit rules recording information on the use of at are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - chage | Red Hat Enterprise Linux 7 | Audit rules recording information on the use of chage are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - chsh | Red Hat Enterprise Linux 7 | Audit rules recording information on the use of chsh are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - crontab | Red Hat Enterprise Linux 7 | Audit rules recording information on the use of crontab are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd | Red Hat Enterprise Linux 7 | Audit rules recording information on the use of gpasswd are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - mount | Red Hat Enterprise Linux 7 | Audit rules recording information on the use of mount are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap | Red Hat Enterprise Linux 7 | Audit rules recording information on the use of newgidmap are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - newgrp | Red Hat Enterprise Linux 7 | Audit rules recording information on the use of newgrp are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap | Red Hat Enterprise Linux 7 | Audit rules recording information on the use of newuidmap are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check | Red Hat Enterprise Linux 7 | Audit rules recording information on the use of pam_timestamp_check are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - passwd | Red Hat Enterprise Linux 7 | Audit rules recording information on the use of passwd are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - postdrop | Red Hat Enterprise Linux 7 | Audit rules recording information on the use of postdrop are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - postqueue | Red Hat Enterprise Linux 7 | Audit rules recording information on the use of postqueue are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown | Red Hat Enterprise Linux 7 | Audit rules recording information on the use of pt_chown are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - ssh_keysign | Red Hat Enterprise Linux 7 | Audit rules recording information on the use of ssh_keysign are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - su | Red Hat Enterprise Linux 7 | Audit rules recording information on the use of su are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - sudo | Red Hat Enterprise Linux 7 | Audit rules recording information on the use of sudo are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit | Red Hat Enterprise Linux 7 | Audit rules recording information on the use of sudoedit are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - umount | Red Hat Enterprise Linux 7 | Audit rules recording information on the use of umount are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd | Red Hat Enterprise Linux 7 | Audit rules recording information on the use of unix_chkpwd are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - userhelper | Red Hat Enterprise Linux 7 | Audit rules recording information on the use of userhelper are enabled.
Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl | Red Hat Enterprise Linux 7 | Audit rules recording information on the use of usernetctl are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - chmod | Red Hat Enterprise Linux 7 | Audit rules for unauthorized (unsuccessful) access attempts to files are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - chown | Red Hat Enterprise Linux 7 | Audit rules for unauthorized (unsuccessful) access attempts to files are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - creat | Red Hat Enterprise Linux 7 | Audit rules for unauthorized (unsuccessful) access attempts to files are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - fchmod | Red Hat Enterprise Linux 7 | Audit rules for unauthorized (unsuccessful) access attempts to files are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - fchmodat | Red Hat Enterprise Linux 7 | Audit rules for unauthorized (unsuccessful) access attempts to files are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - fchown | Red Hat Enterprise Linux 7 | Audit rules for unauthorized (unsuccessful) access attempts to files are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - fchownat | Red Hat Enterprise Linux 7 | Audit rules for unauthorized (unsuccessful) access attempts to files are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - fremovexattr | Red Hat Enterprise Linux 7 | Audit rules for unauthorized (unsuccessful) access attempts to files are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - fsetxattr | Red Hat Enterprise Linux 7 | Audit rules for unauthorized (unsuccessful) access attempts to files are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - ftruncate | Red Hat Enterprise Linux 7 | Audit rules for unauthorized (unsuccessful) access attempts to files are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - lchown | Red Hat Enterprise Linux 7 | Audit rules for unauthorized (unsuccessful) access attempts to files are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - lremovexattr | Red Hat Enterprise Linux 7 | Audit rules for unauthorized (unsuccessful) access attempts to files are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - lsetxattr | Red Hat Enterprise Linux 7 | Audit rules for unauthorized (unsuccessful) access attempts to files are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - open | Red Hat Enterprise Linux 7 | Audit rules for unauthorized (unsuccessful) access attempts to files are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - open_by_handle_at | Red Hat Enterprise Linux 7 | Audit rules for unauthorized (unsuccessful) access attempts to files are enabled.
Ensure auditd Collects Information on Unsuccessful Creation Attempts to Files - open_by_handle_at o_creat | Red Hat Enterprise Linux 7 | Audit rules recording information on the unsuccessful use of open_by_handle_at with O_CREAT are enabled.
Ensure auditd Collects Information on Unsuccessful Creation Attempts to Files - open_by_handle_at o_trunc | Red Hat Enterprise Linux 7 | Audit rules recording information on the unsuccessful use of open_by_handle_at with O_TRUNC are enabled.
Ensure auditd Rules For Unauthorized Attempts To open_by_handle_at Are Ordered Correctly | Red Hat Enterprise Linux 7 | Audit rules recording information on the unsuccessful use of open_by_handle_at are configured in the proper rule order.
Ensure auditd Collects Information on Unsuccessful Creation Attempts to Files - open o_creat | Red Hat Enterprise Linux 7 | Audit rules recording information on the unsuccessful use of open with O_CREAT are enabled.
Ensure auditd Collects Information on Unsuccessful Creation Attempts to Files - open o_trunc | Red Hat Enterprise Linux 7 | Audit rules recording information on the unsuccessful use of open with O_TRUNC are enabled.
Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly | Red Hat Enterprise Linux 7 | Audit rules recording information on the unsuccessful use of open are configured in the proper rule order.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - openat | Red Hat Enterprise Linux 7 | Audit rules for unauthorized (unsuccessful) access attempts to files are enabled.
Ensure auditd Collects Information on Unsuccessful Creation Attempts to Files - openat o_creat | Red Hat Enterprise Linux 7 | Audit rules recording information on the unsuccessful use of openat with O_CREAT are enabled.
Ensure auditd Collects Information on Unsuccessful Creation Attempts to Files - openat o_trunc | Red Hat Enterprise Linux 7 | Audit rules recording information on the unsuccessful use of openat with O_TRUNC are enabled.
Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly | Red Hat Enterprise Linux 7 | Audit rules recording information on the unsuccessful use of openat are configured in the proper rule order.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - removexattr | Red Hat Enterprise Linux 7 | Audit rules for unauthorized (unsuccessful) access attempts to files are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - rename | Red Hat Enterprise Linux 7 | Audit rules for unauthorized (unsuccessful) access attempts to files are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - renameat | Red Hat Enterprise Linux 7 | Audit rules for unauthorized (unsuccessful) access attempts to files are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - setxattr | Red Hat Enterprise Linux 7 | Audit rules for unauthorized (unsuccessful) access attempts to files are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - truncate | Red Hat Enterprise Linux 7 | Audit rules for unauthorized (unsuccessful) access attempts to files are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - unlink | Red Hat Enterprise Linux 7 | Audit rules for unauthorized (unsuccessful) access attempts to files are enabled.
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - unlinkat | Red Hat Enterprise Linux 7 | Audit rules for unauthorized (unsuccessful) access attempts to files are enabled.
Audit User/Group Modification - group | Red Hat Enterprise Linux 7 | Audit user/group modification.
Audit User/Group Modification - gshadow | Red Hat Enterprise Linux 7 | Audit user/group modification.
Audit User/Group Modification - opasswd | Red Hat Enterprise Linux 7 | Audit user/group modification.
Audit User/Group Modification - passwd | Red Hat Enterprise Linux 7 | Audit user/group modification.
Audit User/Group Modification - shadow | Red Hat Enterprise Linux 7 | Audit user/group modification.
Ensure GRUB 2 is configured to run Linux operating system with argument audit=1 | Red Hat Enterprise Linux 7 | Look for the argument audit=1 in the kernel line in /etc/default/grub.
Ensure GRUB 2 is configured to run Linux operating system with argument audit_backlog_limit=8192 | Red Hat Enterprise Linux 7 | Look for the argument audit_backlog_limit=8192 in the kernel line in /etc/default/grub.
Ensure GRUB 2 is configured to run Linux operating system with argument page_poison=1 | Red Hat Enterprise Linux 7 | Look for the argument page_poison=1 in the kernel line in /etc/default/grub.
Ensure GRUB 2 is configured to run Linux operating system with argument slub_debug=P | Red Hat Enterprise Linux 7 | Look for the argument slub_debug=P in the kernel line in /etc/default/grub.
Ensure GRUB 2 is configured to run Linux operating system with argument vsyscall=none | Red Hat Enterprise Linux 7 | Look for the argument vsyscall=none in the kernel line in /etc/default/grub.
Mount Remote Filesystems with nodev | Red Hat Enterprise Linux 7 | The nodev option should be enabled for all NFS mounts in /etc/fstab.
Add nodev Option to Removable Media Partitions | Red Hat Enterprise Linux 7 | The nodev option should be enabled for all removable device mounts in /etc/fstab.
Mount Remote Filesystems with noexec | Red Hat Enterprise Linux 7 | The noexec option should be enabled for all NFS mounts in /etc/fstab.
Add noexec Option to Removable Media Partitions | Red Hat Enterprise Linux 7 | The noexec option should be enabled for all removable device mounts in /etc/fstab.
Mount Remote Filesystems with nosuid | Red Hat Enterprise Linux 7 | The nosuid option should be enabled for all NFS mounts in /etc/fstab.
Add nosuid Option to Removable Media Partitions | Red Hat Enterprise Linux 7 | The nosuid option should be enabled for all removable device mounts in /etc/fstab.
Package nss-pam-ldapd Removed | Red Hat Enterprise Linux 7 | The RPM package nss-pam-ldapd should be removed.
Package samba-common Installed | Red Hat Enterprise Linux 7 | The RPM package samba-common should be installed.
^\s*GRUB_CMDLINE_LINUX=".*systemd.confirm_spawn=(?:1|yes|true|on).*$ 1 /etc/default/grub ^\s*GRUB_CMDLINE_LINUX_DEFAULT=".*systemd.confirm_spawn=(?:1|yes|true|on).*$ 1 /etc/systemd/system/ctrl-alt-del.target /usr/lib/systemd/system/rescue.service ^ExecStart=\-.*/sbin/sulogin 1 /usr/lib/systemd/system/runlevel1.target ^Requires=.*rescue.service 1 /etc/systemd/system ^rescue.service$ /etc/systemd/system ^runlevel1.target$ ^/etc/opensc.*.conf$ ^[\s]+force_card_driver[\s]+=[\s]+(\S+);$ 1 /etc/pam_pkcs11/pam_pkcs11.conf ^[\s]*cert_policy[ ]=(.*)$ 1 /etc/pam.d/system-auth 1 /etc/pam.d/system-auth 1 /etc/pam.d/smartcard-auth 1 ^/etc/opensc.*.conf$ ^[\s]+card_drivers[\s]+=[\s]+(\S+);$ 1 /etc/pki/nssdb/pkcs11.txt ^library=opensc.*.so$ 1 /etc/login.defs .*\n[^#]*(PASS_WARN_AGE\s+\d+)\s*\n 1 oval:ssg-variable_last_pass_warn_age_instance_value:var:1 /etc/login.defs .*\n[^#]*(PASS_MAX_DAYS\s+\d+)\s*\n 1 oval:ssg-variable_last_pass_max_days_instance_value:var:1 /etc/login.defs .*\n[^#]*(PASS_MIN_LEN\s+\d+)\s*\n 1 oval:ssg-variable_last_pass_min_len_instance_value:var:1 /etc/login.defs .*\n[^#]*(PASS_MIN_DAYS\s+\d+)\s*\n 1 oval:ssg-variable_last_pass_min_days_instance_value:var:1 /etc/default/useradd ^\s*INACTIVE\s*=\s*(\d+)\s*$ 1 /etc/passwd ^([^:]+):.*$ 1 oval:ssg-variable_count_of_all_usernames_from_etc_passwd:var:1 /etc/group ^.*:x:([0-9]+): 1 /etc/passwd ^.*:[0-9]+:([0-9]+): 1 .* /etc/pam.d/system-auth \s*nullok\s* 1 /home ^\.netrc$ /etc/securetty ^ttyS[0-9]+$ 1 /etc/securetty ^vc/[0-9]+$ 1 /etc/passwd ^(?!root:)[^:]*:[^:]*:0 1 /etc/securetty ^.*$ 1 /etc/securetty ^$ 1 /etc/login.defs .*\n(?!#|SYS_)(UID_MIN[\s]+[\d]+)\s*\n 1 /etc/login.defs .*\n[^#]*(SYS_UID_MIN[\s]+[\d]+)\s*\n 1 /etc/login.defs .*\n[^#]*(SYS_UID_MAX[\s]+[\d]+)\s*\n 1 /etc/passwd ^(?!root).*:x:([\d]+):[\d]+:[^:]*:[^:]*:(?!\/sbin\/nologin|\/bin\/sync|\/sbin\/shutdown|\/sbin\/halt).*$ 1 oval:ssg-variable_default_range_quad_expr:var:1 oval:ssg-variable_reserved_range_quad_expr:var:1 
oval:ssg-variable_dynalloc_range_quad_expr:var:1 /etc/pam.d/postlogin [\n][\s]*session[\s]+\[default=1\][\s]+pam_lastlog.so[\s\w\d\=]+showfailed[\s\w\d\=]*\n[\s]*session[\s]+optional[\s]+pam_lastlog.so[\s\w\d\=]+showfailed[\s\w\d\=]*[\n] 1 /etc/pam.d/system-auth ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*retry=([0-9]*).*$ 1 /etc/pam.d/system-auth ^\s*auth\s+(?:(?:required))\s+pam_faillock\.so\s+preauth.*fail_interval=([0-9]*).*$ 1 /etc/pam.d/system-auth ^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*fail_interval=([0-9]*).*$ 1 /etc/pam.d/password-auth ^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*fail_interval=([0-9]*).*$ 1 /etc/pam.d/password-auth ^\s*auth\s+(?:(?:required))\s+pam_faillock\.so\s+preauth.*fail_interval=([0-9]*).*$ 1 /etc/pam.d/password-auth ^\s*account\s+required\s+pam_faillock\.so.*$ 1 /etc/pam.d/system-auth ^\s*account\s+required\s+pam_faillock\.so.*$ 1 /etc/pam.d/system-auth ^\s*auth\s+(?:(?:required))\s+pam_faillock\.so\s+preauth.*unlock_time=([a-z0-9]*).*$ 1 /etc/pam.d/system-auth ^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*unlock_time=([a-z0-9]*).*$ 1 /etc/pam.d/password-auth ^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*unlock_time=([a-z0-9]*).*$ 1 /etc/pam.d/password-auth ^\s*auth\s+(?:(?:required))\s+pam_faillock\.so\s+preauth.*unlock_time=([a-z0-9]*).*$ 1 /etc/pam.d/system-auth [\n][\s]*auth[\s]+\[.*default=([0-9]+).*\][\s]+pam_unix\.so 1 /etc/pam.d/system-auth 1 /etc/pam.d/password-auth [\n][\s]*auth[\s]+\[[^\]]*default=([0-9]+)[^\]]*\][\s]+pam_unix\.so 1 /etc/pam.d/password-auth 1 /etc/pam.d/system-auth [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n] 1 /etc/pam.d/system-auth 
[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[[^\]]*default=ignore[^\]]*\]))[^\n]+pam_unix\.so(?:.*[\n])*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[^\n]+deny=([0-9]+) 1 /etc/pam.d/system-auth [\n][\s]*account[\s]+required[\s]+pam_faillock\.so[^\n]*[\n][\s]*account[\s]+required[\s]+pam_unix\.so[^\n]*[\n] 1 /etc/pam.d/password-auth [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n] 1 /etc/pam.d/password-auth [\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[[^\]]*default=ignore[[^\]]*\]))[\s]+pam_unix\.so(?:.*[\n])*[^\n]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*deny=([0-9]+) 1 /etc/pam.d/password-auth [\n][\s]*account[\s]+required[\s]+pam_faillock\.so[^\n]*[\n][\s]*account[\s]+required[\s]+pam_unix\.so[^\n]*[\n] 1 /etc/pam.d/system-auth [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*even_deny_root[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n] 1 /etc/pam.d/system-auth [\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*(?s).*[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*even_deny_root[^\n]*[\n] 1 /etc/pam.d/password-auth [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*even_deny_root[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n] 1 /etc/pam.d/password-auth [\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*(?s).*[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*even_deny_root[^\n]*[\n] 1 /etc/pam.d/system-auth ^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so.*remember=([0-9]*).*$ 1 /etc/pam.d/system-auth ^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so.*remember=([0-9]*).*$ 1 /etc/libuser.conf 
^[\s]*crypt_style[\s]+=[\s]+(?i)sha512[\s]*$ 1 /etc/login.defs .*\n[^#]*(ENCRYPT_METHOD\s+\w+)\s*\n 1 oval:ssg-variable_last_encrypt_method_instance_value:var:1 /etc/pam.d/system-auth ^[\s]*password[\s]+(?:(?:required)|(?:sufficient))[\s]+pam_unix\.so[\s]+.*sha512.*$ 1 /etc/profile ^[\s]*TMOUT[\s]*=[\s]*(.*)[\s]*$ 1 /etc/profile.d ^.*\.sh$ ^[\s]*TMOUT[\s]*=[\s]*(.*)[\s]*$ 1 /home oval:ssg-state_home_dirs_home_itself:ste:1 oval:ssg-state_home_dirs_wrong_perm:ste:1 /etc/login.defs ^[\s]*(?i)CREATE_HOME(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$ 1 /etc/security/limits.conf ^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins[\s]+(\d+)\s*$ 1 /etc/security/limits.d ^.*\.conf$ ^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins[\s]+(\d+)\s*$ 1 /etc/security/limits.d ^.*\.conf$ ^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins 1 /etc/login.defs ^[\s]*(?i)FAIL_DELAY(?-i)[\s]+([^#\s]*) 1 /etc/profile ^[\s]*(?i)UMASK(?-i)[\s]+([^#\s]*) 1 oval:ssg-var_etc_profile_umask_as_number:var:1 /etc/csh.cshrc ^[\s]*(?i)UMASK(?-i)[\s]+([^#\s]*) 1 oval:ssg-var_etc_csh_cshrc_umask_as_number:var:1 /etc/bashrc ^[\s]*(?i)UMASK(?-i)[\s]+([^#\s]*) 1 oval:ssg-var_etc_bashrc_umask_as_number:var:1 /etc/login.defs ^[\s]*UMASK[\s]+([^#\s]*) 1 oval:ssg-var_etc_login_defs_umask_as_number:var:1 PATH PATH oval:ssg-state_accounts_root_path_dirs_wrong_perms:ste:1 oval:ssg-state_accounts_root_path_dirs_symlink:ste:1 /etc/enterprise_app/app.conf ^[\s]*mode (.*) 1 /var/log/audit oval:ssg-state_owner_not_root_root_var_log_audit:ste:1 /var/log/audit ^.*$ oval:ssg-state_owner_not_root_root_var_log_audit:ste:1 /var/log/audit oval:ssg-state_owner_not_root_var_log_audit-non_root:ste:1 /var/log/audit ^.*$ oval:ssg-state_owner_not_root_var_log_audit-non_root:ste:1 /var/log/audit ^.*$ oval:ssg-state_not_mode_0750:ste:1 /var/log/audit ^.*$ oval:ssg-state_not_mode_0700:ste:1 ^/etc/audit/rules\.d/.*\.rules$ 
^\-a\s+always,exit\s+(\-F\s+arch=b32\s+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000\s+\-F\s+auid!=(?:4294967295|unset)\s+)(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-a\s+always,exit\s+(\-F\s+arch=b64\s+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000\s+\-F\s+auid!=(?:4294967295|unset)\s+)(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 /etc/audit/audit.rules ^\-a\s+always,exit\s+(\-F\s+arch=b32\s+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000\s+\-F\s+auid!=(?:4294967295|unset)\s+)(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 /etc/audit/audit.rules ^\-a\s+always,exit\s+(\-F\s+arch=b64\s+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000\s+\-F\s+auid!=(?:4294967295|unset)\s+)(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-f\s+2\s*$ 1 /etc/audit/audit.rules ^\-f\s+2\s*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w\s+/var/run/utmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w\s+/var/log/btmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w\s+/var/log/wtmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 /etc/audit/audit.rules ^\-w\s+/var/run/utmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 /etc/audit/audit.rules ^\-w\s+/var/log/btmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 /etc/audit/audit.rules ^\-w\s+/var/log/wtmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ 
^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/sysconfig/network[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/sysconfig/network[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-e\s+2\s*$ 1 /etc/audit/audit.rules ^\-e\s+2\s*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 /var/log/audit ^.*$ oval:ssg-state_not_mode_0640:ste:1 /var/log/audit ^.*$ oval:ssg-state_not_mode_0600:ste:1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s+]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ 
^\-w[\s]+/etc/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/security/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/security/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/usr/sbin/modprobe[\s]+\-p[\s]+\b([raw]*x[raw]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 /etc/audit/audit.rules 
^\-w[\s]+/usr/sbin/modprobe[\s]+\-p[\s]+\b([raw]*x[raw]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/usr/sbin/insmod[\s]+\-p[\s]+\b([raw]*x[raw]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/usr/sbin/insmod[\s]+\-p[\s]+\b([raw]*x[raw]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+create_module[\s]+|([\s]+|[,])create_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+create_module[\s]+|([\s]+|[,])create_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+create_module[\s]+|([\s]+|[,])create_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+create_module[\s]+|([\s]+|[,])create_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/usr/sbin/rmmod[\s]+\-p[\s]+\b([raw]*x[raw]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/usr/sbin/rmmod[\s]+\-p[\s]+\b([raw]*x[raw]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+stime[\s]+|([\s]+|[,])stime([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+stime[\s]+|([\s]+|[,])stime([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$ 1 /etc/audit/audit.rules 
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-w[\s]+\/etc\/localtime[\s]+-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/etc\/localtime[\s]+-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 / [a-z]+ oval:ssg-state_setuid_or_setgid_set:ste:1 oval:ssg-state_dev_proc_sys_dirs:ste:1 oval:ssg-variable_count_of_suid_sgid_binaries_on_system:var:1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a 
always,exit (?:-F path=([\S]+) )+-F perm=[r|w]?x -F auid>=1000 -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 oval:ssg-state_proper_audit_rule_but_for_unprivileged_command:ste:1 /etc/audit/audit.rules ^[\s]*-a always,exit (?:-F path=([\S]+) )+-F perm=[r|w]?x -F auid>=1000 -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 oval:ssg-state_proper_audit_rule_but_for_unprivileged_command:ste:1 /etc/audit/auditd.conf ^[ ]*flush[ ]+=[ ]+(\S+)[ ]*$ 1 /etc/audit/auditd.conf ^[ ]*disk_error_action[ ]+=[ ]+(\S+)[ ]*$ 1 /etc/audisp/audisp-remote.conf ^[ ]*remote_server[ ]+=[ ]+(\S+)[ ]*$ 1 /etc/audisp/audisp-remote.conf ^[ ]*enable_krb5[ ]+=[ ]+yes[ ]*$ 1 /etc/audit/auditd.conf ^[ ]*action_mail_acct[ ]+=[ ]+(\S+)[ ]*$ 1 /etc/audit/auditd.conf ^[ ]*num_logs[ ]+=[ ]+(\d+)[ ]*$ 1 /etc/audit/auditd.conf ^[ ]*disk_full_action[ ]+=[ ]+(\S+)[ ]*$ 1 /etc/audit/auditd.conf ^[ ]*space_left_action[ ]+=[ ]+(\S+)[ ]*$ 1 /etc/audisp/plugins.d/syslog.conf ^[ ]*active[ ]+=[ ]+yes[ ]*$ 1 /etc/audit/auditd.conf ^[ ]*admin_space_left_action[ ]+=[ ]+(\S+)[ ]*$ 1 /etc/audit/auditd.conf ^[ ]*max_log_file_action[ ]+=[ ]+(\S+)[ ]*$ 1 /etc/audit/auditd.conf ^[ ]*max_log_file[ ]+=[ ]+(\d+)[ ]*$ 1 /etc/audit/auditd.conf ^[\s]*space_left[\s]+=[\s]+(\d+)[\s]*$ 1 ^.*$ oval:ssg-state_promisc:ste:1 /etc/sysconfig/network-scripts ifcfg-.* ^[\s]*DHCP_HOSTNAME[\s]*=.*$ 1 ^/etc/dhclient.*\.conf$ ^[\s]*send[\s]+host-name.*$ 1 /etc/dhcp ^.*$ ^[\s]*send[\s]+host-name.*$ 1 /etc/resolv.conf ^[\s]*nameserver[\s]+([0-9\.]+)$ 1 /etc/sysconfig/network ^[\s]*NOZEROCONF[\s]*=[\s]*yes 1 /etc/firewalld/firewalld.conf ^DefaultZone=drop$ 1 /etc/netconfig ^udp6\s+tpi_clts\s+v\s+inet6\s+udp\s+-\s+-$ 1 /etc/netconfig ^tcp6\s+tpi_cots_ord\s+v\s+inet6\s+tcp\s+-\s+-$ 1 /etc/modprobe.d ^.*\.conf$ ^\s*options\s+ipv6\s+.*disable=1.*$ 1 /etc/sysconfig/network-scripts ifcfg-.* ^IPV6ADDR=.+$ 1 /etc/sysconfig/network-scripts ifcfg-.* ^IPV6_PRIVACY=rfc3041$ 1 /etc/sysconfig/network-scripts 
ifcfg-.* ^IPV6_DEFAULTGW=.+$ 1 /proc/net/wireless ^\s*[-\w]+: 1 /etc/logrotate.conf (?:daily)*.*(?=[\n][\s]*daily)(.*)$ 1 oval:ssg-state_another_rotate_interval_after_daily:ste:1 /etc/cron.daily/logrotate ^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$ 1 /etc/rsyslog.conf ^[\s]*\$(?:Input(?:TCP|RELP)|UDP)ServerRun 1 /etc/rsyslog.conf ^\*\.\*[\s]+(?:@|\:omrelp\:) 1 /etc/rsyslog.d .* ^\*\.\*[\s]+(?:@|\:omrelp\:) 1 /etc/rsyslog.conf ^\$IncludeConfig[\s]+([^\s;]+) 1 ^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$ 1 /etc/rsyslog.conf ^[\s]*cron\.\*[\s]+/var/log/cron$ 1 /etc/rsyslog.d ^.*$ ^[\s]*cron\.\*[\s]+/var/log/cron$ 1 /etc/rsyslog.conf ^\$IncludeConfig[\s]+([^\s;]+) 1 ^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$ 1 /etc/rsyslog.conf ^\$IncludeConfig[\s]+([^\s;]+) 1 ^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$ 1 /etc/logwatch/conf/logwatch.conf ^[\s]HostLimit[\s]*=[\s]*no[\s]*$ 1 /etc/logwatch/conf/logwatch.conf ^[\s]SplitHosts[\s]*=[\s]*yes[\s]*$ 1 /etc/systemd/system/default.target /etc/cups/cupsd.conf ^[\s]*Browsing[\s]+(?:Off|No) 1 /etc/cups/cupsd.conf ^[\s]*BrowseAllow[\s]+(?:none) 1 /etc/cups/cupsd.conf ^[\s]*Port[\s]+(\d)+ 1 /etc/cups/cupsd.conf ^[\s]*Listen[\s]+(?:localhost|127\.0\.0\.1|::1):(\d)+ 1 /etc/httpd/conf.modules.d/ ^.*$ /var/log/httpd /etc/httpd/conf ^.*$ /etc/httpd/conf /etc/httpd/conf.d/ ^.*$ /etc/fstab ^[\s]*[\S]+[\s]+[\S]+[\s]+cifs[\s]+([\S]+) 1 /etc/mtab ^[\s]*[\S]+[\s]+[\S]+[\s]+cifs[\s]+([\S]+) 1 /etc/samba/smb.conf ^[\s]*client[\s]+signing[\s]*=[\s]*mandatory 1 /etc/firewalld/services ^.*\.xml$ /service/service[@name='ssh'] /etc/firewalld/services ^.*\.xml$ /service/port[@port='22'] /etc/firewalld/zones ^.*\.xml$ /zone/service[@name='ssh'] /etc/firewalld/zones ^.*\.xml$ /zone/port[@port='22'] /etc/ssh/sshd_config ^[\s]*(?i)PermitEmptyPasswords(?-i)[\s]+no[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)IgnoreRhosts(?-i)[\s]+no[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config 
^[\s]*(?i)Ciphers(?-i)[\s]+((aes128-ctr|aes192-ctr|aes256-ctr|aes128-cbc|aes192-cbc|aes256-cbc|3des-cbc|rijndael-cbc@lysator\.liu\.se),?)+[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)KerberosAuthentication(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)PermitRootLogin(?-i)[\s]+no[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)Compression(?-i)[\s]+(no|delayed)[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)PermitUserEnvironment(?-i)[\s]+no[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)MaxAuthTries[\s]+(\d+)[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)RhostsRSAAuthentication(?-i)[\s]+no[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)Protocol[\s]+2[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)IgnoreUserKnownHosts(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)StrictModes(?-i)[\s]+no[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)HostbasedAuthentication(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$ 1 oval:ssg-var_sshd_config_macs:var:1 /etc/ssh/sshd_config ^[\s]*(?i)MACs(?-i)[\s]+([\w,-@]+)+[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)GSSAPIAuthentication(?-i)[\s]+no[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)X11Forwarding(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$ 1 /etc/firewalld/services ^.*\.xml$ /service/service[@name='ssh'] /etc/firewalld/services ^.*\.xml$ <port.*port="(\d+)" 1 /etc/firewalld/zones ^.*\.xml$ /zone/service[@name='ssh'] /etc/firewalld/zones ^.*\.xml$ <port.*port="(\d+)" 1 /etc/firewalld/zones /zone/service[@name='ssh'] /etc/sysconfig/network-scripts ifcfg-.* ^ZONE=(.*)$ 1 /etc/ssh/sshd_config ^[\s]*(?i)UsePrivilegeSeparation(?-i)[\s]+sandbox[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)PrintLastLog(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)MACs(?-i)[\s]+((hmac-sha2-512-etm@openssh\.com|hmac-sha2-256-etm@openssh\.com|umac-128-etm@openssh\.com|hmac-sha2-512|hmac-sha2-256|hmac-ripemd160),?)+[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 
^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 
^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/restorecon[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/restorecon[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/semanage[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/semanage[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setfiles[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setfiles[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setsebool[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules 
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setsebool[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/seunshare[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/seunshare[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w\s+\/var\/run\/faillock\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 /etc/audit/audit.rules ^\-w\s+\/var\/run\/faillock\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w\s+\/var\/log\/lastlog\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 
/etc/audit/audit.rules ^\-w\s+\/var\/log\/lastlog\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w\s+\/var\/log\/tallylog\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 /etc/audit/audit.rules ^\-w\s+\/var\/log\/tallylog\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/at[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/at[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chage[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chage[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chsh[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chsh[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/crontab[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/crontab[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ 
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/gpasswd[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/gpasswd[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/mount[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/mount[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgidmap[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgidmap[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgrp[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgrp[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newuidmap[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules 
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newuidmap[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/pam_timestamp_check[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/pam_timestamp_check[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/passwd[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/passwd[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postdrop[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postdrop[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postqueue[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postqueue[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ 
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/pt_chown[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/pt_chown[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/openssh\/ssh-keysign[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/openssh\/ssh-keysign[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/su[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/su[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudo[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudo[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudoedit[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules 
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudoedit[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/umount[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/umount[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/unix_chkpwd[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/unix_chkpwd[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/userhelper[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/userhelper[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/usernetctl[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/usernetctl[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 
^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 
^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 
/etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+\/etc\/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+\/etc\/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+\/etc\/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+\/etc\/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+\/etc\/security\/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+\/etc\/security\/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+\/etc\/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+\/etc\/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+\/etc\/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+\/etc\/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 /etc/default/grub ^\s*GRUB_CMDLINE_LINUX="(.*)"$ 1 /etc/default/grub ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$ 1 /etc/default/grub ^\s*GRUB_CMDLINE_LINUX="(.*)"$ 1 /etc/default/grub ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$ 1 /etc/default/grub ^\s*GRUB_CMDLINE_LINUX="(.*)"$ 1 
/etc/default/grub ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$ 1 /etc/default/grub ^\s*GRUB_CMDLINE_LINUX="(.*)"$ 1 /etc/default/grub ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$ 1 /etc/default/grub ^\s*GRUB_CMDLINE_LINUX="(.*)"$ 1 /etc/default/grub ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$ 1 /etc/fstab ^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.*)$ 0 /etc/fstab ^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+.*$ 0 /etc/fstab 1 ^.*$ oval:ssg-state_nodev_runtime_cd_dvd_drive:ste:1 /etc/fstab 1 ^.*$ oval:ssg-state_nodev_runtime_not_cd_dvd_drive:ste:1 /etc/fstab ^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.*)$ 0 /etc/fstab ^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+.*$ 0 /etc/fstab 1 ^.*$ oval:ssg-state_noexec_runtime_cd_dvd_drive:ste:1 /etc/fstab 1 ^.*$ oval:ssg-state_noexec_runtime_not_cd_dvd_drive:ste:1 /etc/fstab ^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.*)$ 0 /etc/fstab ^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+.*$ 0 /etc/fstab 1 ^.*$ oval:ssg-state_nosuid_runtime_cd_dvd_drive:ste:1 /etc/fstab 1 ^.*$ oval:ssg-state_nosuid_runtime_not_cd_dvd_drive:ste:1 nss-pam-ldapd samba-common service-db:keyfile/user fail fail fail fail ^.*xattrs.*$ ^.*sha512.*$ ^.*acl.*$ ^.*fips=1.*$ 4ae0493b fd431d51 45700c69 2fa658e0 53a7ff4b f4a80eb5 4e0fd3a3 c105b9de ^.*iommu=force.*$ false false false false false false initrc_t device_t ^.*nousb.*$ 1 0 0 0 ^/dev/.*$ nodev 1000 true true true regular true ^/selinux/(?:(?:member)|(?:user)|(?:relabel)|(?:create)|(?:access)|(?:context))$ ^/proc/.*$ ^/sys/.*$ false true 0 false false false false false false false false false false true true symbolic link 0 true true symbolic link 0 /etc/systemd/system/ctrl-alt-del.target /dev/null ^.*ocsp_on.*$ -1 x|\* 0 0 0 SHA512 /home true true true true true true true ^[:\.] :: \.\. 
[:\.]$ ^[^/] [^\\]:[^/] true true symbolic link travel 0 0 0 0 true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true ^\/(dev|proc|sys)\/.*$ PROMISC }[^{]+[\n][\s]*(weekly|monthly|yearly)|[\n][\s]*(weekly|monthly|yearly)[^}]+{ regular 0 regular 0 regular false false false false false false false /etc/systemd/system/default.target ^/lib/systemd/system/multi-user.target$ false false false false false false false false false false false false false false false false false false false false false false false false false false false false false false false false false false false false false false false false false false false 2 sec=(krb5i|ntlmv2i) 0 0 ^.*,sec=krb5\:krb5i\:krb5p.*$ ^.*sec=krb5:krb5i:krb5p.*$ 0 0 ^(static|none)$ devicemapper maxpoll \d+ 0 0 0 0 0 0 0 0 0 0 0 0 false false false true true false true false false true false false false false false true true false true false false true false false false false false false false false false false false false false false false false false true true false true false false true false false false false false false false false false false false false false false false false false true true false false false false false false false false false false true true false true false false false false false false false false true true false true false false false false false false false false true true false true false false true false false nodev noexec nosuid nodev nosuid nodev noexec nosuid nodev noexec nosuid SELinux abrt_anon_write abrt_handle_event abrt_upload_watch_anon_write antivirus_can_scan_system antivirus_use_jit auditadm_exec_content authlogin_nsswitch_use_ldap authlogin_radius authlogin_yubikey awstats_purge_apache_log_files boinc_execmem cdrecord_read_content cluster_can_network_connect cluster_manage_all_files cluster_use_execmem cobbler_anon_write 
cobbler_can_network_connect cobbler_use_cifs cobbler_use_nfs collectd_tcp_network_connect condor_tcp_network_connect conman_can_network container_connect_any cron_can_relabel cron_system_cronjob_use_shares cron_userdomain_transition cups_execmem cvs_read_shadow daemons_dump_core daemons_enable_cluster_mode daemons_use_tcp_wrapper daemons_use_tty dbadm_exec_content dbadm_manage_user_files dbadm_read_user_files deny_execmem deny_ptrace dhcpc_exec_iptables dhcpd_use_ldap domain_fd_use domain_kernel_load_modules entropyd_use_audio exim_can_connect_db exim_manage_user_files exim_read_user_files fcron_crond fenced_can_network_connect fenced_can_ssh fips_mode ftpd_anon_write ftpd_connect_all_unreserved ftpd_connect_db ftpd_full_access ftpd_use_cifs ftpd_use_fusefs ftpd_use_nfs ftpd_use_passive_mode git_cgi_enable_homedirs git_cgi_use_cifs git_cgi_use_nfs git_session_bind_all_unreserved_ports git_session_users git_system_enable_homedirs git_system_use_cifs git_system_use_nfs gitosis_can_sendmail glance_api_can_network glance_use_execmem glance_use_fusefs global_ssp gluster_anon_write gluster_export_all_ro gluster_export_all_rw gpg_web_anon_write gssd_read_tmp guest_exec_content haproxy_connect_any httpd_anon_write httpd_builtin_scripting httpd_can_check_spam httpd_can_connect_ftp httpd_can_connect_ldap httpd_can_connect_mythtv httpd_can_connect_zabbix httpd_can_network_connect httpd_can_network_connect_cobbler httpd_can_network_connect_db httpd_can_network_memcache httpd_can_network_relay httpd_can_sendmail httpd_dbus_avahi httpd_dbus_sssd httpd_dontaudit_search_dirs httpd_enable_cgi httpd_enable_ftp_server httpd_enable_homedirs httpd_execmem httpd_graceful_shutdown httpd_manage_ipa httpd_mod_auth_ntlm_winbind httpd_mod_auth_pam httpd_read_user_content httpd_run_ipa httpd_run_preupgrade httpd_run_stickshift httpd_serve_cobbler_files httpd_setrlimit httpd_ssi_exec httpd_sys_script_anon_write httpd_tmp_exec httpd_tty_comm httpd_unified httpd_use_cifs httpd_use_fusefs 
httpd_use_gpg httpd_use_nfs httpd_use_openstack httpd_use_sasl httpd_verify_dns icecast_use_any_tcp_ports irc_use_any_tcp_ports irssi_use_full_network kdumpgui_run_bootloader kerberos_enabled ksmtuned_use_cifs ksmtuned_use_nfs logadm_exec_content logging_syslogd_can_sendmail logging_syslogd_run_nagios_plugins logging_syslogd_use_tty login_console_enabled logrotate_use_nfs logwatch_can_network_connect_mail lsmd_plugin_connect_any mailman_use_fusefs mcelog_client mcelog_exec_scripts mcelog_foreground mcelog_server minidlna_read_generic_user_content mmap_low_allowed mock_enable_homedirs mount_anyfile mozilla_plugin_bind_unreserved_ports mozilla_plugin_can_network_connect mozilla_plugin_use_bluejeans mozilla_plugin_use_gps mozilla_plugin_use_spice mozilla_read_content mpd_enable_homedirs mpd_use_cifs mpd_use_nfs mplayer_execstack mysql_connect_any nagios_run_pnp4nagios nagios_run_sudo named_tcp_bind_http_port named_write_master_zones neutron_can_network nfs_export_all_ro nfs_export_all_rw nfsd_anon_write nis_enabled nscd_use_shm openshift_use_nfs openvpn_can_network_connect openvpn_enable_homedirs openvpn_run_unconfined pcp_bind_all_unreserved_ports pcp_read_generic_logs piranha_lvs_can_network_connect polipo_connect_all_unreserved polipo_session_bind_all_unreserved_ports polipo_session_users polipo_use_cifs polipo_use_nfs polyinstantiation_enabled postfix_local_write_mail_spool postgresql_can_rsync postgresql_selinux_transmit_client_label postgresql_selinux_unconfined_dbadm postgresql_selinux_users_ddl pppd_can_insmod pppd_for_user privoxy_connect_any prosody_bind_http_port puppetagent_manage_all_files puppetmaster_use_db racoon_read_shadow rsync_anon_write rsync_client rsync_export_all_ro rsync_full_access samba_create_home_dirs samba_domain_controller samba_enable_home_dirs samba_export_all_ro samba_export_all_rw samba_load_libgfapi samba_portmapper samba_run_unconfined samba_share_fusefs samba_share_nfs sanlock_use_fusefs sanlock_use_nfs sanlock_use_samba 
saslauthd_read_shadow secadm_exec_content secure_mode secure_mode_insmod secure_mode_policyload selinuxuser_direct_dri_enabled selinuxuser_execheap selinuxuser_execmod selinuxuser_execstack selinuxuser_mysql_connect_enabled selinuxuser_ping selinuxuser_postgresql_connect_enabled selinuxuser_rw_noexattrfile selinuxuser_share_music selinuxuser_tcp_server selinuxuser_udp_server selinuxuser_use_ssh_chroot sge_domain_can_network_connect sge_use_nfs smartmon_3ware smbd_anon_write spamassassin_can_network spamd_enable_home_dirs squid_connect_any squid_use_tproxy ssh_chroot_rw_homedirs ssh_keysign ssh_sysadm_login staff_exec_content staff_use_svirt swift_can_network sysadm_exec_content telepathy_connect_all_ports telepathy_tcp_connect_generic_network_ports tftp_anon_write tftp_home_dir tmpreaper_use_nfs tmpreaper_use_samba tor_bind_all_unreserved_ports tor_can_network_relay unconfined_chrome_sandbox_transition unconfined_login unconfined_mozilla_plugin_transition unprivuser_use_svirt use_ecryptfs_home_dirs use_fusefs_home_dirs use_lpd_server use_nfs_home_dirs use_samba_home_dirs user_exec_content varnishd_connect_any virt_read_qemu_ga_data virt_rw_qemu_ga_data virt_sandbox_use_all_caps virt_sandbox_use_audit virt_sandbox_use_mknod virt_sandbox_use_netlink virt_sandbox_use_sys_admin virt_transition_userdomain virt_use_comm virt_use_execmem virt_use_fusefs virt_use_nfs virt_use_rawip virt_use_samba virt_use_sanlock virt_use_usb virt_use_xserver webadm_manage_user_files webadm_read_user_files wine_mmap_zero_ignore xdm_bind_vnc_tcp_port xdm_exec_bootloader xdm_sysadm_login xdm_write_home xen_use_nfs xend_run_blktap xend_run_qemu xguest_connect_network xguest_exec_content xguest_mount_media xguest_use_bluetooth xserver_clients_write_xshm xserver_execmem xserver_object_manager zabbix_can_network zarafa_setrlimit zebra_write_config zoneminder_anon_write zoneminder_run_sudo abrtd.service abrtd.socket inactive acpid.service acpid.socket inactive atd.service atd.socket inactive 
auditd.service auditd.socket active autofs.service autofs.socket inactive avahi-daemon.service avahi-daemon.socket inactive bluetooth.service bluetooth.socket inactive certmonger.service certmonger.socket inactive cgconfig.service cgconfig.socket inactive cgred.service cgred.socket inactive chronyd.service chronyd.socket active cpupower.service cpupower.socket inactive crond.service crond.socket active cups.service cups.socket inactive debug-shell.service debug-shell.socket inactive dhcpd.service dhcpd.socket inactive docker.service docker.socket active dovecot.service dovecot.socket inactive firewalld.service firewalld.socket active httpd.service httpd.socket inactive irqbalance.service irqbalance.socket active kdump.service kdump.socket inactive mdmonitor.service mdmonitor.socket inactive messagebus.service messagebus.socket inactive nails.service nails.socket active named.service named.socket inactive netconsole.service netconsole.socket inactive nfs.service nfs.socket inactive nfslock.service nfslock.socket inactive ntpd.service ntpd.socket inactive ntpd.service ntpd.socket active ntpdate.service ntpdate.socket inactive oddjobd.service oddjobd.socket inactive pcscd.service pcscd.socket active portreserve.service portreserve.socket inactive postfix.service postfix.socket active psacct.service psacct.socket active qpidd.service qpidd.socket inactive quota_nld.service quota_nld.socket inactive rdisc.service rdisc.socket inactive rexec.service rexec.socket inactive rhnsd.service rhnsd.socket inactive rhsmcertd.service rhsmcertd.socket inactive rlogin.service rlogin.socket inactive rpcbind.service rpcbind.socket inactive rpcgssd.service rpcgssd.socket inactive rpcidmapd.service rpcidmapd.socket inactive rpcsvcgssd.service rpcsvcgssd.socket inactive rsh.service rsh.socket inactive rsyslog.service rsyslog.socket active saslauthd.service saslauthd.socket inactive smartd.service smartd.socket inactive smb.service smb.socket inactive snmpd.service snmpd.socket inactive 
squid.service squid.socket inactive sshd.service sshd.socket inactive sshd.service sshd.socket active sssd.service sssd.socket inactive sssd.service sssd.socket active sysstat.service sysstat.socket inactive telnet.service telnet.socket inactive tftp.service tftp.socket inactive vsftpd.service vsftpd.socket inactive xinetd.service xinetd.socket inactive ypbind.service ypbind.socket inactive zebra.service zebra.socket inactive 0 1 1 1 2 1 0 0 0 1 ^true|"true"$ ^6.*$ ^7.*$ ^8.*$ ^6Server$ ^7.*$ ^8.*$ openSUSE-release ^15.*$ ^42.*$ unix ^6.*$ ^6.*$ ^6.*$ ^6.*$ unix ^7.*$ ^7.*$ ^7.*$ ^7.*$ 7 unix ^8.*$ ^4.*$ 7 ^6.*$ ^7.*$ ^8.*$ unix ^11.*$ ^11.*$ unix ^12.*$ ^12.*$ unix ^3.*$ ^3.*$ ^3.*$ ^13.*$ ^4.*$ 1 2 0 0:7.4 0:7.4 aarch64 ppc64 ppc64le i686 x86_64 /dev/cdrom ^.*audit=1.*$ ^.*audit_backlog_limit=8192.*$ ^.*page_poison=1.*$ ^.*slub_debug=P.*$ ^.*vsyscall=none.*$ ^.*nodev.*$ ^.*,?nodev,?.*$ nodev ^.*,?nodev,?.* nodev ^.*noexec.*$ ^.*,?noexec,?.*$ noexec ^.*,?noexec,?.* noexec ^.*nosuid.*$ ^.*,?nosuid,?.*$ nosuid ^.*,?nosuid,?.* nosuid / / 64 8 /usr/bin/cgclassify /usr/bin/cgexec /usr/sbin/netreport /usr/lib/vte-2.90/gnome-pty-helper /usr/lib/vte-2.91/gnome-pty-helper /usr/lib64/vte/gnome-pty-helper /usr/lib64/vte-2.90/gnome-pty-helper /usr/lib64/vte-2.91/gnome-pty-helper /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache /usr/libexec/openssh/ssh-keysign /usr/bin/crontab /usr/bin/gnomine /usr/bin/iagno /usr/bin/locate /usr/bin/lockfile /usr/bin/same-gnome /usr/bin/screen /usr/bin/ssh-agent /usr/bin/wall /usr/bin/write /usr/lib/vte/gnome-pty-helper /usr/libexec/kde4/kdesud /usr/libexec/utempter/utempter /usr/lib/mailman/cgi-bin/admindb /usr/lib/mailman/cgi-bin/admin /usr/lib/mailman/cgi-bin/confirm /usr/lib/mailman/cgi-bin/create /usr/lib/mailman/cgi-bin/edithtml /usr/lib/mailman/cgi-bin/listinfo /usr/lib/mailman/cgi-bin/options /usr/lib/mailman/cgi-bin/private /usr/lib/mailman/cgi-bin/rmlist /usr/lib/mailman/cgi-bin/roster /usr/lib/mailman/cgi-bin/subscribe 
/usr/lib/mailman/mail/mailman /usr/sbin/lockdev /usr/sbin/postdrop /usr/sbin/postqueue /usr/sbin/sendmail.sendmail /usr/bin/abrt-action-install-debuginfo-to-abrt-cache /usr/bin/at /usr/bin/chage /usr/bin/chfn /usr/bin/chsh /usr/bin/crontab /usr/bin/fusermount /usr/bin/gpasswd /usr/bin/ksu /usr/bin/mount /usr/bin/newgrp /usr/bin/passwd /usr/bin/pkexec /usr/bin/staprun /usr/bin/sudoedit /usr/bin/sudo /usr/bin/su /usr/bin/umount /usr/bin/Xorg /usr/lib64/amanda/application/amgtar /usr/lib64/amanda/application/amstar /usr/lib64/amanda/calcsize /usr/lib64/amanda/dumper /usr/lib64/amanda/killpgrp /usr/lib64/amanda/planner /usr/lib64/amanda/rundump /usr/lib64/amanda/runtar /usr/lib64/dbus-1/dbus-daemon-launch-helper /usr/lib/amanda/application/amgtar /usr/lib/amanda/application/amstar /usr/lib/amanda/calcsize /usr/lib/amanda/dumper /usr/lib/amanda/killpgrp /usr/lib/amanda/planner /usr/lib/amanda/rundump /usr/lib/amanda/runtar /usr/lib/dbus-1/dbus-daemon-launch-helper /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache /usr/libexec/cockpit-session /usr/libexec/dbus-1/dbus-daemon-launch-helper /usr/libexec/kde4/kpac_dhcp_helper /usr/libexec/qemu-bridge-helper /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper /usr/libexec/sssd/krb5_child /usr/libexec/sssd/ldap_child /usr/libexec/sssd/proxy_child /usr/libexec/sssd/selinux_child /usr/lib/polkit-1/polkit-agent-helper-1 /usr/sbin/amcheck /usr/sbin/amservice /usr/sbin/mount.nfs /usr/sbin/pam_timestamp_check /usr/sbin/unix_chkpwd /usr/sbin/userhelper /usr/sbin/usernetctl \nauth[\s]+required[\s]+pam_env.so \nauth[\s]+\[success=1[\s]default=ignore\][\s]pam_succeed_if.so[\s]service[\s]notin[\s] login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver[\s]quiet[\s]use_uid \nauth[\s]+\[success=done[\s]authinfo_unavail=ignore[\s]ignore=ignore[\s]default=die\][\s] pam_pkcs11.so[\s]nodebug\n \nauth[\s]+required[\s]+pam_env.so \nauth[\s]+\[success=1[\s]default=ignore\][\s]pam_succeed_if.so[\s]service[\s]notin[\s] 
login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver[\s]quiet[\s]use_uid \nauth[\s]+\[success=done[\s]ignore=ignore[\s]default=die\][\s] pam_pkcs11.so[\s]nodebug[\s]wait_for_card\n \nauth[\s]+required[\s]+pam_env.so \nauth[\s]+\[success=done[\s]ignore=ignore[\s]default=die\][\s] pam_pkcs11.so[\s]nodebug[\s]wait_for_card\n.* \npassword[\s]+required[\s]+pam_pkcs11.so\n -1 -1 -1 -1 -1 pam_unix(?:.*[\n](?:.*[\n]){ })(?:.*[\n])*auth.*pam_faillock.so[\s]+[^\n]*deny=([0-9]+) pam_unix(?:.*[\n](?:.*[\n]){ })(?:.*[\n])*auth.*pam_faillock.so[\s]+[^\n]*deny=([0-9]+) 64 8 64 8 64 8 64 8 ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+dir=/var/log/audit/)[\s]+(?:-F[\s]+perm=r)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ %^/etc/rsyslog.conf$ %^/etc/rsyslog.conf$ %^/etc/rsyslog.conf$ .xml /etc/sysconfig/docker-storage /usr/lib/docker-storage-setup/docker-storage-setup /dev/cdrom /dev/dvd /dev/scd0 /dev/sr0 64 8 64 8 ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(open)(?:|(?:,[\S]+)+))[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(open)(?:|(?:,[\S]+)+))[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(open_by_handle_at)(?:|(?:,[\S]+)+))[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(open_by_handle_at)(?:|(?:,[\S]+)+))[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(openat)(?:|(?:,[\S]+)+))[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(openat)(?:|(?:,[\S]+)+))[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(open)(?:|(?:,[\S]+)+))[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(open)(?:|(?:,[\S]+)+))[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(open_by_handle_at)(?:|(?:,[\S]+)+))[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(open_by_handle_at)(?:|(?:,[\S]+)+))[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 
xccdf-create-ocil.xslt from SCAP Security Guide ssg: 0.1.43 2.0 2019-06-12T12:11:03-04:00

Uninstall rsh Package ocil:ssg-package_rsh_removed_action:testaction:1
Disable rlogin Service ocil:ssg-service_rlogin_disabled_action:testaction:1
Disable rexec Service ocil:ssg-service_rexec_disabled_action:testaction:1
Remove Host-Based Authentication Files ocil:ssg-no_host_based_files_action:testaction:1
Disable rsh Service ocil:ssg-service_rsh_disabled_action:testaction:1
Remove User Host-Based Authentication Files ocil:ssg-no_user_host_based_files_action:testaction:1
Uninstall rsh-server Package ocil:ssg-package_rsh-server_removed_action:testaction:1
Remove Rsh Trust Files ocil:ssg-no_rsh_trust_files_action:testaction:1
Remove telnet Clients ocil:ssg-package_telnet_removed_action:testaction:1
Disable telnet Service ocil:ssg-service_telnet_disabled_action:testaction:1
Uninstall telnet-server Package ocil:ssg-package_telnet-server_removed_action:testaction:1
Remove NIS Client ocil:ssg-package_ypbind_removed_action:testaction:1
Disable ypbind Service ocil:ssg-service_ypbind_disabled_action:testaction:1
Uninstall ypserv Package ocil:ssg-package_ypserv_removed_action:testaction:1
Disable tftp Service ocil:ssg-service_tftp_disabled_action:testaction:1
Remove tftp Daemon ocil:ssg-package_tftp_removed_action:testaction:1
Uninstall tftp-server Package ocil:ssg-package_tftp-server_removed_action:testaction:1
Ensure tftp Daemon Uses Secure Mode ocil:ssg-tftpd_uses_secure_mode_action:testaction:1
Install tcp_wrappers Package ocil:ssg-package_tcp_wrappers_installed_action:testaction:1
Disable xinetd Service ocil:ssg-service_xinetd_disabled_action:testaction:1
Uninstall xinetd Package ocil:ssg-package_xinetd_removed_action:testaction:1
Uninstall talk Package ocil:ssg-package_talk_removed_action:testaction:1
Uninstall talk-server Package ocil:ssg-package_talk-server_removed_action:testaction:1
Create Warning Banners for All FTP Users ocil:ssg-ftp_present_banner_action:testaction:1
Enable Logging of All FTP Transactions ocil:ssg-ftp_log_transactions_action:testaction:1
Disable vsftpd Service ocil:ssg-service_vsftpd_disabled_action:testaction:1
Uninstall vsftpd Package ocil:ssg-package_vsftpd_removed_action:testaction:1
Configure SNMP Service to Use Only SNMPv3 or Newer ocil:ssg-snmpd_use_newer_protocol_action:testaction:1
Ensure Default SNMP Password Is Not Used ocil:ssg-snmpd_not_default_password_action:testaction:1
Uninstall net-snmp Package ocil:ssg-package_net-snmp_removed_action:testaction:1
Disable snmpd Service ocil:ssg-service_snmpd_disabled_action:testaction:1
Verify Group Who Owns /etc/cron.allow file ocil:ssg-file_groupowner_cron_allow_action:testaction:1
Verify User Who Owns /etc/cron.allow file ocil:ssg-file_owner_cron_allow_action:testaction:1
Disable anacron Service ocil:ssg-disable_anacron_action:testaction:1
Enable cron Service ocil:ssg-service_crond_enabled_action:testaction:1
Disable At Service (atd) ocil:ssg-service_atd_disabled_action:testaction:1
Enable cron Service ocil:ssg-service_cron_enabled_action:testaction:1
Disable X Windows Startup By Setting Default Target ocil:ssg-xwindows_runlevel_target_action:testaction:1
Remove the X Windows Package Group ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1
Uninstall quagga Package ocil:ssg-package_quagga_removed_action:testaction:1
Disable Quagga Service ocil:ssg-service_zebra_disabled_action:testaction:1
Disable named Service ocil:ssg-service_named_disabled_action:testaction:1
Uninstall bind Package ocil:ssg-package_bind_removed_action:testaction:1
Uninstall openldap-servers Package ocil:ssg-package_openldap-servers_removed_action:testaction:1
Enable the LDAP Client For Use in Authconfig ocil:ssg-enable_ldap_client_action:testaction:1
Configure Certificate Directives for LDAP Use of TLS ocil:ssg-ldap_client_tls_cacertpath_action:testaction:1
Configure LDAP Client to Use TLS For All Transactions ocil:ssg-ldap_client_start_tls_action:testaction:1
Disable DHCP Client in ifcfg ocil:ssg-sysconfig_networking_bootproto_ifcfg_action:testaction:1
Uninstall DHCP Server Package ocil:ssg-package_dhcp_removed_action:testaction:1
Disable DHCP Service ocil:ssg-service_dhcpd_disabled_action:testaction:1
Disable Samba ocil:ssg-service_smb_disabled_action:testaction:1
Uninstall Samba Package ocil:ssg-package_samba_removed_action:testaction:1
Install the Samba Common Package ocil:ssg-package_samba-common_installed_action:testaction:1
Require Client SMB Packet Signing, if using smbclient ocil:ssg-require_smb_client_signing_action:testaction:1
Require Client SMB Packet Signing, if using mount.cifs ocil:ssg-mount_option_smb_client_signing_action:testaction:1
Disable httpd Service ocil:ssg-service_httpd_disabled_action:testaction:1
Uninstall httpd Package ocil:ssg-package_httpd_removed_action:testaction:1
HTTPD Log Files Must Be Owned By Root ocil:ssg-http_configure_log_file_ownership_action:testaction:1
Set Permissions on the /var/log/httpd/ Directory ocil:ssg-dir_perms_var_log_httpd_action:testaction:1
Set Permissions on All Configuration Files Inside /etc/httpd/conf.modules.d/ ocil:ssg-file_permissions_httpd_server_modules_files_action:testaction:1
Set Permissions on the /etc/httpd/conf/ Directory ocil:ssg-dir_perms_etc_httpd_conf_action:testaction:1
Set Permissions on All Configuration Files Inside /etc/httpd/conf.d/ ocil:ssg-file_permissions_httpd_server_conf_d_files_action:testaction:1
Set Permissions on All Configuration Files Inside /etc/httpd/conf/ ocil:ssg-file_permissions_httpd_server_conf_files_action:testaction:1
Ensure Remote Administrative Access Is Encrypted ocil:ssg-httpd_configure_remote_session_encryption_action:testaction:1
Scan All Uploaded Content for Malicious Software ocil:ssg-httpd_antivirus_scan_uploads_action:testaction:1
Configure firewall to Allow Access to the Web Server ocil:ssg-httpd_configure_firewall_action:testaction:1
Enable Transport Layer Security (TLS) Encryption ocil:ssg-httpd_configure_tls_action:testaction:1
Require Client Certificates ocil:ssg-httpd_require_client_certs_action:testaction:1
Configure A Valid Server Certificate ocil:ssg-httpd_configure_valid_server_cert_action:testaction:1
Ignore HTTPD .htaccess Files ocil:ssg-httpd_ignore_htaccess_files_action:testaction:1
Disable Anonymous FTP Access ocil:ssg-httpd_disable_anonymous_ftp_access_action:testaction:1
Remove Write Permissions From Filesystem Paths And Server Scripts ocil:ssg-httpd_configure_script_permissions_action:testaction:1
Web Content Directories Must Not Be Shared Anonymously ocil:ssg-httpd_anonymous_content_sharing_action:testaction:1
Enable log_config_module For HTTPD Logging ocil:ssg-httpd_enable_log_config_action:testaction:1
Configure HTTP PERL Scripts To Use TAINT Option ocil:ssg-httpd_configure_perl_taint_action:testaction:1
Ensure Web Content Located on Separate partition ocil:ssg-partition_for_web_content_action:testaction:1
Disable Web Content Symbolic Links ocil:ssg-httpd_disable_content_symlinks_action:testaction:1
Remove .java And .jpp Files ocil:ssg-httpd_limit_java_files_action:testaction:1
Each Web Content Directory Must Contain An index.html File ocil:ssg-httpd_configure_documentroot_action:testaction:1
The robots.txt Files Must Not Exist ocil:ssg-httpd_remove_robots_file_action:testaction:1
Configure A Banner Page For Each Website ocil:ssg-httpd_configure_banner_page_action:testaction:1
Encrypt All File Uploads ocil:ssg-httpd_encrypt_file_uploads_action:testaction:1
Enable HTTPD Error Logging ocil:ssg-httpd_enable_error_logging_action:testaction:1
A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ extension ocil:ssg-httpd_nipr_accredited_dmz_action:testaction:1
A private web server must be located on a separate controlled access subnet ocil:ssg-httpd_private_server_on_separate_subnet_action:testaction:1
Configure The Number of Allowed Simultaneous Requests ocil:ssg-httpd_configure_max_keepalive_requests_action:testaction:1
Public web server resources must not be shared with private assets ocil:ssg-httpd_public_resources_not_shared_action:testaction:1
The web server password(s) must be entrusted to the SA or Web Manager ocil:ssg-httpd_entrust_passwords_action:testaction:1
Configure Error Log Format ocil:ssg-httpd_configure_log_format_action:testaction:1
Backup interactive scripts on the production web server are prohibited ocil:ssg-httpd_remove_backups_action:testaction:1
MIME types for csh or sh shell programs must be disabled ocil:ssg-httpd_disable_mime_types_action:testaction:1
Enable HTTPD System Logging ocil:ssg-httpd_enable_system_logging_action:testaction:1
Enable HTTPD LogLevel ocil:ssg-httpd_enable_loglevel_action:testaction:1
Installation of a compiler on production web server is prohibited ocil:ssg-httpd_no_compilers_in_prod_action:testaction:1
Configure SSSD LDAP Backend Client CA Certificate Location ocil:ssg-sssd_ldap_configure_tls_ca_dir_action:testaction:1
Configure SSSD LDAP Backend to Use TLS For All Transactions ocil:ssg-sssd_ldap_start_tls_action:testaction:1
Configure SSSD LDAP Backend Client CA Certificate ocil:ssg-sssd_ldap_configure_tls_ca_action:testaction:1
Configure SSSD's Memory Cache to Expire ocil:ssg-sssd_memcache_timeout_action:testaction:1
Configure PAM in SSSD Services ocil:ssg-sssd_enable_pam_services_action:testaction:1
Enable Smartcards in SSSD ocil:ssg-sssd_enable_smartcards_action:testaction:1
Configure SSSD to Expire Offline Credentials ocil:ssg-sssd_offline_cred_expiration_action:testaction:1
Install the SSSD Package ocil:ssg-package_sssd_installed_action:testaction:1
Configure SSSD to Expire SSH Known Hosts ocil:ssg-sssd_ssh_known_hosts_timeout_action:testaction:1
Enable the SSSD Service ocil:ssg-service_sssd_enabled_action:testaction:1
Enable systemd_timesyncd Service ocil:ssg-service_timesyncd_enabled_action:testaction:1
Configure Time Service Maxpoll Interval ocil:ssg-chronyd_or_ntpd_set_maxpoll_action:testaction:1
Enable the NTP Daemon ocil:ssg-service_chronyd_or_ntpd_enabled_action:testaction:1
Enable the NTP Daemon ocil:ssg-service_ntpd_enabled_action:testaction:1
Specify a Remote NTP Server ocil:ssg-chronyd_or_ntpd_specify_remote_server_action:testaction:1
Specify a Remote NTP Server ocil:ssg-ntpd_specify_remote_server_action:testaction:1
Enable the NTP Daemon ocil:ssg-service_ntp_enabled_action:testaction:1
Uninstall Automatic Bug Reporting Tool (abrt) ocil:ssg-package_abrt_removed_action:testaction:1
Disable Control Group Rules Engine (cgred) ocil:ssg-service_cgred_disabled_action:testaction:1
Disable D-Bus IPC Service (messagebus) ocil:ssg-service_messagebus_disabled_action:testaction:1
Disable Advanced Configuration and Power Interface (acpid) ocil:ssg-service_acpid_disabled_action:testaction:1
Disable Network Router Discovery Daemon (rdisc) ocil:ssg-service_rdisc_disabled_action:testaction:1
Disable Network Console (netconsole) ocil:ssg-service_netconsole_disabled_action:testaction:1
Disable Certmonger Service (certmonger) ocil:ssg-service_certmonger_disabled_action:testaction:1
Disable Quota Netlink (quota_nld) ocil:ssg-service_quota_nld_disabled_action:testaction:1
Enable Process Accounting (psacct) ocil:ssg-service_psacct_enabled_action:testaction:1
Disable Red Hat Network Service (rhnsd) ocil:ssg-service_rhnsd_disabled_action:testaction:1
Install the psacct package ocil:ssg-package_psacct_installed_action:testaction:1
Disable Software RAID Monitor (mdmonitor) ocil:ssg-service_mdmonitor_disabled_action:testaction:1
Enable IRQ Balance (irqbalance) ocil:ssg-service_irqbalance_enabled_action:testaction:1
Disable Odd Job Daemon (oddjobd) ocil:ssg-service_oddjobd_disabled_action:testaction:1
Disable SMART Disk Monitoring Service (smartd) ocil:ssg-service_smartd_disabled_action:testaction:1
Disable Apache Qpid (qpidd) ocil:ssg-service_qpidd_disabled_action:testaction:1
Disable Automatic Bug Reporting Tool (abrtd) ocil:ssg-service_abrtd_disabled_action:testaction:1
Disable CPU Speed (cpupower) ocil:ssg-service_cpupower_disabled_action:testaction:1
Disable Cyrus SASL Authentication Daemon (saslauthd) ocil:ssg-service_saslauthd_disabled_action:testaction:1
Disable Control Group Config (cgconfig) ocil:ssg-service_cgconfig_disabled_action:testaction:1
Disable ntpdate Service (ntpdate) ocil:ssg-service_ntpdate_disabled_action:testaction:1
Disable KDump Kernel Crash Analyzer (kdump) ocil:ssg-service_kdump_disabled_action:testaction:1
Disable Red Hat Subscription Manager Daemon (rhsmcertd) ocil:ssg-service_rhsmcertd_disabled_action:testaction:1
Disable Portreserve (portreserve) ocil:ssg-service_portreserve_disabled_action:testaction:1
Disable System Statistics Reset Service (sysstat) ocil:ssg-service_sysstat_disabled_action:testaction:1
Enable Use of Strict Mode Checking ocil:ssg-sshd_enable_strictmodes_action:testaction:1
Disable SSH Support for User Known Hosts ocil:ssg-sshd_disable_user_known_hosts_action:testaction:1
Disable SSH Access via Empty Passwords ocil:ssg-sshd_disable_empty_passwords_action:testaction:1
Set SSH Client Alive Max Count ocil:ssg-sshd_set_keepalive_action:testaction:1
Set SSH Idle Timeout Interval ocil:ssg-sshd_set_idle_timeout_action:testaction:1
Enable SSH Warning Banner ocil:ssg-sshd_enable_warning_banner_action:testaction:1
Use Only FIPS 140-2 Validated MACs ocil:ssg-sshd_use_approved_macs_action:testaction:1
Do Not Allow SSH Environment Options ocil:ssg-sshd_do_not_permit_user_env_action:testaction:1
Disable Kerberos Authentication ocil:ssg-sshd_disable_kerb_auth_action:testaction:1
Allow Only SSH Protocol 2 ocil:ssg-sshd_allow_only_protocol2_action:testaction:1
Disable SSH Support for .rhosts Files ocil:ssg-sshd_disable_rhosts_action:testaction:1
Disable SSH Support for Rhosts RSA Authentication ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1
Set LogLevel to INFO ocil:ssg-sshd_set_loglevel_info_action:testaction:1
Enable Encrypted X11 Forwarding ocil:ssg-sshd_enable_x11_forwarding_action:testaction:1
Use Only FIPS 140-2 Validated Ciphers ocil:ssg-sshd_use_approved_ciphers_action:testaction:1
Disable Host-Based Authentication ocil:ssg-disable_host_auth_action:testaction:1
Enable SSH Server firewalld Firewall Exception ocil:ssg-firewalld_sshd_port_enabled_action:testaction:1
Set SSH authentication attempt limit ocil:ssg-sshd_set_max_auth_tries_action:testaction:1
Use Only Strong MACs ocil:ssg-sshd_use_strong_macs_action:testaction:1
Enable Use of Privilege Separation ocil:ssg-sshd_use_priv_separation_action:testaction:1
Enable SSH Print Last Log ocil:ssg-sshd_print_last_log_action:testaction:1
Use Only Strong Ciphers ocil:ssg-sshd_use_strong_ciphers_action:testaction:1
Disable GSSAPI Authentication ocil:ssg-sshd_disable_gssapi_auth_action:testaction:1
Disable Compression Or Set Compression to delayed ocil:ssg-sshd_disable_compression_action:testaction:1
Disable SSH Root Login ocil:ssg-sshd_disable_root_login_action:testaction:1
Install the OpenSSH Server Package ocil:ssg-package_openssh-server_installed_action:testaction:1
Enable the OpenSSH Service ocil:ssg-service_sshd_enabled_action:testaction:1
Verify Permissions on SSH Server Public *.pub Key Files ocil:ssg-file_permissions_sshd_pub_key_action:testaction:1
Verify Permissions on SSH Server Private *_key Key Files ocil:ssg-file_permissions_sshd_private_key_action:testaction:1
Configure System to Forward All Mail For The Root Account ocil:ssg-postfix_client_configure_mail_alias_action:testaction:1
Disable Postfix Network Listening ocil:ssg-postfix_network_listening_disabled_action:testaction:1
Prevent Unrestricted Mail Relaying ocil:ssg-postfix_prevent_unrestricted_relay_action:testaction:1
Uninstall Sendmail Package ocil:ssg-package_sendmail_removed_action:testaction:1
Enable Postfix Service ocil:ssg-service_postfix_enabled_action:testaction:1
Disable Dovecot Service ocil:ssg-service_dovecot_disabled_action:testaction:1
Uninstall dovecot Package ocil:ssg-package_dovecot_removed_action:testaction:1
Ensure All-Squashing Disabled On All Exports ocil:ssg-no_all_squash_exports_action:testaction:1
Use Kerberos Security on All Exports ocil:ssg-use_kerberos_security_all_exports_action:testaction:1
Ensure Insecure File Locking is Not Allowed ocil:ssg-no_insecure_locks_exports_action:testaction:1
Mount Remote Filesystems with noexec ocil:ssg-mount_option_noexec_remote_filesystems_action:testaction:1
Mount Remote Filesystems with Kerberos Security ocil:ssg-mount_option_krb_sec_remote_filesystems_action:testaction:1
Mount Remote Filesystems with nosuid ocil:ssg-mount_option_nosuid_remote_filesystems_action:testaction:1
Mount Remote Filesystems with nodev ocil:ssg-mount_option_nodev_remote_filesystems_action:testaction:1
Specify UID and GID for Anonymous NFS Connections ocil:ssg-nfs_no_anonymous_action:testaction:1
Disable Network File System (nfs) ocil:ssg-service_nfs_disabled_action:testaction:1
Disable Secure RPC Server Service (rpcsvcgssd) ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1
Disable Printer Browsing Entirely if Possible ocil:ssg-cups_disable_browsing_action:testaction:1
Disable the CUPS Service ocil:ssg-service_cups_disabled_action:testaction:1
Install the docker Package ocil:ssg-package_docker_installed_action:testaction:1
Enable the Docker service ocil:ssg-service_docker_enabled_action:testaction:1
Disable Avahi Server Software ocil:ssg-service_avahi-daemon_disabled_action:testaction:1
Disable Squid ocil:ssg-service_squid_disabled_action:testaction:1
Uninstall squid Package ocil:ssg-package_squid_removed_action:testaction:1
Configure auditd flush priority ocil:ssg-auditd_data_retention_flush_action:testaction:1
Encrypt Audit Records Sent With audispd Plugin ocil:ssg-auditd_audispd_encrypt_sent_records_action:testaction:1
Configure audispd Plugin To Send Logs To Remote Server ocil:ssg-auditd_audispd_configure_remote_server_action:testaction:1
Configure audispd's Plugin network_failure_action On Network Failure ocil:ssg-auditd_audispd_network_failure_action_action:testaction:1
Configure auditd Disk Full Action when Disk Space Is Full ocil:ssg-auditd_data_disk_full_action_action:testaction:1
Configure auditd Max Log File Size ocil:ssg-auditd_data_retention_max_log_file_action:testaction:1
Configure auditd space_left on Low Disk Space ocil:ssg-auditd_data_retention_space_left_action:testaction:1
Configure auditd mail_acct Action on Low Disk Space ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1
Configure auditd to use audispd's syslog plugin ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1
Configure auditd admin_space_left Action on Low Disk Space ocil:ssg-auditd_data_retention_admin_space_left_action_action:testaction:1
Configure auditd max_log_file_action Upon Reaching Maximum Log Size ocil:ssg-auditd_data_retention_max_log_file_action_action:testaction:1
Configure auditd space_left Action on Low Disk Space ocil:ssg-auditd_data_retention_space_left_action_action:testaction:1
Configure auditd Disk Error Action on Disk Error ocil:ssg-auditd_data_disk_error_action_action:testaction:1
Configure auditd Number of Logs Retained ocil:ssg-auditd_data_retention_num_logs_action:testaction:1
Configure audispd's Plugin disk_full_action When Disk Is Full ocil:ssg-auditd_audispd_disk_full_action_action:testaction:1
Ensure auditd Collects Information on Kernel Module Unloading - rmmod ocil:ssg-audit_rules_kernel_module_loading_rmmod_action:testaction:1
Ensure auditd Collects Information on Kernel Module Loading and Unloading ocil:ssg-audit_rules_kernel_module_loading_action:testaction:1
Ensure auditd Collects Information on Kernel Module Unloading - delete_module ocil:ssg-audit_rules_kernel_module_loading_delete_action:testaction:1
Ensure auditd Collects Information on Kernel Module Loading - insmod ocil:ssg-audit_rules_kernel_module_loading_insmod_action:testaction:1
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module ocil:ssg-audit_rules_kernel_module_loading_finit_action:testaction:1
Ensure auditd Collects Information on Kernel Module Loading and Unloading - modprobe ocil:ssg-audit_rules_kernel_module_loading_modprobe_action:testaction:1
Ensure auditd Collects Information on Kernel Module Loading - create_module ocil:ssg-audit_rules_kernel_module_loading_create_action:testaction:1
Ensure auditd Collects Information on Kernel Module Loading - init_module ocil:ssg-audit_rules_kernel_module_loading_init_action:testaction:1
Record Attempts to Alter Logon and Logout Events - lastlog ocil:ssg-audit_rules_login_events_lastlog_action:testaction:1
Record Attempts to Alter Logon and Logout Events - faillock ocil:ssg-audit_rules_login_events_faillock_action:testaction:1
Record Attempts to Alter Logon and Logout Events - tallylog ocil:ssg-audit_rules_login_events_tallylog_action:testaction:1
Record Attempts to Alter Time Through stime ocil:ssg-audit_rules_time_stime_action:testaction:1
Record attempts to alter time through settimeofday ocil:ssg-audit_rules_time_settimeofday_action:testaction:1
Record Attempts to Alter the localtime File ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1
Record Attempts to Alter Time Through clock_settime ocil:ssg-audit_rules_time_clock_settime_action:testaction:1
Record attempts to alter time through adjtimex ocil:ssg-audit_rules_time_adjtimex_action:testaction:1
Record Events that Modify the System's Discretionary Access Controls - fchown ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1
Record Events that Modify the System's Discretionary Access Controls - setxattr ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1
Record Events that Modify the System's Discretionary Access Controls - chown ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1
Record Events that Modify the System's Discretionary Access Controls - fchownat ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1
Record Events that Modify the System's Discretionary Access Controls - lchown ocil:ssg-audit_rules_dac_modification_lchown_action:testaction:1
Record Events that Modify the System's Discretionary Access Controls - chmod ocil:ssg-audit_rules_dac_modification_chmod_action:testaction:1
Record Events that Modify the System's Discretionary Access Controls - removexattr ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1
Record Events that Modify the System's Discretionary Access Controls - fchmod ocil:ssg-audit_rules_dac_modification_fchmod_action:testaction:1
Record Events that Modify the System's Discretionary Access Controls - lsetxattr ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1
Record Events that Modify the System's Discretionary Access Controls - fremovexattr ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1
Record Events that Modify the System's Discretionary Access Controls - lremovexattr ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1
Record Events that Modify the System's Discretionary Access Controls - fsetxattr ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1
Record Events that Modify the System's Discretionary Access Controls - fchmodat ocil:ssg-audit_rules_dac_modification_fchmodat_action:testaction:1
Record Any Attempts to Run seunshare ocil:ssg-audit_rules_execution_seunshare_action:testaction:1
Record Any Attempts to Run setfiles ocil:ssg-audit_rules_execution_setfiles_action:testaction:1
Record Any Attempts to Run setsebool ocil:ssg-audit_rules_execution_setsebool_action:testaction:1
Record Any Attempts to Run semanage ocil:ssg-audit_rules_execution_semanage_action:testaction:1
Record Any Attempts to Run chcon ocil:ssg-audit_rules_execution_chcon_action:testaction:1
Record Any Attempts to Run restorecon ocil:ssg-audit_rules_execution_restorecon_action:testaction:1
Ensure auditd Collects File Deletion Events by User - rmdir ocil:ssg-audit_rules_file_deletion_events_rmdir_action:testaction:1
Ensure auditd Collects File Deletion Events by User - unlinkat ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1
Ensure auditd Collects File Deletion Events by User ocil:ssg-audit_rules_file_deletion_events_action:testaction:1
Ensure auditd Collects File Deletion Events by User - rename ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1
Ensure auditd Collects File Deletion Events by User - renameat ocil:ssg-audit_rules_file_deletion_events_renameat_action:testaction:1
Ensure auditd Collects File Deletion Events by User - unlink ocil:ssg-audit_rules_file_deletion_events_unlink_action:testaction:1
Ensure auditd Collects Information on the Use of Privileged Commands - passwd ocil:ssg-audit_rules_privileged_commands_passwd_action:testaction:1
Ensure auditd Collects Information on the Use of Privileged Commands - sudo ocil:ssg-audit_rules_privileged_commands_sudo_action:testaction:1
Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl ocil:ssg-audit_rules_privileged_commands_usernetctl_action:testaction:1
Ensure auditd Collects Information on the Use of Privileged Commands - postdrop ocil:ssg-audit_rules_privileged_commands_postdrop_action:testaction:1
Ensure auditd Collects Information on the Use of Privileged Commands - chsh ocil:ssg-audit_rules_privileged_commands_chsh_action:testaction:1
Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap ocil:ssg-audit_rules_privileged_commands_newgidmap_action:testaction:1
Ensure auditd Collects Information on the Use of Privileged Commands
- postqueue ocil:ssg-audit_rules_privileged_commands_postqueue_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - chage ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - userhelper ocil:ssg-audit_rules_privileged_commands_userhelper_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - at ocil:ssg-audit_rules_privileged_commands_at_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - crontab ocil:ssg-audit_rules_privileged_commands_crontab_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - umount ocil:ssg-audit_rules_privileged_commands_umount_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd ocil:ssg-audit_rules_privileged_commands_unix_chkpwd_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown ocil:ssg-audit_rules_privileged_commands_pt_chown_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign ocil:ssg-audit_rules_privileged_commands_ssh_keysign_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit ocil:ssg-audit_rules_privileged_commands_sudoedit_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - mount ocil:ssg-audit_rules_privileged_commands_mount_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap ocil:ssg-audit_rules_privileged_commands_newuidmap_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd 
ocil:ssg-audit_rules_privileged_commands_gpasswd_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands ocil:ssg-audit_rules_privileged_commands_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - su ocil:ssg-audit_rules_privileged_commands_su_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - newgrp ocil:ssg-audit_rules_privileged_commands_newgrp_action:testaction:1 Record Unsuccessful Delete Attempts to Files - renameat ocil:ssg-audit_rules_unsuccessful_file_modification_renameat_action:testaction:1 Record Unauthorized Creation Attempts to Files - open_by_handle_at O_CREAT ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat_action:testaction:1 Record Unauthorized Modification Attempts to Files - open O_TRUNC ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_trunc_write_action:testaction:1 Record Unsuccessful Ownership Changes to Files - fchownat ocil:ssg-audit_rules_unsuccessful_file_modification_fchownat_action:testaction:1 Record Unauthorized Creation Attempts to Files - openat O_CREAT ocil:ssg-audit_rules_unsuccessful_file_modification_openat_o_creat_action:testaction:1 Record Unsuccessful Ownership Changes to Files - lchown ocil:ssg-audit_rules_unsuccessful_file_modification_lchown_action:testaction:1 Record Unsuccessful Permission Changes to Files - fchmodat ocil:ssg-audit_rules_unsuccessful_file_modification_fchmodat_action:testaction:1 Record Unsuccessful Permission Changes to Files - removexattr ocil:ssg-audit_rules_unsuccessful_file_modification_removexattr_action:testaction:1 Record Unsuccessful Ownership Changes to Files - chown ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 Record Unsuccessful Ownership Changes to Files - fchown ocil:ssg-audit_rules_unsuccessful_file_modification_fchown_action:testaction:1 Record Unauthorized Access Attempts to Files (unsuccessful) - truncate 
ocil:ssg-audit_rules_unsuccessful_file_modification_truncate_action:testaction:1 Record Unsuccessful Permission Changes to Files - setxattr ocil:ssg-audit_rules_unsuccessful_file_modification_setxattr_action:testaction:1 Record Unsuccessful Permission Changes to Files - lremovexattr ocil:ssg-audit_rules_unsuccessful_file_modification_lremovexattr_action:testaction:1 Record Unauthorized Access Attempts to Files (unsuccessful) - creat ocil:ssg-audit_rules_unsuccessful_file_modification_creat_action:testaction:1 Record Unauthorized Creation Attempts to Files - open O_CREAT ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_creat_action:testaction:1 Record Unsuccessful Permission Changes to Files - fremovexattr ocil:ssg-audit_rules_unsuccessful_file_modification_fremovexattr_action:testaction:1 Record Unsuccessful Delete Attempts to Files - unlink ocil:ssg-audit_rules_unsuccessful_file_modification_unlink_action:testaction:1 Record Unsuccessful Permission Changes to Files - fsetxattr ocil:ssg-audit_rules_unsuccessful_file_modification_fsetxattr_action:testaction:1 Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly ocil:ssg-audit_rules_unsuccessful_file_modification_openat_rule_order_action:testaction:1 Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly ocil:ssg-audit_rules_unsuccessful_file_modification_open_rule_order_action:testaction:1 Record Unauthorized Access Attempts to Files (unsuccessful) - open ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 Record Unsuccessful Permission Changes to Files - lsetxattr ocil:ssg-audit_rules_unsuccessful_file_modification_lsetxattr_action:testaction:1 Record Unsuccessful Permission Changes to Files - chmod ocil:ssg-audit_rules_unsuccessful_file_modification_chmod_action:testaction:1 Record Unauthorized Access Attempts to Files (unsuccessful) - open_by_handle_at ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_action:testaction:1 
Record Unauthorized Access Attempts to Files (unsuccessful) - ftruncate ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1 Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order_action:testaction:1 Record Unsuccessful Delete Attempts to Files - unlinkat ocil:ssg-audit_rules_unsuccessful_file_modification_unlinkat_action:testaction:1 Record Unauthorized Modification Attempts to Files - openat O_TRUNC ocil:ssg-audit_rules_unsuccessful_file_modification_openat_o_trunc_write_action:testaction:1 Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) ocil:ssg-audit_rules_unsuccessful_file_modification_action:testaction:1 Record Unsuccessful Permission Changes to Files - fchmod ocil:ssg-audit_rules_unsuccessful_file_modification_fchmod_action:testaction:1 Record Unauthorized Modification Attempts to Files - open_by_handle_at O_TRUNC ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write_action:testaction:1 Record Unauthorized Access Attempts to Files (unsuccessful) - openat ocil:ssg-audit_rules_unsuccessful_file_modification_openat_action:testaction:1 Record Unsuccessful Delete Attempts to Files - rename ocil:ssg-audit_rules_unsuccessful_file_modification_rename_action:testaction:1 Ensure auditd Collects System Administrator Actions ocil:ssg-audit_rules_sysadmin_actions_action:testaction:1 Record Events that Modify the System's Network Environment ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1 Record Events that Modify User/Group Information ocil:ssg-audit_rules_usergroup_modification_action:testaction:1 Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd ocil:ssg-audit_rules_etc_passwd_open_by_handle_at_action:testaction:1 Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group 
ocil:ssg-audit_rules_etc_group_open_by_handle_at_action:testaction:1 Record Events that Modify User/Group Information via open syscall - /etc/passwd ocil:ssg-audit_rules_etc_passwd_open_action:testaction:1 System Audit Logs Must Have Mode 0750 or Less Permissive ocil:ssg-directory_permissions_var_log_audit_action:testaction:1 Record Events that Modify User/Group Information via openat syscall - /etc/group ocil:ssg-audit_rules_etc_group_openat_action:testaction:1 Record Events that Modify User/Group Information via open syscall - /etc/group ocil:ssg-audit_rules_etc_group_open_action:testaction:1 Record Events that Modify User/Group Information - /etc/shadow ocil:ssg-audit_rules_usergroup_modification_shadow_action:testaction:1 Record Events that Modify User/Group Information via openat syscall - /etc/passwd ocil:ssg-audit_rules_etc_passwd_openat_action:testaction:1 Record Access Events to Audit Log directory ocil:ssg-directory_access_var_log_audit_action:testaction:1 Ensure auditd Collects Information on Exporting to Media (successful) ocil:ssg-audit_rules_media_export_action:testaction:1 Record Events that Modify User/Group Information - /etc/security/opasswd ocil:ssg-audit_rules_usergroup_modification_opasswd_action:testaction:1 System Audit Logs Must Be Owned By Root ocil:ssg-file_ownership_var_log_audit_action:testaction:1 Record Events that Modify the System's Mandatory Access Controls ocil:ssg-audit_rules_mac_modification_action:testaction:1 Shutdown System When Auditing Failures Occur ocil:ssg-audit_rules_system_shutdown_action:testaction:1 System Audit Logs Must Have Mode 0640 or Less Permissive ocil:ssg-file_permissions_var_log_audit_action:testaction:1 Record Events that Modify User/Group Information - /etc/gshadow ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 Record Events that Modify User/Group Information - /etc/passwd ocil:ssg-audit_rules_usergroup_modification_passwd_action:testaction:1 Record Events that Modify User/Group 
Information - /etc/group ocil:ssg-audit_rules_usergroup_modification_group_action:testaction:1 Extend Audit Backlog Limit for the Audit Daemon ocil:ssg-grub2_audit_backlog_limit_argument_action:testaction:1 Enable Auditing for Processes Which Start Prior to the Audit Daemon ocil:ssg-grub2_audit_argument_action:testaction:1 Enable auditd Service ocil:ssg-service_auditd_enabled_action:testaction:1 Ensure Logs Sent To Remote Host ocil:ssg-rsyslog_remote_loghost_action:testaction:1 Ensure Log Files Are Owned By Appropriate User ocil:ssg-rsyslog_files_ownership_action:testaction:1 Ensure Log Files Are Owned By Appropriate Group ocil:ssg-rsyslog_files_groupownership_action:testaction:1 Ensure cron Is Logging To Rsyslog ocil:ssg-rsyslog_cron_logging_action:testaction:1 Ensure System Log Files Have Correct Permissions ocil:ssg-rsyslog_files_permissions_action:testaction:1 Enable syslog-ng Service ocil:ssg-service_syslogng_enabled_action:testaction:1 Ensure syslog-ng is Installed ocil:ssg-package_syslogng_installed_action:testaction:1 Ensure Logrotate Runs Periodically ocil:ssg-ensure_logrotate_activated_action:testaction:1 Enable rsyslog Service ocil:ssg-service_rsyslog_enabled_action:testaction:1 Ensure rsyslog is Installed ocil:ssg-package_rsyslog_installed_action:testaction:1 Configure Kernel Parameter for Accepting Source-Routed Packets for Interfaces By Default ocil:ssg-sysctl_net_ipv6_conf_default_accept_source_route_action:testaction:1 Configure Kernel Parameter for Accepting IPv6 Source-Routed Packets for All Interfaces ocil:ssg-sysctl_net_ipv6_conf_all_accept_source_route_action:testaction:1 Disable Kernel Parameter for IPv6 Forwarding ocil:ssg-sysctl_net_ipv6_conf_all_forwarding_action:testaction:1 Configure Accepting IPv6 Redirects on All Interfaces ocil:ssg-sysctl_net_ipv6_conf_all_accept_redirects_action:testaction:1 Configure Accepting IPv6 Router Advertisements by Default ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_action:testaction:1 Configure Accepting 
IPv6 Router Advertisements on All Interfaces ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_action:testaction:1 Configure Accepting IPv6 Redirects By Default ocil:ssg-sysctl_net_ipv6_conf_default_accept_redirects_action:testaction:1 Disable IPv6 Networking Support Automatic Loading ocil:ssg-sysctl_net_ipv6_conf_all_disable_ipv6_action:testaction:1 Disable IPv6 Networking Support Automatic Loading ocil:ssg-kernel_module_ipv6_option_disabled_action:testaction:1 Verify Any Configured IPSec Tunnel Connections ocil:ssg-libreswan_approved_tunnels_action:testaction:1 Install libreswan Package ocil:ssg-package_libreswan_installed_action:testaction:1 Verify ip6tables Enabled if Using IPv6 ocil:ssg-service_ip6tables_enabled_action:testaction:1 Verify iptables Enabled ocil:ssg-service_iptables_enabled_action:testaction:1 Set Default ip6tables Policy for Incoming Packets ocil:ssg-set_ip6tables_default_rule_action:testaction:1 Set Default iptables Policy for Forwarded Packets ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 Set Default iptables Policy for Incoming Packets ocil:ssg-set_iptables_default_rule_action:testaction:1 Set Default firewalld Zone for Incoming Packets ocil:ssg-set_firewalld_default_zone_action:testaction:1 Configure the Firewalld Ports ocil:ssg-configure_firewalld_ports_action:testaction:1 Configure firewalld To Rate Limit Connections ocil:ssg-configure_firewalld_rate_limiting_action:testaction:1 Verify firewalld Enabled ocil:ssg-service_firewalld_enabled_action:testaction:1 Install firewalld ocil:ssg-package_firewalld_installed_action:testaction:1 Configure Kernel Parameter for Accepting Source-Routed Packets By Default ocil:ssg-sysctl_net_ipv4_conf_default_accept_source_route_action:testaction:1 Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requests ocil:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_action:testaction:1 Configure Kernel Parameter to Log Martian Packets By Default 
ocil:ssg-sysctl_net_ipv4_conf_default_log_martians_action:testaction:1 Configure Kernel Parameter to Use Reverse Path Filtering by Default ocil:ssg-sysctl_net_ipv4_conf_default_rp_filter_action:testaction:1 Configure Kernel Parameter for Accepting Secure Redirects for All Interfaces ocil:ssg-sysctl_net_ipv4_conf_all_secure_redirects_action:testaction:1 Configure Kernel Parameter to Use TCP Syncookies ocil:ssg-sysctl_net_ipv4_tcp_syncookies_action:testaction:1 Configure Kernel Parameter for Accepting ICMP Redirects for All Interfaces ocil:ssg-sysctl_net_ipv4_conf_all_accept_redirects_action:testaction:1 Configure Kernel Parameter to Log Martian Packets ocil:ssg-sysctl_net_ipv4_conf_all_log_martians_action:testaction:1 Configure Kernel Parameter to Use Reverse Path Filtering for All Interfaces ocil:ssg-sysctl_net_ipv4_conf_all_rp_filter_action:testaction:1 Configure Kernel Parameter to Ignore Bogus ICMP Error Responses ocil:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses_action:testaction:1 Configure Kernel Parameter for Accepting Secure Redirects By Default ocil:ssg-sysctl_net_ipv4_conf_default_secure_redirects_action:testaction:1 Configure Kernel Parameter for Accepting IPv4 Source-Routed Packets for All Interfaces ocil:ssg-sysctl_net_ipv4_conf_all_accept_source_route_action:testaction:1 Configure Kernel Parameter for Accepting ICMP Redirects By Default ocil:ssg-sysctl_net_ipv4_conf_default_accept_redirects_action:testaction:1 Disable Kernel Parameter for IP Forwarding ocil:ssg-sysctl_net_ipv4_ip_forward_action:testaction:1 Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces ocil:ssg-sysctl_net_ipv4_conf_all_send_redirects_action:testaction:1 Disable Kernel Parameter for Sending ICMP Redirects by Default ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_action:testaction:1 Disable DCCP Support ocil:ssg-kernel_module_dccp_disabled_action:testaction:1 Disable RDS Support ocil:ssg-kernel_module_rds_disabled_action:testaction:1 Disable TIPC 
Support ocil:ssg-kernel_module_tipc_disabled_action:testaction:1 Disable SCTP Support ocil:ssg-kernel_module_sctp_disabled_action:testaction:1 Disable Bluetooth Kernel Modules ocil:ssg-kernel_module_bluetooth_disabled_action:testaction:1 Disable Bluetooth Service ocil:ssg-service_bluetooth_disabled_action:testaction:1 Deactivate Wireless Network Interfaces ocil:ssg-wireless_disable_interfaces_action:testaction:1 Ensure System is Not Acting as a Network Sniffer ocil:ssg-network_sniffer_disabled_action:testaction:1 Configure Multiple DNS Servers in /etc/resolv.conf ocil:ssg-network_configure_name_resolution_action:testaction:1 Disable Client Dynamic DNS Updates ocil:ssg-network_disable_ddns_interfaces_action:testaction:1 Set Boot Loader Password in grub2 ocil:ssg-grub2_password_action:testaction:1 Verify /boot/grub2/grub.cfg Permissions ocil:ssg-file_permissions_grub2_cfg_action:testaction:1 Verify /boot/grub2/grub.cfg User Ownership ocil:ssg-file_owner_grub2_cfg_action:testaction:1 Set the UEFI Boot Loader Password ocil:ssg-grub2_uefi_password_action:testaction:1 Boot Loader Is Not Installed On Removable Media ocil:ssg-grub2_no_removeable_media_action:testaction:1 Verify /boot/efi/EFI/redhat/grub.cfg Group Ownership ocil:ssg-file_groupowner_efi_grub2_cfg_action:testaction:1 Verify /boot/grub2/grub.cfg Group Ownership ocil:ssg-file_groupowner_grub2_cfg_action:testaction:1 UEFI Boot Loader Is Not Installed On Removable Media ocil:ssg-uefi_no_removeable_media_action:testaction:1 Verify /boot/efi/EFI/redhat/grub.cfg User Ownership ocil:ssg-file_owner_efi_grub2_cfg_action:testaction:1 Verify /boot/efi/EFI/redhat/grub.cfg Permissions ocil:ssg-file_permissions_efi_grub2_cfg_action:testaction:1 Disable the openvpn_can_network_connect SELinux Boolean ocil:ssg-sebool_openvpn_can_network_connect_action:testaction:1 Disable the httpd_use_gpg SELinux Boolean ocil:ssg-sebool_httpd_use_gpg_action:testaction:1 Disable the ssh_sysadm_login SELinux Boolean 
ocil:ssg-sebool_ssh_sysadm_login_action:testaction:1 Disable the httpd_run_stickshift SELinux Boolean ocil:ssg-sebool_httpd_run_stickshift_action:testaction:1 Disable the polipo_connect_all_unreserved SELinux Boolean ocil:ssg-sebool_polipo_connect_all_unreserved_action:testaction:1 Disable the httpd_sys_script_anon_write SELinux Boolean ocil:ssg-sebool_httpd_sys_script_anon_write_action:testaction:1 Disable the pcp_bind_all_unreserved_ports SELinux Boolean ocil:ssg-sebool_pcp_bind_all_unreserved_ports_action:testaction:1 Disable the minidlna_read_generic_user_content SELinux Boolean ocil:ssg-sebool_minidlna_read_generic_user_content_action:testaction:1 Enable the auditadm_exec_content SELinux Boolean ocil:ssg-sebool_auditadm_exec_content_action:testaction:1 Disable the authlogin_radius SELinux Boolean ocil:ssg-sebool_authlogin_radius_action:testaction:1 Disable the logwatch_can_network_connect_mail SELinux Boolean ocil:ssg-sebool_logwatch_can_network_connect_mail_action:testaction:1 Disable the logrotate_use_nfs SELinux Boolean ocil:ssg-sebool_logrotate_use_nfs_action:testaction:1 Disable the git_cgi_use_cifs SELinux Boolean ocil:ssg-sebool_git_cgi_use_cifs_action:testaction:1 Disable the postgresql_can_rsync SELinux Boolean ocil:ssg-sebool_postgresql_can_rsync_action:testaction:1 Disable the selinuxuser_execstack SELinux Boolean ocil:ssg-sebool_selinuxuser_execstack_action:testaction:1 Disable the entropyd_use_audio SELinux Boolean ocil:ssg-sebool_entropyd_use_audio_action:testaction:1 Disable the httpd_execmem SELinux Boolean ocil:ssg-sebool_httpd_execmem_action:testaction:1 Enable the mount_anyfile SELinux Boolean ocil:ssg-sebool_mount_anyfile_action:testaction:1 Disable the smartmon_3ware SELinux Boolean ocil:ssg-sebool_smartmon_3ware_action:testaction:1 Disable the git_cgi_enable_homedirs SELinux Boolean ocil:ssg-sebool_git_cgi_enable_homedirs_action:testaction:1 Disable the mailman_use_fusefs SELinux Boolean 
ocil:ssg-sebool_mailman_use_fusefs_action:testaction:1 Disable the httpd_can_check_spam SELinux Boolean ocil:ssg-sebool_httpd_can_check_spam_action:testaction:1 Disable the fenced_can_ssh SELinux Boolean ocil:ssg-sebool_fenced_can_ssh_action:testaction:1 Disable the nagios_run_pnp4nagios SELinux Boolean ocil:ssg-sebool_nagios_run_pnp4nagios_action:testaction:1 Disable the httpd_can_network_connect SELinux Boolean ocil:ssg-sebool_httpd_can_network_connect_action:testaction:1 Disable the mozilla_plugin_can_network_connect SELinux Boolean ocil:ssg-sebool_mozilla_plugin_can_network_connect_action:testaction:1 Disable the git_session_bind_all_unreserved_ports SELinux Boolean ocil:ssg-sebool_git_session_bind_all_unreserved_ports_action:testaction:1 Disable the tmpreaper_use_samba SELinux Boolean ocil:ssg-sebool_tmpreaper_use_samba_action:testaction:1 Disable the selinuxuser_tcp_server SELinux Boolean ocil:ssg-sebool_selinuxuser_tcp_server_action:testaction:1 Disable the httpd_anon_write SELinux Boolean ocil:ssg-sebool_httpd_anon_write_action:testaction:1 Disable the httpd_can_connect_ldap SELinux Boolean ocil:ssg-sebool_httpd_can_connect_ldap_action:testaction:1 Disable the xen_use_nfs SELinux Boolean ocil:ssg-sebool_xen_use_nfs_action:testaction:1 Disable the daemons_use_tcp_wrapper SELinux Boolean ocil:ssg-sebool_daemons_use_tcp_wrapper_action:testaction:1 Disable the ftpd_connect_db SELinux Boolean ocil:ssg-sebool_ftpd_connect_db_action:testaction:1 Disable the ftpd_use_nfs SELinux Boolean ocil:ssg-sebool_ftpd_use_nfs_action:testaction:1 Disable the cron_can_relabel SELinux Boolean ocil:ssg-sebool_cron_can_relabel_action:testaction:1 Disable the openvpn_run_unconfined SELinux Boolean ocil:ssg-sebool_openvpn_run_unconfined_action:testaction:1 Disable the zebra_write_config SELinux Boolean ocil:ssg-sebool_zebra_write_config_action:testaction:1 Disable the virt_rw_qemu_ga_data SELinux Boolean ocil:ssg-sebool_virt_rw_qemu_ga_data_action:testaction:1 Disable the 
condor_tcp_network_connect SELinux Boolean ocil:ssg-sebool_condor_tcp_network_connect_action:testaction:1 Disable the fcron_crond SELinux Boolean ocil:ssg-sebool_fcron_crond_action:testaction:1 Disable the nfsd_anon_write SELinux Boolean ocil:ssg-sebool_nfsd_anon_write_action:testaction:1 Enable the logadm_exec_content SELinux Boolean ocil:ssg-sebool_logadm_exec_content_action:testaction:1 Disable the httpd_dbus_sssd SELinux Boolean ocil:ssg-sebool_httpd_dbus_sssd_action:testaction:1 Disable the httpd_manage_ipa SELinux Boolean ocil:ssg-sebool_httpd_manage_ipa_action:testaction:1 Disable the haproxy_connect_any SELinux Boolean ocil:ssg-sebool_haproxy_connect_any_action:testaction:1 Disable the httpd_setrlimit SELinux Boolean ocil:ssg-sebool_httpd_setrlimit_action:testaction:1 Disable the antivirus_use_jit SELinux Boolean ocil:ssg-sebool_antivirus_use_jit_action:testaction:1 Disable the rsync_full_access SELinux Boolean ocil:ssg-sebool_rsync_full_access_action:testaction:1 Disable the httpd_run_ipa SELinux Boolean ocil:ssg-sebool_httpd_run_ipa_action:testaction:1 Configure the httpd_builtin_scripting SELinux Boolean ocil:ssg-sebool_httpd_builtin_scripting_action:testaction:1 Disable the staff_use_svirt SELinux Boolean ocil:ssg-sebool_staff_use_svirt_action:testaction:1 Enable the user_exec_content SELinux Boolean ocil:ssg-sebool_user_exec_content_action:testaction:1 Disable the samba_run_unconfined SELinux Boolean ocil:ssg-sebool_samba_run_unconfined_action:testaction:1 Disable the mozilla_plugin_use_spice SELinux Boolean ocil:ssg-sebool_mozilla_plugin_use_spice_action:testaction:1 Disable the mpd_use_nfs SELinux Boolean ocil:ssg-sebool_mpd_use_nfs_action:testaction:1 Disable the httpd_read_user_content SELinux Boolean ocil:ssg-sebool_httpd_read_user_content_action:testaction:1 Disable the rsync_client SELinux Boolean ocil:ssg-sebool_rsync_client_action:testaction:1 Disable the dbadm_read_user_files SELinux Boolean 
ocil:ssg-sebool_dbadm_read_user_files_action:testaction:1 Disable the deny_ptrace SELinux Boolean ocil:ssg-sebool_deny_ptrace_action:testaction:1 Enable the nfs_export_all_rw SELinux Boolean ocil:ssg-sebool_nfs_export_all_rw_action:testaction:1 Disable the rsync_anon_write SELinux Boolean ocil:ssg-sebool_rsync_anon_write_action:testaction:1 Disable the httpd_can_network_memcache SELinux Boolean ocil:ssg-sebool_httpd_can_network_memcache_action:testaction:1 Enable the virt_sandbox_use_audit SELinux Boolean ocil:ssg-sebool_virt_sandbox_use_audit_action:testaction:1 Disable the mozilla_read_content SELinux Boolean ocil:ssg-sebool_mozilla_read_content_action:testaction:1 Disable the xserver_object_manager SELinux Boolean ocil:ssg-sebool_xserver_object_manager_action:testaction:1 Disable the httpd_tty_comm SELinux Boolean ocil:ssg-sebool_httpd_tty_comm_action:testaction:1 Disable the collectd_tcp_network_connect SELinux Boolean ocil:ssg-sebool_collectd_tcp_network_connect_action:testaction:1 Disable the xdm_sysadm_login SELinux Boolean ocil:ssg-sebool_xdm_sysadm_login_action:testaction:1 Disable the pcp_read_generic_logs SELinux Boolean ocil:ssg-sebool_pcp_read_generic_logs_action:testaction:1 Enable the spamd_enable_home_dirs SELinux Boolean ocil:ssg-sebool_spamd_enable_home_dirs_action:testaction:1 Disable the xguest_mount_media SELinux Boolean ocil:ssg-sebool_xguest_mount_media_action:testaction:1 Disable the polipo_session_bind_all_unreserved_ports SELinux Boolean ocil:ssg-sebool_polipo_session_bind_all_unreserved_ports_action:testaction:1 Disable the container_connect_any SELinux Boolean ocil:ssg-sebool_container_connect_any_action:testaction:1 Disable the tftp_anon_write SELinux Boolean ocil:ssg-sebool_tftp_anon_write_action:testaction:1 Disable the git_system_use_nfs SELinux Boolean ocil:ssg-sebool_git_system_use_nfs_action:testaction:1 Disable the virt_use_usb SELinux Boolean ocil:ssg-sebool_virt_use_usb_action:testaction:1 Disable the nis_enabled SELinux 
Boolean ocil:ssg-sebool_nis_enabled_action:testaction:1 Disable the selinuxuser_mysql_connect_enabled SELinux Boolean ocil:ssg-sebool_selinuxuser_mysql_connect_enabled_action:testaction:1 Disable the samba_share_fusefs SELinux Boolean ocil:ssg-sebool_samba_share_fusefs_action:testaction:1 Disable the httpd_enable_ftp_server SELinux Boolean ocil:ssg-sebool_httpd_enable_ftp_server_action:testaction:1 Disable the pppd_for_user SELinux Boolean ocil:ssg-sebool_pppd_for_user_action:testaction:1 Disable the virt_sandbox_use_all_caps SELinux Boolean ocil:ssg-sebool_virt_sandbox_use_all_caps_action:testaction:1 Disable the mozilla_plugin_use_gps SELinux Boolean ocil:ssg-sebool_mozilla_plugin_use_gps_action:testaction:1 Disable the samba_domain_controller SELinux Boolean ocil:ssg-sebool_samba_domain_controller_action:testaction:1 Disable the boinc_execmem SELinux Boolean ocil:ssg-sebool_boinc_execmem_action:testaction:1 Disable the use_fusefs_home_dirs SELinux Boolean ocil:ssg-sebool_use_fusefs_home_dirs_action:testaction:1 Disable the tmpreaper_use_nfs SELinux Boolean ocil:ssg-sebool_tmpreaper_use_nfs_action:testaction:1 Disable the sanlock_use_fusefs SELinux Boolean ocil:ssg-sebool_sanlock_use_fusefs_action:testaction:1 Disable the ssh_keysign SELinux Boolean ocil:ssg-sebool_ssh_keysign_action:testaction:1 Disable the httpd_tmp_exec SELinux Boolean ocil:ssg-sebool_httpd_tmp_exec_action:testaction:1 Disable the httpd_use_fusefs SELinux Boolean ocil:ssg-sebool_httpd_use_fusefs_action:testaction:1 Enable the staff_exec_content SELinux Boolean ocil:ssg-sebool_staff_exec_content_action:testaction:1 Enable the nscd_use_shm SELinux Boolean ocil:ssg-sebool_nscd_use_shm_action:testaction:1 Disable the global_ssp SELinux Boolean ocil:ssg-sebool_global_ssp_action:testaction:1 Disable the virt_use_fusefs SELinux Boolean ocil:ssg-sebool_virt_use_fusefs_action:testaction:1 Disable the gluster_anon_write SELinux Boolean ocil:ssg-sebool_gluster_anon_write_action:testaction:1 Disable the 
wine_mmap_zero_ignore SELinux Boolean ocil:ssg-sebool_wine_mmap_zero_ignore_action:testaction:1 Disable the fenced_can_network_connect SELinux Boolean ocil:ssg-sebool_fenced_can_network_connect_action:testaction:1 Disable the zabbix_can_network SELinux Boolean ocil:ssg-sebool_zabbix_can_network_action:testaction:1 Disable the virt_use_nfs SELinux Boolean ocil:ssg-sebool_virt_use_nfs_action:testaction:1 Disable the prosody_bind_http_port SELinux Boolean ocil:ssg-sebool_prosody_bind_http_port_action:testaction:1 Disable the use_samba_home_dirs SELinux Boolean ocil:ssg-sebool_use_samba_home_dirs_action:testaction:1 Enable the cron_userdomain_transition SELinux Boolean ocil:ssg-sebool_cron_userdomain_transition_action:testaction:1 Disable the spamassassin_can_network SELinux Boolean ocil:ssg-sebool_spamassassin_can_network_action:testaction:1 Disable the git_cgi_use_nfs SELinux Boolean ocil:ssg-sebool_git_cgi_use_nfs_action:testaction:1 Disable the secure_mode_insmod SELinux Boolean ocil:ssg-sebool_secure_mode_insmod_action:testaction:1 Disable the mysql_connect_any SELinux Boolean ocil:ssg-sebool_mysql_connect_any_action:testaction:1 Disable the samba_load_libgfapi SELinux Boolean ocil:ssg-sebool_samba_load_libgfapi_action:testaction:1 Disable the samba_portmapper SELinux Boolean ocil:ssg-sebool_samba_portmapper_action:testaction:1 Disable the httpd_run_preupgrade SELinux Boolean ocil:ssg-sebool_httpd_run_preupgrade_action:testaction:1 Disable the virt_use_xserver SELinux Boolean ocil:ssg-sebool_virt_use_xserver_action:testaction:1 Disable the mplayer_execstack SELinux Boolean ocil:ssg-sebool_mplayer_execstack_action:testaction:1 Disable the selinuxuser_rw_noexattrfile SELinux Boolean ocil:ssg-sebool_selinuxuser_rw_noexattrfile_action:testaction:1 Disable the neutron_can_network SELinux Boolean ocil:ssg-sebool_neutron_can_network_action:testaction:1 Disable the ftpd_full_access SELinux Boolean ocil:ssg-sebool_ftpd_full_access_action:testaction:1 Disable the 
ftpd_use_fusefs SELinux Boolean ocil:ssg-sebool_ftpd_use_fusefs_action:testaction:1 Disable the deny_execmem SELinux Boolean ocil:ssg-sebool_deny_execmem_action:testaction:1 Disable the ssh_chroot_rw_homedirs SELinux Boolean ocil:ssg-sebool_ssh_chroot_rw_homedirs_action:testaction:1 Disable the httpd_mod_auth_pam SELinux Boolean ocil:ssg-sebool_httpd_mod_auth_pam_action:testaction:1 Disable the authlogin_yubikey SELinux Boolean ocil:ssg-sebool_authlogin_yubikey_action:testaction:1 Disable the virt_use_samba SELinux Boolean ocil:ssg-sebool_virt_use_samba_action:testaction:1 Disable the httpd_can_connect_ftp SELinux Boolean ocil:ssg-sebool_httpd_can_connect_ftp_action:testaction:1 Disable the abrt_anon_write SELinux Boolean ocil:ssg-sebool_abrt_anon_write_action:testaction:1 Disable the named_tcp_bind_http_port SELinux Boolean ocil:ssg-sebool_named_tcp_bind_http_port_action:testaction:1 Disable the squid_use_tproxy SELinux Boolean ocil:ssg-sebool_squid_use_tproxy_action:testaction:1 Disable the dhcpd_use_ldap SELinux Boolean ocil:ssg-sebool_dhcpd_use_ldap_action:testaction:1 Disable the tftp_home_dir SELinux Boolean ocil:ssg-sebool_tftp_home_dir_action:testaction:1 Disable the awstats_purge_apache_log_files SELinux Boolean ocil:ssg-sebool_awstats_purge_apache_log_files_action:testaction:1 Disable the samba_share_nfs SELinux Boolean ocil:ssg-sebool_samba_share_nfs_action:testaction:1 Disable the glance_use_fusefs SELinux Boolean ocil:ssg-sebool_glance_use_fusefs_action:testaction:1 Disable the sanlock_use_nfs SELinux Boolean ocil:ssg-sebool_sanlock_use_nfs_action:testaction:1 Configure the gluster_export_all_rw SELinux Boolean ocil:ssg-sebool_gluster_export_all_rw_action:testaction:1 Disable the mozilla_plugin_bind_unreserved_ports SELinux Boolean ocil:ssg-sebool_mozilla_plugin_bind_unreserved_ports_action:testaction:1 Enable the logging_syslogd_use_tty SELinux Boolean ocil:ssg-sebool_logging_syslogd_use_tty_action:testaction:1 Enable the login_console_enabled SELinux 
Boolean ocil:ssg-sebool_login_console_enabled_action:testaction:1 Disable the glance_api_can_network SELinux Boolean ocil:ssg-sebool_glance_api_can_network_action:testaction:1 Disable the abrt_handle_event SELinux Boolean ocil:ssg-sebool_abrt_handle_event_action:testaction:1 Disable the gluster_export_all_ro SELinux Boolean ocil:ssg-sebool_gluster_export_all_ro_action:testaction:1 Disable the ksmtuned_use_nfs SELinux Boolean ocil:ssg-sebool_ksmtuned_use_nfs_action:testaction:1 Disable the puppetagent_manage_all_files SELinux Boolean ocil:ssg-sebool_puppetagent_manage_all_files_action:testaction:1 Disable the httpd_dontaudit_search_dirs SELinux Boolean ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1 Disable the smbd_anon_write SELinux Boolean ocil:ssg-sebool_smbd_anon_write_action:testaction:1 Disable the cron_system_cronjob_use_shares SELinux Boolean ocil:ssg-sebool_cron_system_cronjob_use_shares_action:testaction:1 Disable the mozilla_plugin_use_bluejeans SELinux Boolean ocil:ssg-sebool_mozilla_plugin_use_bluejeans_action:testaction:1 Disable the openvpn_enable_homedirs SELinux Boolean ocil:ssg-sebool_openvpn_enable_homedirs_action:testaction:1 Disable the mcelog_server SELinux Boolean ocil:ssg-sebool_mcelog_server_action:testaction:1 Enable the mcelog_exec_scripts SELinux Boolean ocil:ssg-sebool_mcelog_exec_scripts_action:testaction:1 Disable the sge_use_nfs SELinux Boolean ocil:ssg-sebool_sge_use_nfs_action:testaction:1 Disable the webadm_read_user_files SELinux Boolean ocil:ssg-sebool_webadm_read_user_files_action:testaction:1 Disable the piranha_lvs_can_network_connect SELinux Boolean ocil:ssg-sebool_piranha_lvs_can_network_connect_action:testaction:1 Disable the domain_kernel_load_modules SELinux Boolean ocil:ssg-sebool_domain_kernel_load_modules_action:testaction:1 Disable the exim_manage_user_files SELinux Boolean ocil:ssg-sebool_exim_manage_user_files_action:testaction:1 Disable the virt_sandbox_use_netlink SELinux Boolean 
ocil:ssg-sebool_virt_sandbox_use_netlink_action:testaction:1 Enable the unconfined_chrome_sandbox_transition SELinux Boolean ocil:ssg-sebool_unconfined_chrome_sandbox_transition_action:testaction:1 Disable the httpd_verify_dns SELinux Boolean ocil:ssg-sebool_httpd_verify_dns_action:testaction:1 Disable the virt_read_qemu_ga_data SELinux Boolean ocil:ssg-sebool_virt_read_qemu_ga_data_action:testaction:1 Disable the glance_use_execmem SELinux Boolean ocil:ssg-sebool_glance_use_execmem_action:testaction:1 Disable the httpd_can_sendmail SELinux Boolean ocil:ssg-sebool_httpd_can_sendmail_action:testaction:1 Disable the httpd_enable_homedirs SELinux Boolean ocil:ssg-sebool_httpd_enable_homedirs_action:testaction:1 Disable the cdrecord_read_content SELinux Boolean ocil:ssg-sebool_cdrecord_read_content_action:testaction:1 Enable the unconfined_login SELinux Boolean ocil:ssg-sebool_unconfined_login_action:testaction:1 Disable the logging_syslogd_can_sendmail SELinux Boolean ocil:ssg-sebool_logging_syslogd_can_sendmail_action:testaction:1 Disable the gitosis_can_sendmail SELinux Boolean ocil:ssg-sebool_gitosis_can_sendmail_action:testaction:1 Disable the httpd_use_sasl SELinux Boolean ocil:ssg-sebool_httpd_use_sasl_action:testaction:1 Disable the git_system_use_cifs SELinux Boolean ocil:ssg-sebool_git_system_use_cifs_action:testaction:1 Disable the virt_use_comm SELinux Boolean ocil:ssg-sebool_virt_use_comm_action:testaction:1 Disable the selinuxuser_postgresql_connect_enabled SELinux Boolean ocil:ssg-sebool_selinuxuser_postgresql_connect_enabled_action:testaction:1 Disable the dbadm_manage_user_files SELinux Boolean ocil:ssg-sebool_dbadm_manage_user_files_action:testaction:1 Disable the httpd_can_network_connect_db SELinux Boolean ocil:ssg-sebool_httpd_can_network_connect_db_action:testaction:1 Configure the httpd_enable_cgi SELinux Boolean ocil:ssg-sebool_httpd_enable_cgi_action:testaction:1 Enable the antivirus_can_scan_system SELinux Boolean 
ocil:ssg-sebool_antivirus_can_scan_system_action:testaction:1 Disable the zarafa_setrlimit SELinux Boolean ocil:ssg-sebool_zarafa_setrlimit_action:testaction:1 Disable the samba_export_all_ro SELinux Boolean ocil:ssg-sebool_samba_export_all_ro_action:testaction:1 Disable the zoneminder_anon_write SELinux Boolean ocil:ssg-sebool_zoneminder_anon_write_action:testaction:1 Disable the daemons_enable_cluster_mode SELinux Boolean ocil:ssg-sebool_daemons_enable_cluster_mode_action:testaction:1 Disable the httpd_can_connect_mythtv SELinux Boolean ocil:ssg-sebool_httpd_can_connect_mythtv_action:testaction:1 Disable the squid_connect_any SELinux Boolean ocil:ssg-sebool_squid_connect_any_action:testaction:1 Disable the varnishd_connect_any SELinux Boolean ocil:ssg-sebool_varnishd_connect_any_action:testaction:1 Disable the privoxy_connect_any SELinux Boolean ocil:ssg-sebool_privoxy_connect_any_action:testaction:1 Enable the xend_run_qemu SELinux Boolean ocil:ssg-sebool_xend_run_qemu_action:testaction:1 Disable the abrt_upload_watch_anon_write SELinux Boolean ocil:ssg-sebool_abrt_upload_watch_anon_write_action:testaction:1 Disable the openshift_use_nfs SELinux Boolean ocil:ssg-sebool_openshift_use_nfs_action:testaction:1 Enable the unconfined_mozilla_plugin_transition SELinux Boolean ocil:ssg-sebool_unconfined_mozilla_plugin_transition_action:testaction:1 Disable the conman_can_network SELinux Boolean ocil:ssg-sebool_conman_can_network_action:testaction:1 Disable the cobbler_can_network_connect SELinux Boolean ocil:ssg-sebool_cobbler_can_network_connect_action:testaction:1 Disable the daemons_use_tty SELinux Boolean ocil:ssg-sebool_daemons_use_tty_action:testaction:1 Disable the zoneminder_run_sudo SELinux Boolean ocil:ssg-sebool_zoneminder_run_sudo_action:testaction:1 Enable the postgresql_selinux_unconfined_dbadm SELinux Boolean ocil:ssg-sebool_postgresql_selinux_unconfined_dbadm_action:testaction:1 Disable the samba_export_all_rw SELinux Boolean 
ocil:ssg-sebool_samba_export_all_rw_action:testaction:1 Enable the httpd_graceful_shutdown SELinux Boolean ocil:ssg-sebool_httpd_graceful_shutdown_action:testaction:1 Disable the pppd_can_insmod SELinux Boolean ocil:ssg-sebool_pppd_can_insmod_action:testaction:1 Disable the webadm_manage_user_files SELinux Boolean ocil:ssg-sebool_webadm_manage_user_files_action:testaction:1 Disable the secure_mode SELinux Boolean ocil:ssg-sebool_secure_mode_action:testaction:1 Disable the cluster_use_execmem SELinux Boolean ocil:ssg-sebool_cluster_use_execmem_action:testaction:1 Disable the httpd_serve_cobbler_files SELinux Boolean ocil:ssg-sebool_httpd_serve_cobbler_files_action:testaction:1 Disable the irssi_use_full_network SELinux Boolean ocil:ssg-sebool_irssi_use_full_network_action:testaction:1 Disable the xdm_bind_vnc_tcp_port SELinux Boolean ocil:ssg-sebool_xdm_bind_vnc_tcp_port_action:testaction:1 Configure the selinuxuser_direct_dri_enabled SELinux Boolean ocil:ssg-sebool_selinuxuser_direct_dri_enabled_action:testaction:1 Disable the swift_can_network SELinux Boolean ocil:ssg-sebool_swift_can_network_action:testaction:1 Disable the httpd_can_connect_zabbix SELinux Boolean ocil:ssg-sebool_httpd_can_connect_zabbix_action:testaction:1 Disable the mcelog_foreground SELinux Boolean ocil:ssg-sebool_mcelog_foreground_action:testaction:1 Disable the cobbler_use_cifs SELinux Boolean ocil:ssg-sebool_cobbler_use_cifs_action:testaction:1 Disable the virt_sandbox_use_sys_admin SELinux Boolean ocil:ssg-sebool_virt_sandbox_use_sys_admin_action:testaction:1 Disable the virt_use_execmem SELinux Boolean ocil:ssg-sebool_virt_use_execmem_action:testaction:1 Disable the exim_can_connect_db SELinux Boolean ocil:ssg-sebool_exim_can_connect_db_action:testaction:1 Disable the cluster_manage_all_files SELinux Boolean ocil:ssg-sebool_cluster_manage_all_files_action:testaction:1 Disable the xserver_execmem SELinux Boolean ocil:ssg-sebool_xserver_execmem_action:testaction:1 Disable the 
cobbler_use_nfs SELinux Boolean ocil:ssg-sebool_cobbler_use_nfs_action:testaction:1 Disable the cups_execmem SELinux Boolean ocil:ssg-sebool_cups_execmem_action:testaction:1 Disable the puppetmaster_use_db SELinux Boolean ocil:ssg-sebool_puppetmaster_use_db_action:testaction:1 Disable the xserver_clients_write_xshm SELinux Boolean ocil:ssg-sebool_xserver_clients_write_xshm_action:testaction:1 Disable the use_ecryptfs_home_dirs SELinux Boolean ocil:ssg-sebool_use_ecryptfs_home_dirs_action:testaction:1 Enable the dbadm_exec_content SELinux Boolean ocil:ssg-sebool_dbadm_exec_content_action:testaction:1 Disable the use_nfs_home_dirs SELinux Boolean ocil:ssg-sebool_use_nfs_home_dirs_action:testaction:1 Disable the tor_can_network_relay SELinux Boolean ocil:ssg-sebool_tor_can_network_relay_action:testaction:1 Disable the httpd_unified SELinux Boolean ocil:ssg-sebool_httpd_unified_action:testaction:1 Disable the mock_enable_homedirs SELinux Boolean ocil:ssg-sebool_mock_enable_homedirs_action:testaction:1 Disable the httpd_can_network_relay SELinux Boolean ocil:ssg-sebool_httpd_can_network_relay_action:testaction:1 Disable the xguest_exec_content SELinux Boolean ocil:ssg-sebool_xguest_exec_content_action:testaction:1 Disable the nagios_run_sudo SELinux Boolean ocil:ssg-sebool_nagios_run_sudo_action:testaction:1 Disable the virt_transition_userdomain SELinux Boolean ocil:ssg-sebool_virt_transition_userdomain_action:testaction:1 Disable the httpd_ssi_exec SELinux Boolean ocil:ssg-sebool_httpd_ssi_exec_action:testaction:1 Disable the ksmtuned_use_cifs SELinux Boolean ocil:ssg-sebool_ksmtuned_use_cifs_action:testaction:1 Disable the mpd_use_cifs SELinux Boolean ocil:ssg-sebool_mpd_use_cifs_action:testaction:1 Disable the use_lpd_server SELinux Boolean ocil:ssg-sebool_use_lpd_server_action:testaction:1 Disable the polipo_use_nfs SELinux Boolean ocil:ssg-sebool_polipo_use_nfs_action:testaction:1 Disable the lsmd_plugin_connect_any SELinux Boolean 
ocil:ssg-sebool_lsmd_plugin_connect_any_action:testaction:1 Disable the ftpd_connect_all_unreserved SELinux Boolean ocil:ssg-sebool_ftpd_connect_all_unreserved_action:testaction:1 Disable the virt_use_rawip SELinux Boolean ocil:ssg-sebool_virt_use_rawip_action:testaction:1 Disable the gpg_web_anon_write SELinux Boolean ocil:ssg-sebool_gpg_web_anon_write_action:testaction:1 Disable the telepathy_connect_all_ports SELinux Boolean ocil:ssg-sebool_telepathy_connect_all_ports_action:testaction:1 Disable the tor_bind_all_unreserved_ports SELinux Boolean ocil:ssg-sebool_tor_bind_all_unreserved_ports_action:testaction:1 Disable the dhcpc_exec_iptables SELinux Boolean ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1 Enable the domain_fd_use SELinux Boolean ocil:ssg-sebool_domain_fd_use_action:testaction:1 Disable the polipo_use_cifs SELinux Boolean ocil:ssg-sebool_polipo_use_cifs_action:testaction:1 Disable the samba_create_home_dirs SELinux Boolean ocil:ssg-sebool_samba_create_home_dirs_action:testaction:1 Disable the mmap_low_allowed SELinux Boolean ocil:ssg-sebool_mmap_low_allowed_action:testaction:1 Disable the selinuxuser_share_music SELinux Boolean ocil:ssg-sebool_selinuxuser_share_music_action:testaction:1 Disable the ftpd_use_cifs SELinux Boolean ocil:ssg-sebool_ftpd_use_cifs_action:testaction:1 Enable the xend_run_blktap SELinux Boolean ocil:ssg-sebool_xend_run_blktap_action:testaction:1 Disable the mcelog_client SELinux Boolean ocil:ssg-sebool_mcelog_client_action:testaction:1 Disable the cluster_can_network_connect SELinux Boolean ocil:ssg-sebool_cluster_can_network_connect_action:testaction:1 Enable the selinuxuser_execmod SELinux Boolean ocil:ssg-sebool_selinuxuser_execmod_action:testaction:1 Disable the httpd_use_nfs SELinux Boolean ocil:ssg-sebool_httpd_use_nfs_action:testaction:1 Disable the cobbler_anon_write SELinux Boolean ocil:ssg-sebool_cobbler_anon_write_action:testaction:1 Disable the selinuxuser_udp_server SELinux Boolean 
ocil:ssg-sebool_selinuxuser_udp_server_action:testaction:1 Enable the gssd_read_tmp SELinux Boolean ocil:ssg-sebool_gssd_read_tmp_action:testaction:1 Disable the kdumpgui_run_bootloader SELinux Boolean ocil:ssg-sebool_kdumpgui_run_bootloader_action:testaction:1 Disable the telepathy_tcp_connect_generic_network_ports SELinux Boolean ocil:ssg-sebool_telepathy_tcp_connect_generic_network_ports_action:testaction:1 Disable the rsync_export_all_ro SELinux Boolean ocil:ssg-sebool_rsync_export_all_ro_action:testaction:1 Disable the xguest_connect_network SELinux Boolean ocil:ssg-sebool_xguest_connect_network_action:testaction:1 Disable the samba_enable_home_dirs SELinux Boolean ocil:ssg-sebool_samba_enable_home_dirs_action:testaction:1 Disable the virt_use_sanlock SELinux Boolean ocil:ssg-sebool_virt_use_sanlock_action:testaction:1 Disable the saslauthd_read_shadow SELinux Boolean ocil:ssg-sebool_saslauthd_read_shadow_action:testaction:1 Disable the xdm_write_home SELinux Boolean ocil:ssg-sebool_xdm_write_home_action:testaction:1 Disable the named_write_master_zones SELinux Boolean ocil:ssg-sebool_named_write_master_zones_action:testaction:1 Disable the polipo_session_users SELinux Boolean ocil:ssg-sebool_polipo_session_users_action:testaction:1 Enable the sysadm_exec_content SELinux Boolean ocil:ssg-sebool_sysadm_exec_content_action:testaction:1 Disable the xguest_use_bluetooth SELinux Boolean ocil:ssg-sebool_xguest_use_bluetooth_action:testaction:1 Disable the unprivuser_use_svirt SELinux Boolean ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1 Enable the kerberos_enabled SELinux Boolean ocil:ssg-sebool_kerberos_enabled_action:testaction:1 Disable the sge_domain_can_network_connect SELinux Boolean ocil:ssg-sebool_sge_domain_can_network_connect_action:testaction:1 Disable the sanlock_use_samba SELinux Boolean ocil:ssg-sebool_sanlock_use_samba_action:testaction:1 Disable the irc_use_any_tcp_ports SELinux Boolean 
ocil:ssg-sebool_irc_use_any_tcp_ports_action:testaction:1 Disable the ftpd_anon_write SELinux Boolean ocil:ssg-sebool_ftpd_anon_write_action:testaction:1 Disable the guest_exec_content SELinux Boolean ocil:ssg-sebool_guest_exec_content_action:testaction:1 Disable the selinuxuser_execheap SELinux Boolean ocil:ssg-sebool_selinuxuser_execheap_action:testaction:1 Disable the secure_mode_policyload SELinux Boolean ocil:ssg-sebool_secure_mode_policyload_action:testaction:1 Disable the httpd_mod_auth_ntlm_winbind SELinux Boolean ocil:ssg-sebool_httpd_mod_auth_ntlm_winbind_action:testaction:1 Disable the httpd_use_openstack SELinux Boolean ocil:ssg-sebool_httpd_use_openstack_action:testaction:1 Disable the httpd_use_cifs SELinux Boolean ocil:ssg-sebool_httpd_use_cifs_action:testaction:1 Enable the postgresql_selinux_users_ddl SELinux Boolean ocil:ssg-sebool_postgresql_selinux_users_ddl_action:testaction:1 Enable the nfs_export_all_ro SELinux Boolean ocil:ssg-sebool_nfs_export_all_ro_action:testaction:1 Disable the daemons_dump_core SELinux Boolean ocil:ssg-sebool_daemons_dump_core_action:testaction:1 Enable the postfix_local_write_mail_spool SELinux Boolean ocil:ssg-sebool_postfix_local_write_mail_spool_action:testaction:1 Disable the xdm_exec_bootloader SELinux Boolean ocil:ssg-sebool_xdm_exec_bootloader_action:testaction:1 Disable the httpd_dbus_avahi SELinux Boolean ocil:ssg-sebool_httpd_dbus_avahi_action:testaction:1 Disable the exim_read_user_files SELinux Boolean ocil:ssg-sebool_exim_read_user_files_action:testaction:1 Disable the cvs_read_shadow SELinux Boolean ocil:ssg-sebool_cvs_read_shadow_action:testaction:1 Disable the racoon_read_shadow SELinux Boolean ocil:ssg-sebool_racoon_read_shadow_action:testaction:1 Disable the git_system_enable_homedirs SELinux Boolean ocil:ssg-sebool_git_system_enable_homedirs_action:testaction:1 Enable the fips_mode SELinux Boolean ocil:ssg-sebool_fips_mode_action:testaction:1 Disable the httpd_can_network_connect_cobbler SELinux 
Boolean ocil:ssg-sebool_httpd_can_network_connect_cobbler_action:testaction:1 Disable the polyinstantiation_enabled SELinux Boolean ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1 Disable the icecast_use_any_tcp_ports SELinux Boolean ocil:ssg-sebool_icecast_use_any_tcp_ports_action:testaction:1 Disable the selinuxuser_use_ssh_chroot SELinux Boolean ocil:ssg-sebool_selinuxuser_use_ssh_chroot_action:testaction:1 Disable the authlogin_nsswitch_use_ldap SELinux Boolean ocil:ssg-sebool_authlogin_nsswitch_use_ldap_action:testaction:1 Disable the virt_sandbox_use_mknod SELinux Boolean ocil:ssg-sebool_virt_sandbox_use_mknod_action:testaction:1 Enable the selinuxuser_ping SELinux Boolean ocil:ssg-sebool_selinuxuser_ping_action:testaction:1 Disable the logging_syslogd_run_nagios_plugins SELinux Boolean ocil:ssg-sebool_logging_syslogd_run_nagios_plugins_action:testaction:1 Disable the mpd_enable_homedirs SELinux Boolean ocil:ssg-sebool_mpd_enable_homedirs_action:testaction:1 Disable the ftpd_use_passive_mode SELinux Boolean ocil:ssg-sebool_ftpd_use_passive_mode_action:testaction:1 Enable the secadm_exec_content SELinux Boolean ocil:ssg-sebool_secadm_exec_content_action:testaction:1 Disable the postgresql_selinux_transmit_client_label SELinux Boolean ocil:ssg-sebool_postgresql_selinux_transmit_client_label_action:testaction:1 Disable the git_session_users SELinux Boolean ocil:ssg-sebool_git_session_users_action:testaction:1 Ensure SELinux Not Disabled in /etc/default/grub ocil:ssg-grub2_enable_selinux_action:testaction:1 Configure SELinux Policy ocil:ssg-selinux_policytype_action:testaction:1 Ensure No Device Files are Unlabeled by SELinux ocil:ssg-selinux_all_devicefiles_labeled_action:testaction:1 Map System Users To The Appropriate SELinux Role ocil:ssg-selinux_user_login_roles_action:testaction:1 Ensure SELinux State is Enforcing ocil:ssg-selinux_state_action:testaction:1 Set Password Minimum Length in login.defs 
ocil:ssg-accounts_password_minlen_login_defs_action:testaction:1 Set Password Warning Age ocil:ssg-accounts_password_warn_age_login_defs_action:testaction:1 Set Password Minimum Age ocil:ssg-accounts_minimum_age_login_defs_action:testaction:1 Set Password Maximum Age ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1 Set Existing Passwords Minimum Age ocil:ssg-accounts_password_set_min_life_existing_action:testaction:1 Set Existing Passwords Maximum Age ocil:ssg-accounts_password_set_max_life_existing_action:testaction:1 Restrict Serial Port Root Logins ocil:ssg-restrict_serial_port_logins_action:testaction:1 Root Path Must Be Vendor Default ocil:ssg-root_path_default_action:testaction:1 Direct root Logins Not Allowed ocil:ssg-no_direct_root_logins_action:testaction:1 Restrict Web Browser Use for Administrative Accounts ocil:ssg-no_root_webbrowsing_action:testaction:1 Ensure that System Accounts Are Locked ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1 Restrict Virtual Console Root Logins ocil:ssg-securetty_root_login_console_only_action:testaction:1 Ensure that System Accounts Do Not Run a Shell Upon Login ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1 Verify Only Root Has UID 0 ocil:ssg-accounts_no_uid_except_zero_action:testaction:1 Use Centralized and Automated Authentication ocil:ssg-account_use_centralized_automated_auth_action:testaction:1 Ensure All Accounts on the System Have Unique Names ocil:ssg-account_unique_name_action:testaction:1 Set Account Expiration Following Inactivity ocil:ssg-account_disable_post_pw_expiration_action:testaction:1 Assign Expiration Date to Temporary Accounts ocil:ssg-account_temp_expire_date_action:testaction:1 Verify No netrc Files Exist ocil:ssg-no_netrc_files_action:testaction:1 Prevent Login to Accounts With Empty Password ocil:ssg-no_empty_passwords_action:testaction:1 Verify All Account Password Hashes are Shadowed ocil:ssg-accounts_password_all_shadowed_action:testaction:1 All 
GIDs referenced in /etc/passwd must be defined in /etc/group ocil:ssg-gid_passwd_group_same_action:testaction:1 Install the screen Package ocil:ssg-package_screen_installed_action:testaction:1 Install Smart Card Packages For Multifactor Authentication ocil:ssg-install_smartcard_packages_action:testaction:1 Configure opensc Smart Card Drivers ocil:ssg-configure_opensc_card_drivers_action:testaction:1 Configure NSS DB To Use opensc ocil:ssg-configure_opensc_nss_db_action:testaction:1 Configure Smart Card Certificate Status Checking ocil:ssg-smartcard_configure_cert_checking_action:testaction:1 Force opensc To Use Defined Smart Card Driver ocil:ssg-force_opensc_card_drivers_action:testaction:1 Install the pcsc-lite package ocil:ssg-package_pcsc-lite_installed_action:testaction:1 Enable the pcscd Service ocil:ssg-service_pcscd_enabled_action:testaction:1 Enable Smart Card Login ocil:ssg-smartcard_auth_action:testaction:1 Install the opensc Package For Multifactor Authentication ocil:ssg-package_opensc_installed_action:testaction:1 Require Authentication for Single User Mode ocil:ssg-require_singleuser_auth_action:testaction:1 Disable Ctrl-Alt-Del Burst Action ocil:ssg-disable_ctrlaltdel_burstaction_action:testaction:1 Verify that Interactive Boot is Disabled ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 Disable Ctrl-Alt-Del Reboot Activation ocil:ssg-disable_ctrlaltdel_reboot_action:testaction:1 Disable debug-shell SystemD Service ocil:ssg-service_debug-shell_disabled_action:testaction:1 Ensure that Root's Path Does Not Include World or Group-Writable Directories ocil:ssg-accounts_root_path_dirs_no_write_action:testaction:1 Ensure the Default Umask is Set Correctly For Interactive Users ocil:ssg-accounts_umask_interactive_users_action:testaction:1 Ensure the Default Umask is Set Correctly in login.defs ocil:ssg-accounts_umask_etc_login_defs_action:testaction:1 Ensure the Default Bash Umask is Set Correctly 
ocil:ssg-accounts_umask_etc_bashrc_action:testaction:1 Ensure the Default C Shell Umask is Set Correctly ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 Ensure the Default Umask is Set Correctly in /etc/profile ocil:ssg-accounts_umask_etc_profile_action:testaction:1 Set Interactive Session Timeout ocil:ssg-accounts_tmout_action:testaction:1 Ensure that User Home Directories are not Group-Writable or World-Readable ocil:ssg-file_permissions_home_dirs_action:testaction:1 User Initialization Files Must Be Owned By the Primary User ocil:ssg-accounts_user_dot_user_ownership_action:testaction:1 All Interactive Users Home Directories Must Exist ocil:ssg-accounts_user_interactive_home_directory_exists_action:testaction:1 User Initialization Files Must Not Run World-Writable Programs ocil:ssg-accounts_user_dot_no_world_writable_programs_action:testaction:1 Ensure Home Directories are Created for New Users ocil:ssg-accounts_have_homedir_login_defs_action:testaction:1 Ensure the Logon Failure Delay is Set Correctly in login.defs ocil:ssg-accounts_logon_fail_delay_action:testaction:1 All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User ocil:ssg-accounts_users_home_files_groupownership_action:testaction:1 Ensure that Users Path Contains Only Local Directories ocil:ssg-accounts_user_home_paths_only_action:testaction:1 All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive ocil:ssg-accounts_users_home_files_permissions_action:testaction:1 Limit the Number of Concurrent Login Sessions Allowed Per User ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1 All Interactive User Home Directories Must Be Group-Owned By The Primary User ocil:ssg-file_groupownership_home_directories_action:testaction:1 All Interactive Users Must Have A Home Directory Defined ocil:ssg-accounts_user_interactive_home_directory_defined_action:testaction:1 Ensure All User Initialization Files Have Mode 0740 Or 
Less Permissive ocil:ssg-file_permission_user_init_files_action:testaction:1 All Interactive User Home Directories Must Be Owned By The Primary User ocil:ssg-file_ownership_home_directories_action:testaction:1 All User Files and Directories In The Home Directory Must Be Owned By The Primary User ocil:ssg-accounts_users_home_files_ownership_action:testaction:1 User Initialization Files Must Be Group-Owned By The Primary User ocil:ssg-accounts_user_dot_group_ownership_action:testaction:1 All Interactive User Home Directories Must Have mode 0750 Or Less Permissive ocil:ssg-file_permissions_home_directories_action:testaction:1 Enable GNOME3 Login Warning Banner ocil:ssg-dconf_gnome_banner_enabled_action:testaction:1 Set the GNOME3 Login Warning Banner Text ocil:ssg-dconf_gnome_login_banner_text_action:testaction:1 Enable GUI Warning Banner ocil:ssg-gconf_gdm_enable_warning_gui_banner_action:testaction:1 Set GUI Warning Banner Text ocil:ssg-gconf_gdm_set_login_banner_text_action:testaction:1 Modify the System Login Banner ocil:ssg-banner_etc_issue_action:testaction:1 Set Password Hashing Algorithm in /etc/login.defs ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 Set Password Hashing Algorithm in /etc/libuser.conf ocil:ssg-set_password_hashing_algorithm_libuserconf_action:testaction:1 Set PAM's Password Hashing Algorithm ocil:ssg-set_password_hashing_algorithm_systemauth_action:testaction:1 Configure the root Account for Failed Password Attempts ocil:ssg-accounts_passwords_pam_faillock_deny_root_action:testaction:1 Set Lockout Time for Failed Password Attempts ocil:ssg-accounts_passwords_pam_faillock_unlock_time_action:testaction:1 Limit Password Reuse ocil:ssg-accounts_password_pam_unix_remember_action:testaction:1 Set Interval For Counting Failed Password Attempts ocil:ssg-accounts_passwords_pam_faillock_interval_action:testaction:1 Set Deny For Failed Password Attempts ocil:ssg-accounts_passwords_pam_faillock_deny_action:testaction:1 Set 
Password Minimum Length ocil:ssg-accounts_password_pam_minlen_action:testaction:1 Set Password to Maximum of Consecutive Repeating Characters from Same Character Class ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 Set Password Maximum Consecutive Repeating Characters ocil:ssg-accounts_password_pam_maxrepeat_action:testaction:1 Set Password Strength Minimum Digit Characters ocil:ssg-accounts_password_pam_dcredit_action:testaction:1 Set Password Strength Minimum Different Categories ocil:ssg-accounts_password_pam_minclass_action:testaction:1 Set Password Strength Minimum Different Characters ocil:ssg-accounts_password_pam_difok_action:testaction:1 Set Password Strength Minimum Special Characters ocil:ssg-accounts_password_pam_ocredit_action:testaction:1 Set Password Strength Minimum Lowercase Characters ocil:ssg-accounts_password_pam_lcredit_action:testaction:1 Set Password Strength Minimum Uppercase Characters ocil:ssg-accounts_password_pam_ucredit_action:testaction:1 Set Password Retry Prompts Permitted Per-Session ocil:ssg-accounts_password_pam_retry_action:testaction:1 Set Password Retry Prompts Permitted Per-Session ocil:ssg-cracklib_accounts_password_pam_retry_action:testaction:1 Set Password Strength Minimum Special Characters ocil:ssg-cracklib_accounts_password_pam_ocredit_action:testaction:1 Set Password Strength Minimum Digit Characters ocil:ssg-cracklib_accounts_password_pam_dcredit_action:testaction:1 Set Password Strength Minimum Different Categories ocil:ssg-cracklib_accounts_password_pam_minclass_action:testaction:1 Set Password Strength Minimum Uppercase Characters ocil:ssg-cracklib_accounts_password_pam_ucredit_action:testaction:1 Set Password Strength Minimum Lowercase Characters ocil:ssg-cracklib_accounts_password_pam_lcredit_action:testaction:1 Set Password Minimum Length ocil:ssg-cracklib_accounts_password_pam_minlen_action:testaction:1 Set Password to Maximum of Three Consecutive Repeating Characters 
ocil:ssg-cracklib_accounts_password_pam_maxrepeat_action:testaction:1
Set Password Strength Minimum Different Characters: ocil:ssg-cracklib_accounts_password_pam_difok_action:testaction:1
Set Last Logon/Access Notification: ocil:ssg-display_login_attempts_action:testaction:1
Encrypt Partitions: ocil:ssg-encrypt_partitions_action:testaction:1
Ensure /home Located On Separate Partition: ocil:ssg-partition_for_home_action:testaction:1
Ensure /srv Located On Separate Partition: ocil:ssg-partition_for_srv_action:testaction:1
Ensure /var/tmp Located On Separate Partition: ocil:ssg-partition_for_var_tmp_action:testaction:1
Ensure /tmp Located On Separate Partition: ocil:ssg-partition_for_tmp_action:testaction:1
Ensure /var Located On Separate Partition: ocil:ssg-partition_for_var_action:testaction:1
Ensure /var/log/audit Located On Separate Partition: ocil:ssg-partition_for_var_log_audit_action:testaction:1
Ensure /var/log Located On Separate Partition: ocil:ssg-partition_for_var_log_action:testaction:1
Ensure Users Re-Authenticate for Privilege Escalation - sudo: ocil:ssg-sudo_require_authentication_action:testaction:1
Only the VDSM User Can Use sudo NOPASSWD: ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate: ocil:ssg-sudo_remove_no_authenticate_action:testaction:1
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD: ocil:ssg-sudo_remove_nopasswd_action:testaction:1
The Installed Operating System Is Vendor Supported: ocil:ssg-installed_OS_is_vendor_supported_action:testaction:1
The Installed Operating System Is FIPS 140-2 Certified: ocil:ssg-installed_OS_is_FIPS_certified_action:testaction:1
Install the dracut-fips Package: ocil:ssg-package_dracut-fips_installed_action:testaction:1
Enable FIPS Mode in GRUB2: ocil:ssg-grub2_enable_fips_mode_action:testaction:1
Install the Policy Auditor (PA) Module: ocil:ssg-install_mcafee_hbss_pa_action:testaction:1
Install the Asset Configuration Compliance Module (ACCM): ocil:ssg-install_mcafee_hbss_accm_action:testaction:1
Install the Host Intrusion Prevention System (HIPS) Module: ocil:ssg-install_mcafee_hbss_hips_action:testaction:1
Enable nails Service: ocil:ssg-service_nails_enabled_action:testaction:1
Install McAfee Virus Scanning Software: ocil:ssg-install_mcafee_antivirus_action:testaction:1
Virus Scanning Software Definitions Are Updated: ocil:ssg-mcafee_antivirus_definitions_updated_action:testaction:1
Install the McAfee Runtime Libraries and Linux Agent: ocil:ssg-install_mcafee_cma_rt_action:testaction:1
Configure Backups of User Data: ocil:ssg-configure_user_data_backups_action:testaction:1
Install Virus Scanning Software: ocil:ssg-install_antivirus_action:testaction:1
Install Intrusion Detection Software: ocil:ssg-install_hids_action:testaction:1
Verify and Correct File Permissions with RPM: ocil:ssg-rpm_verify_permissions_action:testaction:1
Verify and Correct Ownership with RPM: ocil:ssg-rpm_verify_ownership_action:testaction:1
Verify File Hashes with RPM: ocil:ssg-rpm_verify_hashes_action:testaction:1
Install AIDE: ocil:ssg-package_aide_installed_action:testaction:1
Configure AIDE to Verify Extended Attributes: ocil:ssg-aide_verify_ext_attributes_action:testaction:1
Configure AIDE to Verify Access Control Lists (ACLs): ocil:ssg-aide_verify_acls_action:testaction:1
Configure AIDE to Use FIPS 140-2 for Validating Hashes: ocil:ssg-aide_use_fips_hashes_action:testaction:1
Configure Notification of Post-AIDE Scan Details: ocil:ssg-aide_scan_notification_action:testaction:1
Configure Periodic Execution of AIDE: ocil:ssg-aide_periodic_cron_checking_action:testaction:1
Build and Test AIDE Database: ocil:ssg-aide_build_database_action:testaction:1
Ensure gpgcheck Enabled for All yum Package Repositories: ocil:ssg-ensure_gpgcheck_never_disabled_action:testaction:1
Ensure Software Patches Installed: ocil:ssg-security_patches_up_to_date_action:testaction:1
Ensure gpgcheck Enabled for Local Packages: ocil:ssg-ensure_gpgcheck_local_packages_action:testaction:1
Ensure Red Hat GPG Key Installed: ocil:ssg-ensure_redhat_gpgkey_installed_action:testaction:1
Ensure gpgcheck Enabled for Repository Metadata: ocil:ssg-ensure_gpgcheck_repo_metadata_action:testaction:1
Ensure yum Removes Previous Package Versions: ocil:ssg-clean_components_post_updating_action:testaction:1
Ensure gpgcheck Enabled In Main yum Configuration: ocil:ssg-ensure_gpgcheck_globally_activated_action:testaction:1
Implement Blank Screensaver: ocil:ssg-gconf_gnome_screensaver_mode_blank_action:testaction:1
Enable Screen Lock Activation After Idle Period: ocil:ssg-gconf_gnome_screensaver_lock_enabled_action:testaction:1
Set GNOME Screen Locking Keybindings: ocil:ssg-gconf_gnome_screen_locking_keybindings_action:testaction:1
Ensure Users Cannot Change GNOME3 Session Idle Settings: ocil:ssg-dconf_gnome_session_idle_user_locks_action:testaction:1
Set GNOME3 Screensaver Lock Delay After Activation Period: ocil:ssg-dconf_gnome_screensaver_lock_delay_action:testaction:1
Disable Full User Name on Splash Shield: ocil:ssg-dconf_gnome_screensaver_user_info_action:testaction:1
Ensure Users Cannot Change GNOME3 Screensaver Settings: ocil:ssg-dconf_gnome_screensaver_user_locks_action:testaction:1
GNOME Desktop Screensaver Mandatory Use: ocil:ssg-gconf_gnome_screensaver_idle_activation_enabled_action:testaction:1
Enable GNOME3 Screensaver Idle Activation: ocil:ssg-dconf_gnome_screensaver_idle_activation_enabled_action:testaction:1
Set GNOME Login Maximum Allowed Inactivity Action: ocil:ssg-gconf_gnome_screensaver_max_idle_action_action:testaction:1
Set GNOME3 Screensaver Inactivity Timeout: ocil:ssg-dconf_gnome_screensaver_idle_delay_action:testaction:1
Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period: ocil:ssg-dconf_gnome_screensaver_lock_locked_action:testaction:1
Set GNOME Login Maximum Allowed Inactivity: ocil:ssg-gconf_gnome_screensaver_max_idle_time_action:testaction:1
Implement Blank Screensaver: ocil:ssg-dconf_gnome_screensaver_mode_blank_action:testaction:1
Set GNOME Login Inactivity Timeout: ocil:ssg-gconf_gnome_screensaver_idle_delay_action:testaction:1
Enable GNOME3 Screensaver Lock After Idle Period: ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1
Ensure Users Cannot Change GNOME3 Screensaver Idle Activation: ocil:ssg-dconf_gnome_screensaver_idle_activation_locked_action:testaction:1
Disable GNOME Automounting: ocil:ssg-gconf_gnome_disable_automount_action:testaction:1
Disable All GNOME Thumbnailers: ocil:ssg-gconf_gnome_disable_thumbnailers_action:testaction:1
Disable All GNOME3 Thumbnailers: ocil:ssg-dconf_gnome_disable_thumbnailers_action:testaction:1
Disable GNOME3 Automounting: ocil:ssg-dconf_gnome_disable_automount_action:testaction:1
Disable Geolocation in GNOME3: ocil:ssg-dconf_gnome_disable_geolocation_action:testaction:1
Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME: ocil:ssg-gconf_gnome_disable_ctrlaltdel_reboot_action:testaction:1
Disable the GNOME Clock Weather Feature: ocil:ssg-gconf_gnome_disable_clock_weather_action:testaction:1
Disable the GNOME Clock Temperature Feature: ocil:ssg-gconf_gnome_disable_clock_temperature_action:testaction:1
Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3: ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_action:testaction:1
Disable Power Settings in GNOME3: ocil:ssg-dconf_gnome_disable_power_settings_action:testaction:1
Disable User Administration in GNOME3: ocil:ssg-dconf_gnome_disable_user_admin_action:testaction:1
Enable the GNOME3 Login Smartcard Authentication: ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1
Disable the GNOME3 Login Restart and Shutdown Buttons: ocil:ssg-dconf_gnome_disable_restart_shutdown_action:testaction:1
Disable the GNOME Login Restart and Shutdown Buttons: ocil:ssg-gconf_gnome_disable_restart_shutdown_action:testaction:1
Disable GDM Automatic Login: ocil:ssg-gnome_gdm_disable_automatic_login_action:testaction:1
Set the GNOME3 Login Number of Failures: ocil:ssg-dconf_gnome_login_retries_action:testaction:1
Disable the GNOME3 Login User List: ocil:ssg-dconf_gnome_disable_user_list_action:testaction:1
Disable the User List: ocil:ssg-gconf_gdm_disable_user_list_action:testaction:1
Disable GDM Guest Login: ocil:ssg-gnome_gdm_disable_guest_login_action:testaction:1
Disable WIFI Network Connection Creation in GNOME: ocil:ssg-gconf_gnome_disable_wifi_create_action:testaction:1
Disable WIFI Network Connection Creation in GNOME3: ocil:ssg-dconf_gnome_disable_wifi_create_action:testaction:1
Disable WIFI Network Notification in GNOME3: ocil:ssg-dconf_gnome_disable_wifi_notification_action:testaction:1
Disable WIFI Network Connection Notification in GNOME: ocil:ssg-gconf_gnome_disable_wifi_notification_action:testaction:1
Disable WIFI Network Disconnect Notification in GNOME: ocil:ssg-gconf_gnome_disable_wifi_disconnect_action:testaction:1
Require Encryption for Remote Access in GNOME3: ocil:ssg-dconf_gnome_remote_access_encryption_action:testaction:1
Require Credential Prompting for Remote Access in GNOME3: ocil:ssg-dconf_gnome_remote_access_credential_prompt_action:testaction:1
Remove the GDM Package Group: ocil:ssg-package_gdm_removed_action:testaction:1
Force dconf to use the textfiles instead of a binary DB: ocil:ssg-dconf_use_text_backend_action:testaction:1
Make sure that the dconf databases are up-to-date with regards to respective keyfiles: ocil:ssg-dconf_db_up_to_date_action:testaction:1
Configure GNOME3 DConf User Profile: ocil:ssg-enable_dconf_user_profile_action:testaction:1
Verify Permissions on shadow File: ocil:ssg-file_permissions_etc_shadow_action:testaction:1
Verify User Who Owns shadow File: ocil:ssg-file_owner_etc_shadow_action:testaction:1
Verify User Who Owns gshadow File: ocil:ssg-file_owner_etc_gshadow_action:testaction:1
Verify Permissions on group File: ocil:ssg-file_permissions_etc_group_action:testaction:1
Verify Group Who Owns gshadow File: ocil:ssg-file_groupowner_etc_gshadow_action:testaction:1
Verify User Who Owns passwd File: ocil:ssg-file_owner_etc_passwd_action:testaction:1
Verify Group Who Owns shadow File: ocil:ssg-file_groupowner_etc_shadow_action:testaction:1
Verify User Who Owns group File: ocil:ssg-file_owner_etc_group_action:testaction:1
Verify Group Who Owns group File: ocil:ssg-file_groupowner_etc_group_action:testaction:1
Verify Permissions on gshadow File: ocil:ssg-file_permissions_etc_gshadow_action:testaction:1
Verify Group Who Owns passwd File: ocil:ssg-file_groupowner_etc_passwd_action:testaction:1
Verify Permissions on passwd File: ocil:ssg-file_permissions_etc_passwd_action:testaction:1
Verify that System Executables Have Restrictive Permissions: ocil:ssg-file_permissions_binary_dirs_action:testaction:1
Verify that Shared Library Files Have Root Ownership: ocil:ssg-file_ownership_library_dirs_action:testaction:1
Verify that System Executables Have Root Ownership: ocil:ssg-file_ownership_binary_dirs_action:testaction:1
Verify that Shared Library Files Have Restrictive Permissions: ocil:ssg-file_permissions_library_dirs_action:testaction:1
Ensure All SGID Executables Are Authorized: ocil:ssg-file_permissions_unauthorized_sgid_action:testaction:1
Disallow creating symlinks to a file you do not own: ocil:ssg-sysctl_fs_protected_symlinks_action:testaction:1
Ensure All World-Writable Directories Are Owned by a System Account: ocil:ssg-dir_perms_world_writable_system_owned_action:testaction:1
Ensure All Files Are Owned by a Group: ocil:ssg-file_permissions_ungroupowned_action:testaction:1
Ensure All Files Are Owned by a User: ocil:ssg-no_files_unowned_by_user_action:testaction:1
Disallow creating symlinks to a file you do not own: ocil:ssg-sysctl_fs_protected_hardlinks_action:testaction:1
Ensure No World-Writable Files Exist: ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1
Verify that All World-Writable Directories Have Sticky Bits Set: ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1
Verify that local System.map file (if exists) is readable only by root: ocil:ssg-file_permissions_systemmap_action:testaction:1
Ensure All SUID Executables Are Authorized: ocil:ssg-file_permissions_unauthorized_suid_action:testaction:1
Disable Modprobe Loading of USB Storage Driver: ocil:ssg-kernel_module_usb-storage_disabled_action:testaction:1
Disable the Automounter: ocil:ssg-service_autofs_disabled_action:testaction:1
Add noexec Option to Removable Media Partitions: ocil:ssg-mount_option_noexec_removable_partitions_action:testaction:1
Set Daemon Umask: ocil:ssg-umask_for_daemons_action:testaction:1
Enable SLUB/SLAB allocator poisoning: ocil:ssg-grub2_slub_debug_argument_action:testaction:1
Enable page allocator poisoning: ocil:ssg-grub2_page_poison_argument_action:testaction:1
Disable Core Dumps for SUID programs: ocil:ssg-sysctl_fs_suid_dumpable_action:testaction:1
Disable Core Dumps for All Users: ocil:ssg-disable_users_coredumps_action:testaction:1
Restrict Exposed Kernel Pointer Addresses Access: ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1
Enable ExecShield via sysctl: ocil:ssg-sysctl_kernel_exec_shield_action:testaction:1
Enable Randomized Layout of Virtual Address Space: ocil:ssg-sysctl_kernel_randomize_va_space_action:testaction:1
Disable kernel image loading: ocil:ssg-sysctl_kernel_kexec_load_disabled_action:testaction:1
Disable vsyscalls: ocil:ssg-grub2_vsyscall_argument_action:testaction:1
Restrict usage of ptrace to descendant processes: ocil:ssg-sysctl_kernel_yama_ptrace_scope_action:testaction:1
Restrict Access to Kernel Message Buffer: ocil:ssg-sysctl_kernel_dmesg_restrict_action:testaction:1
The rsh package can be removed with the following command:
$ sudo yum erase rsh
Is it the case that ?

To check that the rlogin service is disabled in system boot configuration with xinetd, run the following command:
$ chkconfig rlogin --list
Output should indicate the rlogin service has either not been installed, or has been disabled, as shown in the example below:
$ chkconfig rlogin --list
Note: This output shows SysV services only and does not include native systemd services. SysV configuration data might be overridden by native systemd configuration. If you want to list systemd services use 'systemctl list-unit-files'. To see services enabled on particular target use 'systemctl list-dependencies [target]'.
rlogin off
To check that the rlogin socket is disabled in system boot configuration with systemd, run the following command:
$ systemctl is-enabled rlogin
Output should indicate the rlogin socket has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled rlogin
disabled
Run the following command to verify rlogin is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active rlogin
If the socket is not running the command will return the following output:
inactive
Is it the case that service and/or socket are running?

To check that the rexec service is disabled in system boot configuration with xinetd, run the following command:
$ chkconfig rexec --list
Output should indicate the rexec service has either not been installed, or has been disabled, as shown in the example below:
$ chkconfig rexec --list
Note: This output shows SysV services only and does not include native systemd services. SysV configuration data might be overridden by native systemd configuration. If you want to list systemd services use 'systemctl list-unit-files'. To see services enabled on particular target use 'systemctl list-dependencies [target]'.
rexec off
To check that the rexec socket is disabled in system boot configuration with systemd, run the following command:
$ systemctl is-enabled rexec
Output should indicate the rexec socket has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled rexec
disabled
Run the following command to verify rexec is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active rexec
If the socket is not running the command will return the following output:
inactive
Is it the case that service and/or socket are running?

To verify that there are no shosts.equiv files on the system, run the following command:
$ find / -name shosts.equiv
No output should be returned.
Is it the case that these files exist?

To check that the rsh service is disabled in system boot configuration with xinetd, run the following command:
$ chkconfig rsh --list
Output should indicate the rsh service has either not been installed, or has been disabled, as shown in the example below:
$ chkconfig rsh --list
Note: This output shows SysV services only and does not include native systemd services. SysV configuration data might be overridden by native systemd configuration. If you want to list systemd services use 'systemctl list-unit-files'. To see services enabled on particular target use 'systemctl list-dependencies [target]'.
rsh off
To check that the rsh socket is disabled in system boot configuration with systemd, run the following command:
$ systemctl is-enabled rsh
Output should indicate the rsh socket has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled rsh
disabled
Run the following command to verify rsh is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active rsh
If the socket is not running the command will return the following output:
inactive
Is it the case that service and/or socket are running?

To verify that there are no /etc/shosts.equiv files on the system, run the following command:
$ sudo find / -name '*.shosts'
No output should be returned.
Is it the case that these files exist?

Run the following command to determine if the rsh-server package is installed:
$ rpm -q rsh-server
Is it the case that the package is installed?

The existence of the file /etc/hosts.equiv or a file named .rhosts inside a user home directory indicates the presence of an Rsh trust relationship.
Is it the case that these files exist?

The telnet package can be removed with the following command:
$ sudo yum erase telnet
Is it the case that ?

To check that the telnet service is disabled in system boot configuration with xinetd, run the following command:
$ chkconfig telnet --list
Output should indicate the telnet service has either not been installed, or has been disabled, as shown in the example below:
$ chkconfig telnet --list
Note: This output shows SysV services only and does not include native systemd services. SysV configuration data might be overridden by native systemd configuration. If you want to list systemd services use 'systemctl list-unit-files'. To see services enabled on particular target use 'systemctl list-dependencies [target]'.
telnet off
To check that the telnet socket is disabled in system boot configuration with systemd, run the following command:
$ systemctl is-enabled telnet
Output should indicate the telnet socket has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled telnet
disabled
Run the following command to verify telnet is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active telnet
If the socket is not running the command will return the following output:
inactive
Is it the case that service and/or socket are running?

Run the following command to determine if the telnet-server package is installed:
$ rpm -q telnet-server
Is it the case that the package is installed?

The ypbind package can be removed with the following command:
$ sudo yum erase ypbind
Is it the case that ?

To check that the ypbind service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled ypbind
Output should indicate the ypbind service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled ypbind
disabled
Run the following command to verify ypbind is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active ypbind
If the service is not running the command will return the following output:
inactive
Is it the case that ?

Run the following command to determine if the ypserv package is installed:
$ rpm -q ypserv
Is it the case that the package is installed?
To check that the tftp service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled tftp
Output should indicate the tftp service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled tftp
disabled
Run the following command to verify tftp is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active tftp
If the service is not running the command will return the following output:
inactive
Is it the case that ?

The tftp package can be removed with the following command:
$ sudo yum erase tftp
Is it the case that ?

Run the following command to determine if the tftp-server package is installed:
$ rpm -q tftp-server
Is it the case that the package is installed?

If TFTP is not installed, this is not applicable. To determine if TFTP is installed, run the following command:
$ rpm -qa | grep tftp
Verify tftp is configured with the -s option by running the following command:
$ grep "server_args" /etc/xinetd.d/tftp
The output should indicate the server_args variable is configured with the -s flag, matching the example below:
$ grep "server_args" /etc/xinetd.d/tftp
server_args = -s /var/lib/tftpboot
Is it the case that this flag is missing?

Run the following command to determine if the tcp_wrappers package is installed:
$ rpm -q tcp_wrappers
Is it the case that the package is not installed?

If network services are using the xinetd service, this is not applicable. To check that the xinetd service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled xinetd
Output should indicate the xinetd service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled xinetd
disabled
Run the following command to verify xinetd is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active xinetd
If the service is not running the command will return the following output:
inactive
Is it the case that ?

Run the following command to determine if the xinetd package is installed:
$ rpm -q xinetd
Is it the case that the package is installed?

Run the following command to determine if the talk package is installed:
$ rpm -q talk
Is it the case that the package is installed?

Run the following command to determine if the talk-server package is installed:
$ rpm -q talk-server
Is it the case that the package is installed?

If FTP services are not installed, this is not applicable. To verify this configuration, run the following command:
$ grep "banner_file" /etc/vsftpd/vsftpd.conf
The output should show the value of banner_file is set to /etc/issue, an example of which is shown below:
$ sudo grep "banner_file" /etc/vsftpd/vsftpd.conf
banner_file=/etc/issue
Is it the case that it does not?

Find if logging is applied to the FTP daemon. Procedures: If vsftpd is started by xinetd the following command will indicate the xinetd.d startup file:
$ grep vsftpd /etc/xinetd.d/*
$ grep server_args [vsftpd xinetd.d startup file]
This will indicate the vsftpd config file used when starting through xinetd. If the server_args line is missing or does not include the vsftpd configuration file, then the default config file (/etc/vsftpd/vsftpd.conf) is used.
$ sudo grep xferlog_enable [vsftpd config file]
Is it the case that xferlog_enable is missing, or is not set to yes?

To check that the vsftpd service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled vsftpd
Output should indicate the vsftpd service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled vsftpd
disabled
Run the following command to verify vsftpd is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active vsftpd
If the service is not running the command will return the following output:
inactive
Is it the case that ?

Run the following command to determine if the vsftpd package is installed:
$ rpm -q vsftpd
Is it the case that the package is installed?

To ensure only SNMPv3 or newer is used, run the following command:
$ sudo grep 'rocommunity\|rwcommunity\|com2sec' /etc/snmp/snmpd.conf | grep -v "^#"
There should be no output.
Is it the case that there is output?

To ensure the default password is not set, run the following command:
$ sudo grep -v "^#" /etc/snmp/snmpd.conf | grep -E 'public|private'
There should be no output.
Is it the case that the default SNMP passwords public and private have not been changed or removed?

Run the following command to determine if the net-snmp package is installed:
$ rpm -q net-snmp
Is it the case that the package is installed?

To check that the snmpd service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled snmpd
Output should indicate the snmpd service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled snmpd
disabled
Run the following command to verify snmpd is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active snmpd
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check the group ownership of /etc/cron.allow, run the command:
$ ls -lL /etc/cron.allow
If properly configured, the output should indicate the following group-owner: root
Is it the case that /etc/cron.allow has group owner root?

To check the ownership of /etc/cron.allow, run the command:
$ ls -lL /etc/cron.allow
If properly configured, the output should indicate the following owner: root
Is it the case that /etc/cron.allow has owner root?
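The tftp, vsftpd and snmpd checks above are each expressed as a grep over one configuration file. The following is an added example, not part of the SCAP Security Guide content or its OVAL/OCIL checks: an offline auditor in Python that applies the same three conditions (server_args carries -s, banner_file is /etc/issue and xferlog_enable is YES, no SNMPv1/v2c community directives and no default community names) to configuration text. It goes a little beyond the page's line-oriented grep by parsing directives, so a community string on a line that also carries an inline comment is still flagged. All configuration snippets below are constructed samples, and the SNMPv3 user and passphrases in the hardened sample are placeholders.

```python
"""Offline auditor for three service-hardening checks (added example; the
configuration snippets are constructed samples, not files from a real host)."""

# Constructed sample: a weak snmpd.conf using v2c community strings and the
# default community names. The commented-out line must NOT be flagged.
SAMPLE_SNMPD_WEAK = """\
# rocommunity public  <- commented out, ignored like grep -v "^#"
rocommunity public 10.0.0.0/8
rwcommunity  private
com2sec notConfigUser default public   # inline comment after the directive
"""

# Constructed sample: SNMPv3 only, no community strings. The user name and
# passphrases are placeholders, not real credentials.
SAMPLE_SNMPD_HARDENED = """\
createUser monitor SHA "PLACEHOLDER-AUTH" AES "PLACEHOLDER-PRIV"
rouser monitor priv
"""

# Constructed sample: vsftpd.conf with the banner set but transfer logging off.
SAMPLE_VSFTPD = """\
anonymous_enable=NO
xferlog_enable=NO
banner_file=/etc/issue
"""

# Constructed sample: /etc/xinetd.d/tftp without the -s (chroot) flag.
SAMPLE_XINETD_TFTP = """\
service tftp
{
    socket_type = dgram
    server      = /usr/sbin/in.tftpd
    server_args = /var/lib/tftpboot
    disable     = no
}
"""

# Directives that configure SNMPv1/v2c community-based access in net-snmp.
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6",
                        "rwcommunity6", "com2sec"}
DEFAULT_COMMUNITIES = {"public", "private"}


def _directive_lines(text):
    """Yield (keyword, rest) for every non-empty, non-comment line.
    Anything after '#' is dropped, so inline comments do not hide a directive."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1] if len(parts) > 1 else "")


def _kv_settings(text):
    """Parse 'key=value' / 'key = value' lines (vsftpd.conf and xinetd style)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def audit_snmpd(text):
    """Return findings for snmpd.conf: any community directive is a finding,
    and a default community name ('public'/'private') is a second finding."""
    findings = []
    for keyword, rest in _directive_lines(text):
        if keyword.lower() not in COMMUNITY_DIRECTIVES:
            continue
        findings.append("%s: SNMPv1/v2c community string configured" % keyword)
        fields = rest.split()
        # com2sec NAME SOURCE COMMUNITY; ro/rwcommunity COMMUNITY [SOURCE ...]
        if keyword.lower() == "com2sec":
            community = fields[2] if len(fields) >= 3 else ""
        else:
            community = fields[0] if fields else ""
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append("%s: default community name '%s' in use"
                            % (keyword, community))
    return findings


def audit_vsftpd(text):
    """Return findings for vsftpd.conf: banner_file and xferlog_enable."""
    settings = _kv_settings(text)
    findings = []
    if settings.get("banner_file") != "/etc/issue":
        findings.append("banner_file is not /etc/issue")
    if settings.get("xferlog_enable", "").upper() != "YES":
        findings.append("xferlog_enable is missing or not YES")
    return findings


def audit_xinetd_tftp(text):
    """Return findings for /etc/xinetd.d/tftp: server_args must carry -s
    (--secure is the long form in tftp-hpa) so the daemon chroots."""
    args = _kv_settings(text).get("server_args", "").split()
    if "-s" not in args and "--secure" not in args:
        return ["server_args lacks -s (tftp root directory not chrooted)"]
    return []


if __name__ == "__main__":
    for name, result in (("snmpd (weak)", audit_snmpd(SAMPLE_SNMPD_WEAK)),
                         ("snmpd (hardened)", audit_snmpd(SAMPLE_SNMPD_HARDENED)),
                         ("vsftpd", audit_vsftpd(SAMPLE_VSFTPD)),
                         ("xinetd tftp", audit_xinetd_tftp(SAMPLE_XINETD_TFTP))):
        print(name, "->", result or "OK")
```

On a real host the same functions would be fed the contents of /etc/snmp/snmpd.conf, /etc/vsftpd/vsftpd.conf and /etc/xinetd.d/tftp; an empty list means the check passes.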
Run the following command to determine if the cronie-anacron package is installed: $ rpm -q cronie-anacron Is it the case that the package is installed? Run the following command to determine the current status of the crond service: $ systemctl is-active crond If the service is running, it should return the following: active Is it the case that ? To check that the atd service is disabled in system boot configuration, run the following command: $ systemctl is-enabled atd Output should indicate the atd service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ systemctl is-enabled atddisabled Run the following command to verify atd is not active (i.e. not running) through current runtime configuration: $ systemctl is-active atd If the service is not running the command will return the following output: inactive Is it the case that ? Run the following command to determine the current status of the cron service: $ systemctl is-active cron If the service is running, it should return the following: active Is it the case that ? To verify the default target is multi-user, run the following command: $ systemctl get-default The output should show the following: multi-user.target Is it the case that the X windows display server is running and/or has not been disabled? To ensure the X Windows package group is removed, run the following command: $ rpm -qi xorg-x11-server-common The output should be: package xorg-x11-server-common is not installed Is it the case that the X Windows package group or xorg-x11-server-common has not be removed? Run the following command to determine if the quagga package is installed: $ rpm -q quagga Is it the case that the package is installed? 
To check that the zebra service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled zebra
Output should indicate the zebra service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled zebra
disabled
Run the following command to verify zebra is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active zebra
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the named service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled named
Output should indicate the named service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled named
disabled
Run the following command to verify named is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active named
If the service is not running the command will return the following output:
inactive
Is it the case that ?

Run the following command to determine if the bind package is installed:
$ rpm -q bind
Is it the case that the package is installed?

To verify the openldap-servers package is not installed, run the following command:
$ rpm -q openldap-servers
The output should show the following:
package openldap-servers is not installed
Is it the case that it does not?

To determine if LDAP is being used for authentication, use the following command:
$ sudo grep -i useldapauth /etc/sysconfig/authconfig
The output should return:
USELDAPAUTH=yes
Is it the case that USELDAPAUTH=yes is not configured correctly in /etc/sysconfig/authconfig?

To ensure TLS is configured with trust certificates, run the following command:
$ grep cert /etc/nslcd.conf
Is it the case that LDAP is not in use, the line is commented out, or not configured correctly?

To ensure LDAP is configured to use TLS for all transactions, run the following command:
$ grep start_tls /etc/pam_ldap.conf
The result should contain:
ssl start_tls
Is it the case that LDAP is not in use, the line is commented out, or not configured correctly?

To verify that DHCP is not being used, examine the following file for each interface:
# /etc/sysconfig/network-scripts/ifcfg-interface
Look for the following:
BOOTPROTO=none
and the following, substituting the appropriate values based on your site's addressing scheme:
NETMASK=255.255.255.0
IPADDR=192.168.1.2
GATEWAY=192.168.1.1
Is it the case that it does not?

Run the following command to determine if the dhcp package is installed:
$ rpm -q dhcp
Is it the case that the package is installed?

To check that the dhcpd service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled dhcpd
Output should indicate the dhcpd service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled dhcpd
disabled
Run the following command to verify dhcpd is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active dhcpd
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the smb service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled smb
Output should indicate the smb service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled smb
disabled
Run the following command to verify smb is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active smb
If the service is not running the command will return the following output:
inactive
Is it the case that ?

Run the following command to determine if the samba package is installed:
$ rpm -q samba
Is it the case that the package is installed?

Run the following command to determine if the samba-common package is installed:
$ rpm -q samba-common
Is it the case that the package is not installed?

To verify that Samba clients running smbclient must use packet signing, run the following command:
$ grep signing /etc/samba/smb.conf
The output should show:
client signing = mandatory
Is it the case that it is not?

To verify that Samba clients using mount.cifs must use packet signing, run the following command:
$ grep sec /etc/fstab
The output should show either krb5i or ntlmv2i in use.
Is it the case that it does not?

To check that the httpd service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled httpd
Output should indicate the httpd service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled httpd
disabled
Run the following command to verify httpd is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active httpd
If the service is not running the command will return the following output:
inactive
Is it the case that ?

Run the following command to determine if the httpd package is installed:
$ rpm -q httpd
Is it the case that the package is installed?

To properly set the owner of /var/log/httpd, run the command:
$ sudo chown root /var/log/httpd
To properly set the owner of /var/log/httpd/*, run the command:
$ sudo chown root /var/log/httpd/*
Is it the case that ?

Run the following command to check the mode of the httpd log directory:
$ ls -l /var/log/ | grep httpd
Log directory must be mode 0700 or less permissive.
Is it the case that it is more permissive?

To check the permissions of /etc/http/conf.modules.d/*, run the command:
$ ls -l /etc/http/conf.modules.d/*
If properly configured, the output should indicate the following permissions:
-rw-r-----
Is it the case that /etc/http/conf.modules.d/* has unix mode -rw-r-----?

To check the permissions of /etc/http/conf, run the command:
$ ls -l /etc/http/conf
If properly configured, the output should indicate the following permissions:
-rwxr-x---
Is it the case that ?

To check the permissions of /etc/http/conf.d/*, run the command:
$ ls -l /etc/http/conf.d/*
If properly configured, the output should indicate the following permissions:
-rw-r-----
Is it the case that /etc/http/conf.d/* has unix mode -rw-r-----?

To check the permissions of /etc/http/conf/*, run the command:
$ ls -l /etc/http/conf/*
If properly configured, the output should indicate the following permissions:
-rw-r-----
Is it the case that /etc/http/conf/* has unix mode -rw-r-----?

Run the following command to determine the current status of the sshd service:
$ systemctl is-active sshd
If the service is running, it should return the following:
active
Is it the case that ?

Remote web authors should not be able to upload files to the Document Root directory structure without virus checking and checking for malicious or mobile code.
Is it the case that it is not?

Review the web site to determine if HTTP and HTTPs are used in accordance with well known ports (e.g., 80 and 443) or those ports and services as registered and approved for use by the DoD PPSM.
To configure firewalld to allow access, run the following command(s):
firewall-cmd --permanent --add-service=http
To configure firewalld to allow access, run the following command(s):
firewall-cmd --permanent --add-service=https
Is it the case that it is not?

To verify that TLS is configured properly in /etc/httpd/conf.modules.d/ssl.conf, run the following command:
$ grep -i "sslengine\|sslprotocol" /etc/httpd/conf.d/ssl.conf
The output should return the following:
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
Is it the case that it is not?

To verify if SSLVerifyClient is configured correctly in /etc/httpd/conf/httpd.conf, run the following command:
$ grep -i sslverifyclient /etc/httpd/conf/httpd.conf
The command should return the following:
SSLVerifyClient require
Is it the case that it is not?

Open a browser window and browse to the appropriate site. Before entry to the site, you should be presented with the server's PKI credentials. Review these credentials for authenticity. For DoD, find an entry which cites:
Issuer:
CN = DOD CLASS 3 CA-3
OU = PKI
OU = DoD
O = U.S. Government
C = US
Is it the case that it is not?

To preclude access to the server's root directory, ensure the following directive is in the httpd.conf file. This entry will also stop users from setting up .htaccess files which can override security features configured in /etc/httpd/conf/httpd.conf.
AllowOverride none
Is it the case that it is not?

Locate the directories containing the CGI scripts. These directories should be language-specific (e.g., PERL, ASP, JS, JSP, etc.). Examine the file permissions on the directories using the following command:
ls -l directories
Anonymous FTP users must not have access to these directories.
Is it the case that it is not?

Verify that the files and directories of each instance of Alias, ScriptAlias, and ScriptAliasMatch that exist have the correct file and directory permissions applied.
Is it the case that it is not?

To verify that web content directories are not shared anonymously over remote filesystems such as nfs and smb, inspect each instance of DocumentRoot and serverRoot and verify that no entry in /etc/fstab exists and no remote filesystem process is running for any instance:
$ ps -ef | grep "nfs\|smb"
Is it the case that it is not?

To verify that the log_config_module exists in /etc/httpd/conf/httpd.conf, run the following command:
$ grep log_config_module /etc/httpd/conf/httpd.conf
The output should return:
<IfModule log_config_module>
Is it the case that it is not?

To verify if mod_perl is installed, run the following command:
$ rpm -qa | grep mod_perl
If the mod_perl module is installed, verify that PerlSwitches -T is enabled in /etc/httpd/conf.d/perl.conf by running the following command:
$ grep -i "PerlSwitches -T" /etc/httpd/conf.d/perl.conf
The output should return, uncommented:
PerlSwitches -T
Is it the case that it is not?

To verify that each web content directory exists on a separate partition, run the following command:
$ grep `grep -i documentroot /etc/httpd/conf/httpd.conf | awk -F'"' '{print $2}'` /etc/fstab
Each of the corresponding DocumentRoot entries should have a corresponding entry in /etc/fstab.
Is it the case that it is not?

Inspect each <Directory> instance and verify that either FollowSymLinks does not exist, or Options SymLinksIfOwnerMatchDisable is configured properly.
Is it the case that it is not?

To verify that no .java and .jpp files exist, run the following command (the patterns are quoted so the shell does not expand them against the current directory):
find / -name "*.java" -o -name "*.jpp"
The output should not return any .java or .jpp files.
Is it the case that it is not?

To verify that each web content directory has an index.html file, run the following command:
$ sudo find `grep -i documentroot /etc/httpd/conf/httpd.conf | awk -F'"' '{print $2}'` -name index.html
The output should return an index.html file for every DocumentRoot that is set.
Is it the case that it is not?

Inspect all instances of DocumentRoot and Alias. No robots.txt file should exist.
Is it the case that it is not?

The document, DoDI 8500.01, establishes the policy on the use of DoD information systems. It requires the use of a standard Notice and Consent Banner and standard text to be included in user agreements. The banner should be set to the following:
Is it the case that it does not display the required banner?

Determine if there is a process for the uploading of files to the web site. This process should include the requirement for the use of a secure encrypted logon and secure encrypted connection.
If the remote users are uploading files without utilizing approved encryption methods, this is a finding.
Is it the case that it is not?

To verify if ErrorLog is configured correctly in /etc/httpd/conf/httpd.conf, run the following command:
$ grep -i errorlog /etc/httpd/conf/httpd.conf
The output should return the following:
ErrorLog "logs/error_log"
Is it the case that it is not?

Interview the SA or web administrator to see where the public web server is logically located in the data center. Review the site network diagram to see how the web server is connected to the LAN. Visually check the web server hardware connections to see if they conform to the site network diagram.
Is it the case that the web server is not isolated in an accredited DoD DMZ Extension?

Verify the site's network diagram and visually check the web server to ensure that the private web server is located on a separate controlled access subnet and is not part of the public DMZ that houses the public web servers. In addition, the private web server needs to be isolated via a controlled access mechanism from the local general population LAN.
Is it the case that the private web server is not on a separate controlled access subnet?

To verify if MaxKeepAliveRequests is configured correctly in /etc/httpd/conf/httpd.conf, run the following command:
$ grep -i maxkeepaliverequests /etc/httpd/conf/httpd.conf
The command should return the following:
MaxKeepAliveRequests 100
Is it the case that it is not?

Configure the public web server to not have a trusted relationship with any system resources that are also not accessible to the public. Web content is not to be shared via Microsoft shares or NFS mounts. Determine whether the public web server has a two-way trust relationship with any private asset located within the network. Private web server resources (e.g. drives, folders, printers, etc.) will not be directly mapped to or shared with public web servers.
Is it the case that sharing is selected for any web folder, this is a finding. If private resources (e.g. drives, partitions, folders/directories, printers, etc.) are shared with the public web server?

The reviewer should make a note of the name of the account being used for the web service. This information may be needed later in the SRR. There may also be other server services running related to the web server in support of a particular web application; these passwords must be entrusted to the SA or Web Manager as well. Query the SA or Web Manager to determine if they have the web service password(s). NOTE: For installations that run as a service, or without a password, the SA or Web Manager having an Admin account on the system would meet the intent of this check.
Is it the case that the web server password(s) are not entrusted to the SA or Web Manager?

To verify if LogFormat is configured correctly in /etc/httpd/conf/httpd.conf, run the following command:
$ grep -i logformat /etc/httpd/conf/httpd.conf
The output should contain the following:
LogFormat "a %A %h %H %l %m %s %t %u %U \"%{Referer}i\" \"%{User-Agent}i\"" combined
Is it the case that it is not?

Ensure that CGI backup scripts are not left on the production web server. This check is limited to CGI/interactive content and not static HTML. Search for backup copies of CGI scripts on the web server or ask the Web Administrator if they keep backup copies of CGI scripts on the web server. Common backup file extensions are: *.bak, *.old, *.temp, *.tmp, *.backup, *.??0. This would also apply to .jsp files. On Red Hat Enterprise Linux, run the following commands to find backup scripts:
find / -name "*.bak" -print
find / -name "*.*" -print
find / -name "*.old" -print
Is it the case that if files with these extensions have no relationship with web activity, such as a backup batch file for an operating system utility, and they are not accessible by the web application, this is not a finding.
If files with these extensions are found in either the document directory or the home directory of the web server, this is a finding. If files with these extensions are stored in a repository (not in the document root) as backups for the web server?

Enter the following commands:
grep Action /etc/httpd/conf/httpd.conf
grep AddHandler /etc/httpd/conf/httpd.conf
Is it the case that either of these exist and they configure csh, or any other shell, as a viewer for documents?

To verify if CustomLog is configured correctly in /etc/httpd/conf/httpd.conf, run the following command:
$ grep -i customlog /etc/httpd/conf/httpd.conf
The output should return the following:
CustomLog "logs/access_log" combined
Is it the case that it is not?

To verify if LogLevel is configured correctly in /etc/httpd/conf/httpd.conf, run the following command:
$ grep -i loglevel /etc/httpd/conf/httpd.conf
The command should return the following:
LogLevel warn
Is it the case that it is not?

Query the SA and the Web Manager to determine if a compiler is present on the server.
Is it the case that the web server is part of an application suite and a compiler is needed for installation, patching, and upgrading of the suite, or if the compiler is embedded and can't be removed without breaking the suite, document the installation of the compiler with the ISSO/ISSM and verify that the compiler is restricted to administrative users only. If documented and restricted to administrative users, this is not a finding. If an undocumented compiler is present, and available to non-administrative users?

To verify the operating system implements cryptography to protect the integrity of remote ldap access sessions, run the following command:
$ sudo grep ldap_tls_cacertdir /etc/sssd/sssd.conf
The output should return the following with a correctly configured CA cert path:
ldap_tls_cacertdir /path/to/tls/cacert
Is it the case that the TLS CA cert is not configured?

If the system is not using TLS, set the ldap_id_use_start_tls option in /etc/sssd/sssd.conf to True.
Is it the case that the 'ldap_id_use_start_tls' option is not set to 'True'?

To verify the operating system implements cryptography to protect the integrity of remote ldap access sessions, run the following command:
$ sudo grep ldap_tls_cacert /etc/sssd/sssd.conf
The output should return the following with a correctly configured CA cert path:
ldap_tls_cacert /path/to/tls/ca.cert
Is it the case that the TLS CA cert is not configured?

To verify that SSSD's in-memory cache expires after a day, run the following command:
$ sudo grep memcache_timeout /etc/sssd/sssd.conf
If configured properly, output should be
memcache_timeout = .
Is it the case that it does not exist or is not configured properly?

To verify that SSSD is configured for PAM services, run the following command:
$ sudo grep services /etc/sssd/sssd.conf
If configured properly, output should be similar to
services = pam
Is it the case that it does not exist or 'pam' is not added to the 'services' option under the 'sssd' section?

To verify that smart cards are enabled in SSSD, run the following command:
$ sudo grep pam_cert_auth /etc/sssd/sssd.conf
If configured properly, output should be
pam_cert_auth = true
Is it the case that smart cards are not enabled in SSSD?

To verify that SSSD expires offline credentials, run the following command:
$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf
If configured properly, output should be
offline_credentials_expiration = 1
Is it the case that it does not exist or is not configured properly?

Run the following command to determine if the sssd package is installed:
$ rpm -q sssd
Is it the case that the package is not installed?

To verify that SSSD expires known SSH host keys, run the following command:
$ sudo grep ssh_known_hosts_timeout /etc/sssd/sssd.conf
If configured properly, output should be
ssh_known_hosts_timeout =
Is it the case that it does not exist or is not configured properly?

Run the following command to determine the current status of the sssd service:
$ systemctl is-active sssd
If the service is running, it should return the following:
active
Is it the case that the service is not enabled?

Run the following command to determine the current status of the systemd_timesyncd service:
$ systemctl is-active systemd_timesyncd
If the service is running, it should return the following:
active
Is it the case that ?

To verify that maxpoll has been set properly, perform the following:
$ sudo grep maxpoll /etc/ntp.conf /etc/chrony.conf
The output should return
maxpoll .
Is it the case that it does not exist or maxpoll has not been set to the expected value?

Run the following command to determine the current status of the chronyd service:
$ systemctl is-active chronyd
If the service is running, it should return the following:
active
Run the following command to determine the current status of the ntpd service:
$ systemctl is-active ntpd
If the service is running, it should return the following:
active
Is it the case that ?

Run the following command to determine the current status of the ntpd service:
$ systemctl is-active ntpd
If the service is running, it should return the following:
active
Is it the case that ?

To verify that a remote NTP service is configured for time synchronization, open the following file:
/etc/chrony.conf in the case the system in question is configured to use chronyd as the NTP daemon (default setting)
/etc/ntp.conf in the case the system in question is configured to use ntpd as the NTP daemon
In the file, there should be a section similar to the following:
server ntpserver
Is it the case that this is not the case?

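The SSSD checks above grep for a key anywhere in /etc/sssd/sssd.conf, but the file is INI-style and the section matters: "services = pam" only counts in the [sssd] section, memcache_timeout belongs to [nss], and ldap_id_use_start_tls has to be set in each [domain/...] section. The script below is an added example, not part of the SCAP Security Guide, that resolves keys per section and applies three of the checks. Both sssd.conf files are constructed for the demonstration; the 86400-second limit is this example's reading of "expires after a day" and the domain names and paths are placeholders.

```shell
#!/bin/bash
# Added example; not part of the SCAP Security Guide. Section-aware lookups in an
# INI-style sssd.conf, applied to the services, memcache_timeout and
# ldap_id_use_start_tls checks.

# Print every section name in INI file $1, in order.
ini_sections() {
    awk '/^[[:space:]]*\[/ { s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/][[:space:]]*$/, "", s); print s }' "$1"
}

# Print the value of key $3 in section $2 of $1 (first match; nothing if absent).
# Lines starting with '#' or ';' are comments; whitespace around '=' is ignored.
ini_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[[:space:]]*([#;]|$)/ { next }
        /^[[:space:]]*\[/ { sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/][[:space:]]*$/, "", sec); next }
        sec == want_sec && index($0, "=") > 0 {
            eq = index($0, "=")
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == want_key) { print val; exit }
        }
    ' "$1"
}

# Return 0 when "pam" is one of the comma-separated services in the [sssd] section.
sssd_has_pam_service() {
    local services
    services=$(ini_get "$1" sssd services | tr -d ' ')
    case ",$services," in
        *,pam,*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Return 0 when [nss] memcache_timeout is a number no larger than $2 seconds
# (default 86400: this example's reading of "expires after a day").
sssd_memcache_ok() {
    local val
    val=$(ini_get "$1" nss memcache_timeout)
    case "$val" in ''|*[!0-9]*) return 1 ;; esac
    [ "$val" -le "${2:-86400}" ]
}

# Print each [domain/...] section of $1 whose ldap_id_use_start_tls is not True
# (case-insensitive); return 0 only when every domain has it set.
sssd_domains_without_start_tls() {
    local conf="$1" sec val bad=""
    for sec in $(ini_sections "$conf"); do
        case "$sec" in domain/*) ;; *) continue ;; esac
        val=$(ini_get "$conf" "$sec" ldap_id_use_start_tls | tr '[:upper:]' '[:lower:]')
        [ "$val" = "true" ] || bad="$bad $sec"
    done
    [ -z "$bad" ] && return 0
    printf '%s\n' $bad
    return 1
}

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

GOOD_SSSD="$WORKDIR/sssd-good.conf"   # constructed: compliant
cat >"$GOOD_SSSD" <<'EOF'
[sssd]
services = nss, pam, ssh
domains = example.test

[nss]
memcache_timeout = 86400

[pam]
pam_cert_auth = True
offline_credentials_expiration = 1

[domain/example.test]
id_provider = ldap
ldap_uri = ldap://ldap.example.test
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
EOF

BAD_SSSD="$WORKDIR/sssd-bad.conf"     # constructed: StartTLS only in a comment, no pam service
cat >"$BAD_SSSD" <<'EOF'
[sssd]
services = nss
domains = legacy.test

[domain/legacy.test]
id_provider = ldap
ldap_uri = ldap://ldap.legacy.test
# ldap_id_use_start_tls = True
EOF

for conf in "$GOOD_SSSD" "$BAD_SSSD"; do
    echo "== $conf"
    sssd_has_pam_service "$conf" && echo "pam in services: ok" || echo "pam in services: FINDING"
    sssd_memcache_ok "$conf" && echo "memcache_timeout: ok" || echo "memcache_timeout: FINDING"
    sssd_domains_without_start_tls "$conf" && echo "StartTLS: ok" || echo "StartTLS: FINDING in the domains above"
done
```

A plain grep would have accepted the commented-out line in the second file; the section-aware lookup does not. Domain section names containing spaces are not handled by the loop, which is acceptable for the usual domain/<name> convention.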
To verify that a remote NTP service is configured for time synchronization, open the following file:
/etc/ntp.conf
In the file, there should be a section similar to the following:
server ntpserver
Is it the case that this is not the case?

Run the following command to determine the current status of the ntp service:
$ systemctl is-active ntp
If the service is running, it should return the following:
active
Is it the case that ?

Run the following command to determine if the abrt package is installed:
$ rpm -q abrt
Is it the case that the package is installed?

To check that the cgred service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled cgred
Output should indicate the cgred service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled cgred
disabled
Run the following command to verify cgred is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active cgred
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the messagebus service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled messagebus
Output should indicate the messagebus service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled messagebus
disabled
Run the following command to verify messagebus is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active messagebus
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the acpid service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled acpid
Output should indicate the acpid service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled acpid
disabled
Run the following command to verify acpid is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active acpid
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the rdisc service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled rdisc
Output should indicate the rdisc service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled rdisc
disabled
Run the following command to verify rdisc is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active rdisc
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the netconsole service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled netconsole
Output should indicate the netconsole service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled netconsole
disabled
Run the following command to verify netconsole is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active netconsole
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the certmonger service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled certmonger
Output should indicate the certmonger service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled certmonger
disabled
Run the following command to verify certmonger is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active certmonger
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the quota_nld service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled quota_nld
Output should indicate the quota_nld service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled quota_nld
disabled
Run the following command to verify quota_nld is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active quota_nld
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the psacct service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled psacct
Output should indicate the psacct service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled psacct
disabled
Run the following command to verify psacct is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active psacct
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the rhnsd service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled rhnsd
Output should indicate the rhnsd service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled rhnsd
disabled
Run the following command to verify rhnsd is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active rhnsd
If the service is not running the command will return the following output:
inactive
Is it the case that ?

Run the following command to determine if the psacct package is installed:
$ rpm -q psacct
Is it the case that the package is not installed?

To check that the mdmonitor service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled mdmonitor
Output should indicate the mdmonitor service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled mdmonitor
disabled
Run the following command to verify mdmonitor is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active mdmonitor
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the irqbalance service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled irqbalance
Output should indicate the irqbalance service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled irqbalance
disabled
Run the following command to verify irqbalance is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active irqbalance
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the oddjobd service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled oddjobd
Output should indicate the oddjobd service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled oddjobd
disabled
Run the following command to verify oddjobd is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active oddjobd
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the smartd service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled smartd
Output should indicate the smartd service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled smartd
disabled
Run the following command to verify smartd is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active smartd
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the qpidd service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled qpidd
Output should indicate the qpidd service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled qpidd
disabled
Run the following command to verify qpidd is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active qpidd
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the abrtd service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled abrtd
Output should indicate the abrtd service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled abrtd
disabled
Run the following command to verify abrtd is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active abrtd
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the cpupower service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled cpupower
Output should indicate the cpupower service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled cpupower
disabled
Run the following command to verify cpupower is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active cpupower
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the saslauthd service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled saslauthd
Output should indicate the saslauthd service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled saslauthd
disabled
Run the following command to verify saslauthd is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active saslauthd
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the cgconfig service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled cgconfig
Output should indicate the cgconfig service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled cgconfig
disabled
Run the following command to verify cgconfig is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active cgconfig
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the ntpdate service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled ntpdate
Output should indicate the ntpdate service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled ntpdate
disabled
Run the following command to verify ntpdate is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active ntpdate
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the kdump service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled kdump
Output should indicate the kdump service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled kdump
disabled
Run the following command to verify kdump is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active kdump
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the rhsmcertd service is disabled in system boot configuration, run the following command: $ systemctl is-enabled rhsmcertd Output should indicate the rhsmcertd service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ systemctl is-enabled rhsmcertddisabled Run the following command to verify rhsmcertd is not active (i.e. not running) through current runtime configuration: $ systemctl is-active rhsmcertd If the service is not running the command will return the following output: inactive Is it the case that ? To check that the portreserve service is disabled in system boot configuration, run the following command: $ systemctl is-enabled portreserve Output should indicate the portreserve service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ systemctl is-enabled portreservedisabled Run the following command to verify portreserve is not active (i.e. not running) through current runtime configuration: $ systemctl is-active portreserve If the service is not running the command will return the following output: inactive Is it the case that ? To check that the sysstat service is disabled in system boot configuration, run the following command: $ systemctl is-enabled sysstat Output should indicate the sysstat service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ systemctl is-enabled sysstatdisabled Run the following command to verify sysstat is not active (i.e. not running) through current runtime configuration: $ systemctl is-active sysstat If the service is not running the command will return the following output: inactive Is it the case that ? To check if StrictModes is enabled or set correctly, run the following command: $ sudo grep StrictModes /etc/ssh/sshd_config If configured properly, output should be yes Is it the case that it is commented out or is not enabled? 
To determine how the SSH daemon's IgnoreUserKnownHosts option is set, run the following command:
$ sudo grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config
If a line indicating yes is returned, then the required value is set.
Is it the case that the required value is not set?

To determine how the SSH daemon's PermitEmptyPasswords option is set, run the following command:
$ sudo grep -i PermitEmptyPasswords /etc/ssh/sshd_config
If no line, a commented line, or a line indicating the value no is returned, then the required value is set.
Is it the case that the required value is not set?

To ensure the SSH idle timeout will occur when the ClientAliveInterval is set, run the following command:
$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config
If properly configured, the output should be:
ClientAliveCountMax
Is it the case that it is commented out or not configured properly?

Run the following command to see what the timeout interval is:
$ sudo grep ClientAliveInterval /etc/ssh/sshd_config
If properly configured, the output should be:
ClientAliveInterval
Is it the case that it is commented out or not configured properly?

To determine how the SSH daemon's Banner option is set, run the following command:
$ sudo grep -i Banner /etc/ssh/sshd_config
If a line indicating /etc/issue is returned, then the required value is set.
Is it the case that the required value is not set?

Only FIPS-approved MACs should be used. To verify that only FIPS-approved MACs are in use, run the following command:
$ sudo grep -i macs /etc/ssh/sshd_config
The output should contain only those MACs which are FIPS-approved. Any use of other ciphers or algorithms will result in the module entering the non-FIPS mode of operation.
Is it the case that the MACs option is commented out or not using FIPS-approved hash algorithms?

To ensure users are not able to present environment options to the SSH daemon, run the following command:
$ sudo grep PermitUserEnvironment /etc/ssh/sshd_config
If properly configured, the output should be:
PermitUserEnvironment no
Is it the case that PermitUserEnvironment is not disabled?

To check if KerberosAuthentication is disabled or set correctly, run the following command:
$ sudo grep KerberosAuthentication /etc/ssh/sshd_config
If configured properly, the output should be no.
Is it the case that it is commented out or is not disabled?

To check which SSH protocol version is allowed, check the version of openssh-server with the following command:
$ rpm -qi openssh-server | grep Version
Versions equal to or higher than 7.4 only allow Protocol 2. If the version is lower than 7.4, run the following command to check the configuration:
$ sudo grep Protocol /etc/ssh/sshd_config
If configured properly, the output should be Protocol 2.
Is it the case that it is commented out or is not set correctly to Protocol 2?

To determine how the SSH daemon's IgnoreRhosts option is set, run the following command:
$ sudo grep -i IgnoreRhosts /etc/ssh/sshd_config
If no line, a commented line, or a line indicating the value yes is returned, then the required value is set.
Is it the case that the required value is not set?

To check which SSH protocol version is allowed, check the version of openssh-server with the following command:
$ rpm -qi openssh-server | grep Version
Versions equal to or higher than 7.4 have deprecated the RhostsRSAAuthentication option. If the version is lower than 7.4, determine how the SSH daemon's RhostsRSAAuthentication option is set by running the following command:
$ sudo grep -i RhostsRSAAuthentication /etc/ssh/sshd_config
If no line, a commented line, or a line indicating the value no is returned, then the required value is set.
Is it the case that the required value is not set?

To check if LogLevel is enabled or set correctly, run the following command:
$ sudo grep "^LogLevel" /etc/ssh/sshd_config
If configured properly, the output should be LogLevel INFO.
Is it the case that it is commented out or is not enabled?

To determine how the SSH daemon's X11Forwarding option is set, run the following command:
$ sudo grep -i X11Forwarding /etc/ssh/sshd_config
If a line indicating yes is returned, then the required value is set.
Is it the case that the required value is not set?

Only FIPS ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command:
$ sudo grep Ciphers /etc/ssh/sshd_config
The output should contain only those ciphers which are FIPS-approved.
Is it the case that FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved?

To determine how the SSH daemon's HostbasedAuthentication option is set, run the following command:
$ sudo grep -i HostbasedAuthentication /etc/ssh/sshd_config
If no line, a commented line, or a line indicating the value no is returned, then the required value is set.
Is it the case that the required value is not set?

To determine if firewalld is configured to allow access to ssh on port 22/tcp, run the following command(s):
firewall-cmd --list-ports
firewall-cmd --list-services
If firewalld is configured to allow access through the firewall, something similar to the following will be output:
If it is a service:
ssh
If it is a port:
22/tcp
Is it the case that ?

To ensure the MaxAuthTries parameter is set, run the following command:
$ sudo grep MaxAuthTries /etc/ssh/sshd_config
If properly configured, the output should be:
MaxAuthTries tries
Is it the case that it is commented out or not configured properly?

Only strong MACs should be used. To verify that only strong MACs are in use, run the following command:
$ sudo grep -i macs /etc/ssh/sshd_config
The output should contain only those MACs which are strong, namely the following hash functions:
hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
Is it the case that the MACs option is commented out or not using strong hash algorithms?

To check if UsePrivilegeSeparation is enabled or set correctly, run the following command:
$ sudo grep UsePrivilegeSeparation /etc/ssh/sshd_config
If configured properly, the output should be sandbox.
Is it the case that it is commented out or is not enabled?

To check if PrintLastLog is enabled or set correctly, run the following command:
$ sudo grep PrintLastLog /etc/ssh/sshd_config
If configured properly, the output should be yes.
Is it the case that it is commented out or is not enabled?

Only strong ciphers should be used. To verify that only strong ciphers are in use, run the following command:
$ sudo grep Ciphers /etc/ssh/sshd_config
The output should contain only those ciphers which are considered strong, namely:
chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
Is it the case that ciphers are not configured or not using strong ciphers?

To check if GSSAPIAuthentication is disabled or set correctly, run the following command:
$ sudo grep GSSAPIAuthentication /etc/ssh/sshd_config
If configured properly, the output should be no.
Is it the case that it is commented out or is not disabled?

To check if compression is enabled or set correctly, run the following command:
$ sudo grep Compression /etc/ssh/sshd_config
If configured properly, the output should be no or delayed.
Is it the case that it is commented out, or is not set to no or delayed?

To determine how the SSH daemon's PermitRootLogin option is set, run the following command:
$ sudo grep -i PermitRootLogin /etc/ssh/sshd_config
If a line indicating no is returned, then the required value is set.
Is it the case that the required value is not set?

Run the following command to determine if the openssh-server package is installed:
$ rpm -q openssh-server
Is it the case that the package is not installed?

Run the following command to determine the current status of the sshd service:
$ systemctl is-active sshd
If the service is running, it should return the following:
active
Is it the case that ?

To check the permissions of /etc/ssh/*.pub, run the command:
$ ls -l /etc/ssh/*.pub
If properly configured, the output should indicate the following permissions:
-rw-r--r--
Is it the case that /etc/ssh/*.pub has unix mode -rw-r--r--?

To check the permissions of /etc/ssh/*_key, run the command:
$ ls -l /etc/ssh/*_key
If properly configured, the output should indicate the following permissions:
-rw-r-----
Is it the case that /etc/ssh/*_key has unix mode -rw-r-----?

Find the list of alias maps used by the Postfix mail server:
$ sudo postconf alias_maps
Query the Postfix alias maps for an alias for the root user:
$ sudo postmap -q root hash:/etc/aliases
The output should return an alias.
Is it the case that it is not?

Run the following command to ensure postfix accepts mail messages from only the local system:
$ grep inet_interfaces /etc/postfix/main.cf
If properly configured, the output should show only localhost.
Is it the case that it does not?

To verify the system is configured to prevent unrestricted mail relaying, run the following command:
$ sudo postconf -n smtpd_client_restrictions
The output should return:
smtpd_client_restrictions = permit_mynetworks,reject
Is it the case that it is not?

Run the following command to determine if the sendmail package is installed:
$ rpm -q sendmail
Is it the case that the package is installed?
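Several of the sshd_config checks above turn on a rule that a plain grep cannot express: "no line, a commented line, or a line with value no" all count as compliant, because sshd applies a compiled-in default when a keyword is absent, ignores comments, matches keywords case-insensitively, and honours only the first uncommented occurrence of a keyword. The following POSIX shell script is an added example, not SCAP Security Guide code, that evaluates options with those semantics instead of grepping. Its assumptions are that options are written as "Keyword value" (not "Keyword=value"), that only the global section before any Match block matters, and that the DEFAULT values listed in audit_sshd are the compiled-in defaults of the installed OpenSSH; the sample configuration it evaluates is constructed for the example.

```shell
#!/bin/sh
# Added example, not SSG code: evaluate sshd_config options the way sshd
# itself does. Keywords are case-insensitive, comments and blank lines are
# ignored, the FIRST uncommented occurrence wins, and an absent keyword means
# the compiled-in default applies. Assumptions: "Keyword value" syntax only,
# and only the global section before any Match block is evaluated.

# sshd_option FILE KEYWORD DEFAULT -> prints the effective value
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { k = tolower($1) }
        k == "match" { exit }                      # stop at the first Match block
        k == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")   # drop the keyword
            sub(/[[:space:]]+$/, "")
            print; found = 1; exit                 # first occurrence wins
        }
        END { if (!found) print def }
    ' "$1"
}

# sshd_check FILE KEYWORD DEFAULT EXPECTED -> 0 when the effective value is EXPECTED
sshd_check() {
    v=$(sshd_option "$1" "$2" "$3" | tr 'A-Z' 'a-z')
    [ "$v" = "$(printf '%s' "$4" | tr 'A-Z' 'a-z')" ]
}

# audit_sshd FILE -> prints PASS/FAIL per setting, returns the number of failures.
# The DEFAULT column holds assumed compiled-in defaults; on a live host
# "sudo sshd -T" prints the effective value of every option, defaults included.
audit_sshd() {
    fails=0
    while read -r kw def want; do
        if sshd_check "$1" "$kw" "$def" "$want"; then
            echo "PASS $kw = $want"
        else
            echo "FAIL $kw effective '$(sshd_option "$1" "$kw" "$def")', want '$want'"
            fails=$((fails + 1))
        fi
    done <<'EOF'
PermitRootLogin prohibit-password no
PermitEmptyPasswords no no
PermitUserEnvironment no no
IgnoreRhosts yes yes
HostbasedAuthentication no no
ClientAliveCountMax 3 0
Banner none /etc/issue
EOF
    return $fails
}

# Write a constructed sample sshd_config (not from any real host) and print its path
sample_sshd_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample for the example
Protocol 2
#PermitRootLogin yes
permitrootlogin no
PermitEmptyPasswords yes
PermitUserEnvironment no
#ClientAliveCountMax 0
ClientAliveInterval 600
Banner /etc/issue
PermitRootLogin yes
EOF
    printf '%s\n' "$f"
}
```

Running `audit_sshd "$(sample_sshd_config)"` reports two failures on the sample: PermitEmptyPasswords is explicitly yes, and ClientAliveCountMax is only present as a comment, so the default of 3 applies even though a grep would find the string. The lowercase permitrootlogin line passes and the trailing PermitRootLogin yes is ignored, matching sshd's first-match behaviour.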
Run the following command to determine the current status of the postfix service:
$ systemctl is-active postfix
If the service is running, it should return the following:
active
Is it the case that the system is not a cross domain solution and the service is not enabled?

To check that the dovecot service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled dovecot
Output should indicate the dovecot service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled dovecot
disabled
Run the following command to verify dovecot is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active dovecot
If the service is not running the command will return the following output:
inactive
Is it the case that ?

Run the following command to determine if the dovecot package is installed:
$ rpm -q dovecot
Is it the case that the package is installed?

To verify all squashing has been disabled, run the following command:
$ grep all_squash /etc/exports
Is it the case that there is output?

To verify the sec option is configured for all NFS mounts, run the following command:
$ grep "sec=" /etc/exports
All configured NFS exports should show the sec=krb5:krb5i:krb5p setting in parentheses. This is not applicable if NFS is not implemented.
Is it the case that the setting is not configured, has the 'sys' option added, or does not have all Kerberos options added?

To verify insecure file locking has been disabled, run the following command:
$ grep insecure_locks /etc/exports
Is it the case that there is output?

To verify the noexec option is configured for all NFS mounts, run the following command:
$ mount | grep nfs
All NFS mounts should show the noexec setting in parentheses. This is not applicable if NFS is not implemented.
Is it the case that the setting does not show?

To verify the sec option is configured for all NFS mounts, run the following command:
$ mount | grep "sec="
All NFS mounts should show the sec=krb5:krb5i:krb5p setting in parentheses. This is not applicable if NFS is not implemented.
Is it the case that the setting is not configured, has the 'sys' option added, or does not have all Kerberos options added?

To verify the nosuid option is configured for all NFS mounts, run the following command:
$ mount | grep nfs
All NFS mounts should show the nosuid setting in parentheses. This is not applicable if NFS is not implemented.
Is it the case that the setting does not show?

To verify the nodev option is configured for all NFS mounts, run the following command:
$ mount | grep nfs
All NFS mounts should show the nodev setting in parentheses. This is not applicable if NFS is not implemented.
Is it the case that the setting does not show?

Inspect the mounts configured in /etc/exports. Each mount should specify a value greater than UID_MAX and GID_MAX as defined in /etc/login.defs.
Is it the case that anonuid or anongid are not set to a value greater than UID_MAX (for anonuid) and GID_MAX (for anongid)?

To check that the nfs service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled nfs
Output should indicate the nfs service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled nfs
disabled
Run the following command to verify nfs is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active nfs
If the service is not running the command will return the following output:
inactive
Is it the case that it does not?
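The four mount checks above each run `mount | grep nfs` and leave the reviewer to read the option list of every NFS mount by eye, which is error-prone on a host with many mounts (and `grep nfs` also matches the nfsd pseudo-filesystem). The script below is an added example, not SCAP Security Guide code, that parses mount output and reports, per NFS mount, which of nodev, nosuid, noexec and a Kerberos sec= option are missing. It accepts either the single negotiated flavour that mount normally prints (for example sec=krb5p) or the colon-separated list the guide shows, and treats sec=sys or a missing sec= as a failure. The mount output it parses is a constructed sample; on a live host, save the real output with `mount > /tmp/mounts` and pass that file.

```shell
#!/bin/sh
# Added example, not SSG code: parse the output of "mount" and report every
# NFS mount that lacks nodev, nosuid, noexec or a Kerberos sec= option.

# nfs_mount_audit FILE -> prints "OK MOUNTPOINT" or "MISSING MOUNTPOINT opt..."
# per NFS mount (file holds "mount" output); returns the number of
# non-compliant mounts
nfs_mount_audit() {
    awk '
        # mount lines look like: SOURCE on MOUNTPOINT type FSTYPE (opt1,opt2,...)
        # only nfs/nfs4 client mounts are examined, so the nfsd pseudo-fs is skipped
        $2 == "on" && $4 == "type" && ($5 == "nfs" || $5 == "nfs4") {
            mnt = $3
            opts = $6; gsub(/[()]/, "", opts)
            n = split(opts, o, ",")
            split("", have); sec = ""
            for (i = 1; i <= n; i++) {
                have[o[i]] = 1
                if (o[i] ~ /^sec=/) sec = substr(o[i], 5)
            }
            missing = ""
            if (!("nodev" in have))  missing = missing " nodev"
            if (!("nosuid" in have)) missing = missing " nosuid"
            if (!("noexec" in have)) missing = missing " noexec"
            # accept the negotiated flavour (sec=krb5p) or the colon list the
            # guide shows (sec=krb5:krb5i:krb5p); sec=sys or no sec= at all fails
            secok = (sec != "")
            m = split(sec, fl, ":")
            for (i = 1; i <= m; i++)
                if (fl[i] != "krb5" && fl[i] != "krb5i" && fl[i] != "krb5p") secok = 0
            if (!secok) missing = missing " sec=krb5*"
            if (missing == "") print "OK " mnt
            else { print "MISSING " mnt missing; bad++ }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Write a constructed sample of "mount" output (not from a real host) and print its path
sample_mount_output() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
/dev/mapper/rhel-root on / type xfs (rw,relatime,attr2,inode64,noquota)
nfs.example.test:/export/home on /home type nfs4 (rw,relatime,vers=4.1,sec=krb5p,nosuid,nodev,noexec)
nfs.example.test:/export/data on /data type nfs4 (rw,relatime,vers=4.1,sec=sys)
nfs.example.test:/export/tools on /tools type nfs (rw,relatime,vers=3,nodev,noexec,sec=krb5)
nfsd on /proc/fs/nfsd type nfsd (rw,relatime)
EOF
    printf '%s\n' "$f"
}
```

On the sample, /home is reported OK, /data is missing all three mount options and uses sec=sys, and /tools lacks only nosuid; the exit status of 2 is the count of non-compliant mounts, which makes the function usable directly in a compliance script.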
To check that the rpcsvcgssd service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled rpcsvcgssd
Output should indicate the rpcsvcgssd service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled rpcsvcgssd
disabled
Run the following command to verify rpcsvcgssd is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active rpcsvcgssd
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To verify that CUPS printer browsing is disabled, run the following command:
$ sudo grep "Browsing\|BrowseAllow" /etc/cups/cupsd.conf
The output should return the following:
Browsing Off
BrowseAllow none
Is it the case that printer browsing is not disabled?

To check that the cups service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled cups
Output should indicate the cups service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled cups
disabled
Run the following command to verify cups is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active cups
If the service is not running the command will return the following output:
inactive
Is it the case that ?

Run the following command to determine if the docker package is installed:
$ rpm -q docker
Is it the case that the package is not installed?

Run the following command to determine the current status of the docker service:
$ systemctl is-active docker
If the service is running, it should return the following:
active
Is it the case that ?

To check that the avahi-daemon service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled avahi-daemon
Output should indicate the avahi-daemon service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled avahi-daemon
disabled
Run the following command to verify avahi-daemon is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active avahi-daemon
If the service is not running the command will return the following output:
inactive
Is it the case that ?

To check that the squid service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled squid
Output should indicate the squid service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled squid
disabled
Run the following command to verify squid is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active squid
If the service is not running the command will return the following output:
inactive
Is it the case that ?

Run the following command to determine if the squid package is installed:
$ rpm -q squid
Is it the case that the package is installed?

Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to synchronize audit event data with the log files on the disk:
$ sudo grep flush /etc/audit/auditd.conf
flush = DATA
Acceptable values are DATA and SYNC. The setting is case-insensitive.
Is it the case that auditd is not configured to synchronously write audit event data to disk?

To verify the audispd plugin encrypts audit records off-loaded onto a different system or media from the system being audited, run the following command:
$ sudo grep -i enable_krb5 /etc/audisp/audisp-remote.conf
The output should return the following:
enable_krb5 = yes
Is it the case that audispd is not encrypting audit records when sent over the network?

To verify the audispd plugin off-loads audit records onto a different system or media from the system being audited, run the following command:
$ sudo grep -i remote_server /etc/audisp/audisp-remote.conf
The output should return something similar to the following, where REMOTE_SYSTEM is an IP address or hostname:
remote_server = REMOTE_SYSTEM
Is it the case that audispd is not sending logs to a remote system?

Inspect /etc/audisp/audisp-remote.conf and locate the following line to determine if the system is configured to either send to syslog, switch to single user mode, or halt when there is a network failure with audispd:
grep -i network_failure_action /etc/audisp/audisp-remote.conf
The output should return something similar to:
network_failure_action = single
Acceptable values also include syslog and halt.
Is it the case that the system is not configured to switch to single user mode for corrective action?

Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to either log to syslog, switch to single-user mode, execute a script, or halt when the disk is out of space:
disk_full_action single
Is it the case that the system is not configured to switch to single-user mode for corrective action?

Inspect /etc/audit/auditd.conf and locate the following line to determine how much data the system will retain in each audit log file:
$ sudo grep max_log_file /etc/audit/auditd.conf
max_log_file = 6
Is it the case that the system audit data threshold has not been properly configured?

Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured correctly:
space_left SIZE_in_MB
Is it the case that the system is not configured with a specific size in MB at which to notify administrators of an issue?

Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to send email to an account when it needs to notify an administrator:
action_mail_acct = root
Is it the case that auditd is not configured to send emails per identified actions?

To verify the audispd's syslog plugin is active, run the following command:
$ sudo grep active /etc/audisp/plugins.d/syslog.conf
If the plugin is active, the output will show yes.
Is it the case that it is not activated?

Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to either suspend, switch to single user mode, or halt when disk space has run low:
admin_space_left_action single
Is it the case that the system is not configured to switch to single user mode for corrective action?

Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to rotate logs when they reach their maximum size:
$ sudo grep max_log_file_action /etc/audit/auditd.conf
max_log_file_action rotate
Is it the case that the system has not been properly configured to rotate audit logs?

Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to email the administrator when disk space is starting to run low:
$ sudo grep space_left_action /etc/audit/auditd.conf
space_left_action
Acceptable values are email, suspend, single, and halt.
Is it the case that the system is not configured to send an email to the system administrator when disk space is starting to run low?

Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to either log to syslog, switch to single-user mode, execute a script, or halt when the disk errors:
disk_error_action single
Is it the case that the system is not configured to switch to single-user mode for corrective action?

Inspect /etc/audit/auditd.conf and locate the following line to determine how many logs the system is configured to retain after rotation:
$ sudo grep num_logs /etc/audit/auditd.conf
num_logs = 5
Is it the case that the system log file retention has not been properly configured?

Inspect /etc/audisp/audisp-remote.conf and locate the following line to determine if the system is configured to either send to syslog, switch to single user mode, or halt when the disk is full:
grep -i disk_full_action /etc/audisp/audisp-remote.conf
The output should return something similar to:
disk_full_action = single
Acceptable values also include syslog and halt.
Is it the case that the system is not configured to switch to single user mode for corrective action?

To verify that auditing is configured for system administrator actions, run the following command:
$ sudo auditctl -l | grep "watch=/usr/sbin/rmmod\|-w /usr/sbin/rmmod"
Is it the case that there is no output?

To determine if the system is configured to audit calls to the init_module system call, run the following command:
$ sudo grep "init_module" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
To determine if the system is configured to audit calls to the delete_module system call, run the following command:
$ sudo grep "delete_module" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?
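The auditd.conf and audisp-remote.conf checks above all inspect "key = value" lines, several with a set of acceptable values, and the guide notes that the value comparison is case-insensitive. The following POSIX shell script is an added example, not SCAP Security Guide code, that reads such a file, trims the whitespace around the "=", ignores comments, matches keys and values case-insensitively and evaluates the guide's acceptable-value sets in one pass. It assumes that when a key appears more than once the last occurrence is the effective one; the configuration it evaluates is a constructed sample, not a real host's file.

```shell
#!/bin/sh
# Added example, not SSG code: read auditd.conf-style "key = value" files
# (auditd.conf, audisp-remote.conf) and evaluate the guide's expected values.
# Keys and values are compared case-insensitively, as the guide states for
# the flush setting. Assumption: the last occurrence of a key is effective.

# conf_get FILE KEY -> prints the value of the effective "KEY = value" line
conf_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            sub(/^[[:space:]]+/, "", k); sub(/[[:space:]]+$/, "", k)
            sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
            if (tolower(k) == key) { val = v; found = 1 }   # last occurrence wins
        }
        END { if (found) print val }
    ' "$1"
}

# conf_in FILE KEY ALLOWED... -> 0 when the value is one of ALLOWED (case-insensitive)
conf_in() {
    f=$1; k=$2; shift 2
    v=$(conf_get "$f" "$k" | tr 'A-Z' 'a-z')
    [ -n "$v" ] || return 1                    # absent key never passes
    for a in "$@"; do
        [ "$v" = "$(printf '%s' "$a" | tr 'A-Z' 'a-z')" ] && return 0
    done
    return 1
}

# audit_auditd_conf FILE -> prints PASS/FAIL per setting, returns the number of failures.
# The allowed sets are the ones the guide lists for each setting.
audit_auditd_conf() {
    fails=0
    while read -r key allowed; do
        # $allowed is intentionally left unquoted so it splits into separate words
        if conf_in "$1" "$key" $allowed; then
            echo "PASS $key = $(conf_get "$1" "$key")"
        else
            echo "FAIL $key = '$(conf_get "$1" "$key")' (allowed: $allowed)"
            fails=$((fails + 1))
        fi
    done <<'EOF'
flush data sync
space_left_action email suspend single halt
admin_space_left_action single suspend halt
max_log_file_action rotate
disk_full_action syslog single exec halt
disk_error_action syslog single exec halt
action_mail_acct root
EOF
    return $fails
}

# Write a constructed sample auditd.conf (not from a real host) and print its path
sample_auditd_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample auditd.conf for the example
log_file = /var/log/audit/audit.log
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 6
num_logs = 5
max_log_file_action=ROTATE
space_left = 75
space_left_action = email
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = single
disk_full_action = single
disk_error_action = single
EOF
    printf '%s\n' "$f"
}
```

On the sample, the only failure is flush, whose INCREMENTAL_ASYNC value is not one of DATA or SYNC; max_log_file_action passes despite being written in upper case with no spaces around the "=", which is exactly the kind of line a `grep "max_log_file_action = rotate"` would miss.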
To determine if the system is configured to audit calls to the delete_module system call, run the following command:
$ sudo grep "delete_module" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To verify that auditing is configured for system administrator actions, run the following command:
$ sudo auditctl -l | grep "watch=/usr/sbin/insmod\|-w /usr/sbin/insmod"
Is it the case that there is no output?

To determine if the system is configured to audit calls to the finit_module system call, run the following command:
$ sudo grep "finit_module" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To verify that auditing is configured for system administrator actions, run the following command:
$ sudo auditctl -l | grep "watch=/usr/sbin/modprobe\|-w /usr/sbin/modprobe"
Is it the case that there is no output?

To determine if the system is configured to audit calls to the create_module system call, run the following command:
$ sudo grep "create_module" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit calls to the init_module system call, run the following command:
$ sudo grep "init_module" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To verify that auditing is configured for system administrator actions, run the following command:
$ sudo auditctl -l | grep "watch=/var/log/lastlog\|-w /var/log/lastlog"
Is it the case that there is no output?

To verify that auditing is configured for system administrator actions, run the following command:
$ sudo auditctl -l | grep "watch=/var/run/faillock\|-w /var/run/faillock"
Is it the case that there is no output?

To verify that auditing is configured for system administrator actions, run the following command:
$ sudo auditctl -l | grep "watch=/var/log/tallylog\|-w /var/log/tallylog"
Is it the case that there is no output?

If the system is not configured to audit time changes, this is a finding. If the system is 64-bit only, this is not applicable.
To determine if the system is configured to audit calls to the stime system call, run the following command:
$ sudo grep "stime" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit calls to the settimeofday system call, run the following command:
$ sudo grep "settimeofday" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit attempts to alter time via the /etc/localtime file, run the following command:
$ sudo auditctl -l | grep "watch=/etc/localtime"
If the system is configured to audit this activity, it will return a line.
Is it the case that the system is not configured to audit time changes?

To determine if the system is configured to audit calls to the clock_settime system call, run the following command:
$ sudo grep "clock_settime" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit calls to the adjtimex system call, run the following command:
$ sudo grep "adjtimex" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit calls to the fchown system call, run the following command:
$ sudo grep "fchown" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit calls to the setxattr system call, run the following command:
$ sudo grep "setxattr" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit calls to the chown system call, run the following command:
$ sudo grep "chown" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit calls to the fchownat system call, run the following command:
$ sudo grep "fchownat" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit calls to the lchown system call, run the following command:
$ sudo grep "lchown" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit calls to the chmod system call, run the following command:
$ sudo grep "chmod" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit calls to the removexattr system call, run the following command:
$ sudo grep "removexattr" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit calls to the fchmod system call, run the following command:
$ sudo grep "fchmod" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit calls to the lsetxattr system call, run the following command:
$ sudo grep "lsetxattr" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit calls to the fremovexattr system call, run the following command:
$ sudo grep "fremovexattr" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit calls to the lremovexattr system call, run the following command:
$ sudo grep "lremovexattr" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit calls to the fsetxattr system call, run the following command:
$ sudo grep "fsetxattr" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?

To determine if the system is configured to audit calls to the fchmodat system call, run the following command:
$ sudo grep "fchmodat" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
Is it the case that no line is returned?
To verify that execution of the command is being audited, run the following command: $ sudo grep "path=/usr/sbin/seunshare" /etc/audit/audit.rules /etc/audit/rules.d/* The output should return something similar to: -a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change Is it the case that ? To verify that execution of the command is being audited, run the following command: $ sudo grep "path=/usr/sbin/setfiles" /etc/audit/audit.rules /etc/audit/rules.d/* The output should return something similar to: -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change Is it the case that ? To verify that execution of the command is being audited, run the following command: $ sudo grep "path=/usr/sbin/setsebool" /etc/audit/audit.rules /etc/audit/rules.d/* The output should return something similar to: -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change Is it the case that ? To verify that execution of the command is being audited, run the following command: $ sudo grep "path=/usr/sbin/semanage" /etc/audit/audit.rules /etc/audit/rules.d/* The output should return something similar to: -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change Is it the case that ? To verify that execution of the command is being audited, run the following command: $ sudo grep "path=/usr/bin/chcon" /etc/audit/audit.rules /etc/audit/rules.d/* The output should return something similar to: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change Is it the case that ? 
To verify that execution of the command is being audited, run the following command:
$ sudo grep "path=/usr/sbin/restorecon" /etc/audit/audit.rules /etc/audit/rules.d/*
The output should return something similar to:
-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
Is it the case that no such line is returned?

To determine if the system is configured to audit calls to the rmdir system call, run the following command:
$ sudo grep "rmdir" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit calls to the unlinkat system call, run the following command:
$ sudo grep "unlinkat" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit calls to the rmdir system call, run the following command:
$ sudo grep "rmdir" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.

To determine if the system is configured to audit calls to the unlink system call, run the following command:
$ sudo grep "unlink" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.

To determine if the system is configured to audit calls to the unlinkat system call, run the following command:
$ sudo grep "unlinkat" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.

To determine if the system is configured to audit calls to the rename system call, run the following command:
$ sudo grep "rename" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line.
To determine if the system is configured to audit calls to the renameat system call, run the following command:
$ sudo grep "renameat" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit calls to the rename system call, run the following command:
$ sudo grep "rename" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit calls to the renameat system call, run the following command:
$ sudo grep "renameat" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit calls to the unlink system call, run the following command:
$ sudo grep "unlink" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To verify that auditing of privileged command use is configured, run the following command:
$ sudo grep passwd /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules. Is it the case that no relevant line is returned?

To verify that auditing of privileged command use is configured, run the following command:
$ sudo grep sudo /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules. Is it the case that no relevant line is returned?

To verify that auditing of privileged command use is configured, run the following command:
$ sudo grep usernetctl /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules. Is it the case that no relevant line is returned?
To verify that auditing of privileged command use is configured, run the following command:
$ sudo grep postdrop /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules. Is it the case that no relevant line is returned?

To verify that auditing of privileged command use is configured, run the following command:
$ sudo grep chsh /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules. Is it the case that no relevant line is returned?

To verify that auditing of privileged command use is configured, run the following command:
$ sudo grep newgidmap /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules. Is it the case that no relevant line is returned?

To verify that auditing of privileged command use is configured, run the following command:
$ sudo grep postqueue /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules. Is it the case that no relevant line is returned?

To verify that auditing of privileged command use is configured, run the following command:
$ sudo grep chage /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules. Is it the case that no relevant line is returned?

To verify that auditing of privileged command use is configured, run the following command:
$ sudo grep userhelper /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules. Is it the case that no relevant line is returned?

To verify that auditing of privileged command use is configured, run the following command:
$ sudo grep '\bat\b' /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules. Is it the case that no relevant line is returned?

To verify that auditing of privileged command use is configured, run the following command:
$ sudo grep pam_timestamp_check /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules.
Is it the case that no relevant line is returned?

To verify that auditing of privileged command use is configured, run the following command:
$ sudo grep crontab /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules. Is it the case that no relevant line is returned?

To verify that auditing of privileged command use is configured, run the following command:
$ sudo grep umount /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules. Is it the case that no relevant line is returned?

To verify that auditing of privileged command use is configured, run the following command:
$ sudo grep unix_chkpwd /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules. Is it the case that no relevant line is returned?

To verify that auditing of privileged command use is configured, run the following command:
$ sudo grep pt_chown /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules. Is it the case that no relevant line is returned?

To verify that auditing of privileged command use is configured, run the following command:
$ sudo grep ssh-keysign /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules. Is it the case that no relevant line is returned?

To verify that auditing of privileged command use is configured, run the following command:
$ sudo grep sudoedit /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules. Is it the case that no relevant line is returned?

To verify that auditing of privileged command use is configured, run the following command:
$ sudo grep mount /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules. Is it the case that no relevant line is returned?
To verify that auditing of privileged command use is configured, run the following command:
$ sudo grep newuidmap /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules. Is it the case that no relevant line is returned?

To verify that auditing of privileged command use is configured, run the following command:
$ sudo grep gpasswd /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules. Is it the case that no relevant line is returned?

To verify that auditing of privileged command use is configured, run the following command for each local partition PART to find relevant setuid / setgid programs:
$ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null
Run the following command to verify entries in the audit rules for all programs found with the previous command:
$ sudo grep path /etc/audit/audit.rules /etc/audit/rules.d/*
It should be the case that all relevant setuid / setgid programs have a line in the audit rules, that is, an always,exit rule with -F path= naming the program and -F perm=x. Is it the case that some of them do not?

To verify that auditing of privileged command use is configured, run the following command:
$ sudo grep su /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules. Note that a bare grep su also matches sudo, sudoedit and any key containing "su"; look for the line whose -F path= ends in /bin/su. Is it the case that no relevant line is returned?

To verify that auditing of privileged command use is configured, run the following command:
$ sudo grep newgrp /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules. Is it the case that no relevant line is returned?

To determine if the system is configured to audit calls to the renameat system call, run the following command:
$ sudo grep "renameat" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?
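The privileged-command checks above each grep for one program name, and the setuid/setgid check leaves the comparison between the find output and the audit rules to the reader. The following script, added here as an example and not part of the SCAP Security Guide, does that comparison mechanically: it lists setuid/setgid programs on one filesystem, extracts the paths from execution-watch rules (always,exit rules with -F path= and -F perm=x), and prints the programs with no such rule. The rule file and program list in demo() are constructed for the demonstration; on a real host pass /etc/audit/audit.rules and /etc/audit/rules.d/*.rules.

```shell
#!/bin/sh
# Added example (not part of the SCAP Security Guide): cross-check the
# setuid/setgid programs on a filesystem against the execution-watch audit
# rules ("-a always,exit -F path=PROG -F perm=x ...") in the given rule files.
# The rule file and program list used in demo() are constructed samples.

# Print setuid/setgid regular files below MOUNTPOINT, staying on that one
# filesystem (-xdev) and sorted so the list can be fed to comm(1).
find_privileged_programs() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Print the path from every execution-watch rule in the rule files given as
# arguments (for example /etc/audit/audit.rules /etc/audit/rules.d/*.rules).
# Only always,exit rules with perm=x count; a "-w PROG -p wa" file watch
# would match a bare grep for the program name but does not audit execution.
audited_exec_paths() {
    cat "$@" 2>/dev/null |
    grep -E '^[[:space:]]*-a[[:space:]]+(always,exit|exit,always)' |
    grep -E -- '-F[[:space:]]*perm=x' |
    sed -n 's/.*-F[[:space:]]*path=\([^[:space:]]*\).*/\1/p' |
    sort -u
}

# Read a sorted program list on stdin and print the programs that have no
# execution-watch rule in the given rule files (empty output means full
# coverage). comm -23 keeps lines present only in the first input.
unaudited_programs() {
    audited=$(mktemp)
    audited_exec_paths "$@" > "$audited"
    sort -u | comm -23 - "$audited"
    rm -f "$audited"
}

# Constructed sample rules: two programs covered by execution watches and
# one file watch that must not be mistaken for an execution watch.
write_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample, not a real rules.d file
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-w /usr/sbin/userhelper -p wa -k actions
EOF
}

# Demo with a constructed program list. On a real host:
#   find_privileged_programs / | unaudited_programs /etc/audit/rules.d/*.rules
demo() {
    rules=$(mktemp)
    write_sample_rules "$rules"
    echo "privileged programs without an execution-watch rule:"
    printf '%s\n' /usr/bin/passwd /usr/bin/sudo /usr/sbin/userhelper |
        unaudited_programs "$rules"
    rm -f "$rules"
}

demo
```

The demo reports /usr/sbin/userhelper: the sample rules mention it, so grep userhelper would "pass", but the only rule for it is a write/attribute watch, not an execution watch.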
To determine if the system is configured to audit calls to the open_by_handle_at system call, run the following command:
$ sudo grep "open_by_handle_at" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit calls to the open system call, run the following command:
$ sudo grep "open" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit calls to the fchownat system call, run the following command:
$ sudo grep "fchownat" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit calls to the openat system call, run the following command:
$ sudo grep "openat" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit calls to the lchown system call, run the following command:
$ sudo grep "lchown" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit calls to the fchmodat system call, run the following command:
$ sudo grep "fchmodat" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit calls to the removexattr system call, run the following command:
$ sudo grep "removexattr" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?
To determine if the system is configured to audit calls to the chown system call, run the following command:
$ sudo grep "chown" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit calls to the fchown system call, run the following command:
$ sudo grep "fchown" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit calls to the truncate system call, run the following command:
$ sudo grep "truncate" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit calls to the setxattr system call, run the following command:
$ sudo grep "setxattr" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit calls to the lremovexattr system call, run the following command:
$ sudo grep "lremovexattr" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit calls to the creat system call, run the following command:
$ sudo grep "creat" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit calls to the open system call, run the following command:
$ sudo grep "open" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?
To determine if the system is configured to audit calls to the fremovexattr system call, run the following command:
$ sudo grep "fremovexattr" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit calls to the unlink system call, run the following command:
$ sudo grep "unlink" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit calls to the fsetxattr system call, run the following command:
$ sudo grep "fsetxattr" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit calls to the openat system call, run the following command:
$ sudo grep "openat" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit calls to the open system call, run the following command:
$ sudo grep "open" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit calls to the lsetxattr system call, run the following command:
$ sudo grep "lsetxattr" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?
To determine if the system is configured to audit calls to the chmod system call, run the following command:
$ sudo grep "chmod" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit calls to the open_by_handle_at system call, run the following command:
$ sudo grep "open_by_handle_at" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit calls to the ftruncate system call, run the following command:
$ sudo grep "ftruncate" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit calls to the open_by_handle_at system call, run the following command:
$ sudo grep "open_by_handle_at" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit calls to the unlinkat system call, run the following command:
$ sudo grep "unlinkat" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit calls to the openat system call, run the following command:
$ sudo grep "openat" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?
To verify that the audit system collects unauthorized file accesses, run the following commands:
$ sudo grep EACCES /etc/audit/audit.rules
$ sudo grep EPERM /etc/audit/audit.rules
Is it the case that 32-bit and 64-bit system calls to creat, open, openat, open_by_handle_at, truncate, and ftruncate are not audited during EACCES and EPERM?

To determine if the system is configured to audit calls to the fchmod system call, run the following command:
$ sudo grep "fchmod" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit calls to the open_by_handle_at system call, run the following command:
$ sudo grep "open_by_handle_at" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit calls to the openat system call, run the following command:
$ sudo grep "openat" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit calls to the rename system call, run the following command:
$ sudo grep "rename" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To verify that auditing is configured for system administrator actions, run the following command:
$ sudo auditctl -l | grep "watch=/etc/sudoers\|watch=/etc/sudoers.d\|-w /etc/sudoers\|-w /etc/sudoers.d"
Both spellings are searched because auditctl -l on Red Hat Enterprise Linux 7 prints loaded rules in rule syntax (-w /etc/sudoers -p wa -k ...), whereas older versions printed watch=/etc/sudoers perm=wa. Is it the case that there is no output?
To determine if the system is configured to audit changes to its network configuration, run the following command:
$ sudo auditctl -l | egrep '(/etc/issue|/etc/issue.net|/etc/hosts|/etc/sysconfig/network)'
If the system is configured to watch for network configuration changes, a line should be returned for each file specified, with write and attribute-change permissions watched: auditctl -l on Red Hat Enterprise Linux 7 shows this as -p wa on a -w rule, which is what older output formats showed as perm=wa. Is it the case that the system is not configured to audit changes of the network configuration?

To determine if the system is configured to audit account changes, run the following command:
$ sudo auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'
If the system is configured to watch for account changes, lines should be returned for each file specified (and with -p wa, formerly perm=wa, for each). Is it the case that the system is not configured to audit account changes?

To determine if the system is configured to audit calls to the open_by_handle_at system call, run the following command:
$ sudo grep "open_by_handle_at" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit calls to the open system call, run the following command:
$ sudo grep "open" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

Run the following command to check the mode of the system audit log directory:
$ sudo ls -ld /var/log/audit
Audit log directories must be mode 0700 or less permissive. Is it the case that any are more permissive?
To determine if the system is configured to audit calls to the openat system call, run the following command:
$ sudo grep "openat" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit calls to the open system call, run the following command:
$ sudo grep "open" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit account changes, run the following command:
$ sudo auditctl -l | egrep '(/etc/shadow)'
If the system is configured to watch for account changes, lines should be returned for each file specified (and with -p wa, formerly perm=wa, for each). Is it the case that the system is not configured to audit account changes?

To determine if the system is configured to audit calls to the openat system call, run the following command:
$ sudo grep "openat" /etc/audit/audit.rules
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To determine if the system is configured to audit accesses to the /var/log/audit directory, run the following command:
$ sudo grep -e "dir=/var/log/audit" -e "-w /var/log/audit" /etc/audit/audit.rules
A directory watch may be written either as -w /var/log/audit -p wa or as -a always,exit -F dir=/var/log/audit -F perm=wa; auditctl converts the former into the latter internally, so both forms are checked. If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned?

To verify that auditing is configured for all media exportation events, run the following command:
$ sudo auditctl -l | grep -w -- mount
On Red Hat Enterprise Linux 7 auditctl -l prints loaded rules in rule syntax (-a always,exit -F arch=b64 -S mount ...), so the word "syscall" does not appear in its output and a grep for it would match nothing; the word match on mount above finds the -S mount rule without matching umount2. Is it the case that there is no output?

To determine if the system is configured to audit account changes, run the following command:
$ sudo auditctl -l | egrep '(/etc/security/opasswd)'
If the system is configured to watch for account changes, lines should be returned for each file specified (and with -p wa, formerly perm=wa, for each).
Is it the case that the system is not configured to audit account changes?

The owner of /var/log/audit and of every file in it, as shown by ls -ld /var/log/audit /var/log/audit/*, should be root. To properly set the owner of /var/log/audit, run the command:
$ sudo chown root /var/log/audit
To properly set the owner of /var/log/audit/*, run the command:
$ sudo chown root /var/log/audit/*
Is it the case that the owner is not root?

To determine if the system is configured to audit changes to its SELinux configuration files, run the following command:
$ sudo auditctl -l | grep -e "dir=/etc/selinux" -e "-w /etc/selinux"
If the system is configured to watch for changes to its SELinux configuration, a line should be returned, including -p wa (or perm=wa in the older output format) indicating the permissions that are watched. Is it the case that the system is not configured to audit attempts to change the MAC policy?

To verify that the system will shut down when auditd fails, run the following command:
$ sudo grep "\-f 2" /etc/audit/audit.rules
The output should contain:
-f 2
Is it the case that the system is not configured to shut down on auditd failures?

Run the following command to check the mode of the system audit logs:
$ sudo ls -l /var/log/audit
Audit logs must be mode 0640 or less permissive. Is it the case that any are more permissive?

To determine if the system is configured to audit account changes, run the following command:
$ sudo auditctl -l | egrep '(/etc/gshadow)'
If the system is configured to watch for account changes, lines should be returned for each file specified (and with -p wa, formerly perm=wa, for each). Is it the case that the system is not configured to audit account changes?

To determine if the system is configured to audit account changes, run the following command:
$ sudo auditctl -l | egrep '(/etc/passwd)'
If the system is configured to watch for account changes, lines should be returned for each file specified (and with -p wa, formerly perm=wa, for each). Is it the case that the system is not configured to audit account changes?
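The system call checks above grep for a bare name, and the file-watch checks (sudoers, network files, account files, /var/log/audit, /etc/selinux) have to cope with two ways of writing the same watch. The script below, added here as an example and not part of the SCAP Security Guide, parses rules the way auditctl reads them instead: it reports which architectures (b32/b64) carry a rule whose -S list names the exact call, and returns the permissions of a watch written either as -w PATH -p wa or as -a always,exit -F dir=PATH -F perm=wa. It reads /etc/audit/audit.rules, /etc/audit/rules.d/*.rules, or auditctl -l output saved to a file, all of which use the same syntax on Red Hat Enterprise Linux 7. The rules in write_sample_rules are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the SCAP Security Guide): parse audit rules
# instead of substring-grepping for a syscall or file name. Input is any
# file in auditctl rule syntax (audit.rules, rules.d/*.rules, or the output
# of "auditctl -l" saved to a file). The sample rules are constructed.

# Print the arch (b32/b64, or "any" if the rule sets none) of every
# always,exit rule whose -S list names SYSCALL exactly.
# usage: syscall_rule_archs SYSCALL RULEFILE...
syscall_rule_archs() {
    sc="$1"; shift
    cat "$@" 2>/dev/null |
    awk -v sc="$sc" '
        /^[ \t]*-a[ \t]+(always,exit|exit,always)/ {
            arch = ""; hit = 0
            for (i = 1; i < NF; i++) {
                if ($i == "-F" && $(i+1) ~ /^arch=/) arch = substr($(i+1), 6)
                if ($i == "-S") {
                    n = split($(i+1), names, ",")
                    for (j = 1; j <= n; j++) if (names[j] == sc) hit = 1
                }
            }
            if (hit) print (arch == "" ? "any" : arch)
        }' | sort -u
}

# Succeed only when SYSCALL is audited for both 32- and 64-bit calls, which
# is what the guide expects on an x86_64 host; otherwise say what is missing.
syscall_audited_both_archs() {
    sc="$1"; shift
    archs=$(syscall_rule_archs "$sc" "$@")
    missing=""
    for a in b32 b64; do
        echo "$archs" | grep -qx "$a" || missing="$missing $a"
    done
    [ -z "$missing" ] && return 0
    echo "$sc: no rule for$missing"
    return 1
}

# Print the permissions watched on PATH, accepting both spellings
# ("-w PATH -p wa" and "-a always,exit -F dir=PATH -F perm=wa", or path=)
# and ignoring a trailing slash on either side.
# usage: watch_perms PATH RULEFILE...
watch_perms() {
    p="$1"; shift
    cat "$@" 2>/dev/null |
    awk -v p="$p" '
        BEGIN { sub(/\/$/, "", p) }
        {
            w = 0
            for (i = 1; i < NF; i++) {
                v = $(i+1); sub(/\/$/, "", v)
                if ($i == "-w" && v == p) w = 1
                if ($i == "-F" && (v == ("dir=" p) || v == ("path=" p))) w = 1
            }
            if (!w) next
            for (i = 1; i < NF; i++) {
                if ($i == "-p") print $(i+1)
                if ($i == "-F" && $(i+1) ~ /^perm=/) print substr($(i+1), 6)
            }
        }' | sort -u
}

# Constructed sample: fchmod audited on both archs, open only on b64 (and
# only on failure), unlink not at all; three watches in two spellings.
write_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample, not a real rules file
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-w /etc/passwd -p wa -k identity
-w /etc/selinux/ -p wa -k MAC-policy
-a always,exit -F dir=/var/log/audit -F perm=wa -F key=audit_log
EOF
}

demo() {
    f=$(mktemp)
    write_sample_rules "$f"
    for sc in fchmod open unlink; do
        syscall_audited_both_archs "$sc" "$f" && echo "$sc: audited for b32 and b64"
    done
    for p in /etc/passwd /etc/selinux /var/log/audit /etc/sudoers; do
        echo "$p: watched with perms '$(watch_perms "$p" "$f")'"
    done
    rm -f "$f"
}

demo
```

Against the sample, grep "open" returns two lines and grep "unlink" none, which looks like a pass for open; the parser instead shows that open has no b32 rule at all, which is what the guide's question about 32-bit and 64-bit calls is really asking.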
To determine if the system is configured to audit account changes, run the following command:
$ sudo auditctl -l | egrep '(/etc/group)'
If the system is configured to watch for account changes, lines should be returned for each file specified (and with -p wa, formerly perm=wa, for each). Is it the case that the system is not configured to audit account changes?

Inspect the default GRUB 2 command line for the Linux kernel in /etc/default/grub. If it includes audit_backlog_limit=1, then the audit backlog limit is configured at boot time. To ensure audit_backlog_limit=1 is configured on all installed kernels, the following command may be used:
$ sudo /sbin/grubby --update-kernel=ALL --args="audit_backlog_limit=1"
The value is the number of audit records the kernel may queue before auditd is running. 1 is the value this revision of the guide checks for, but it is far too small to keep early-boot events from being dropped; later revisions of the guide use 8192. Whatever value is chosen, /etc/default/grub only affects future grub.cfg builds, so confirm the running kernel actually booted with the parameter by checking /proc/cmdline. Is it the case that the audit backlog limit is not configured?

Inspect the default GRUB 2 command line for the Linux kernel in /etc/default/grub. If it includes audit=1, then auditing is enabled at boot time. To ensure audit=1 is configured on all installed kernels, the following command may be used:
$ sudo /sbin/grubby --update-kernel=ALL --args="audit=1"
Is it the case that auditing is not enabled at boot time?

Run the following command to determine the current status of the auditd service:
$ systemctl is-active auditd
If the service is running, it should return the following: active. Is it the case that the service is not active?

To ensure logs are sent to a remote host, examine the file /etc/rsyslog.conf. If using UDP, a line similar to the following should be present:
*.* @loghost.example.com
If using TCP, a line similar to the following should be present:
*.* @@loghost.example.com
If using RELP, a line similar to the following should be present:
*.* :omrelp:loghost.example.com
Is it the case that none of these are present?

The owner of all log files written by rsyslog should be . These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log.
To see the owner of a given log file, run the following command:
$ ls -l LOGFILE
Is it the case that the owner is not correct?

The group-owner of all log files written by rsyslog should be . These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. To see the group-owner of a given log file, run the following command:
$ ls -l LOGFILE
Is it the case that the group-owner is not correct?

To verify that cron is logging to rsyslog, run the following command:
grep -rni "cron\.\*" /etc/rsyslog.*
The output should return something similar to:
cron.* /var/log/cron
Is it the case that cron is not logging to rsyslog?

The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. To see the permissions of a given log file, run the following command:
$ ls -l LOGFILE
The permissions should be 600, or more restrictive. Is it the case that the permissions are not correct?

Run the following command to determine the current status of the syslog-ng service:
$ systemctl is-active syslog-ng
If the service is running, it should return the following: active. Is it the case that the service is not active?

Run the following command to determine if the syslog-ng-core package is installed:
$ rpm -q syslog-ng-core
Is it the case that the package is not installed?

To determine the status and frequency of logrotate, run the following command:
$ sudo grep logrotate /var/log/cron*
If logrotate is configured properly, output should include references to /etc/cron.daily. Is it the case that logrotate is not configured to run daily?

Run the following command to determine the current status of the rsyslog service:
$ systemctl is-active rsyslog
If the service is running, it should return the following: active. Is it the case that the service is not active?
Run the following command to determine if the rsyslog package is installed:
$ rpm -q rsyslog
Is it the case that the package is not installed?

The status of the net.ipv6.conf.default.accept_source_route kernel parameter can be queried by running the following command:
$ sysctl net.ipv6.conf.default.accept_source_route
The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command:
$ grep -r net.ipv6.conf.default.accept_source_route /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?

The status of the net.ipv6.conf.all.accept_source_route kernel parameter can be queried by running the following command:
$ sysctl net.ipv6.conf.all.accept_source_route
The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command:
$ grep -r net.ipv6.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?

The status of the net.ipv6.conf.all.forwarding kernel parameter can be queried by running the following command:
$ sysctl net.ipv6.conf.all.forwarding
The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf.
You can verify this by running the following command:
$ grep -r net.ipv6.conf.all.forwarding /etc/sysctl.conf /etc/sysctl.d
The ability to forward packets is only appropriate for routers. Is it the case that the correct value is not returned?

The status of the net.ipv6.conf.all.accept_redirects kernel parameter can be queried by running the following command:
$ sysctl net.ipv6.conf.all.accept_redirects
The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command:
$ grep -r net.ipv6.conf.all.accept_redirects /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?

The status of the net.ipv6.conf.default.accept_ra kernel parameter can be queried by running the following command:
$ sysctl net.ipv6.conf.default.accept_ra
The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command:
$ grep -r net.ipv6.conf.default.accept_ra /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?

The status of the net.ipv6.conf.all.accept_ra kernel parameter can be queried by running the following command:
$ sysctl net.ipv6.conf.all.accept_ra
The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf.
You can verify this by running the following command: $ grep -r net.ipv6.conf.all.accept_ra /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? The status of the net.ipv6.conf.default.accept_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv6.conf.default.accept_redirects The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r net.ipv6.conf.default.accept_redirects /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? If the system uses IPv6, this is not applicable. If the system is configured to prevent the use of IPv6 on network interfaces, it will contain a line of the form: net.ipv6.conf.all.disable_ipv6 = 1 Such lines may be inside any file in the /etc/sysctl.d directory. This permits insertion of the IPv6 kernel module (which other parts of the system expect to be present), but otherwise keeps all network interfaces from using IPv6. Run the following command to search for such lines in all files in /etc/sysctl.d: $ grep -r ipv6 /etc/sysctl.d Is it the case that IPv6 support is not disabled on network interfaces? If the system uses IPv6, this is not applicable. If the system is configured to disable the ipv6 kernel module, it will contain a line of the form: options ipv6 disable=1 Such lines may be inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. This permits insertion of the IPv6 kernel module (which other parts of the system expect to be present), but otherwise keeps it inactive. 
Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: $ grep -r ipv6 /etc/modprobe.conf /etc/modprobe.d Is it the case that the ipv6 kernel module is not disabled? To check for configured IPsec connections (conn), perform the following: $ grep -rni conn /etc/ipsec.conf /etc/ipsec.d/ Verify any returned results for organizational approval. Is it the case that the IPsec tunnels are not approved? Run the following command to determine if the libreswan package is installed: $ rpm -q libreswan Is it the case that the package is not installed? If IPv6 is disabled, this is not applicable. Run the following command to determine the current status of the ip6tables service: $ systemctl is-active ip6tables If the service is running, it should return the following: active Is it the case that the service is not active? Run the following command to determine the current status of the iptables service: $ systemctl is-active iptables If the service is running, it should return the following: active Is it the case that the service is not active? If IPv6 is disabled, this is not applicable. Inspect the file /etc/sysconfig/ip6tables to determine the default policy for the INPUT chain. It should be set to DROP: $ sudo grep ":INPUT" /etc/sysconfig/ip6tables Is it the case that the default policy for the INPUT chain is not set to DROP? Inspect the file /etc/sysconfig/iptables to determine the default policy for the FORWARD chain. It should be set to DROP: $ sudo grep ":FORWARD" /etc/sysconfig/iptables The output should be similar to the following: :FORWARD DROP [0:0] Is it the case that the default policy for the FORWARD chain is not set to DROP? Inspect the file /etc/sysconfig/iptables to determine the default policy for the INPUT chain. It should be set to DROP: $ sudo grep ":INPUT" /etc/sysconfig/iptables Is it the case that the default policy for the INPUT chain is not set to DROP? 
Inspect the file /etc/firewalld/firewalld.conf to determine the default zone for firewalld. It should be set to DefaultZone=drop: $ sudo grep DefaultZone /etc/firewalld/firewalld.conf Is it the case that the default zone is not set to drop? Inspect the list of enabled firewall ports and verify they are configured correctly by running the following command: $ sudo firewall-cmd --list-all Is it the case that the default rules are not configured? To verify the operating system protects against or limits the effects of DoS attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces, run the following command: $ sudo firewall-cmd --permanent --direct --get-rules ipv4 filter INPUT_direct The output should return: 0 -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT Is it the case that firewalld is not rate limiting connections? Run the following command to determine the current status of the firewalld service: $ systemctl is-active firewalld If the service is running, it should return the following: active Is it the case that the service is not active? Run the following command to determine if the firewalld package is installed: $ rpm -q firewalld Is it the case that the package is not installed? The status of the net.ipv4.conf.default.accept_source_route kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.accept_source_route The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r net.ipv4.conf.default.accept_source_route /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? 
The status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter can be queried by running the following command: $ sysctl net.ipv4.icmp_echo_ignore_broadcasts The output of the command should indicate a value of 1. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? The status of the net.ipv4.conf.default.log_martians kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.log_martians The output of the command should indicate a value of 1. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r net.ipv4.conf.default.log_martians /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? The status of the net.ipv4.conf.default.rp_filter kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.rp_filter The output of the command should indicate a value of 1. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r net.ipv4.conf.default.rp_filter /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? 
The status of the net.ipv4.conf.all.secure_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.secure_redirects The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r net.ipv4.conf.all.secure_redirects /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? The status of the net.ipv4.tcp_syncookies kernel parameter can be queried by running the following command: $ sysctl net.ipv4.tcp_syncookies The output of the command should indicate a value of 1. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r net.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? The status of the net.ipv4.conf.all.accept_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.accept_redirects The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r net.ipv4.conf.all.accept_redirects /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? 
The status of the net.ipv4.conf.all.log_martians kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.log_martians The output of the command should indicate a value of 1. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r net.ipv4.conf.all.log_martians /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? The status of the net.ipv4.conf.all.rp_filter kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.rp_filter The output of the command should indicate a value of 1. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r net.ipv4.conf.all.rp_filter /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? The status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter can be queried by running the following command: $ sysctl net.ipv4.icmp_ignore_bogus_error_responses The output of the command should indicate a value of 1. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r net.ipv4.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? 
The status of the net.ipv4.conf.default.secure_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.secure_redirects The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r net.ipv4.conf.default.secure_redirects /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? The status of the net.ipv4.conf.all.accept_source_route kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.accept_source_route The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r net.ipv4.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? The status of the net.ipv4.conf.default.accept_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.accept_redirects The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r net.ipv4.conf.default.accept_redirects /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? 
The status of the net.ipv4.ip_forward kernel parameter can be queried by running the following command: $ sysctl net.ipv4.ip_forward The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r net.ipv4.ip_forward /etc/sysctl.conf /etc/sysctl.d The ability to forward packets is only appropriate for routers. Is it the case that the correct value is not returned? The status of the net.ipv4.conf.all.send_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.send_redirects The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r net.ipv4.conf.all.send_redirects /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? The status of the net.ipv4.conf.default.send_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.send_redirects The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r net.ipv4.conf.default.send_redirects /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? 
If the system is configured to prevent the loading of the dccp kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: $ grep -r dccp /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? If the system is configured to prevent the loading of the rds kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: $ grep -r rds /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? If the system is configured to prevent the loading of the tipc kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: $ grep -r tipc /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? If the system is configured to prevent the loading of the sctp kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. 
Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: $ grep -r sctp /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? If the system is configured to prevent the loading of the bluetooth kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: $ grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? To check that the bluetooth service is disabled in system boot configuration, run the following command: $ systemctl is-enabled bluetooth Output should indicate the bluetooth service has either not been installed, or has been disabled, as shown in the example below: $ systemctl is-enabled bluetooth disabled Run the following command to verify bluetooth is not active (i.e. not running) through current runtime configuration: $ systemctl is-active bluetooth If the service is not running the command will return the following output: inactive Is it the case that the bluetooth service is enabled or active? Verify that there are no wireless interfaces configured on the system with the following command: $ sudo nmcli device The output should contain the following: wifi disconnected Is it the case that it is not? An interface currently in promiscuous mode shows the PROMISC flag in the output of: $ ip link show Promiscuous mode of an interface can be disabled with the following command: $ sudo ip link set dev device_name promisc off Is it the case that any network device is in promiscuous mode? To verify that DNS servers have been configured properly, perform the following: $ sudo grep nameserver /etc/resolv.conf The output should return more than one nameserver entry. Is it the case that it does not exist or is not properly configured or less than 2 'nameserver' entries exist? 
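The module checks above (ipv6 via "options ipv6 disable=1", and dccp, rds, tipc, sctp and bluetooth via an "install MODULE /bin/true" line) all rely on "grep -r MODULE", which also matches comments and unrelated option lines, and which cannot tell an "install" directive from a "blacklist" one; blacklist only stops alias-based autoloading, an explicit modprobe still succeeds. The script below is an added example, not code from the SCAP Security Guide: it parses the modprobe.d directives and reports which form, if any, actually applies. It assumes directives live in DIR/*.conf plus any extra files passed (the deprecated /etc/modprobe.conf), treats '-' and '_' in module names as equivalent as modprobe does, and only recognises /bin/true and /bin/false as the "run another program" target; the sample directory is constructed for the demo.

```shell
#!/bin/sh
# Added example (not SSG code): decide whether a kernel module is really
# prevented from loading by the modprobe configuration, instead of trusting
# "grep -r MODULE /etc/modprobe.conf /etc/modprobe.d".
# Assumptions: directives come from DIR/*.conf plus any extra files given;
# only /bin/true and /bin/false count as an "install" block target.
set -u

# module_disable_status MODULE DIR [EXTRA_FILE...]
# Prints one of:
#   install         "install MODULE /bin/true|/bin/false": modprobe cannot load it
#   blacklist-only  only "blacklist MODULE": alias autoload blocked, explicit
#                   "modprobe MODULE" still works
#   loadable        no effective directive found (a comment mentioning the
#                   module does not count, although grep would match it)
module_disable_status() {
    mod=$1; dir=$2; shift 2
    cat "$dir"/*.conf "$@" 2>/dev/null | awk -v m="$mod" '
        BEGIN { gsub("-", "_", m) }                 # modprobe treats - and _ alike
        { sub(/#.*/, ""); name = (NF >= 2) ? $2 : ""; gsub("-", "_", name) }
        $1 == "install" && name == m && ($3 == "/bin/true" || $3 == "/bin/false") { inst = 1 }
        $1 == "blacklist" && name == m { bl = 1 }
        END { print (inst ? "install" : (bl ? "blacklist-only" : "loadable")) }'
}

# ipv6_module_disabled DIR [EXTRA_FILE...]
# Returns 0 if an "options ipv6 disable=1" directive is present, 1 otherwise.
ipv6_module_disabled() {
    dir=$1; shift
    cat "$dir"/*.conf "$@" 2>/dev/null | awk '
        { sub(/#.*/, "") }
        $1 == "options" && $2 == "ipv6" { for (i = 3; i <= NF; i++) if ($i == "disable=1") found = 1 }
        END { exit !found }'
}

# make_modprobe_sample: constructed stand-in for /etc/modprobe.d (sample data, not a real host).
make_modprobe_sample() {
    d=$(mktemp -d)
    printf 'install dccp /bin/true\ninstall sctp /bin/true\n' > "$d/disable-net-protocols.conf"
    # rds appears only in a comment: "grep -r rds" matches, but the module still loads.
    printf '# rds: decide whether to disable\nblacklist tipc\n' > "$d/local.conf"
    printf 'options ipv6 disable=1\n' > "$d/ipv6.conf"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    D=$(make_modprobe_sample)
    for m in dccp rds tipc sctp bluetooth; do
        printf '%-10s %s\n' "$m" "$(module_disable_status "$m" "$D")"
    done
    ipv6_module_disabled "$D" && echo "ipv6: disable=1 present" || echo "ipv6: module not disabled"
    rm -rf "$D"
elif [ "${1:-}" = "--live" ]; then
    # Real host (assumed RHEL 7 layout), including the deprecated /etc/modprobe.conf.
    for m in dccp rds tipc sctp bluetooth; do
        printf '%-10s %s\n' "$m" "$(module_disable_status "$m" /etc/modprobe.d /etc/modprobe.conf)"
    done
    ipv6_module_disabled /etc/modprobe.d /etc/modprobe.conf && echo "ipv6: disable=1 present" || echo "ipv6: module not disabled"
fi
```

The demo prints "install" for dccp and sctp, "blacklist-only" for tipc and "loadable" for rds and bluetooth, which is the distinction the grep in the checks above cannot make.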
To verify that clients cannot automatically update DNS records, perform the following: $ grep -i dhcp_hostname /etc/sysconfig/network-scripts/ifcfg-* $ grep -rni "send host-name" /etc/dhclient.conf /etc/dhcp The output should return no results. Is it the case that client Dynamic DNS updates are not disabled? To verify the boot loader superuser account has been set, run the following command: $ sudo grep -A1 "superusers\|password" /etc/grub2.cfg The output should show the following: set superusers="superusers-account" export superusers password_pbkdf2 superusers-account ${GRUB2_PASSWORD} To verify the boot loader superuser account password has been set, and the password encrypted, run the following command: $ sudo cat /boot/grub2/user.cfg The output should be similar to: GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC 2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0 916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7 0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828 Is it the case that it does not? To check the permissions of /boot/grub2/grub.cfg, run the command: $ sudo ls -lL /boot/grub2/grub.cfg If properly configured, the output should indicate the following permissions: -rw------- Is it the case that it does not? To check the ownership of /boot/grub2/grub.cfg, run the command: $ ls -lL /boot/grub2/grub.cfg If properly configured, the output should indicate the following owner: root Is it the case that /boot/grub2/grub.cfg does not have owner root? 
To verify the boot loader superuser account has been set, run the following command: $ sudo grep -A1 "superusers\|password" /etc/grub2-efi.cfg The output should show the following: set superusers="superusers-account" export superusers password_pbkdf2 superusers-account ${GRUB2_PASSWORD} To verify the boot loader superuser account password has been set, and the password encrypted, run the following command: $ sudo cat /boot/efi/EFI/redhat/user.cfg The output should be similar to: GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC 2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0 916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7 0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828 Is it the case that it does not? To verify the system is not configured to use a boot loader on removable media, run the following command: $ sudo grep "set root='hd0" /boot/grub2/grub.cfg The output should return something similar to: set root='hd0,msdos1' usb0, cd, fd0, etc. are some examples of removable media which should not appear in the line: set root='hd0,msdos1' Is it the case that it is not? To check the group ownership of /boot/efi/EFI/redhat/grub.cfg, run the command: $ ls -lL /boot/efi/EFI/redhat/grub.cfg If properly configured, the output should indicate the following group-owner: root Is it the case that /boot/efi/EFI/redhat/grub.cfg does not have group-owner root? To check the group ownership of /boot/grub2/grub.cfg, run the command: $ ls -lL /boot/grub2/grub.cfg If properly configured, the output should indicate the following group-owner: root Is it the case that /boot/grub2/grub.cfg does not have group-owner root? To verify the system is not configured to use a boot loader on removable media, run the following command: $ sudo grep "set root='hd0" /boot/efi/EFI/redhat/grub.cfg The output should return something similar to: set root='hd0,msdos1' usb0, cd, fd0, etc. 
are some examples of removable media which should not appear in the line: set root='hd0,msdos1' Is it the case that it is not? To check the ownership of /boot/efi/EFI/redhat/grub.cfg, run the command: $ ls -lL /boot/efi/EFI/redhat/grub.cfg If properly configured, the output should indicate the following owner: root Is it the case that /boot/efi/EFI/redhat/grub.cfg does not have owner root? To check the permissions of /boot/efi/EFI/redhat/grub.cfg, run the command: $ sudo ls -lL /boot/efi/EFI/redhat/grub.cfg If properly configured, the output should indicate the following permissions: -rwx------ Is it the case that it does not? Run the following command to determine if the openvpn_can_network_connect SELinux boolean is disabled: $ getsebool openvpn_can_network_connect If properly configured, the output should show the following: openvpn_can_network_connect --> off Is it the case that openvpn_can_network_connect is not disabled? Run the following command to determine if the httpd_use_gpg SELinux boolean is disabled: $ getsebool httpd_use_gpg If properly configured, the output should show the following: httpd_use_gpg --> off Is it the case that httpd_use_gpg is not disabled? Run the following command to determine if the ssh_sysadm_login SELinux boolean is disabled: $ getsebool ssh_sysadm_login If properly configured, the output should show the following: ssh_sysadm_login --> off Is it the case that ssh_sysadm_login is not disabled? Run the following command to determine if the httpd_run_stickshift SELinux boolean is disabled: $ getsebool httpd_run_stickshift If properly configured, the output should show the following: httpd_run_stickshift --> off Is it the case that httpd_run_stickshift is not disabled? 
Run the following command to determine if the polipo_connect_all_unreserved SELinux boolean is disabled: $ getsebool polipo_connect_all_unreserved If properly configured, the output should show the following: polipo_connect_all_unreserved --> off Is it the case that polipo_connect_all_unreserved is not disabled? Run the following command to determine if the httpd_sys_script_anon_write SELinux boolean is disabled: $ getsebool httpd_sys_script_anon_write If properly configured, the output should show the following: httpd_sys_script_anon_write --> off Is it the case that httpd_sys_script_anon_write is not disabled? Run the following command to determine if the pcp_bind_all_unreserved_ports SELinux boolean is disabled: $ getsebool pcp_bind_all_unreserved_ports If properly configured, the output should show the following: pcp_bind_all_unreserved_ports --> off Is it the case that pcp_bind_all_unreserved_ports is not disabled? Run the following command to determine if the minidlna_read_generic_user_content SELinux boolean is disabled: $ getsebool minidlna_read_generic_user_content If properly configured, the output should show the following: minidlna_read_generic_user_content --> off Is it the case that minidlna_read_generic_user_content is not disabled? Run the following command to determine if the auditadm_exec_content SELinux boolean is enabled: $ getsebool auditadm_exec_content If properly configured, the output should show the following: auditadm_exec_content --> on Is it the case that auditadm_exec_content is not enabled? Run the following command to determine if the authlogin_radius SELinux boolean is disabled: $ getsebool authlogin_radius If properly configured, the output should show the following: authlogin_radius --> off Is it the case that authlogin_radius is not disabled? 
Run the following command to determine if the logwatch_can_network_connect_mail SELinux boolean is disabled: $ getsebool logwatch_can_network_connect_mail If properly configured, the output should show the following: logwatch_can_network_connect_mail --> off Is it the case that logwatch_can_network_connect_mail is not disabled? Run the following command to determine if the logrotate_use_nfs SELinux boolean is disabled: $ getsebool logrotate_use_nfs If properly configured, the output should show the following: logrotate_use_nfs --> off Is it the case that logrotate_use_nfs is not disabled? Run the following command to determine if the git_cgi_use_cifs SELinux boolean is disabled: $ getsebool git_cgi_use_cifs If properly configured, the output should show the following: git_cgi_use_cifs --> off Is it the case that git_cgi_use_cifs is not disabled? Run the following command to determine if the postgresql_can_rsync SELinux boolean is disabled: $ getsebool postgresql_can_rsync If properly configured, the output should show the following: postgresql_can_rsync --> off Is it the case that postgresql_can_rsync is not disabled? Run the following command to determine if the selinuxuser_execstack SELinux boolean is disabled: $ getsebool selinuxuser_execstack If properly configured, the output should show the following: selinuxuser_execstack --> off Is it the case that selinuxuser_execstack is not disabled? Run the following command to determine if the entropyd_use_audio SELinux boolean is disabled: $ getsebool entropyd_use_audio If properly configured, the output should show the following: entropyd_use_audio --> off Is it the case that entropyd_use_audio is not disabled? Run the following command to determine if the httpd_execmem SELinux boolean is disabled: $ getsebool httpd_execmem If properly configured, the output should show the following: httpd_execmem --> off Is it the case that httpd_execmem is not disabled? 
Run the following command to determine if the mount_anyfile SELinux boolean is enabled: $ getsebool mount_anyfile If properly configured, the output should show the following: mount_anyfile --> on Is it the case that mount_anyfile is not enabled? Run the following command to determine if the smartmon_3ware SELinux boolean is disabled: $ getsebool smartmon_3ware If properly configured, the output should show the following: smartmon_3ware --> off Is it the case that smartmon_3ware is not disabled? Run the following command to determine if the git_cgi_enable_homedirs SELinux boolean is disabled: $ getsebool git_cgi_enable_homedirs If properly configured, the output should show the following: git_cgi_enable_homedirs --> off Is it the case that git_cgi_enable_homedirs is not disabled? Run the following command to determine if the mailman_use_fusefs SELinux boolean is disabled: $ getsebool mailman_use_fusefs If properly configured, the output should show the following: mailman_use_fusefs --> off Is it the case that mailman_use_fusefs is not disabled? Run the following command to determine if the httpd_can_check_spam SELinux boolean is disabled: $ getsebool httpd_can_check_spam If properly configured, the output should show the following: httpd_can_check_spam --> off Is it the case that httpd_can_check_spam is not disabled? Run the following command to determine if the fenced_can_ssh SELinux boolean is disabled: $ getsebool fenced_can_ssh If properly configured, the output should show the following: fenced_can_ssh --> off Is it the case that fenced_can_ssh is not disabled? Run the following command to determine if the nagios_run_pnp4nagios SELinux boolean is disabled: $ getsebool nagios_run_pnp4nagios If properly configured, the output should show the following: nagios_run_pnp4nagios --> off Is it the case that nagios_run_pnp4nagios is not disabled? 
Run the following command to determine if the httpd_can_network_connect SELinux boolean is disabled: $ getsebool httpd_can_network_connect If properly configured, the output should show the following: httpd_can_network_connect --> off Is it the case that httpd_can_network_connect is not disabled? Run the following command to determine if the mozilla_plugin_can_network_connect SELinux boolean is disabled: $ getsebool mozilla_plugin_can_network_connect If properly configured, the output should show the following: mozilla_plugin_can_network_connect --> off Is it the case that mozilla_plugin_can_network_connect is not disabled? Run the following command to determine if the git_session_bind_all_unreserved_ports SELinux boolean is disabled: $ getsebool git_session_bind_all_unreserved_ports If properly configured, the output should show the following: git_session_bind_all_unreserved_ports --> off Is it the case that git_session_bind_all_unreserved_ports is not disabled? Run the following command to determine if the tmpreaper_use_samba SELinux boolean is disabled: $ getsebool tmpreaper_use_samba If properly configured, the output should show the following: tmpreaper_use_samba --> off Is it the case that tmpreaper_use_samba is not disabled? Run the following command to determine if the selinuxuser_tcp_server SELinux boolean is disabled: $ getsebool selinuxuser_tcp_server If properly configured, the output should show the following: selinuxuser_tcp_server --> off Is it the case that selinuxuser_tcp_server is not disabled? Run the following command to determine if the httpd_anon_write SELinux boolean is disabled: $ getsebool httpd_anon_write If properly configured, the output should show the following: httpd_anon_write --> off Is it the case that httpd_anon_write is not disabled? 
Run the following command to determine if the httpd_can_connect_ldap SELinux boolean is disabled: $ getsebool httpd_can_connect_ldap If properly configured, the output should show the following: httpd_can_connect_ldap --> off Is it the case that httpd_can_connect_ldap is not disabled? Run the following command to determine if the xen_use_nfs SELinux boolean is disabled: $ getsebool xen_use_nfs If properly configured, the output should show the following: xen_use_nfs --> off Is it the case that xen_use_nfs is not disabled? Run the following command to determine if the daemons_use_tcp_wrapper SELinux boolean is disabled: $ getsebool daemons_use_tcp_wrapper If properly configured, the output should show the following: daemons_use_tcp_wrapper --> off Is it the case that daemons_use_tcp_wrapper is not disabled? Run the following command to determine if the ftpd_connect_db SELinux boolean is disabled: $ getsebool ftpd_connect_db If properly configured, the output should show the following: ftpd_connect_db --> off Is it the case that ftpd_connect_db is not disabled? Run the following command to determine if the ftpd_use_nfs SELinux boolean is disabled: $ getsebool ftpd_use_nfs If properly configured, the output should show the following: ftpd_use_nfs --> off Is it the case that ftpd_use_nfs is not disabled? Run the following command to determine if the cron_can_relabel SELinux boolean is disabled: $ getsebool cron_can_relabel If properly configured, the output should show the following: cron_can_relabel --> off Is it the case that cron_can_relabel is not disabled? Run the following command to determine if the openvpn_run_unconfined SELinux boolean is disabled: $ getsebool openvpn_run_unconfined If properly configured, the output should show the following: openvpn_run_unconfined --> off Is it the case that openvpn_run_unconfined is not disabled? 
Run the following command to determine if the zebra_write_config SELinux boolean is disabled:
$ getsebool zebra_write_config
If properly configured, the output should show the following: zebra_write_config --> off
Is it the case that zebra_write_config is not disabled?

Run the following command to determine if the virt_rw_qemu_ga_data SELinux boolean is disabled:
$ getsebool virt_rw_qemu_ga_data
If properly configured, the output should show the following: virt_rw_qemu_ga_data --> off
Is it the case that virt_rw_qemu_ga_data is not disabled?

Run the following command to determine if the condor_tcp_network_connect SELinux boolean is disabled:
$ getsebool condor_tcp_network_connect
If properly configured, the output should show the following: condor_tcp_network_connect --> off
Is it the case that condor_tcp_network_connect is not disabled?

Run the following command to determine if the fcron_crond SELinux boolean is disabled:
$ getsebool fcron_crond
If properly configured, the output should show the following: fcron_crond --> off
Is it the case that fcron_crond is not disabled?

Run the following command to determine if the nfsd_anon_write SELinux boolean is disabled:
$ getsebool nfsd_anon_write
If properly configured, the output should show the following: nfsd_anon_write --> off
Is it the case that nfsd_anon_write is not disabled?

Run the following command to determine if the logadm_exec_content SELinux boolean is enabled:
$ getsebool logadm_exec_content
If properly configured, the output should show the following: logadm_exec_content --> on
Is it the case that logadm_exec_content is not enabled?

Run the following command to determine if the httpd_dbus_sssd SELinux boolean is disabled:
$ getsebool httpd_dbus_sssd
If properly configured, the output should show the following: httpd_dbus_sssd --> off
Is it the case that httpd_dbus_sssd is not disabled?
Run the following command to determine if the httpd_manage_ipa SELinux boolean is disabled:
$ getsebool httpd_manage_ipa
If properly configured, the output should show the following: httpd_manage_ipa --> off
Is it the case that httpd_manage_ipa is not disabled?

Run the following command to determine if the haproxy_connect_any SELinux boolean is disabled:
$ getsebool haproxy_connect_any
If properly configured, the output should show the following: haproxy_connect_any --> off
Is it the case that haproxy_connect_any is not disabled?

Run the following command to determine if the httpd_setrlimit SELinux boolean is disabled:
$ getsebool httpd_setrlimit
If properly configured, the output should show the following: httpd_setrlimit --> off
Is it the case that httpd_setrlimit is not disabled?

Run the following command to determine if the antivirus_use_jit SELinux boolean is disabled:
$ getsebool antivirus_use_jit
If properly configured, the output should show the following: antivirus_use_jit --> off
Is it the case that antivirus_use_jit is not disabled?

Run the following command to determine if the rsync_full_access SELinux boolean is disabled:
$ getsebool rsync_full_access
If properly configured, the output should show the following: rsync_full_access --> off
Is it the case that rsync_full_access is not disabled?

Run the following command to determine if the httpd_run_ipa SELinux boolean is disabled:
$ getsebool httpd_run_ipa
If properly configured, the output should show the following: httpd_run_ipa --> off
Is it the case that httpd_run_ipa is not disabled?

Run the following command to determine if the httpd_builtin_scripting SELinux boolean is disabled:
$ getsebool httpd_builtin_scripting
If properly configured, the output should show the following: httpd_builtin_scripting --> off
Is it the case that httpd_builtin_scripting is not disabled?
Run the following command to determine if the staff_use_svirt SELinux boolean is disabled:
$ getsebool staff_use_svirt
If properly configured, the output should show the following: staff_use_svirt --> off
Is it the case that staff_use_svirt is not disabled?

Run the following command to determine if the user_exec_content SELinux boolean is enabled:
$ getsebool user_exec_content
If properly configured, the output should show the following: user_exec_content --> on
Is it the case that user_exec_content is not enabled?

Run the following command to determine if the samba_run_unconfined SELinux boolean is disabled:
$ getsebool samba_run_unconfined
If properly configured, the output should show the following: samba_run_unconfined --> off
Is it the case that samba_run_unconfined is not disabled?

Run the following command to determine if the mozilla_plugin_use_spice SELinux boolean is disabled:
$ getsebool mozilla_plugin_use_spice
If properly configured, the output should show the following: mozilla_plugin_use_spice --> off
Is it the case that mozilla_plugin_use_spice is not disabled?

Run the following command to determine if the mpd_use_nfs SELinux boolean is disabled:
$ getsebool mpd_use_nfs
If properly configured, the output should show the following: mpd_use_nfs --> off
Is it the case that mpd_use_nfs is not disabled?

Run the following command to determine if the httpd_read_user_content SELinux boolean is disabled:
$ getsebool httpd_read_user_content
If properly configured, the output should show the following: httpd_read_user_content --> off
Is it the case that httpd_read_user_content is not disabled?

Run the following command to determine if the rsync_client SELinux boolean is disabled:
$ getsebool rsync_client
If properly configured, the output should show the following: rsync_client --> off
Is it the case that rsync_client is not disabled?
Run the following command to determine if the dbadm_read_user_files SELinux boolean is disabled:
$ getsebool dbadm_read_user_files
If properly configured, the output should show the following: dbadm_read_user_files --> off
Is it the case that dbadm_read_user_files is not disabled?

Run the following command to determine if the deny_ptrace SELinux boolean is disabled:
$ getsebool deny_ptrace
If properly configured, the output should show the following: deny_ptrace --> off
Is it the case that deny_ptrace is not disabled?

Run the following command to determine if the nfs_export_all_rw SELinux boolean is enabled:
$ getsebool nfs_export_all_rw
If properly configured, the output should show the following: nfs_export_all_rw --> on
Is it the case that nfs_export_all_rw is not enabled?

Run the following command to determine if the rsync_anon_write SELinux boolean is disabled:
$ getsebool rsync_anon_write
If properly configured, the output should show the following: rsync_anon_write --> off
Is it the case that rsync_anon_write is not disabled?

Run the following command to determine if the httpd_can_network_memcache SELinux boolean is disabled:
$ getsebool httpd_can_network_memcache
If properly configured, the output should show the following: httpd_can_network_memcache --> off
Is it the case that httpd_can_network_memcache is not disabled?

Run the following command to determine if the virt_sandbox_use_audit SELinux boolean is enabled:
$ getsebool virt_sandbox_use_audit
If properly configured, the output should show the following: virt_sandbox_use_audit --> on
Is it the case that virt_sandbox_use_audit is not enabled?

Run the following command to determine if the mozilla_read_content SELinux boolean is disabled:
$ getsebool mozilla_read_content
If properly configured, the output should show the following: mozilla_read_content --> off
Is it the case that mozilla_read_content is not disabled?
Run the following command to determine if the xserver_object_manager SELinux boolean is disabled:
$ getsebool xserver_object_manager
If properly configured, the output should show the following: xserver_object_manager --> off
Is it the case that xserver_object_manager is not disabled?

Run the following command to determine if the httpd_tty_comm SELinux boolean is disabled:
$ getsebool httpd_tty_comm
If properly configured, the output should show the following: httpd_tty_comm --> off
Is it the case that httpd_tty_comm is not disabled?

Run the following command to determine if the collectd_tcp_network_connect SELinux boolean is disabled:
$ getsebool collectd_tcp_network_connect
If properly configured, the output should show the following: collectd_tcp_network_connect --> off
Is it the case that collectd_tcp_network_connect is not disabled?

Run the following command to determine if the xdm_sysadm_login SELinux boolean is disabled:
$ getsebool xdm_sysadm_login
If properly configured, the output should show the following: xdm_sysadm_login --> off
Is it the case that xdm_sysadm_login is not disabled?

Run the following command to determine if the pcp_read_generic_logs SELinux boolean is disabled:
$ getsebool pcp_read_generic_logs
If properly configured, the output should show the following: pcp_read_generic_logs --> off
Is it the case that pcp_read_generic_logs is not disabled?

Run the following command to determine if the spamd_enable_home_dirs SELinux boolean is enabled:
$ getsebool spamd_enable_home_dirs
If properly configured, the output should show the following: spamd_enable_home_dirs --> on
Is it the case that spamd_enable_home_dirs is not enabled?

Run the following command to determine if the xguest_mount_media SELinux boolean is disabled:
$ getsebool xguest_mount_media
If properly configured, the output should show the following: xguest_mount_media --> off
Is it the case that xguest_mount_media is not disabled?
Run the following command to determine if the polipo_session_bind_all_unreserved_ports SELinux boolean is disabled:
$ getsebool polipo_session_bind_all_unreserved_ports
If properly configured, the output should show the following: polipo_session_bind_all_unreserved_ports --> off
Is it the case that polipo_session_bind_all_unreserved_ports is not disabled?

Run the following command to determine if the container_connect_any SELinux boolean is disabled:
$ getsebool container_connect_any
If properly configured, the output should show the following: container_connect_any --> off
Is it the case that container_connect_any is not disabled?

Run the following command to determine if the tftp_anon_write SELinux boolean is disabled:
$ getsebool tftp_anon_write
If properly configured, the output should show the following: tftp_anon_write --> off
Is it the case that tftp_anon_write is not disabled?

Run the following command to determine if the git_system_use_nfs SELinux boolean is disabled:
$ getsebool git_system_use_nfs
If properly configured, the output should show the following: git_system_use_nfs --> off
Is it the case that git_system_use_nfs is not disabled?

Run the following command to determine if the virt_use_usb SELinux boolean is disabled:
$ getsebool virt_use_usb
If properly configured, the output should show the following: virt_use_usb --> off
Is it the case that virt_use_usb is not disabled?

Run the following command to determine if the nis_enabled SELinux boolean is disabled:
$ getsebool nis_enabled
If properly configured, the output should show the following: nis_enabled --> off
Is it the case that nis_enabled is not disabled?

Run the following command to determine if the selinuxuser_mysql_connect_enabled SELinux boolean is disabled:
$ getsebool selinuxuser_mysql_connect_enabled
If properly configured, the output should show the following: selinuxuser_mysql_connect_enabled --> off
Is it the case that selinuxuser_mysql_connect_enabled is not disabled?
Run the following command to determine if the samba_share_fusefs SELinux boolean is disabled:
$ getsebool samba_share_fusefs
If properly configured, the output should show the following: samba_share_fusefs --> off
Is it the case that samba_share_fusefs is not disabled?

Run the following command to determine if the httpd_enable_ftp_server SELinux boolean is disabled:
$ getsebool httpd_enable_ftp_server
If properly configured, the output should show the following: httpd_enable_ftp_server --> off
Is it the case that httpd_enable_ftp_server is not disabled?

Run the following command to determine if the pppd_for_user SELinux boolean is disabled:
$ getsebool pppd_for_user
If properly configured, the output should show the following: pppd_for_user --> off
Is it the case that pppd_for_user is not disabled?

Run the following command to determine if the virt_sandbox_use_all_caps SELinux boolean is disabled:
$ getsebool virt_sandbox_use_all_caps
If properly configured, the output should show the following: virt_sandbox_use_all_caps --> off
Is it the case that virt_sandbox_use_all_caps is not disabled?

Run the following command to determine if the mozilla_plugin_use_gps SELinux boolean is disabled:
$ getsebool mozilla_plugin_use_gps
If properly configured, the output should show the following: mozilla_plugin_use_gps --> off
Is it the case that mozilla_plugin_use_gps is not disabled?

Run the following command to determine if the samba_domain_controller SELinux boolean is disabled:
$ getsebool samba_domain_controller
If properly configured, the output should show the following: samba_domain_controller --> off
Is it the case that samba_domain_controller is not disabled?

Run the following command to determine if the boinc_execmem SELinux boolean is disabled:
$ getsebool boinc_execmem
If properly configured, the output should show the following: boinc_execmem --> off
Is it the case that boinc_execmem is not disabled?
Run the following command to determine if the use_fusefs_home_dirs SELinux boolean is disabled:
$ getsebool use_fusefs_home_dirs
If properly configured, the output should show the following: use_fusefs_home_dirs --> off
Is it the case that use_fusefs_home_dirs is not disabled?

Run the following command to determine if the tmpreaper_use_nfs SELinux boolean is disabled:
$ getsebool tmpreaper_use_nfs
If properly configured, the output should show the following: tmpreaper_use_nfs --> off
Is it the case that tmpreaper_use_nfs is not disabled?

Run the following command to determine if the sanlock_use_fusefs SELinux boolean is disabled:
$ getsebool sanlock_use_fusefs
If properly configured, the output should show the following: sanlock_use_fusefs --> off
Is it the case that sanlock_use_fusefs is not disabled?

Run the following command to determine if the ssh_keysign SELinux boolean is disabled:
$ getsebool ssh_keysign
If properly configured, the output should show the following: ssh_keysign --> off
Is it the case that ssh_keysign is not disabled?

Run the following command to determine if the httpd_tmp_exec SELinux boolean is disabled:
$ getsebool httpd_tmp_exec
If properly configured, the output should show the following: httpd_tmp_exec --> off
Is it the case that httpd_tmp_exec is not disabled?

Run the following command to determine if the httpd_use_fusefs SELinux boolean is disabled:
$ getsebool httpd_use_fusefs
If properly configured, the output should show the following: httpd_use_fusefs --> off
Is it the case that httpd_use_fusefs is not disabled?

Run the following command to determine if the staff_exec_content SELinux boolean is enabled:
$ getsebool staff_exec_content
If properly configured, the output should show the following: staff_exec_content --> on
Is it the case that staff_exec_content is not enabled?
Run the following command to determine if the nscd_use_shm SELinux boolean is enabled:
$ getsebool nscd_use_shm
If properly configured, the output should show the following: nscd_use_shm --> on
Is it the case that nscd_use_shm is not enabled?

Run the following command to determine if the global_ssp SELinux boolean is disabled:
$ getsebool global_ssp
If properly configured, the output should show the following: global_ssp --> off
Is it the case that global_ssp is not disabled?

Run the following command to determine if the virt_use_fusefs SELinux boolean is disabled:
$ getsebool virt_use_fusefs
If properly configured, the output should show the following: virt_use_fusefs --> off
Is it the case that virt_use_fusefs is not disabled?

Run the following command to determine if the gluster_anon_write SELinux boolean is disabled:
$ getsebool gluster_anon_write
If properly configured, the output should show the following: gluster_anon_write --> off
Is it the case that gluster_anon_write is not disabled?

Run the following command to determine if the wine_mmap_zero_ignore SELinux boolean is disabled:
$ getsebool wine_mmap_zero_ignore
If properly configured, the output should show the following: wine_mmap_zero_ignore --> off
Is it the case that wine_mmap_zero_ignore is not disabled?

Run the following command to determine if the fenced_can_network_connect SELinux boolean is disabled:
$ getsebool fenced_can_network_connect
If properly configured, the output should show the following: fenced_can_network_connect --> off
Is it the case that fenced_can_network_connect is not disabled?

Run the following command to determine if the zabbix_can_network SELinux boolean is disabled:
$ getsebool zabbix_can_network
If properly configured, the output should show the following: zabbix_can_network --> off
Is it the case that zabbix_can_network is not disabled?
Run the following command to determine if the virt_use_nfs SELinux boolean is disabled:
$ getsebool virt_use_nfs
If properly configured, the output should show the following: virt_use_nfs --> off
Is it the case that virt_use_nfs is not disabled?

Run the following command to determine if the prosody_bind_http_port SELinux boolean is disabled:
$ getsebool prosody_bind_http_port
If properly configured, the output should show the following: prosody_bind_http_port --> off
Is it the case that prosody_bind_http_port is not disabled?

Run the following command to determine if the use_samba_home_dirs SELinux boolean is disabled:
$ getsebool use_samba_home_dirs
If properly configured, the output should show the following: use_samba_home_dirs --> off
Is it the case that use_samba_home_dirs is not disabled?

Run the following command to determine if the cron_userdomain_transition SELinux boolean is enabled:
$ getsebool cron_userdomain_transition
If properly configured, the output should show the following: cron_userdomain_transition --> on
Is it the case that cron_userdomain_transition is not enabled?

Run the following command to determine if the spamassassin_can_network SELinux boolean is disabled:
$ getsebool spamassassin_can_network
If properly configured, the output should show the following: spamassassin_can_network --> off
Is it the case that spamassassin_can_network is not disabled?

Run the following command to determine if the git_cgi_use_nfs SELinux boolean is disabled:
$ getsebool git_cgi_use_nfs
If properly configured, the output should show the following: git_cgi_use_nfs --> off
Is it the case that git_cgi_use_nfs is not disabled?

Run the following command to determine if the secure_mode_insmod SELinux boolean is disabled:
$ getsebool secure_mode_insmod
If properly configured, the output should show the following: secure_mode_insmod --> off
Is it the case that secure_mode_insmod is not disabled?
Run the following command to determine if the mysql_connect_any SELinux boolean is disabled:
$ getsebool mysql_connect_any
If properly configured, the output should show the following: mysql_connect_any --> off
Is it the case that mysql_connect_any is not disabled?

Run the following command to determine if the samba_load_libgfapi SELinux boolean is disabled:
$ getsebool samba_load_libgfapi
If properly configured, the output should show the following: samba_load_libgfapi --> off
Is it the case that samba_load_libgfapi is not disabled?

Run the following command to determine if the samba_portmapper SELinux boolean is disabled:
$ getsebool samba_portmapper
If properly configured, the output should show the following: samba_portmapper --> off
Is it the case that samba_portmapper is not disabled?

Run the following command to determine if the httpd_run_preupgrade SELinux boolean is disabled:
$ getsebool httpd_run_preupgrade
If properly configured, the output should show the following: httpd_run_preupgrade --> off
Is it the case that httpd_run_preupgrade is not disabled?

Run the following command to determine if the virt_use_xserver SELinux boolean is disabled:
$ getsebool virt_use_xserver
If properly configured, the output should show the following: virt_use_xserver --> off
Is it the case that virt_use_xserver is not disabled?

Run the following command to determine if the mplayer_execstack SELinux boolean is disabled:
$ getsebool mplayer_execstack
If properly configured, the output should show the following: mplayer_execstack --> off
Is it the case that mplayer_execstack is not disabled?

Run the following command to determine if the selinuxuser_rw_noexattrfile SELinux boolean is disabled:
$ getsebool selinuxuser_rw_noexattrfile
If properly configured, the output should show the following: selinuxuser_rw_noexattrfile --> off
Is it the case that selinuxuser_rw_noexattrfile is not disabled?
Run the following command to determine if the neutron_can_network SELinux boolean is disabled:
$ getsebool neutron_can_network
If properly configured, the output should show the following: neutron_can_network --> off
Is it the case that neutron_can_network is not disabled?

Run the following command to determine if the ftpd_full_access SELinux boolean is disabled:
$ getsebool ftpd_full_access
If properly configured, the output should show the following: ftpd_full_access --> off
Is it the case that ftpd_full_access is not disabled?

Run the following command to determine if the ftpd_use_fusefs SELinux boolean is disabled:
$ getsebool ftpd_use_fusefs
If properly configured, the output should show the following: ftpd_use_fusefs --> off
Is it the case that ftpd_use_fusefs is not disabled?

Run the following command to determine if the deny_execmem SELinux boolean is disabled:
$ getsebool deny_execmem
If properly configured, the output should show the following: deny_execmem --> off
Is it the case that deny_execmem is not disabled?

Run the following command to determine if the ssh_chroot_rw_homedirs SELinux boolean is disabled:
$ getsebool ssh_chroot_rw_homedirs
If properly configured, the output should show the following: ssh_chroot_rw_homedirs --> off
Is it the case that ssh_chroot_rw_homedirs is not disabled?

Run the following command to determine if the httpd_mod_auth_pam SELinux boolean is disabled:
$ getsebool httpd_mod_auth_pam
If properly configured, the output should show the following: httpd_mod_auth_pam --> off
Is it the case that httpd_mod_auth_pam is not disabled?

Run the following command to determine if the authlogin_yubikey SELinux boolean is disabled:
$ getsebool authlogin_yubikey
If properly configured, the output should show the following: authlogin_yubikey --> off
Is it the case that authlogin_yubikey is not disabled?
Run the following command to determine if the virt_use_samba SELinux boolean is disabled:
$ getsebool virt_use_samba
If properly configured, the output should show the following: virt_use_samba --> off
Is it the case that virt_use_samba is not disabled?

Run the following command to determine if the httpd_can_connect_ftp SELinux boolean is disabled:
$ getsebool httpd_can_connect_ftp
If properly configured, the output should show the following: httpd_can_connect_ftp --> off
Is it the case that httpd_can_connect_ftp is not disabled?

Run the following command to determine if the abrt_anon_write SELinux boolean is disabled:
$ getsebool abrt_anon_write
If properly configured, the output should show the following: abrt_anon_write --> off
Is it the case that abrt_anon_write is not disabled?

Run the following command to determine if the named_tcp_bind_http_port SELinux boolean is disabled:
$ getsebool named_tcp_bind_http_port
If properly configured, the output should show the following: named_tcp_bind_http_port --> off
Is it the case that named_tcp_bind_http_port is not disabled?

Run the following command to determine if the squid_use_tproxy SELinux boolean is disabled:
$ getsebool squid_use_tproxy
If properly configured, the output should show the following: squid_use_tproxy --> off
Is it the case that squid_use_tproxy is not disabled?

Run the following command to determine if the dhcpd_use_ldap SELinux boolean is disabled:
$ getsebool dhcpd_use_ldap
If properly configured, the output should show the following: dhcpd_use_ldap --> off
Is it the case that dhcpd_use_ldap is not disabled?

Run the following command to determine if the tftp_home_dir SELinux boolean is disabled:
$ getsebool tftp_home_dir
If properly configured, the output should show the following: tftp_home_dir --> off
Is it the case that tftp_home_dir is not disabled?
Run the following command to determine if the awstats_purge_apache_log_files SELinux boolean is disabled:
$ getsebool awstats_purge_apache_log_files
If properly configured, the output should show the following: awstats_purge_apache_log_files --> off
Is it the case that awstats_purge_apache_log_files is not disabled?

Run the following command to determine if the samba_share_nfs SELinux boolean is disabled:
$ getsebool samba_share_nfs
If properly configured, the output should show the following: samba_share_nfs --> off
Is it the case that samba_share_nfs is not disabled?

Run the following command to determine if the glance_use_fusefs SELinux boolean is disabled:
$ getsebool glance_use_fusefs
If properly configured, the output should show the following: glance_use_fusefs --> off
Is it the case that glance_use_fusefs is not disabled?

Run the following command to determine if the sanlock_use_nfs SELinux boolean is disabled:
$ getsebool sanlock_use_nfs
If properly configured, the output should show the following: sanlock_use_nfs --> off
Is it the case that sanlock_use_nfs is not disabled?

Run the following command to determine if the gluster_export_all_rw SELinux boolean is disabled:
$ getsebool gluster_export_all_rw
If properly configured, the output should show the following: gluster_export_all_rw --> off
Is it the case that gluster_export_all_rw is not disabled?

Run the following command to determine if the mozilla_plugin_bind_unreserved_ports SELinux boolean is disabled:
$ getsebool mozilla_plugin_bind_unreserved_ports
If properly configured, the output should show the following: mozilla_plugin_bind_unreserved_ports --> off
Is it the case that mozilla_plugin_bind_unreserved_ports is not disabled?
Run the following command to determine if the logging_syslogd_use_tty SELinux boolean is enabled:
$ getsebool logging_syslogd_use_tty
If properly configured, the output should show the following: logging_syslogd_use_tty --> on
Is it the case that logging_syslogd_use_tty is not enabled?

Run the following command to determine if the login_console_enabled SELinux boolean is enabled:
$ getsebool login_console_enabled
If properly configured, the output should show the following: login_console_enabled --> on
Is it the case that login_console_enabled is not enabled?

Run the following command to determine if the glance_api_can_network SELinux boolean is disabled:
$ getsebool glance_api_can_network
If properly configured, the output should show the following: glance_api_can_network --> off
Is it the case that glance_api_can_network is not disabled?

Run the following command to determine if the abrt_handle_event SELinux boolean is disabled:
$ getsebool abrt_handle_event
If properly configured, the output should show the following: abrt_handle_event --> off
Is it the case that abrt_handle_event is not disabled?

Run the following command to determine if the gluster_export_all_ro SELinux boolean is disabled:
$ getsebool gluster_export_all_ro
If properly configured, the output should show the following: gluster_export_all_ro --> off
Is it the case that gluster_export_all_ro is not disabled?

Run the following command to determine if the ksmtuned_use_nfs SELinux boolean is disabled:
$ getsebool ksmtuned_use_nfs
If properly configured, the output should show the following: ksmtuned_use_nfs --> off
Is it the case that ksmtuned_use_nfs is not disabled?

Run the following command to determine if the puppetagent_manage_all_files SELinux boolean is disabled:
$ getsebool puppetagent_manage_all_files
If properly configured, the output should show the following: puppetagent_manage_all_files --> off
Is it the case that puppetagent_manage_all_files is not disabled?
Run the following command to determine if the httpd_dontaudit_search_dirs SELinux boolean is disabled:
$ getsebool httpd_dontaudit_search_dirs
If properly configured, the output should show the following: httpd_dontaudit_search_dirs --> off
Is it the case that httpd_dontaudit_search_dirs is not disabled?

Run the following command to determine if the smbd_anon_write SELinux boolean is disabled:
$ getsebool smbd_anon_write
If properly configured, the output should show the following: smbd_anon_write --> off
Is it the case that smbd_anon_write is not disabled?

Run the following command to determine if the cron_system_cronjob_use_shares SELinux boolean is disabled:
$ getsebool cron_system_cronjob_use_shares
If properly configured, the output should show the following: cron_system_cronjob_use_shares --> off
Is it the case that cron_system_cronjob_use_shares is not disabled?

Run the following command to determine if the mozilla_plugin_use_bluejeans SELinux boolean is disabled:
$ getsebool mozilla_plugin_use_bluejeans
If properly configured, the output should show the following: mozilla_plugin_use_bluejeans --> off
Is it the case that mozilla_plugin_use_bluejeans is not disabled?

Run the following command to determine if the openvpn_enable_homedirs SELinux boolean is disabled:
$ getsebool openvpn_enable_homedirs
If properly configured, the output should show the following: openvpn_enable_homedirs --> off
Is it the case that openvpn_enable_homedirs is not disabled?

Run the following command to determine if the mcelog_server SELinux boolean is disabled:
$ getsebool mcelog_server
If properly configured, the output should show the following: mcelog_server --> off
Is it the case that mcelog_server is not disabled?
Run the following command to determine if the mcelog_exec_scripts SELinux boolean is enabled:
$ getsebool mcelog_exec_scripts
If properly configured, the output should show the following: mcelog_exec_scripts --> on
Is it the case that mcelog_exec_scripts is not enabled?

Run the following command to determine if the sge_use_nfs SELinux boolean is disabled:
$ getsebool sge_use_nfs
If properly configured, the output should show the following: sge_use_nfs --> off
Is it the case that sge_use_nfs is not disabled?

Run the following command to determine if the webadm_read_user_files SELinux boolean is disabled:
$ getsebool webadm_read_user_files
If properly configured, the output should show the following: webadm_read_user_files --> off
Is it the case that webadm_read_user_files is not disabled?

Run the following command to determine if the piranha_lvs_can_network_connect SELinux boolean is disabled:
$ getsebool piranha_lvs_can_network_connect
If properly configured, the output should show the following: piranha_lvs_can_network_connect --> off
Is it the case that piranha_lvs_can_network_connect is not disabled?

Run the following command to determine if the domain_kernel_load_modules SELinux boolean is disabled:
$ getsebool domain_kernel_load_modules
If properly configured, the output should show the following: domain_kernel_load_modules --> off
Is it the case that domain_kernel_load_modules is not disabled?

Run the following command to determine if the exim_manage_user_files SELinux boolean is disabled:
$ getsebool exim_manage_user_files
If properly configured, the output should show the following: exim_manage_user_files --> off
Is it the case that exim_manage_user_files is not disabled?
Run the following command to determine if the virt_sandbox_use_netlink SELinux boolean is disabled:
$ getsebool virt_sandbox_use_netlink
If properly configured, the output should show the following: virt_sandbox_use_netlink --> off
Is it the case that virt_sandbox_use_netlink is not disabled?

Run the following command to determine if the unconfined_chrome_sandbox_transition SELinux boolean is enabled:
$ getsebool unconfined_chrome_sandbox_transition
If properly configured, the output should show the following: unconfined_chrome_sandbox_transition --> on
Is it the case that unconfined_chrome_sandbox_transition is not enabled?

Run the following command to determine if the httpd_verify_dns SELinux boolean is disabled:
$ getsebool httpd_verify_dns
If properly configured, the output should show the following: httpd_verify_dns --> off
Is it the case that httpd_verify_dns is not disabled?

Run the following command to determine if the virt_read_qemu_ga_data SELinux boolean is disabled:
$ getsebool virt_read_qemu_ga_data
If properly configured, the output should show the following: virt_read_qemu_ga_data --> off
Is it the case that virt_read_qemu_ga_data is not disabled?

Run the following command to determine if the glance_use_execmem SELinux boolean is disabled:
$ getsebool glance_use_execmem
If properly configured, the output should show the following: glance_use_execmem --> off
Is it the case that glance_use_execmem is not disabled?

Run the following command to determine if the httpd_can_sendmail SELinux boolean is disabled:
$ getsebool httpd_can_sendmail
If properly configured, the output should show the following: httpd_can_sendmail --> off
Is it the case that httpd_can_sendmail is not disabled?
Run the following command to determine if the httpd_enable_homedirs SELinux boolean is disabled:
$ getsebool httpd_enable_homedirs
If properly configured, the output should show the following:
httpd_enable_homedirs --> off
Is it the case that httpd_enable_homedirs is not disabled?

Run the following command to determine if the cdrecord_read_content SELinux boolean is disabled:
$ getsebool cdrecord_read_content
If properly configured, the output should show the following:
cdrecord_read_content --> off
Is it the case that cdrecord_read_content is not disabled?

Run the following command to determine if the unconfined_login SELinux boolean is enabled:
$ getsebool unconfined_login
If properly configured, the output should show the following:
unconfined_login --> on
Is it the case that unconfined_login is not enabled?

Run the following command to determine if the logging_syslogd_can_sendmail SELinux boolean is disabled:
$ getsebool logging_syslogd_can_sendmail
If properly configured, the output should show the following:
logging_syslogd_can_sendmail --> off
Is it the case that logging_syslogd_can_sendmail is not disabled?

Run the following command to determine if the gitosis_can_sendmail SELinux boolean is disabled:
$ getsebool gitosis_can_sendmail
If properly configured, the output should show the following:
gitosis_can_sendmail --> off
Is it the case that gitosis_can_sendmail is not disabled?

Run the following command to determine if the httpd_use_sasl SELinux boolean is disabled:
$ getsebool httpd_use_sasl
If properly configured, the output should show the following:
httpd_use_sasl --> off
Is it the case that httpd_use_sasl is not disabled?

Run the following command to determine if the git_system_use_cifs SELinux boolean is disabled:
$ getsebool git_system_use_cifs
If properly configured, the output should show the following:
git_system_use_cifs --> off
Is it the case that git_system_use_cifs is not disabled?
Run the following command to determine if the virt_use_comm SELinux boolean is disabled:
$ getsebool virt_use_comm
If properly configured, the output should show the following:
virt_use_comm --> off
Is it the case that virt_use_comm is not disabled?

Run the following command to determine if the selinuxuser_postgresql_connect_enabled SELinux boolean is disabled:
$ getsebool selinuxuser_postgresql_connect_enabled
If properly configured, the output should show the following:
selinuxuser_postgresql_connect_enabled --> off
Is it the case that selinuxuser_postgresql_connect_enabled is not disabled?

Run the following command to determine if the dbadm_manage_user_files SELinux boolean is disabled:
$ getsebool dbadm_manage_user_files
If properly configured, the output should show the following:
dbadm_manage_user_files --> off
Is it the case that dbadm_manage_user_files is not disabled?

Run the following command to determine if the httpd_can_network_connect_db SELinux boolean is disabled:
$ getsebool httpd_can_network_connect_db
If properly configured, the output should show the following:
httpd_can_network_connect_db --> off
Is it the case that httpd_can_network_connect_db is not disabled?

Run the following command to determine if the httpd_enable_cgi SELinux boolean is disabled:
$ getsebool httpd_enable_cgi
If properly configured, the output should show the following:
httpd_enable_cgi --> off
Is it the case that httpd_enable_cgi is not disabled?

Run the following command to determine if the antivirus_can_scan_system SELinux boolean is enabled:
$ getsebool antivirus_can_scan_system
If properly configured, the output should show the following:
antivirus_can_scan_system --> on
Is it the case that antivirus_can_scan_system is not enabled?
Run the following command to determine if the zarafa_setrlimit SELinux boolean is disabled:
$ getsebool zarafa_setrlimit
If properly configured, the output should show the following:
zarafa_setrlimit --> off
Is it the case that zarafa_setrlimit is not disabled?

Run the following command to determine if the samba_export_all_ro SELinux boolean is disabled:
$ getsebool samba_export_all_ro
If properly configured, the output should show the following:
samba_export_all_ro --> off
Is it the case that samba_export_all_ro is not disabled?

Run the following command to determine if the zoneminder_anon_write SELinux boolean is disabled:
$ getsebool zoneminder_anon_write
If properly configured, the output should show the following:
zoneminder_anon_write --> off
Is it the case that zoneminder_anon_write is not disabled?

Run the following command to determine if the daemons_enable_cluster_mode SELinux boolean is disabled:
$ getsebool daemons_enable_cluster_mode
If properly configured, the output should show the following:
daemons_enable_cluster_mode --> off
Is it the case that daemons_enable_cluster_mode is not disabled?

Run the following command to determine if the httpd_can_connect_mythtv SELinux boolean is disabled:
$ getsebool httpd_can_connect_mythtv
If properly configured, the output should show the following:
httpd_can_connect_mythtv --> off
Is it the case that httpd_can_connect_mythtv is not disabled?

Run the following command to determine if the squid_connect_any SELinux boolean is disabled:
$ getsebool squid_connect_any
If properly configured, the output should show the following:
squid_connect_any --> off
Is it the case that squid_connect_any is not disabled?

Run the following command to determine if the varnishd_connect_any SELinux boolean is disabled:
$ getsebool varnishd_connect_any
If properly configured, the output should show the following:
varnishd_connect_any --> off
Is it the case that varnishd_connect_any is not disabled?
Run the following command to determine if the privoxy_connect_any SELinux boolean is disabled:
$ getsebool privoxy_connect_any
If properly configured, the output should show the following:
privoxy_connect_any --> off
Is it the case that privoxy_connect_any is not disabled?

Run the following command to determine if the xend_run_qemu SELinux boolean is enabled:
$ getsebool xend_run_qemu
If properly configured, the output should show the following:
xend_run_qemu --> on
Is it the case that xend_run_qemu is not enabled?

Run the following command to determine if the abrt_upload_watch_anon_write SELinux boolean is disabled:
$ getsebool abrt_upload_watch_anon_write
If properly configured, the output should show the following:
abrt_upload_watch_anon_write --> off
Is it the case that abrt_upload_watch_anon_write is not disabled?

Run the following command to determine if the openshift_use_nfs SELinux boolean is disabled:
$ getsebool openshift_use_nfs
If properly configured, the output should show the following:
openshift_use_nfs --> off
Is it the case that openshift_use_nfs is not disabled?

Run the following command to determine if the unconfined_mozilla_plugin_transition SELinux boolean is enabled:
$ getsebool unconfined_mozilla_plugin_transition
If properly configured, the output should show the following:
unconfined_mozilla_plugin_transition --> on
Is it the case that unconfined_mozilla_plugin_transition is not enabled?

Run the following command to determine if the conman_can_network SELinux boolean is disabled:
$ getsebool conman_can_network
If properly configured, the output should show the following:
conman_can_network --> off
Is it the case that conman_can_network is not disabled?
Run the following command to determine if the cobbler_can_network_connect SELinux boolean is disabled:
$ getsebool cobbler_can_network_connect
If properly configured, the output should show the following:
cobbler_can_network_connect --> off
Is it the case that cobbler_can_network_connect is not disabled?

Run the following command to determine if the daemons_use_tty SELinux boolean is disabled:
$ getsebool daemons_use_tty
If properly configured, the output should show the following:
daemons_use_tty --> off
Is it the case that daemons_use_tty is not disabled?

Run the following command to determine if the zoneminder_run_sudo SELinux boolean is disabled:
$ getsebool zoneminder_run_sudo
If properly configured, the output should show the following:
zoneminder_run_sudo --> off
Is it the case that zoneminder_run_sudo is not disabled?

Run the following command to determine if the postgresql_selinux_unconfined_dbadm SELinux boolean is enabled:
$ getsebool postgresql_selinux_unconfined_dbadm
If properly configured, the output should show the following:
postgresql_selinux_unconfined_dbadm --> on
Is it the case that postgresql_selinux_unconfined_dbadm is not enabled?

Run the following command to determine if the samba_export_all_rw SELinux boolean is disabled:
$ getsebool samba_export_all_rw
If properly configured, the output should show the following:
samba_export_all_rw --> off
Is it the case that samba_export_all_rw is not disabled?

Run the following command to determine if the httpd_graceful_shutdown SELinux boolean is enabled:
$ getsebool httpd_graceful_shutdown
If properly configured, the output should show the following:
httpd_graceful_shutdown --> on
Is it the case that httpd_graceful_shutdown is not enabled?

Run the following command to determine if the pppd_can_insmod SELinux boolean is disabled:
$ getsebool pppd_can_insmod
If properly configured, the output should show the following:
pppd_can_insmod --> off
Is it the case that pppd_can_insmod is not disabled?
Run the following command to determine if the webadm_manage_user_files SELinux boolean is disabled:
$ getsebool webadm_manage_user_files
If properly configured, the output should show the following:
webadm_manage_user_files --> off
Is it the case that webadm_manage_user_files is not disabled?

Run the following command to determine if the secure_mode SELinux boolean is disabled:
$ getsebool secure_mode
If properly configured, the output should show the following:
secure_mode --> off
Is it the case that secure_mode is not disabled?

Run the following command to determine if the cluster_use_execmem SELinux boolean is disabled:
$ getsebool cluster_use_execmem
If properly configured, the output should show the following:
cluster_use_execmem --> off
Is it the case that cluster_use_execmem is not disabled?

Run the following command to determine if the httpd_serve_cobbler_files SELinux boolean is disabled:
$ getsebool httpd_serve_cobbler_files
If properly configured, the output should show the following:
httpd_serve_cobbler_files --> off
Is it the case that httpd_serve_cobbler_files is not disabled?

Run the following command to determine if the irssi_use_full_network SELinux boolean is disabled:
$ getsebool irssi_use_full_network
If properly configured, the output should show the following:
irssi_use_full_network --> off
Is it the case that irssi_use_full_network is not disabled?

Run the following command to determine if the xdm_bind_vnc_tcp_port SELinux boolean is disabled:
$ getsebool xdm_bind_vnc_tcp_port
If properly configured, the output should show the following:
xdm_bind_vnc_tcp_port --> off
Is it the case that xdm_bind_vnc_tcp_port is not disabled?

Run the following command to determine if the selinuxuser_direct_dri_enabled SELinux boolean is disabled:
$ getsebool selinuxuser_direct_dri_enabled
If properly configured, the output should show the following:
selinuxuser_direct_dri_enabled --> off
Is it the case that selinuxuser_direct_dri_enabled is not disabled?
Run the following command to determine if the swift_can_network SELinux boolean is disabled:
$ getsebool swift_can_network
If properly configured, the output should show the following:
swift_can_network --> off
Is it the case that swift_can_network is not disabled?

Run the following command to determine if the httpd_can_connect_zabbix SELinux boolean is disabled:
$ getsebool httpd_can_connect_zabbix
If properly configured, the output should show the following:
httpd_can_connect_zabbix --> off
Is it the case that httpd_can_connect_zabbix is not disabled?

Run the following command to determine if the mcelog_foreground SELinux boolean is disabled:
$ getsebool mcelog_foreground
If properly configured, the output should show the following:
mcelog_foreground --> off
Is it the case that mcelog_foreground is not disabled?

Run the following command to determine if the cobbler_use_cifs SELinux boolean is disabled:
$ getsebool cobbler_use_cifs
If properly configured, the output should show the following:
cobbler_use_cifs --> off
Is it the case that cobbler_use_cifs is not disabled?

Run the following command to determine if the virt_sandbox_use_sys_admin SELinux boolean is disabled:
$ getsebool virt_sandbox_use_sys_admin
If properly configured, the output should show the following:
virt_sandbox_use_sys_admin --> off
Is it the case that virt_sandbox_use_sys_admin is not disabled?

Run the following command to determine if the virt_use_execmem SELinux boolean is disabled:
$ getsebool virt_use_execmem
If properly configured, the output should show the following:
virt_use_execmem --> off
Is it the case that virt_use_execmem is not disabled?

Run the following command to determine if the exim_can_connect_db SELinux boolean is disabled:
$ getsebool exim_can_connect_db
If properly configured, the output should show the following:
exim_can_connect_db --> off
Is it the case that exim_can_connect_db is not disabled?
Run the following command to determine if the cluster_manage_all_files SELinux boolean is disabled:
$ getsebool cluster_manage_all_files
If properly configured, the output should show the following:
cluster_manage_all_files --> off
Is it the case that cluster_manage_all_files is not disabled?

Run the following command to determine if the xserver_execmem SELinux boolean is disabled:
$ getsebool xserver_execmem
If properly configured, the output should show the following:
xserver_execmem --> off
Is it the case that xserver_execmem is not disabled?

Run the following command to determine if the cobbler_use_nfs SELinux boolean is disabled:
$ getsebool cobbler_use_nfs
If properly configured, the output should show the following:
cobbler_use_nfs --> off
Is it the case that cobbler_use_nfs is not disabled?

Run the following command to determine if the cups_execmem SELinux boolean is disabled:
$ getsebool cups_execmem
If properly configured, the output should show the following:
cups_execmem --> off
Is it the case that cups_execmem is not disabled?

Run the following command to determine if the puppetmaster_use_db SELinux boolean is disabled:
$ getsebool puppetmaster_use_db
If properly configured, the output should show the following:
puppetmaster_use_db --> off
Is it the case that puppetmaster_use_db is not disabled?

Run the following command to determine if the xserver_clients_write_xshm SELinux boolean is disabled:
$ getsebool xserver_clients_write_xshm
If properly configured, the output should show the following:
xserver_clients_write_xshm --> off
Is it the case that xserver_clients_write_xshm is not disabled?

Run the following command to determine if the use_ecryptfs_home_dirs SELinux boolean is disabled:
$ getsebool use_ecryptfs_home_dirs
If properly configured, the output should show the following:
use_ecryptfs_home_dirs --> off
Is it the case that use_ecryptfs_home_dirs is not disabled?
Run the following command to determine if the dbadm_exec_content SELinux boolean is enabled:
$ getsebool dbadm_exec_content
If properly configured, the output should show the following:
dbadm_exec_content --> on
Is it the case that dbadm_exec_content is not enabled?

Run the following command to determine if the use_nfs_home_dirs SELinux boolean is disabled:
$ getsebool use_nfs_home_dirs
If properly configured, the output should show the following:
use_nfs_home_dirs --> off
Is it the case that use_nfs_home_dirs is not disabled?

Run the following command to determine if the tor_can_network_relay SELinux boolean is disabled:
$ getsebool tor_can_network_relay
If properly configured, the output should show the following:
tor_can_network_relay --> off
Is it the case that tor_can_network_relay is not disabled?

Run the following command to determine if the httpd_unified SELinux boolean is disabled:
$ getsebool httpd_unified
If properly configured, the output should show the following:
httpd_unified --> off
Is it the case that httpd_unified is not disabled?

Run the following command to determine if the mock_enable_homedirs SELinux boolean is disabled:
$ getsebool mock_enable_homedirs
If properly configured, the output should show the following:
mock_enable_homedirs --> off
Is it the case that mock_enable_homedirs is not disabled?

Run the following command to determine if the httpd_can_network_relay SELinux boolean is disabled:
$ getsebool httpd_can_network_relay
If properly configured, the output should show the following:
httpd_can_network_relay --> off
Is it the case that httpd_can_network_relay is not disabled?

Run the following command to determine if the xguest_exec_content SELinux boolean is disabled:
$ getsebool xguest_exec_content
If properly configured, the output should show the following:
xguest_exec_content --> off
Is it the case that xguest_exec_content is not disabled?
Run the following command to determine if the nagios_run_sudo SELinux boolean is disabled:
$ getsebool nagios_run_sudo
If properly configured, the output should show the following:
nagios_run_sudo --> off
Is it the case that nagios_run_sudo is not disabled?

Run the following command to determine if the virt_transition_userdomain SELinux boolean is disabled:
$ getsebool virt_transition_userdomain
If properly configured, the output should show the following:
virt_transition_userdomain --> off
Is it the case that virt_transition_userdomain is not disabled?

Run the following command to determine if the httpd_ssi_exec SELinux boolean is disabled:
$ getsebool httpd_ssi_exec
If properly configured, the output should show the following:
httpd_ssi_exec --> off
Is it the case that httpd_ssi_exec is not disabled?

Run the following command to determine if the ksmtuned_use_cifs SELinux boolean is disabled:
$ getsebool ksmtuned_use_cifs
If properly configured, the output should show the following:
ksmtuned_use_cifs --> off
Is it the case that ksmtuned_use_cifs is not disabled?

Run the following command to determine if the mpd_use_cifs SELinux boolean is disabled:
$ getsebool mpd_use_cifs
If properly configured, the output should show the following:
mpd_use_cifs --> off
Is it the case that mpd_use_cifs is not disabled?

Run the following command to determine if the use_lpd_server SELinux boolean is disabled:
$ getsebool use_lpd_server
If properly configured, the output should show the following:
use_lpd_server --> off
Is it the case that use_lpd_server is not disabled?

Run the following command to determine if the polipo_use_nfs SELinux boolean is disabled:
$ getsebool polipo_use_nfs
If properly configured, the output should show the following:
polipo_use_nfs --> off
Is it the case that polipo_use_nfs is not disabled?
Run the following command to determine if the lsmd_plugin_connect_any SELinux boolean is disabled:
$ getsebool lsmd_plugin_connect_any
If properly configured, the output should show the following:
lsmd_plugin_connect_any --> off
Is it the case that lsmd_plugin_connect_any is not disabled?

Run the following command to determine if the ftpd_connect_all_unreserved SELinux boolean is disabled:
$ getsebool ftpd_connect_all_unreserved
If properly configured, the output should show the following:
ftpd_connect_all_unreserved --> off
Is it the case that ftpd_connect_all_unreserved is not disabled?

Run the following command to determine if the virt_use_rawip SELinux boolean is disabled:
$ getsebool virt_use_rawip
If properly configured, the output should show the following:
virt_use_rawip --> off
Is it the case that virt_use_rawip is not disabled?

Run the following command to determine if the gpg_web_anon_write SELinux boolean is disabled:
$ getsebool gpg_web_anon_write
If properly configured, the output should show the following:
gpg_web_anon_write --> off
Is it the case that gpg_web_anon_write is not disabled?

Run the following command to determine if the telepathy_connect_all_ports SELinux boolean is disabled:
$ getsebool telepathy_connect_all_ports
If properly configured, the output should show the following:
telepathy_connect_all_ports --> off
Is it the case that telepathy_connect_all_ports is not disabled?

Run the following command to determine if the tor_bind_all_unreserved_ports SELinux boolean is disabled:
$ getsebool tor_bind_all_unreserved_ports
If properly configured, the output should show the following:
tor_bind_all_unreserved_ports --> off
Is it the case that tor_bind_all_unreserved_ports is not disabled?
Run the following command to determine if the dhcpc_exec_iptables SELinux boolean is disabled:
$ getsebool dhcpc_exec_iptables
If properly configured, the output should show the following:
dhcpc_exec_iptables --> off
Is it the case that dhcpc_exec_iptables is not disabled?

Run the following command to determine if the domain_fd_use SELinux boolean is enabled:
$ getsebool domain_fd_use
If properly configured, the output should show the following:
domain_fd_use --> on
Is it the case that domain_fd_use is not enabled?

Run the following command to determine if the polipo_use_cifs SELinux boolean is disabled:
$ getsebool polipo_use_cifs
If properly configured, the output should show the following:
polipo_use_cifs --> off
Is it the case that polipo_use_cifs is not disabled?

Run the following command to determine if the samba_create_home_dirs SELinux boolean is disabled:
$ getsebool samba_create_home_dirs
If properly configured, the output should show the following:
samba_create_home_dirs --> off
Is it the case that samba_create_home_dirs is not disabled?

Run the following command to determine if the mmap_low_allowed SELinux boolean is disabled:
$ getsebool mmap_low_allowed
If properly configured, the output should show the following:
mmap_low_allowed --> off
Is it the case that mmap_low_allowed is not disabled?

Run the following command to determine if the selinuxuser_share_music SELinux boolean is disabled:
$ getsebool selinuxuser_share_music
If properly configured, the output should show the following:
selinuxuser_share_music --> off
Is it the case that selinuxuser_share_music is not disabled?

Run the following command to determine if the ftpd_use_cifs SELinux boolean is disabled:
$ getsebool ftpd_use_cifs
If properly configured, the output should show the following:
ftpd_use_cifs --> off
Is it the case that ftpd_use_cifs is not disabled?
Run the following command to determine if the xend_run_blktap SELinux boolean is enabled:
$ getsebool xend_run_blktap
If properly configured, the output should show the following:
xend_run_blktap --> on
Is it the case that xend_run_blktap is not enabled?

Run the following command to determine if the mcelog_client SELinux boolean is disabled:
$ getsebool mcelog_client
If properly configured, the output should show the following:
mcelog_client --> off
Is it the case that mcelog_client is not disabled?

Run the following command to determine if the cluster_can_network_connect SELinux boolean is disabled:
$ getsebool cluster_can_network_connect
If properly configured, the output should show the following:
cluster_can_network_connect --> off
Is it the case that cluster_can_network_connect is not disabled?

Run the following command to determine if the selinuxuser_execmod SELinux boolean is enabled:
$ getsebool selinuxuser_execmod
If properly configured, the output should show the following:
selinuxuser_execmod --> on
Is it the case that selinuxuser_execmod is not enabled?

Run the following command to determine if the httpd_use_nfs SELinux boolean is disabled:
$ getsebool httpd_use_nfs
If properly configured, the output should show the following:
httpd_use_nfs --> off
Is it the case that httpd_use_nfs is not disabled?

Run the following command to determine if the cobbler_anon_write SELinux boolean is disabled:
$ getsebool cobbler_anon_write
If properly configured, the output should show the following:
cobbler_anon_write --> off
Is it the case that cobbler_anon_write is not disabled?

Run the following command to determine if the selinuxuser_udp_server SELinux boolean is disabled:
$ getsebool selinuxuser_udp_server
If properly configured, the output should show the following:
selinuxuser_udp_server --> off
Is it the case that selinuxuser_udp_server is not disabled?
Run the following command to determine if the gssd_read_tmp SELinux boolean is enabled:
$ getsebool gssd_read_tmp
If properly configured, the output should show the following:
gssd_read_tmp --> on
Is it the case that gssd_read_tmp is not enabled?

Run the following command to determine if the kdumpgui_run_bootloader SELinux boolean is disabled:
$ getsebool kdumpgui_run_bootloader
If properly configured, the output should show the following:
kdumpgui_run_bootloader --> off
Is it the case that kdumpgui_run_bootloader is not disabled?

Run the following command to determine if the telepathy_tcp_connect_generic_network_ports SELinux boolean is disabled:
$ getsebool telepathy_tcp_connect_generic_network_ports
If properly configured, the output should show the following:
telepathy_tcp_connect_generic_network_ports --> off
Is it the case that telepathy_tcp_connect_generic_network_ports is not disabled?

Run the following command to determine if the rsync_export_all_ro SELinux boolean is disabled:
$ getsebool rsync_export_all_ro
If properly configured, the output should show the following:
rsync_export_all_ro --> off
Is it the case that rsync_export_all_ro is not disabled?

Run the following command to determine if the xguest_connect_network SELinux boolean is disabled:
$ getsebool xguest_connect_network
If properly configured, the output should show the following:
xguest_connect_network --> off
Is it the case that xguest_connect_network is not disabled?

Run the following command to determine if the samba_enable_home_dirs SELinux boolean is disabled:
$ getsebool samba_enable_home_dirs
If properly configured, the output should show the following:
samba_enable_home_dirs --> off
Is it the case that samba_enable_home_dirs is not disabled?
Run the following command to determine if the virt_use_sanlock SELinux boolean is disabled:
$ getsebool virt_use_sanlock
If properly configured, the output should show the following:
virt_use_sanlock --> off
Is it the case that virt_use_sanlock is not disabled?

Run the following command to determine if the saslauthd_read_shadow SELinux boolean is disabled:
$ getsebool saslauthd_read_shadow
If properly configured, the output should show the following:
saslauthd_read_shadow --> off
Is it the case that saslauthd_read_shadow is not disabled?

Run the following command to determine if the xdm_write_home SELinux boolean is disabled:
$ getsebool xdm_write_home
If properly configured, the output should show the following:
xdm_write_home --> off
Is it the case that xdm_write_home is not disabled?

Run the following command to determine if the named_write_master_zones SELinux boolean is disabled:
$ getsebool named_write_master_zones
If properly configured, the output should show the following:
named_write_master_zones --> off
Is it the case that named_write_master_zones is not disabled?

Run the following command to determine if the polipo_session_users SELinux boolean is disabled:
$ getsebool polipo_session_users
If properly configured, the output should show the following:
polipo_session_users --> off
Is it the case that polipo_session_users is not disabled?

Run the following command to determine if the sysadm_exec_content SELinux boolean is enabled:
$ getsebool sysadm_exec_content
If properly configured, the output should show the following:
sysadm_exec_content --> on
Is it the case that sysadm_exec_content is not enabled?

Run the following command to determine if the xguest_use_bluetooth SELinux boolean is disabled:
$ getsebool xguest_use_bluetooth
If properly configured, the output should show the following:
xguest_use_bluetooth --> off
Is it the case that xguest_use_bluetooth is not disabled?
Run the following command to determine if the unprivuser_use_svirt SELinux boolean is disabled:
$ getsebool unprivuser_use_svirt
If properly configured, the output should show the following:
unprivuser_use_svirt --> off
Is it the case that unprivuser_use_svirt is not disabled?

Run the following command to determine if the kerberos_enabled SELinux boolean is enabled:
$ getsebool kerberos_enabled
If properly configured, the output should show the following:
kerberos_enabled --> on
Is it the case that kerberos_enabled is not enabled?

Run the following command to determine if the sge_domain_can_network_connect SELinux boolean is disabled:
$ getsebool sge_domain_can_network_connect
If properly configured, the output should show the following:
sge_domain_can_network_connect --> off
Is it the case that sge_domain_can_network_connect is not disabled?

Run the following command to determine if the sanlock_use_samba SELinux boolean is disabled:
$ getsebool sanlock_use_samba
If properly configured, the output should show the following:
sanlock_use_samba --> off
Is it the case that sanlock_use_samba is not disabled?

Run the following command to determine if the irc_use_any_tcp_ports SELinux boolean is disabled:
$ getsebool irc_use_any_tcp_ports
If properly configured, the output should show the following:
irc_use_any_tcp_ports --> off
Is it the case that irc_use_any_tcp_ports is not disabled?

Run the following command to determine if the ftpd_anon_write SELinux boolean is disabled:
$ getsebool ftpd_anon_write
If properly configured, the output should show the following:
ftpd_anon_write --> off
Is it the case that ftpd_anon_write is not disabled?

Run the following command to determine if the guest_exec_content SELinux boolean is disabled:
$ getsebool guest_exec_content
If properly configured, the output should show the following:
guest_exec_content --> off
Is it the case that guest_exec_content is not disabled?
Run the following command to determine if the selinuxuser_execheap SELinux boolean is disabled:
$ getsebool selinuxuser_execheap
If properly configured, the output should show the following:
selinuxuser_execheap --> off
Is it the case that selinuxuser_execheap is not disabled?

Run the following command to determine if the secure_mode_policyload SELinux boolean is disabled:
$ getsebool secure_mode_policyload
If properly configured, the output should show the following:
secure_mode_policyload --> off
Is it the case that secure_mode_policyload is not disabled?

Run the following command to determine if the httpd_mod_auth_ntlm_winbind SELinux boolean is disabled:
$ getsebool httpd_mod_auth_ntlm_winbind
If properly configured, the output should show the following:
httpd_mod_auth_ntlm_winbind --> off
Is it the case that httpd_mod_auth_ntlm_winbind is not disabled?

Run the following command to determine if the httpd_use_openstack SELinux boolean is disabled:
$ getsebool httpd_use_openstack
If properly configured, the output should show the following:
httpd_use_openstack --> off
Is it the case that httpd_use_openstack is not disabled?

Run the following command to determine if the httpd_use_cifs SELinux boolean is disabled:
$ getsebool httpd_use_cifs
If properly configured, the output should show the following:
httpd_use_cifs --> off
Is it the case that httpd_use_cifs is not disabled?

Run the following command to determine if the postgresql_selinux_users_ddl SELinux boolean is enabled:
$ getsebool postgresql_selinux_users_ddl
If properly configured, the output should show the following:
postgresql_selinux_users_ddl --> on
Is it the case that postgresql_selinux_users_ddl is not enabled?

Run the following command to determine if the nfs_export_all_ro SELinux boolean is enabled:
$ getsebool nfs_export_all_ro
If properly configured, the output should show the following:
nfs_export_all_ro --> on
Is it the case that nfs_export_all_ro is not enabled?
Run the following command to determine if the daemons_dump_core SELinux boolean is disabled:
  $ getsebool daemons_dump_core
If properly configured, the output should show the following:
  daemons_dump_core --> off
Is it the case that daemons_dump_core is not disabled?

Run the following command to determine if the postfix_local_write_mail_spool SELinux boolean is enabled:
  $ getsebool postfix_local_write_mail_spool
If properly configured, the output should show the following:
  postfix_local_write_mail_spool --> on
Is it the case that postfix_local_write_mail_spool is not enabled?

Run the following command to determine if the xdm_exec_bootloader SELinux boolean is disabled:
  $ getsebool xdm_exec_bootloader
If properly configured, the output should show the following:
  xdm_exec_bootloader --> off
Is it the case that xdm_exec_bootloader is not disabled?

Run the following command to determine if the httpd_dbus_avahi SELinux boolean is disabled:
  $ getsebool httpd_dbus_avahi
If properly configured, the output should show the following:
  httpd_dbus_avahi --> off
Is it the case that httpd_dbus_avahi is not disabled?

Run the following command to determine if the exim_read_user_files SELinux boolean is disabled:
  $ getsebool exim_read_user_files
If properly configured, the output should show the following:
  exim_read_user_files --> off
Is it the case that exim_read_user_files is not disabled?

Run the following command to determine if the cvs_read_shadow SELinux boolean is disabled:
  $ getsebool cvs_read_shadow
If properly configured, the output should show the following:
  cvs_read_shadow --> off
Is it the case that cvs_read_shadow is not disabled?

Run the following command to determine if the racoon_read_shadow SELinux boolean is disabled:
  $ getsebool racoon_read_shadow
If properly configured, the output should show the following:
  racoon_read_shadow --> off
Is it the case that racoon_read_shadow is not disabled?
Run the following command to determine if the git_system_enable_homedirs SELinux boolean is disabled:
  $ getsebool git_system_enable_homedirs
If properly configured, the output should show the following:
  git_system_enable_homedirs --> off
Is it the case that git_system_enable_homedirs is not disabled?

Run the following command to determine if the fips_mode SELinux boolean is enabled:
  $ getsebool fips_mode
If properly configured, the output should show the following:
  fips_mode --> on
Is it the case that fips_mode is not enabled?

Run the following command to determine if the httpd_can_network_connect_cobbler SELinux boolean is disabled:
  $ getsebool httpd_can_network_connect_cobbler
If properly configured, the output should show the following:
  httpd_can_network_connect_cobbler --> off
Is it the case that httpd_can_network_connect_cobbler is not disabled?

Run the following command to determine if the polyinstantiation_enabled SELinux boolean is disabled:
  $ getsebool polyinstantiation_enabled
If properly configured, the output should show the following:
  polyinstantiation_enabled --> off
Is it the case that polyinstantiation_enabled is not disabled?

Run the following command to determine if the icecast_use_any_tcp_ports SELinux boolean is disabled:
  $ getsebool icecast_use_any_tcp_ports
If properly configured, the output should show the following:
  icecast_use_any_tcp_ports --> off
Is it the case that icecast_use_any_tcp_ports is not disabled?

Run the following command to determine if the selinuxuser_use_ssh_chroot SELinux boolean is disabled:
  $ getsebool selinuxuser_use_ssh_chroot
If properly configured, the output should show the following:
  selinuxuser_use_ssh_chroot --> off
Is it the case that selinuxuser_use_ssh_chroot is not disabled?
Run the following command to determine if the authlogin_nsswitch_use_ldap SELinux boolean is disabled:
  $ getsebool authlogin_nsswitch_use_ldap
If properly configured, the output should show the following:
  authlogin_nsswitch_use_ldap --> off
Is it the case that authlogin_nsswitch_use_ldap is not disabled?

Run the following command to determine if the virt_sandbox_use_mknod SELinux boolean is disabled:
  $ getsebool virt_sandbox_use_mknod
If properly configured, the output should show the following:
  virt_sandbox_use_mknod --> off
Is it the case that virt_sandbox_use_mknod is not disabled?

Run the following command to determine if the selinuxuser_ping SELinux boolean is enabled:
  $ getsebool selinuxuser_ping
If properly configured, the output should show the following:
  selinuxuser_ping --> on
Is it the case that selinuxuser_ping is not enabled?

Run the following command to determine if the logging_syslogd_run_nagios_plugins SELinux boolean is disabled:
  $ getsebool logging_syslogd_run_nagios_plugins
If properly configured, the output should show the following:
  logging_syslogd_run_nagios_plugins --> off
Is it the case that logging_syslogd_run_nagios_plugins is not disabled?

Run the following command to determine if the mpd_enable_homedirs SELinux boolean is disabled:
  $ getsebool mpd_enable_homedirs
If properly configured, the output should show the following:
  mpd_enable_homedirs --> off
Is it the case that mpd_enable_homedirs is not disabled?

Run the following command to determine if the ftpd_use_passive_mode SELinux boolean is disabled:
  $ getsebool ftpd_use_passive_mode
If properly configured, the output should show the following:
  ftpd_use_passive_mode --> off
Is it the case that ftpd_use_passive_mode is not disabled?
Run the following command to determine if the secadm_exec_content SELinux boolean is enabled:
  $ getsebool secadm_exec_content
If properly configured, the output should show the following:
  secadm_exec_content --> on
Is it the case that secadm_exec_content is not enabled?

Run the following command to determine if the postgresql_selinux_transmit_client_label SELinux boolean is disabled:
  $ getsebool postgresql_selinux_transmit_client_label
If properly configured, the output should show the following:
  postgresql_selinux_transmit_client_label --> off
Is it the case that postgresql_selinux_transmit_client_label is not disabled?

Run the following command to determine if the git_session_users SELinux boolean is disabled:
  $ getsebool git_session_users
If properly configured, the output should show the following:
  git_session_users --> off
Is it the case that git_session_users is not disabled?

Inspect /etc/default/grub for any instances of selinux=0 in the kernel boot arguments. Presence of selinux=0 indicates that SELinux is disabled at boot time.
Is it the case that SELinux is disabled at boot time?

Check the file /etc/selinux/config and ensure the following line appears:
  SELINUXTYPE=
Is it the case that it does not?

To check for unlabeled device files, run the following command:
  $ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
It should produce no output in a well-configured system.
Is it the case that there is output?

To verify the operating system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures, run the following command:
  $ sudo semanage login -l
All administrators must be mapped to the sysadm_u or staff_u users with the appropriate domains (sysadm_t and staff_t). All authorized non-administrative users must be mapped to the user_u role or the appropriate domain (user_t).
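The getsebool checks above are one boolean at a time; the function below, an added example that is not part of the SCAP Security Guide, audits a whole expectation list in one pass against the "name --> state" format that getsebool -a prints. The sample getsebool output and the expectation list are constructed here so the check runs offline; on a host, feed it the real output of getsebool -a.

```shell
# Added example (not SCAP Security Guide code): audit SELinux booleans against
# expected states. Input format is the one `getsebool -a` prints:
#   name --> on|off

# Constructed sample of `getsebool -a` output (a real host lists a few hundred).
SAMPLE_SEBOOLS=$(mktemp)
cat > "$SAMPLE_SEBOOLS" <<'EOF'
cvs_read_shadow --> off
daemons_dump_core --> on
fips_mode --> on
ftpd_anon_write --> off
kerberos_enabled --> off
selinuxuser_execheap --> off
EOF

# Expected states, taken from the checks above: "name expected" per line.
SEBOOL_EXPECT=$(mktemp)
cat > "$SEBOOL_EXPECT" <<'EOF'
cvs_read_shadow off
daemons_dump_core off
fips_mode on
ftpd_anon_write off
kerberos_enabled on
racoon_read_shadow off
selinuxuser_execheap off
EOF

# check_sebools ACTUAL_FILE EXPECT_FILE
# Prints one finding per line as "name actual expected" (actual is "missing"
# when the boolean does not exist on the host, which also counts as a finding).
# Returns 0 when every expected boolean is present and in its expected state.
check_sebools() {
    awk '
        NR == FNR {                       # first file: actual "name --> state"
            actual[$1] = $3; next
        }
        {                                 # second file: "name expected"
            state = ($1 in actual) ? actual[$1] : "missing"
            if (state != $2) { printf "%s %s %s\n", $1, state, $2; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    ' "$1" "$2"
}

# count_sebool_findings ACTUAL_FILE EXPECT_FILE: number of mismatched booleans
count_sebool_findings() {
    check_sebools "$1" "$2" | wc -l | tr -d ' '
}

# Demo on the constructed sample: on a host use `getsebool -a > /tmp/sebools`.
check_sebools "$SAMPLE_SEBOOLS" "$SEBOOL_EXPECT" || echo "booleans above need attention"
```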
Is it the case that non-admin users are not confined correctly?

Check the file /etc/selinux/config and ensure the following line appears:
  SELINUX=
Is it the case that SELINUX is not set to enforcing?

To check the minimum password length, run the command:
  $ grep PASS_MIN_LEN /etc/login.defs
The DoD requirement is 15.
Is it the case that it is not set to the required value?

To check the password warning age, run the command:
  $ grep PASS_WARN_AGE /etc/login.defs
The DoD requirement is 7.
Is it the case that it is not set to the required value?

To check the minimum password age, run the command:
  $ grep PASS_MIN_DAYS /etc/login.defs
Is it the case that it is not equal to or greater than the required value?

To check the maximum password age, run the command:
  $ grep PASS_MAX_DAYS /etc/login.defs
The DoD and FISMA requirement is 60. A value of 180 days is sufficient for many environments.
Is it the case that PASS_MAX_DAYS is not set equal to or greater than the required value?

Check whether the minimum time period between password changes for each user account is one day or greater by running the following command for each user:
  $ sudo chage -l USER | grep Minimum
The output for each user should return something similar to the following:
  Minimum number of days between password change          : 1
Is it the case that existing passwords are not configured correctly?

Check whether the maximum time period for existing passwords is restricted to 60 days by running the following command for each user:
  $ sudo chage -l USER | grep Maximum
The output for each user should return something similar to the following:
  Maximum number of days between password change          : 60
Is it the case that existing passwords are not configured correctly?

To check for serial port entries which permit root login, run the following command:
  $ sudo grep ^ttyS/[0-9] /etc/securetty
If any output is returned, then root login over serial ports is permitted.
Is it the case that root login over serial ports is permitted?

To view the root user's PATH, run the following command:
  $ sudo env | grep PATH
If correctly configured, the PATH must: use vendor default settings, have no empty entries, and have no entries beginning with a character other than a slash (/).
Is it the case that any of these conditions are not met?

To ensure root may not directly login to the system over physical consoles, run the following command:
  cat /etc/securetty
If any output is returned, this is a finding.
Is it the case that the /etc/securetty file is not empty?

Check the root home directory for a .mozilla directory. If one exists, ensure browsing is limited to local service administration.
Is it the case that this is not the case?

To obtain a listing of all users and the contents of their shadow password field, run the command:
  $ sudo awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1 ":" $2}' /etc/shadow
Identify the system accounts from this listing. These will primarily be the accounts with UID numbers less than UID_MIN, other than root. The value of the UID_MIN directive is set in the /etc/login.defs configuration file. In the default configuration, UID_MIN is set to 500.
Is it the case that it is not?

To check for virtual console entries which permit root login, run the following command:
  $ sudo grep ^vc/[0-9] /etc/securetty
If any output is returned, then root logins over virtual console devices are permitted.
Is it the case that root login over virtual console devices is permitted?

To obtain a listing of all users, their UIDs, and their shells, run the command:
  $ awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd
Identify the system accounts from this listing. These will primarily be the accounts with UID numbers less than UID_MIN, other than root. The value of the UID_MIN directive is set in the /etc/login.defs configuration file. In the default configuration UID_MIN is set to 1000.
Is it the case that any system account (other than root) has a login shell?
To list all password file entries for accounts with UID 0, run the following command:
  $ awk -F: '($3 == "0") {print}' /etc/passwd
This should print only one line, for the user root. If there is a finding, change the UID of the failing (non-root) user. If the account is associated with the system commands or applications the UID should be changed to one greater than 0 but less than 1000. Otherwise assign a UID of greater than 1000 that has not already been assigned.
Is it the case that any account other than root has a UID of 0?

Verify that the system is integrated with a centralized authentication mechanism such as Active Directory, Kerberos, Directory Server, etc. that has automated account mechanisms in place.
Is it the case that the system is not using a centralized authentication mechanism, or it is not automated?

Run the following command to check for duplicate account names:
  $ sudo pwck -qr
If there are no duplicate names, no line will be returned.
Is it the case that a line is returned?

To verify the INACTIVE setting, run the following command:
  $ grep "INACTIVE" /etc/default/useradd
The output should indicate the INACTIVE configuration option is set to an appropriate integer as shown in the example below:
  $ grep "INACTIVE" /etc/default/useradd
  INACTIVE=
Is it the case that the value of INACTIVE is greater than the expected value?

For every temporary and emergency account, run the following command to obtain its account aging and expiration information:
  $ sudo chage -l USER
Verify each of these accounts has an expiration date set as documented.
Is it the case that any temporary or emergency accounts have no expiration date set or do not expire within a documented time frame?

To check the system for the existence of any .netrc files, run the following command:
  $ sudo find /home -xdev -name .netrc
Is it the case that any .netrc files exist?
To verify that null passwords cannot be used, run the following command:
  $ grep nullok /etc/pam.d/system-auth
If this produces any output, it may be possible to log into accounts with empty passwords. Remove any instances of the nullok option to prevent logins with empty passwords.
Is it the case that NULL passwords can be used?

To check that no password hashes are stored in /etc/passwd, run the following command:
  awk '!/\S:x|\*/ {print}' /etc/passwd
If it produces any output, then a password hash is stored in /etc/passwd.
Is it the case that any stored hashes are found in /etc/passwd?

To ensure all GIDs referenced in /etc/passwd are defined in /etc/group, run the following command:
  $ sudo pwck -qr
There should be no output.
Is it the case that GIDs referenced in /etc/passwd are returned as not defined in /etc/group?

Run the following command to determine if the screen package is installed:
  $ rpm -q screen
Is it the case that the package is not installed?

To verify the operating system has the packages required for multifactor authentication installed, run the following command:
  $ sudo yum list installed esc pam_pkcs11 authconfig-gtk
Is it the case that smartcard software is not installed?

To verify that is configured as the smart card driver, run the following command changing ARCH for the architecture of your operating system:
  $ grep card_drivers /etc/opensc-ARCH
The output should return something similar to:
  card_drivers = ;
Is it the case that the smart card driver is not configured correctly?

To verify that opensc is configured in the NSS database, run the following command:
  $ pkcs11-switch
The output should return opensc.
Is it the case that opensc is not in use by the nss database?
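The /etc/passwd and /etc/shadow checks above (UID 0 accounts, system accounts with a login shell, hashes stored in /etc/passwd, system accounts with a usable password) and the chage minimum/maximum age checks earlier are automated here in one script, an added example that is not part of the SCAP Security Guide. The passwd, shadow and login.defs excerpts are constructed with placeholder hashes; each function takes file paths so it can be pointed at the real files on a host (reading /etc/shadow needs root).

```shell
# Added example (not SCAP Security Guide code): account audit over passwd,
# shadow and login.defs. Sample files are constructed; hashes are placeholders.
SAMPLE_PASSWD=$(mktemp); SAMPLE_SHADOW=$(mktemp); SAMPLE_LOGIN_DEFS=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
backup:x:0:0:second uid 0 account:/root:/bin/bash
svcacct:x:450:450:service account:/var/lib/svc:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:$6$PLACEHOLDER$HASH:1001:1001:Bob:/home/bob:/bin/bash
EOF
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$PLACEHOLDER$HASH:18000:1:60:7:::
bin:*:18000:0:99999:7:::
sync:*:18000:0:99999:7:::
backup:!!:18000:0:99999:7:::
svcacct:$6$PLACEHOLDER$HASH:18000:0:99999:7:::
alice:$6$PLACEHOLDER$HASH:18000:1:60:7:::
bob:$6$PLACEHOLDER$HASH:18000:0:99999:7:::
EOF
cat > "$SAMPLE_LOGIN_DEFS" <<'EOF'
# constructed excerpt of /etc/login.defs
PASS_MAX_DAYS 60
PASS_MIN_DAYS 1
UID_MIN 1000
EOF

# uid_min LOGIN_DEFS: value of UID_MIN, falling back to 1000 when it is absent
uid_min() {
    awk '$1 == "UID_MIN" { v = $2 } END { print (v == "" ? 1000 : v) }' "$1"
}

# uid0_accounts PASSWD: every account with UID 0 other than root
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# system_shells PASSWD LOGIN_DEFS: non-root accounts below UID_MIN whose shell
# is neither nologin nor /bin/false (site policy decides about sync/halt/shutdown)
system_shells() {
    awk -F: -v min="$(uid_min "$2")" '
        $1 != "root" && $3 < min && $7 !~ /nologin$/ && $7 != "/bin/false" { print $1 ":" $7 }
    ' "$1"
}

# hashes_in_passwd PASSWD: accounts whose passwd password field is not "x" or "*"
hashes_in_passwd() {
    awk -F: '$2 != "x" && $2 != "*" { print $1 ":" ($2 == "" ? "empty" : "hash") }' "$1"
}

# unlocked_system_accounts PASSWD SHADOW LOGIN_DEFS: non-root accounts below
# UID_MIN whose shadow field is usable (does not start with ! or *; empty counts)
unlocked_system_accounts() {
    awk -F: -v min="$(uid_min "$3")" '
        NR == FNR { if ($1 != "root" && $3 < min) sys[$1] = 1; next }
        ($1 in sys) && $2 !~ /^[!*]/ { print $1 }
    ' "$1" "$2"
}

# password_age_findings SHADOW: accounts with a usable password whose minimum
# age is below 1 day or whose maximum age exceeds 60 days (the chage -l checks)
password_age_findings() {
    awk -F: '$2 !~ /^[!*]/ && ($4 < 1 || $5 > 60) { print $1 ":min=" $4 ":max=" $5 }' "$1"
}

# Demo on the constructed sample files.
echo "UID 0 accounts other than root:"; uid0_accounts "$SAMPLE_PASSWD"
echo "System accounts with a login shell:"; system_shells "$SAMPLE_PASSWD" "$SAMPLE_LOGIN_DEFS"
echo "Hashes in passwd:"; hashes_in_passwd "$SAMPLE_PASSWD"
echo "Unlocked system accounts:"; unlocked_system_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" "$SAMPLE_LOGIN_DEFS"
echo "Password age findings:"; password_age_findings "$SAMPLE_SHADOW"
```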
To verify the operating system implements certificate status checking for PKI authentication, run the following command:
  $ sudo grep -i cert_policy /etc/pam_pkcs11/pam_pkcs11.conf
The output should return multiple lines similar to the following:
  cert_policy = ca, ocsp_on, signature;
  cert_policy = ca, ocsp_on, signature;
  cert_policy = ca, ocsp_on, signature;
Is it the case that ocsp_on is not configured?

To verify that is configured as the smart card driver, run the following command changing ARCH for the architecture of your operating system:
  $ grep card_drivers /etc/opensc-ARCH
The output should return something similar to:
  card_drivers = ;
Is it the case that the smart card driver is not configured correctly?

Run the following command to determine if the pcsc-lite package is installed:
  $ rpm -q pcsc-lite
Is it the case that the package is not installed?

Run the following command to determine the current status of the pcscd service:
  $ systemctl is-active pcscd
If the service is running, it should return the following:
  active
Is it the case that the pcscd service is not enabled?

Interview the SA to determine if all accounts not exempted by policy are using CAC authentication. For DoD systems, the following systems and accounts are exempt from using smart card (CAC) authentication:
  - SIPRNET systems
  - Standalone systems
  - Application accounts
  - Temporary employee accounts, such as students or interns, who cannot easily receive a CAC or PIV
  - Operational tactical locations that are not collocated with RAPIDS workstations to issue CAC or ALT
  - Test systems, such as those with an Interim Approval to Test (IATT) and use a separate VPN, firewall, or security measure preventing access to network and system components from outside the protection boundary documented in the IATT.
Is it the case that non-exempt accounts are not using CAC authentication?

Run the following command to determine if the opensc package is installed:
  $ rpm -q opensc
Is it the case that the package is not installed?
To check if authentication is required for single-user mode, run the following command:
  $ grep sulogin /usr/lib/systemd/system/rescue.service
The output should be similar to the following, and the line must begin with ExecStart and /sbin/sulogin.
  ExecStart=-/sbin/sulogin
Is it the case that the output is different?

To ensure the system is configured to ignore the Ctrl-Alt-Del setting, enter the following command:
  $ sudo grep -i ctrlaltdelburstaction /etc/systemd/system.conf
The output should return:
  CtrlAltDelBurstAction=none
Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed more than 7 times in 2 seconds?

Inspect /etc/default/grub for any instances of systemd.confirm_spawn=(1|yes|true|on) in the kernel boot arguments. Presence of a systemd.confirm_spawn=(1|yes|true|on) indicates that interactive boot is enabled at boot time.
Is it the case that interactive boot is enabled at boot time?

To ensure the system is configured to mask the Ctrl-Alt-Del sequence, enter the following command:
  $ sudo ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
or
  $ sudo systemctl mask ctrl-alt-del.target
Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed?

To check that the debug-shell service is disabled in system boot configuration, run the following command:
  $ systemctl is-enabled debug-shell
Output should indicate the debug-shell service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
  $ systemctl is-enabled debug-shell
  disabled
Run the following command to verify debug-shell is not active (i.e. not running) through current runtime configuration:
  $ systemctl is-active debug-shell
If the service is not running the command will return the following output:
  inactive
Is it the case that ?
To ensure write permissions are disabled for group and other for each element in root's path, run the following command:
  # ls -ld DIR
Is it the case that group or other write permissions exist?

Verify the UMASK setting is not configured for interactive users, run the following command:
  $ sudo grep -ri "UMASK" /home
There should be no output.
Is it the case that the above command returns no output, or if the umask is configured incorrectly?

Verify the UMASK setting is configured correctly in the /etc/login.defs file by running the following command:
  # grep -i "UMASK" /etc/login.defs
All output must show the value of umask set as shown in the below:
  # grep -i "UMASK" /etc/login.defs
  umask
Is it the case that the above command returns no output, or if the umask is configured incorrectly?

Verify the umask setting is configured correctly in the /etc/bashrc file by running the following command:
  # grep "umask" /etc/bashrc
All output must show the value of umask set as shown below:
  # grep "umask" /etc/bashrc
  umask
  umask
Is it the case that the above command returns no output, or if the umask is configured incorrectly?

Verify the umask setting is configured correctly in the /etc/csh.cshrc file by running the following command:
  # grep "umask" /etc/csh.cshrc
All output must show the value of umask set as shown in the below:
  # grep "umask" /etc/csh.cshrc
  umask
Is it the case that the above command returns no output, or if the umask is configured incorrectly?

Verify the umask setting is configured correctly in the /etc/profile file by running the following command:
  # grep "umask" /etc/profile
All output must show the value of umask set as shown in the below:
  # grep "umask" /etc/profile
  umask
Is it the case that the above command returns no output, or if the umask is configured incorrectly?
Run the following command to ensure the TMOUT value is configured for all users on the system:
  $ sudo grep TMOUT /etc/profile
The output should return the following:
  TMOUT=
Is it the case that the value of TMOUT is not less than or equal to the expected setting?

To ensure the user home directory is not group-writable or world-readable, run the following:
  # ls -ld /home/USER
Is it the case that the user home directory is group-writable or world-readable?

To verify all local initialization files for interactive users are owned by the primary user, run the following command:
  $ sudo ls -al /home/USER/.*
The user initialization files should be owned by USER.
Is it the case that they are not?

To verify the assigned home directory of all interactive users on the system exist, run the following command:
  $ sudo pwck -r
The output should not return any interactive users.
Is it the case that a user's home directory does not exist?

To verify that local initialization files do not execute world-writable programs, execute the following command:
  $ sudo find /home -type f -name ".[^.]*" -perm -002 -exec ls -ld {} \;
There should be no output.
Is it the case that files are executing world-writable programs?

Check if the system is configured to create home directories for local interactive users with the following command:
  $ sudo grep create_home /etc/login.defs
Is it the case that the value of CREATE_HOME is not set to yes, is missing, or the line is commented out?

Verify the FAIL_DELAY setting is configured correctly in the /etc/login.defs file by running the following command:
  $ sudo grep -i "FAIL_DELAY" /etc/login.defs
All output must show the value of FAIL_DELAY set as shown in the below:
  $ sudo grep -i "FAIL_DELAY" /etc/login.defs
  fail_delay
Is it the case that the above command returns no output, or FAIL_DELAY is configured less than the expected value?
To verify all files and directories in interactive user home directory are group-owned by a group the user is a member of, run the following command:
  $ sudo ls -lLR /home/USER
Is it the case that the group ownership is incorrect?

To verify that all interactive user initialization files executable search path statements do not contain statements that will reference a working directory other than the users home directory, run the following command:
  $ sudo grep -r PATH /home/
Inspect the output for any PATH that references directories outside the home directory.
Is it the case that paths contain more than local home directories?

To verify all files and directories contained in interactive user home directory, excluding local initialization files, have a mode of 0750, run the following command:
  $ sudo ls -lLR /home/USER
Is it the case that home directory files or folders have incorrect permissions?

Run the following command to ensure the maxlogins value is configured for all users on the system:
  # grep "maxlogins" /etc/security/limits.conf
You should receive output similar to the following:
  *        hard    maxlogins    
Is it the case that maxlogins is not equal to or less than the expected value?

To verify the assigned home directory of all interactive users is group-owned by that user's primary GID, run the following command:
  $ sudo ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)
Is it the case that the group ownership is incorrect?

To verify interactive users on the system have a home directory assigned, run the following command:
  $ sudo awk -F":" '{print $1 ":" $6}' /etc/passwd
Inspect the output and verify that all interactive users have a home directory defined.
Is it the case that a user's home directory is not defined?

To verify that all user initialization files have a mode of 0740 or less permissive, run the following command:
  $ sudo find /home -type f -name '\.*' \( -perm -0002 -o -perm -0020 \)
There should be no output.
Is it the case that they are not 0740 or more permissive?

To verify the home directory ownership, run the following command:
  $ sudo ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)
Is it the case that the user ownership is incorrect?

To verify all files and directories in interactive users home directory are owned by the user, run the following command:
  $ sudo ls -lLR /home/USER
Is it the case that the user ownership is incorrect?

To verify the local initialization files of all local interactive users are group-owned by the appropriate user, inspect the primary group of the respective users in /etc/passwd and verify all initialization files under the respective users home directory. Check the group owner of all local interactive users initialization files.
Is it the case that they are not?

To verify the assigned home directory of all interactive user home directories have a mode of 0750 or less permissive, run the following command:
  $ sudo ls -l /home
Inspect the output for any directories with incorrect permissions.
Is it the case that they are more permissive?

To ensure a login warning banner is enabled, run the following:
  $ grep banner-message-enable /etc/dconf/db/gdm.d/*
If properly configured, the output should be true.
To ensure a login warning banner is locked and cannot be changed by a user, run the following:
  $ grep banner-message-enable /etc/dconf/db/gdm.d/locks/*
If properly configured, the output should be /org/gnome/login-screen/banner-message-enable.
Is it the case that it is not?

To ensure the login warning banner text is properly set, run the following:
  $ grep banner-message-text /etc/dconf/db/gdm.d/*
If properly configured, the proper banner text will appear.
To ensure the login warning banner text is locked and cannot be changed by a user, run the following:
  $ grep banner-message-text /etc/dconf/db/gdm.d/locks/*
If properly configured, the output should be /org/gnome/login-screen/banner-message-text.
Is it the case that it does not?
To ensure a login warning banner is enabled, run the following:
  $ gconftool-2 -g /apps/gdm/simple-greeter/banner_message_enable
Search for the banner_message_enable schema. If properly configured, the default value should be true.
Is it the case that it is not?

To ensure the login warning banner text is properly set, run the following:
  $ gconftool-2 -g /apps/gdm/simple-greeter/banner_message_text
If properly configured, the proper banner text will appear within this schema.
Is it the case that it does not?

To check if the system login banner is compliant, run the following command:
  $ cat /etc/issue
Is it the case that it does not display the required banner?

Inspect /etc/login.defs and ensure the following line appears:
  ENCRYPT_METHOD SHA512
Is it the case that it does not?

Inspect /etc/libuser.conf and ensure the following line appears in the [default] section:
  crypt_style = sha512
Is it the case that it does not?

Inspect the password section of /etc/pam.d/system-auth and ensure that the pam_unix.so module includes the argument sha512:
  $ grep sha512 /etc/pam.d/system-auth
Is it the case that it does not?

To ensure that even the root account is locked after a defined number of failed password attempts, run the following command:
  $ grep even_deny_root /etc/pam.d/system-auth
The output should show even_deny_root.
Is it the case that that is not the case?

To ensure the failed password attempt policy is configured correctly, run the following command:
  $ grep pam_faillock /etc/pam.d/system-auth
The output should show unlock_time=<some-large-number> or never.
Is it the case that unlock_time is less than the expected value?

To verify the password reuse setting is compliant, run the following command:
  $ grep remember /etc/pam.d/system-auth
The output should show the following at the end of the line:
  remember=
Is it the case that the value of remember is not set equal to or greater than the expected setting?
To ensure the failed password attempt policy is configured correctly, run the following command:
  $ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
For each file, the output should show fail_interval=<interval-in-seconds> where interval-in-seconds is or greater. If the fail_interval parameter is not set, the default setting of 900 seconds is acceptable.
Is it the case that fail_interval is less than the required value?

To ensure the failed password attempt policy is configured correctly, run the following command:
  $ grep pam_faillock /etc/pam.d/system-auth
The output should show deny=.
Is it the case that that is not the case?

To check how many characters are required in a password, run the following command:
  $ grep minlen /etc/security/pwquality.conf
Your output should contain minlen =
Is it the case that minlen is not found, or not equal to or greater than the required value?

To check the value for maximum consecutive repeating characters, run the following command:
  $ grep maxclassrepeat /etc/security/pwquality.conf
For DoD systems, the output should show maxclassrepeat=4.
Is it the case that that is not the case?

To check the maximum value for consecutive repeating characters, run the following command:
  $ grep maxrepeat /etc/security/pwquality.conf
Look for the value of the maxrepeat parameter. The DoD requirement is 3, which would appear as maxrepeat=3.
Is it the case that maxrepeat is not found or not greater than or equal to the required value?

To check how many digits are required in a password, run the following command:
  $ grep dcredit /etc/security/pwquality.conf
The dcredit parameter (as a negative number) will indicate how many digits are required. The DoD requires at least one digit in a password. This would appear as dcredit = -1.
Is it the case that dcredit is not found or not equal to or less than the required value?
To check how many categories of characters must be used in password during a password change, run the following command:
  $ grep minclass /etc/security/pwquality.conf
The minclass parameter will indicate how many character classes must be used. If the requirement was for the password to contain characters from three different categories, then this would appear as minclass = 3.
Is it the case that minclass is not found or not set equal to or greater than the required value?

To check how many characters must differ during a password change, run the following command:
  $ grep difok /etc/security/pwquality.conf
The difok parameter will indicate how many characters must differ.
Is it the case that difok is not found or not equal to or greater than the required value?

To check how many special characters are required in a password, run the following command:
  $ grep ocredit /etc/security/pwquality.conf
The ocredit parameter (as a negative number) will indicate how many special characters are required. The DoD and FISMA require at least one special character in a password. This would appear as ocredit = -1.
Is it the case that ocredit is not found or not equal to or less than the required value?

To check how many lowercase characters are required in a password, run the following command:
  $ grep lcredit /etc/security/pwquality.conf
The lcredit parameter (as a negative number) will indicate how many lowercase characters are required. The DoD and FISMA require at least one lowercase character in a password. This would appear as lcredit = -1.
Is it the case that lcredit is not found or not less than or equal to the required value?

To check how many uppercase characters are required in a password, run the following command:
  $ grep ucredit /etc/security/pwquality.conf
The ucredit parameter (as a negative number) will indicate how many uppercase characters are required. The DoD and FISMA require at least one uppercase character in a password. This would appear as ucredit = -1.
Is it the case that ucredit is not found or not set less than or equal to the required value?

To check how many retry attempts are permitted on a per-session basis, run the following command:
$ grep pam_pwquality /etc/pam.d/system-auth
The retry parameter will indicate how many attempts are permitted. The DoD required value is less than or equal to 3. This would appear as retry=3, or a lower value.
Is it the case that it is not the required value?

To check how many retry attempts are permitted on a per-session basis, run the following command:
$ grep pam_cracklib /etc/pam.d/system-auth
The retry parameter will indicate how many attempts are permitted. The DoD required value is less than or equal to 3. This would appear as retry=3, or a lower value.
Is it the case that it is not the required value?

To check how many special characters are required in a password, run the following command:
$ grep pam_cracklib /etc/pam.d/system-auth
The ocredit parameter (as a negative number) will indicate how many special characters are required. The DoD and FISMA require at least one special character in a password. This would appear as ocredit=-1.
Is it the case that ocredit is not found or not set to the required value?

To check how many digits are required in a password, run the following command:
$ grep pam_cracklib /etc/pam.d/system-auth
The dcredit parameter (as a negative number) will indicate how many digits are required. The DoD requires at least one digit in a password. This would appear as dcredit=-1.
Is it the case that dcredit is not found or not set to the required value?

To check how many categories of characters must be used in a password during a password change, run the following command:
$ grep pam_cracklib /etc/pam.d/system-auth
The minclass parameter will indicate how many character classes must be used. If the requirement was for the password to contain characters from three different categories, then this would appear as minclass=3.
Is it the case that minclass is not found or not set to the required value?

To check how many uppercase characters are required in a password, run the following command:
$ grep pam_cracklib /etc/pam.d/system-auth
The ucredit parameter (as a negative number) will indicate how many uppercase characters are required. The DoD and FISMA require at least one uppercase character in a password. This would appear as ucredit=-1.
Is it the case that ucredit is not found or not set to the required value?

To check how many lowercase characters are required in a password, run the following command:
$ grep pam_cracklib /etc/pam.d/system-auth
The lcredit parameter (as a negative number) will indicate how many lowercase characters are required. The DoD and FISMA require at least one lowercase character in a password. This would appear as lcredit=-1.
Is it the case that lcredit is not found or not set to the required value?

To check how many characters are required in a password, run the following command:
$ grep cracklib /etc/pam.d/system-auth
Your output should contain minlen=
Is it the case that minlen is not found or not set to the required value (or higher)?

To check the maximum value for consecutive repeating characters, run the following command:
$ grep pam_cracklib /etc/pam.d/system-auth
Look for the value of the maxrepeat parameter. The DoD requirement is 3.
Is it the case that maxrepeat is not found or not set to the required value?

To check how many characters must differ during a password change, run the following command:
$ grep pam_cracklib /etc/pam.d/system-auth
The difok parameter will indicate how many characters must differ. The DoD requires that four characters differ during a password change. This would appear as difok=4.
Is it the case that difok is not found or not set to the required value?
To ensure that last logon/access notification is configured correctly, run the following command:
$ grep pam_lastlog.so /etc/pam.d/postlogin
The output should show showfailed.
Is it the case that that is not the case?

Check the system partitions to determine if they are encrypted with the following command:
blkid
Output will be similar to:
/dev/sda1: UUID=" ab12c3de-4f56-789a-8f33-3850cc8ce3a2 " TYPE="crypto_LUKS"
/dev/sda2: UUID=" bc98d7ef-6g54-321h-1d24-9870de2ge1a2 " TYPE="crypto_LUKS"
Pseudo-file systems, such as /proc, /sys, and tmpfs, are not required to use disk encryption and are not a finding.
Is it the case that partitions do not have a type of crypto_LUKS?

Run the following command to determine if /home is on its own partition or logical volume:
$ mount | grep "on /home"
If /home has its own partition or volume group, a line will be returned.
Is it the case that no line is returned?

Run the following command to determine if /srv is on its own partition or logical volume:
$ mount | grep "on /srv"
If /srv has its own partition or volume group, a line will be returned.
Is it the case that no line is returned?

Run the following command to determine if /var/tmp is on its own partition or logical volume:
$ mount | grep "on /var/tmp"
If /var/tmp has its own partition or volume group, a line will be returned.
Is it the case that no line is returned?

Run the following command to determine if /tmp is on its own partition or logical volume:
$ mount | grep "on /tmp"
If /tmp has its own partition or volume group, a line will be returned.
Is it the case that no line is returned?

Run the following command to determine if /var is on its own partition or logical volume:
$ mount | grep "on /var"
If /var has its own partition or volume group, a line will be returned.
Is it the case that no line is returned?
Run the following command to determine if /var/log/audit is on its own partition or logical volume:
$ mount | grep "on /var/log/audit"
If /var/log/audit has its own partition or volume group, a line will be returned.
Is it the case that no line is returned?

Run the following command to determine if /var/log is on its own partition or logical volume:
$ mount | grep "on /var/log"
If /var/log has its own partition or volume group, a line will be returned.
Is it the case that no line is returned?

To determine if NOPASSWD or !authenticate have been configured for sudo, run the following command:
$ sudo grep -ri "nopasswd\|\!authenticate" /etc/sudoers /etc/sudoers.d/
The command should return no output.
Is it the case that nopasswd and/or !authenticate is enabled in sudo?

To determine if NOPASSWD has been configured for the vdsm user for sudo, run the following command:
$ sudo grep -ri nopasswd /etc/sudoers.d/
The command should return output only for the vdsm user.
Is it the case that nopasswd is set for any users beyond vdsm?

To determine if !authenticate has not been configured for sudo, run the following command:
$ sudo grep -r \!authenticate /etc/sudoers /etc/sudoers.d/
The command should return no output.
Is it the case that !authenticate is enabled in sudo?

To determine if NOPASSWD has been configured for sudo, run the following command:
$ sudo grep -ri nopasswd /etc/sudoers /etc/sudoers.d/
The command should return no output.
Is it the case that nopasswd is enabled in sudo?

To verify that the installed operating system is supported, run the following command:
$ grep -i "red hat" /etc/redhat-release
The output should contain something similar to:
Red Hat Enterprise Linux 7
Is it the case that the installed operating system is not supported?
To verify that the installed operating system is supported or certified, run the following command:
$ grep -i "red hat" /etc/redhat-release
The output should contain something similar to:
Red Hat Enterprise Linux 7
Is it the case that the installed operating system is not FIPS 140-2 certified?

Run the following command to determine if the dracut-fips package is installed:
$ rpm -q dracut-fips
Is it the case that the package is not installed?

To verify that FIPS is enabled properly in grub, run the following command:
$ grep fips /etc/default/grub
The output should contain fips=1
Is it the case that FIPS is not configured or enabled in grub?

To verify that HBSS PA is installed, run the following command(s):
$ sudo ls /opt/McAfee/auditengine/bin/auditmanager
Is it the case that the HBSS PA module is not installed?

To verify that HBSS ACCM is installed, run the following command(s):
$ sudo ls /opt/McAfee/accm/bin/accm
Is it the case that the HBSS ACCM module is not installed?

To verify that McAfee HIPS is installed, run the following command(s):
$ rpm -q MFEhiplsm
Is it the case that the HBSS HIPS module is not installed?

Run the following command to determine the current status of the nails service:
$ systemctl is-active nails
If the service is running, it should return the following:
active
Is it the case that ?

To verify that McAfee VirusScan Enterprise for Linux is installed and running, run the following command(s):
$ sudo systemctl status nails
$ rpm -q McAfeeVSEForLinux
Is it the case that virus scanning software is not installed or running?

To check on the age of McAfee virus definition files, run the following commands (cd is a shell builtin, so it is run without sudo):
$ cd /opt/NAI/LinuxShield/engine/dat
$ sudo ls -la avvscan.dat avvnames.dat avvclean.dat
Is it the case that signatures are out of date?
To verify that McAfee Runtime Libraries (MFErt) and Linux Agent (MFEcma) are installed, run the following command(s):
$ rpm -q MFEcma
$ rpm -q MFErt
Is it the case that the HBSS HIPS module is not installed?

Verify that the system backs up user data.
Is it the case that it is not?

Inspect the system for a cron job or system service which executes a virus scanning tool regularly. To verify the McAfee VSEL system service is operational, run the following command:
$ sudo /sbin/service nails status
To check on the age of uvscan virus definition files, run the following commands (cd is a shell builtin, so it is run without sudo):
$ cd /opt/NAI/LinuxShield/engine/dat
$ sudo ls -la avvscan.dat avvnames.dat avvclean.dat
Is it the case that virus scanning software does not run continuously, or at least daily, or has signatures that are out of date?

Inspect the system to determine if intrusion detection software has been installed. Verify this intrusion detection software is active.
Is it the case that no host-based intrusion detection tools are installed?

The following command will list which files on the system have permissions different from what is expected by the RPM database:
$ rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }'
Is it the case that there is output?

The following command will list which files on the system have ownership different from what is expected by the RPM database:
$ rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }'
Is it the case that there is output?

The following command will list which files on the system have file hashes different from what is expected by the RPM database:
$ rpm -Va | awk '$1 ~ /..5/ && $2 != "c"'
Is it the case that there is output?

Run the following command to determine if the aide package is installed:
$ rpm -q aide
Is it the case that the package is not installed?
To determine that AIDE is verifying extended file attributes, run the following command:
$ grep xattrs /etc/aide.conf
Verify that the xattrs option is added to the correct ruleset.
Is it the case that the xattrs option is missing or not added to the correct ruleset?

To determine that AIDE is verifying ACLs, run the following command:
$ grep acl /etc/aide.conf
Verify that the acl option is added to the correct ruleset.
Is it the case that the acl option is missing or not added to the correct ruleset?

To determine that AIDE is configured for FIPS 140-2 file hashing, run the following command:
$ grep sha512 /etc/aide.conf
Verify that the sha512 option is added to the correct ruleset.
Is it the case that the sha512 option is missing or not added to the correct ruleset?

To determine that periodic AIDE execution has been scheduled, run the following command:
$ grep aide /etc/crontab
The output should return something similar to the following:
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
Is it the case that AIDE has not been configured or has not been configured to notify personnel of scan details?

To determine that periodic AIDE execution has been scheduled, run the following command:
$ grep aide /etc/crontab
The output should return something similar to the following:
05 4 * * * root /usr/sbin/aide --check
NOTE: The usage of special cron times, such as @daily or @weekly, is acceptable.
Is it the case that there is no output?

To find the location of the AIDE database file, run the following command:
$ sudo ls -l DBDIR/database_file_name
Is it the case that there is no database file?

To determine whether yum has been configured to disable gpgcheck for any repos, inspect all files in /etc/yum.repos.d and ensure the following does not appear in any sections:
gpgcheck=0
A value of 0 indicates that gpgcheck has been disabled for that repo.
Is it the case that GPG checking is disabled?
If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server which provides updates, invoking the following command will indicate if updates are available:
$ sudo yum check-update
If the system is not configured to update from one of these sources, run the following command to list when each package was last updated:
$ rpm -qa --last
Compare this to Red Hat Security Advisories (RHSA) listed at https://access.redhat.com/security/updates/active/ to determine if the system is missing applicable updates.
Is it the case that updates are not installed?

To verify that localpkg_gpgcheck is configured properly, run the following command:
$ grep localpkg_gpgcheck /etc/yum.conf
The output should return something similar to:
localpkg_gpgcheck=1
Is it the case that gpgcheck is not enabled or configured correctly to verify local packages?

To ensure that the GPG key is installed, run:
$ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey
The command should return the string below:
gpg(Red Hat, Inc. (release key 2) <security@redhat.com>)
Is it the case that the Red Hat GPG Key is not installed?

To verify that repo_gpgcheck is configured properly, run the following command:
$ grep repo_gpgcheck /etc/yum.conf
The output should return something similar to:
repo_gpgcheck=1
Is it the case that gpgcheck is not enabled or configured correctly to verify repository metadata?

To verify that clean_requirements_on_remove is configured properly, run the following command:
$ grep clean_requirements_on_remove /etc/yum.conf
The output should return something similar to:
clean_requirements_on_remove=1
Is it the case that clean_requirements_on_remove is not enabled or configured correctly?

To determine whether yum is configured to use gpgcheck, inspect /etc/yum.conf and ensure the following appears in the [main] section:
gpgcheck=1
A value of 1 indicates that gpgcheck is enabled. Absence of a gpgcheck line or a setting of 0 indicates that it is disabled.
Is it the case that GPG checking is not enabled?

To ensure the screensaver is configured to be blank, run the following command:
$ gconftool-2 -g /apps/gnome-screensaver/mode
If properly configured, the output should be blank-only
Is it the case that it is not?

To check the status of the idle screen lock activation, run the following command:
$ gconftool-2 -g /apps/gnome-screensaver/lock_enabled
If properly configured, the output should be true.
Is it the case that it is not?

To check the screensaver locking keybindings, run the following command:
$ gconftool-2 -g /apps/gnome_settings_daemon/keybindings/screensaver
If properly configured, the output should be <Control><Alt>l.
Is it the case that GNOME screensaver locking keybindings are configured and cannot be changed?

To ensure that users cannot change session idle and lock settings, run the following:
$ grep 'idle-delay' /etc/dconf/db/local.d/locks/*
If properly configured, the output should return:
/org/gnome/desktop/session/idle-delay
Is it the case that GNOME3 session settings are not locked or configured properly?

To check that the screen locks immediately when activated, run the following command:
$ gsettings get org.gnome.desktop.screensaver lock-delay
If properly configured, the output should be 'uint32 '.
To ensure that users cannot change how long until the screensaver locks, run the following:
$ grep lock-delay /etc/dconf/db/local.d/locks/*
If properly configured, the output for lock-delay should be
/org/gnome/desktop/screensaver/lock-delay
Is it the case that the screensaver lock delay is missing, or is set to a value greater than 5?

To ensure the splash screen is configured not to show the user name, run the following command:
$ gsettings get org.gnome.desktop.screensaver show-full-name-in-top-bar
If properly configured, the output should be false.
To ensure that users cannot enable the user name on the lock screen, run the following:
$ grep show-full-name-in-top-bar /etc/dconf/db/local.d/locks/*
If properly configured, the output should be
/org/gnome/desktop/screensaver/show-full-name-in-top-bar
Is it the case that it is not set or configured properly?

To ensure that users cannot change session idle and lock settings, run the following:
$ grep 'lock-delay' /etc/dconf/db/local.d/locks/*
If properly configured, the output should return:
/org/gnome/desktop/screensaver/lock-delay
Is it the case that GNOME3 session settings are not locked or configured properly?

To check the screensaver mandatory use status, run the following command:
$ gconftool-2 -g /apps/gnome-screensaver/idle_activation_enabled
If properly configured, the output should be true.
Is it the case that it is not?

To check the screensaver mandatory use status, run the following command:
$ gsettings get org.gnome.desktop.screensaver idle-activation-enabled
If properly configured, the output should be true.
To ensure that users cannot disable the screensaver idle inactivity setting, run the following:
$ grep idle-activation-enabled /etc/dconf/db/local.d/locks/*
If properly configured, the output should be
/org/gnome/desktop/screensaver/idle-activation-enabled
Is it the case that idle_activation_enabled is not enabled or configured?

To check the current idle time-out value, run the following command:
$ gconftool-2 -g /desktop/gnome/session/max_idle_action
If properly configured, the output should be forced-logout.
Is it the case that it is not?

To check the current idle time-out value, run the following command:
$ gsettings get org.gnome.desktop.session idle-delay
If properly configured, the output should be 'uint32 '.
To ensure that users cannot change the screensaver inactivity timeout setting, run the following:
$ grep idle-delay /etc/dconf/db/local.d/locks/*
If properly configured, the output should be
/org/gnome/desktop/session/idle-delay
Is it the case that idle-delay is not equal to or less than the expected value?

To ensure that users cannot disable screensaver locking, run the following:
$ grep lock-enabled /etc/dconf/db/local.d/locks/*
If properly configured, the output for lock-enabled should be
/org/gnome/desktop/screensaver/lock-enabled
Is it the case that screensaver locking is not locked?

To check the current idle time-out value, run the following command:
$ gconftool-2 -g /desktop/gnome/session/max_idle_time
If properly configured, the output should be .
Is it the case that it is not?

To ensure the screensaver is configured to be blank, run the following command:
$ gsettings get org.gnome.desktop.screensaver picture-uri
If properly configured, the output should be ''.
To ensure that users cannot set the screensaver background, run the following:
$ grep picture-uri /etc/dconf/db/local.d/locks/*
If properly configured, the output should be
/org/gnome/desktop/screensaver/picture-uri
Is it the case that it is not set or configured properly?

To check the current idle time-out value, run the following command:
$ gconftool-2 -g /desktop/gnome/session/idle_delay
If properly configured, the output should be .
Is it the case that it is not?

To check the status of the idle screen lock activation, run the following command:
$ gsettings get org.gnome.desktop.screensaver lock-enabled
If properly configured, the output should be true.
To ensure that users cannot disable screensaver locking, run the following:
$ grep lock-enabled /etc/dconf/db/local.d/locks/*
If properly configured, the output for lock-enabled should be
/org/gnome/desktop/screensaver/lock-enabled
Is it the case that screensaver locking is not enabled and/or has not been set or configured correctly?

To ensure that users cannot disable the screensaver idle inactivity setting, run the following:
$ grep idle-activation-enabled /etc/dconf/db/local.d/locks/*
If properly configured, the output should be
/org/gnome/desktop/screensaver/idle-activation-enabled
Is it the case that idle_activation_enabled is not locked?

These settings can be verified by running the following:
$ gconftool-2 -g /apps/nautilus/preferences/media_automount
The output should return false.
$ gconftool-2 -g /apps/nautilus/preferences/media_autorun_never
The output should return true.
Is it the case that GNOME automounting is not disabled?

These settings can be verified by running the following:
$ gconftool-2 -g /desktop/gnome/thumbnailers/disable_all
The output should return true.
Is it the case that GNOME thumbnailers are not disabled?

These settings can be verified by running the following:
$ gsettings get org.gnome.desktop.thumbnailers disable-all
If properly configured, the output should be true.
To ensure that users cannot re-enable thumbnailers, run the following:
$ grep disable-all /etc/dconf/db/local.d/locks/*
If properly configured, the output should be
/org/gnome/desktop/thumbnailers/disable-all
Is it the case that GNOME thumbnailers are not disabled?

These settings can be verified by running the following:
$ gsettings get org.gnome.desktop.media-handling automount
$ gsettings get org.gnome.desktop.media-handling automount-open
$ gsettings get org.gnome.desktop.media-handling autorun-never
If properly configured, the output for automount should be false.
If properly configured, the output for automount-open should be false.
If properly configured, the output for autorun-never should be true.
To ensure that users cannot enable automount and autorun in GNOME3, run the following:
$ grep 'automount\|autorun' /etc/dconf/db/local.d/locks/*
If properly configured, the output for automount should be
/org/gnome/desktop/media-handling/automount
If properly configured, the output for automount-open should be
/org/gnome/desktop/media-handling/automount-open
If properly configured, the output for autorun-never should be
/org/gnome/desktop/media-handling/autorun-never
Is it the case that GNOME automounting is not disabled?

To ensure that system location tracking is not active, run the following commands:
$ gsettings get org.gnome.system.location enabled
$ gsettings get org.gnome.clocks geolocation
If properly configured, the output should be false.
To ensure that users cannot enable system location tracking, run the following:
$ grep location /etc/dconf/db/local.d/locks/*
If properly configured, the output should be
/org/gnome/system/location/enabled
and
/org/gnome/clocks/geolocation
Is it the case that geolocation is enabled and not disabled?

To ensure the system is configured to ignore the Ctrl-Alt-Del sequence, run the following command:
$ gconftool-2 -g /apps/gnome_settings_daemon/keybindings/power
The output should return nothing.
Is it the case that GNOME is configured to reboot when Ctrl-Alt-Del is pressed?

To check that the GNOME panel clock applet does not display weather information, run the following command:
$ gconftool-2 -g /apps/panel/applets/clock/prefs/show_weather
If properly configured, the output should be false.
Is it the case that it is not?

To check that the GNOME panel clock applet does not display temperature information, run the following command:
$ gconftool-2 -g /apps/panel/applets/clock/prefs/show_temperature
If properly configured, the output should be false.
Is it the case that it is not?
To ensure the system is configured to ignore the Ctrl-Alt-Del sequence, run the following command:
$ gsettings get org.gnome.settings-daemon.plugins.media-keys logout
If properly configured, the output should be ''.
To ensure that users cannot enable the Ctrl-Alt-Del sequence, run the following:
$ grep logout /etc/dconf/db/local.d/locks/*
If properly configured, the output should be
/org/gnome/settings-daemon/plugins/media-keys/logout
Is it the case that GNOME3 is configured to reboot when Ctrl-Alt-Del is pressed?

To ensure that the GUI power settings are not active, run the following command:
$ gsettings get org.gnome.settings-daemon.plugins.power active
If properly configured, the output should be false.
To ensure that users cannot enable the power settings, run the following:
$ grep power /etc/dconf/db/local.d/locks/*
If properly configured, the output should be
/org/gnome/settings-daemon/plugins/power/active
Is it the case that power settings are enabled and are not disabled?

To ensure the GUI does not allow user administration capabilities to all users, run the following command:
$ gsettings get org.gnome.desktop.lockdown user-administration-disabled
If properly configured, the output should be true.
To ensure that users cannot enable user administration, run the following:
$ grep user-administration /etc/dconf/db/local.d/locks/*
If properly configured, the output should be
/org/gnome/desktop/lockdown/user-administration-disabled
Is it the case that user administration is not configured or disabled?

To ensure smart card authentication on the login screen is enabled, run the following command:
$ grep enable-smartcard-authentication /etc/dconf/db/gdm.d/*
The output should be true.
To ensure that users cannot disable smart card authentication on the login screen, run the following:
$ grep enable-smartcard-authentication /etc/dconf/db/gdm.d/locks/*
If properly configured, the output should be
/org/gnome/login-screen/enable-smartcard-authentication
Is it the case that enable-smartcard-authentication has not been configured or is disabled?

To ensure the shutdown and restart buttons on the login screen are disabled, run the following command:
$ grep disable-restart-buttons /etc/dconf/db/gdm.d/*
The output should be true.
To ensure that users cannot enable the shutdown and restart buttons on the login screen, run the following:
$ grep disable-restart-buttons /etc/dconf/db/gdm.d/locks/*
If properly configured, the output should be
/org/gnome/login-screen/disable-restart-buttons
Is it the case that disable-restart-buttons has not been configured or is not disabled?

To ensure the shutdown and restart buttons on the login screen are disabled, run the following command:
$ gconftool-2 -g /apps/gdm/simple-greeter/disable_restart_buttons
The output should be true.
Is it the case that disable-restart-buttons has not been configured or is not disabled?

To verify that automatic logins are disabled, run the following command:
$ grep -Pzoi "^\[daemon]\\nautomaticlogin.*" /etc/gdm/custom.conf
The output should show the following:
[daemon]
AutomaticLoginEnable=false
Is it the case that GDM allows users to automatically login?

To ensure the login screen resets after a specified number of failures, run the following command:
$ grep allowed-failures /etc/dconf/db/gdm.d/*
The output should be 3 or less.
To ensure that users cannot change or configure the reset after a specified number of failures on the login screen, run the following:
$ grep allowed-failures /etc/dconf/db/gdm.d/locks/*
If properly configured, the output should be
/org/gnome/login-screen/allowed-failures
Is it the case that allowed-failures is not equal to or less than the expected value?
To ensure the user list is disabled, run the following command:
$ grep disable-user-list /etc/dconf/db/gdm.d/*
The output should be true.
To ensure that users cannot enable displaying the user list, run the following:
$ grep disable-user-list /etc/dconf/db/gdm.d/locks/*
If properly configured, the output should be
/org/gnome/login-screen/disable-user-list
Is it the case that disable-user-list has not been configured or is not disabled?

To ensure the user list is disabled, run the following command:
$ gconftool-2 -g /apps/gdm/simple-greeter/disable_user_list
The output should be true.
Is it the case that it is not?

To verify that timed logins are disabled, run the following command:
$ grep -Pzoi "^\[daemon]\\ntimedlogin.*" /etc/gdm/custom.conf
The output should show the following:
[daemon]
TimedLoginEnable=false
Is it the case that GDM allows a guest to login without credentials?

To ensure that WIFI connections cannot be created, run the following command:
$ gconftool-2 -g /apps/nm-applet/disable-wifi-create
The output should return true.
Is it the case that WIFI connections can be created through GNOME?

To ensure that WIFI connections cannot be created, run the following command:
$ gsettings get org.gnome.nm-applet disable-wifi-create
If properly configured, the output should be true.
To ensure that users cannot enable WIFI connection creation, run the following:
$ grep wifi-create /etc/dconf/db/local.d/locks/*
If properly configured, the output should be
/org/gnome/nm-applet/disable-wifi-create
Is it the case that WIFI connections can be created through GNOME?

To ensure that wireless network notification is disabled, run the following command:
$ gsettings get org.gnome.nm-applet suppress-wireless-networks-available
If properly configured, the output should be true.
To ensure that users cannot enable wireless notification, run the following:
$ grep wireless-networks-available /etc/dconf/db/local.d/locks/*
If properly configured, the output should be
/org/gnome/nm-applet/suppress-wireless-networks-available
Is it the case that wireless network notification is enabled and not disabled?

To ensure that wireless network notification is disabled, run the following command:
$ gconftool-2 -g /apps/nm-applet/disable-connected-notifications
The output should return true.
Is it the case that wireless connecting network notification is enabled and not disabled?

To ensure that wireless network notification is disabled, run the following command:
$ gconftool-2 -g /apps/nm-applet/disable-disconnected-notifications
The output should return true.
Is it the case that wireless disconnecting network notification is enabled and not disabled?

To ensure that remote access connections are encrypted, run the following command:
$ gsettings get org.gnome.Vino require-encryption
If properly configured, the output should be true.
To ensure that users cannot disable encrypted remote connections, run the following:
$ grep require-encryption /etc/dconf/db/local.d/locks/*
If properly configured, the output should be
/org/gnome/Vino/require-encryption
Is it the case that remote access connections are not encrypted?

To ensure that remote access requires credentials, run the following command:
$ gsettings get org.gnome.Vino authentication-methods
If properly configured, the output should be false.
To ensure that users cannot disable credentials for remote access, run the following:
$ grep authentication-methods /etc/dconf/db/local.d/locks/*
If properly configured, the output should be
/org/gnome/Vino/authentication-methods
Is it the case that remote access does not require credentials or this setting is not locked?
To ensure the gdm package group is removed, run the following command:
$ rpm -qi gdm
The output should be:
package gdm is not installed
Is it the case that gdm has not been removed?

To verify that DConf uses text files as its data backend, put the line
service-db:keyfile/user
at the top of the file /etc/dconf/profile/user
Is it the case that DConf uses the binary database as data backend?

In order to be sure that the databases are up-to-date, run the dconf update command as the administrator.
Is it the case that the system-wide dconf databases are up-to-date with regards to respective keyfiles?

To verify that the DConf User profile is configured correctly, run the following command:
$ cat /etc/dconf/profile/user
The output should show the following:
user-db:user
system-db:local
system-db:site
system-db:distro
Is it the case that the DConf User profile does not exist or is not configured correctly?

To check the permissions of /etc/shadow, run the command:
$ ls -l /etc/shadow
If properly configured, the output should indicate the following permissions: -rw-r-----
Is it the case that /etc/shadow has unix mode ----------?

To check the ownership of /etc/shadow, run the command:
$ ls -lL /etc/shadow
If properly configured, the output should indicate the following owner: root
Is it the case that /etc/shadow has owner root?

To check the ownership of /etc/gshadow, run the command:
$ ls -lL /etc/gshadow
If properly configured, the output should indicate the following owner: root
Is it the case that /etc/gshadow has owner root?

To check the permissions of /etc/passwd, run the command:
$ ls -l /etc/passwd
If properly configured, the output should indicate the following permissions: -rw-r--r--
Is it the case that /etc/group has unix mode -rw-r--r--?

To check the group ownership of /etc/gshadow, run the command:
$ ls -lL /etc/gshadow
If properly configured, the output should indicate the following group-owner: root
Is it the case that /etc/gshadow has group owner root?
To check the ownership of /etc/passwd, run the command:
$ ls -lL /etc/passwd
If properly configured, the output should indicate the following owner: root
Is it the case that /etc/passwd does not have owner root?

To check the group ownership of /etc/shadow, run the command:
$ ls -lL /etc/shadow
If properly configured, the output should indicate the following group-owner: root
Is it the case that /etc/shadow does not have group owner root?

To check the ownership of /etc/group, run the command:
$ ls -lL /etc/group
If properly configured, the output should indicate the following owner: root
Is it the case that /etc/group does not have owner root?

To check the group ownership of /etc/group, run the command:
$ ls -lL /etc/group
If properly configured, the output should indicate the following group-owner: root
Is it the case that /etc/group does not have group owner root?

To check the permissions of /etc/gshadow, run the command:
$ ls -l /etc/gshadow
If properly configured, the output should indicate the following permissions: ----------
Is it the case that /etc/gshadow does not have unix mode ----------?

To check the group ownership of /etc/passwd, run the command:
$ ls -lL /etc/passwd
If properly configured, the output should indicate the following group-owner: root
Is it the case that /etc/passwd does not have group owner root?

To check the permissions of /etc/passwd, run the command:
$ ls -l /etc/passwd
If properly configured, the output should indicate the following permissions: -rw-r--r--
Is it the case that /etc/passwd does not have unix mode -rw-r--r--?

System executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
To find system executables that are group-writable or world-writable, run the following command for each directory DIR which contains system executables:
$ sudo find -L DIR -perm /022 -type f
(-perm /022 matches a file if either the group-write or the world-write bit is set.)
Is it the case that any system executables are found to be group or world writable?
Shared libraries are stored in the following directories:
/lib
/lib64
/usr/lib
/usr/lib64
For each of these directories, run the following command to find files not owned by root:
$ sudo find -L DIR ! -user root
Files found this way can be corrected with chown, for example:
$ sudo find -L DIR ! -user root -exec chown root {} \;
Is it the case that any of these files are not owned by root?

System executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
To find system executables that are not owned by root, run the following command for each directory DIR which contains system executables:
$ sudo find DIR/ \! -user root
Is it the case that any system executables are found to not be owned by root?

Shared libraries are stored in the following directories:
/lib
/lib64
/usr/lib
/usr/lib64
To find shared libraries that are group-writable or world-writable, run the following command for each directory DIR which contains shared libraries:
$ sudo find -L DIR -perm /022 -type f
Is it the case that any of these files are group-writable or world-writable?

To find world-writable files, run the following command:
$ sudo find / -xdev -type f -perm -002
Is it the case that there is output?

The status of the fs.protected_symlinks kernel parameter can be queried by running the following command:
$ sysctl fs.protected_symlinks
The output of the command should indicate a value of 1. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command:
$ grep -r fs.protected_symlinks /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?

The following command will discover and print world-writable directories that are not owned by a system account, given the assumption that only system accounts have a uid lower than 500. (On Red Hat Enterprise Linux 7 the default UID_MIN in /etc/login.defs is 1000, so adjust the threshold to the value configured on the system.)
Run it once for each local partition PART:
$ sudo find PART -xdev -type d -perm -0002 -uid +499 -print
Is it the case that there is output?

The following command will discover and print any files on local partitions which do not belong to a valid group:
$ sudo find / -xdev -fstype local -nogroup
Either remove all files and directories from the system that do not have a valid group, or assign a valid group with the chgrp command:
$ sudo chgrp group file
Is it the case that there is output?

The following command will discover and print any files on local partitions which do not belong to a valid user:
$ sudo find / -xdev -fstype local -nouser
Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on the system with the chown command:
$ sudo chown user file
Is it the case that files exist that are not owned by a valid user?

The status of the fs.protected_hardlinks kernel parameter can be queried by running the following command:
$ sysctl fs.protected_hardlinks
The output of the command should indicate a value of 1. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command:
$ grep -r fs.protected_hardlinks /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?

To find world-writable files, run the following command:
$ sudo find / -xdev -type f -perm -002
Is it the case that there is output?

To find world-writable directories that lack the sticky bit, run the following command:
$ sudo find / -xdev -type d -perm -002 ! -perm -1000
Both predicates need the leading '-' (all listed bits set): "-perm 002" or "-perm 1000" would match only a directory whose complete mode is exactly 002 or 1000 and would miss the usual 0777 and 1777 cases.
Is it the case that any world-writable directories are missing the sticky bit?
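The find(1) predicates used by the permission and ownership checks above are easy to get subtly wrong (exact-mode versus any-bit versus all-bits matching). The script below is an added example, not part of the SCAP Security Guide, that builds a small constructed directory tree and runs the same predicates against it, so the expected hits can be compared with known input before the commands are run on /. All paths under the temporary root are invented for the demonstration.

```shell
#!/bin/sh
# Added example, not SCAP Security Guide content: exercises the find(1)
# predicates of the checks above on a constructed tree so the difference
# between "-perm -002" (all listed bits set), "-perm /022" (any listed bit
# set) and an exact-mode match is visible on known input.

# Files under DIR that are group- or world-writable (either of the 022 bits).
find_group_or_world_writable() {
    find -L "$1" -type f -perm /022 2>/dev/null | sort
}

# Files under DIR that are world-writable (the 002 bit set, whatever else is).
find_world_writable_files() {
    find "$1" -xdev -type f -perm -002 2>/dev/null | sort
}

# World-writable directories under DIR that lack the sticky bit.  The leading
# '-' on both predicates is essential: "-perm 002 ! -perm 1000" would match
# only a directory whose whole mode is exactly 002 and miss 0777.
find_sticky_missing_dirs() {
    find "$1" -xdev -type d -perm -002 ! -perm -1000 2>/dev/null | sort
}

# Everything under DIR not owned by UID 0 (symlinks followed, as for /lib).
find_not_owned_by_root() {
    find -L "$1" ! -uid 0 2>/dev/null | sort
}

# Octal mode, owner and group of FILE, e.g. "0000 root root" for /etc/shadow.
file_mode_owner() {
    stat -c '%04a %U %G' "$1"
}

# True when FILE has exactly the octal mode MODE, e.g. check_mode /etc/shadow 0000
check_mode() {
    [ "$(stat -c '%04a' "$1")" = "$2" ]
}

# Constructed tree (invented paths) with one example of each condition.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/tmp_ok" "$root/tmp_bad"
    printf '#!/bin/sh\n' > "$root/bin/safe"; chmod 0755 "$root/bin/safe"
    printf '#!/bin/sh\n' > "$root/bin/gw";   chmod 0775 "$root/bin/gw"   # group-writable
    printf '#!/bin/sh\n' > "$root/bin/ww";   chmod 0777 "$root/bin/ww"   # world-writable
    chmod 1777 "$root/tmp_ok"     # world-writable with sticky bit, like /tmp
    chmod 0777 "$root/tmp_bad"    # world-writable, sticky bit missing
    printf 'x\n' > "$root/shadow"; chmod 0000 "$root/shadow"
    echo "$root"
}

# Usage: sh perm-audit.sh demo   (runs every check on the constructed tree)
if [ "${1:-}" = demo ]; then
    r=$(make_fixture)
    echo "group- or world-writable files:";        find_group_or_world_writable "$r"
    echo "world-writable dirs without sticky bit:"; find_sticky_missing_dirs "$r"
    echo "not owned by root:";                      find_not_owned_by_root "$r"
    echo "shadow: $(file_mode_owner "$r/shadow")"
    rm -rf "$r"
fi
```

On a real host the same functions are pointed at / or at each directory listed in the checks (find_sticky_missing_dirs /, check_mode /etc/shadow 0000, and so on); the fixture only exists so the output of each predicate can be verified first.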
To check the permissions of /boot/System.map-*, run the command:
$ ls -l /boot/System.map-*
If properly configured, the output should indicate the following permissions: -rw-------
Is it the case that any System.map file has permissions other than -rw-------?

To find world-writable files, run the following command:
$ sudo find / -xdev -type f -perm -002
Is it the case that only authorized files appear in the output of the find command?

If the system is configured to prevent the loading of the usb-storage kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event, for example:
install usb-storage /bin/true
Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned?

To check that the autofs service is disabled in system boot configuration, run the following command:
$ systemctl is-enabled autofs
Output should indicate the autofs service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
$ systemctl is-enabled autofs
disabled
Run the following command to verify autofs is not active (i.e. not running) through current runtime configuration:
$ systemctl is-active autofs
If the service is not running the command will return the following output:
inactive
Is it the case that the autofs service is enabled or active?

To verify that binaries cannot be directly executed from removable media, run the following command:
$ grep -v noexec /etc/fstab
The resulting output will show partitions which do not have the noexec flag. Verify all partitions in the output are not removable media.
Is it the case that removable media partitions are present?

To check the value of the umask, run the following command:
$ grep umask /etc/init.d/functions
The output should show .
Is it the case that it does not?
Inspect the default GRUB 2 command line for the Linux operating system (GRUB_CMDLINE_LINUX) in /etc/default/grub. If it includes slub_debug=P, then SLUB/SLAB poisoning is enabled at boot time. To ensure slub_debug=P is configured on all installed kernels, the following command may be used:
$ sudo /sbin/grubby --update-kernel=ALL --args="slub_debug=P"
Is it the case that SLUB/SLAB poisoning is not enabled?

Inspect the default GRUB 2 command line for the Linux operating system (GRUB_CMDLINE_LINUX) in /etc/default/grub. If it includes page_poison=1, then page poisoning is enabled at boot time. To ensure page_poison=1 is configured on all installed kernels, the following command may be used:
$ sudo /sbin/grubby --update-kernel=ALL --args="page_poison=1"
Is it the case that page allocator poisoning is not enabled?

The status of the fs.suid_dumpable kernel parameter can be queried by running the following command:
$ sysctl fs.suid_dumpable
The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command:
$ grep -r fs.suid_dumpable /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?

To verify that core dumps are disabled for all users, run the following command:
$ grep core /etc/security/limits.conf
The output should be:
* hard core 0
Is it the case that it is not?

The status of the kernel.kptr_restrict kernel parameter can be queried by running the following command:
$ sysctl kernel.kptr_restrict
The output of the command should indicate a value of 1. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf.
You can verify this by running the following command:
$ grep -r kernel.kptr_restrict /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?

To verify ExecShield is enabled on 64-bit Red Hat Enterprise Linux 7 systems, run the following command:
$ dmesg | grep '[NX|DX]*protection'
The output should not contain 'disabled by kernel command line option'. To verify that ExecShield has not been disabled in the kernel configuration, run the following command:
$ sudo grep noexec /boot/grub2/grub.cfg
The output should not return noexec=off.
For 32-bit Red Hat Enterprise Linux 7 systems, run the following command:
$ sysctl kernel.exec-shield
The output should be:
kernel.exec-shield = 1
To set the runtime status of the kernel.exec-shield kernel parameter, run the following command:
$ sudo sysctl -w kernel.exec-shield=1
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:
kernel.exec-shield = 1
Is it the case that ExecShield is not supported by the hardware, is not enabled, or has been disabled by the kernel configuration?

The status of the kernel.randomize_va_space kernel parameter can be queried by running the following command:
$ sysctl kernel.randomize_va_space
The output of the command should indicate a value of 2. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command:
$ grep -r kernel.randomize_va_space /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?

The status of the kernel.kexec_load_disabled kernel parameter can be queried by running the following command:
$ sysctl kernel.kexec_load_disabled
The output of the command should indicate a value of 1.
If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command:
$ grep -r kernel.kexec_load_disabled /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?

Inspect the default GRUB 2 command line for the Linux operating system (GRUB_CMDLINE_LINUX) in /etc/default/grub. If it includes vsyscall=none, then virtual syscalls are not enabled at boot time. To ensure vsyscall=none is configured on all installed kernels, the following command may be used:
$ sudo /sbin/grubby --update-kernel=ALL --args="vsyscall=none"
Is it the case that vsyscalls are enabled?

The status of the kernel.yama.ptrace_scope kernel parameter can be queried by running the following command:
$ sysctl kernel.yama.ptrace_scope
The output of the command should indicate a value of 1. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command:
$ grep -r kernel.yama.ptrace_scope /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?

The status of the kernel.dmesg_restrict kernel parameter can be queried by running the following command:
$ sysctl kernel.dmesg_restrict
The output of the command should indicate a value of 1. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf.
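Each of the sysctl checks above ends with a grep -r over /etc/sysctl.conf and /etc/sysctl.d. That shows every assignment but not which one wins after boot: the files are applied in order and the last assignment of a key takes effect, so a compliant line in one file can be silently reverted by a lexically later one. The script below is an added example, not part of the SCAP Security Guide, that resolves the effective persistent value the way systemd-sysctl applies the files (every *.conf sorted by basename, a file in an earlier directory masking one of the same name in a later directory, /etc/sysctl.conf last because /usr/lib/sysctl.d/99-sysctl.conf links to it on RHEL 7). The directory tree it builds is constructed for the demonstration; on a live host the same functions are given the real directories.

```shell
#!/bin/sh
# Added example, not SCAP Security Guide content: resolves the persistent
# value of a sysctl key in the order systemd-sysctl applies the files, so a
# "grep -r" hit is not mistaken for the value that will be in effect.

# Files to apply, one per line, in order: all *.conf from the given
# directories sorted by basename; when the same basename exists in more than
# one directory the earlier (higher-priority) directory wins, which is how
# /etc/sysctl.d/ masks /usr/lib/sysctl.d/.
sysctl_conf_files() {
    i=0
    for d in "$@"; do
        i=$((i + 1))
        for f in "$d"/*.conf; do
            [ -f "$f" ] && printf '%s\t%s\t%s\n' "$(basename "$f")" "$i" "$f"
        done
    done | sort -t "$(printf '\t')" -k1,1 -k2,2n | awk -F'\t' '!seen[$1]++ { print $3 }'
}

# Effective persistent value of KEY (the last assignment wins), or exit 1 if
# no file sets it.  "key = value" and "key=value" are both accepted, '/' and
# '.' are interchangeable in key names, and a leading '-' (ignore errors) is
# allowed, as in sysctl.conf(5).
sysctl_effective_value() {
    key=$(printf '%s' "$1" | tr / .); shift
    sysctl_conf_files "$@" | while IFS= read -r f; do cat "$f"; done |
    awk -v key="$key" '
        /^[ \t]*[#;]/ { next }
        /=/ {
            k = $0; sub(/[ \t]*=.*/, "", k); sub(/^[ \t]*-?/, "", k); gsub(/\//, ".", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                val = v; found = 1
            }
        }
        END { if (found) print val; else exit 1 }'
}

# Compare the persistent value of KEY with EXPECTED; prints a finding on
# stderr and returns 1 when they differ.  Example on a real host:
#   sysctl_check_persistent kernel.kptr_restrict 1 /etc/sysctl.d /usr/lib/sysctl.d
sysctl_check_persistent() {
    k=$1; want=$2; shift 2
    have=$(sysctl_effective_value "$k" "$@") || have='unset (kernel default applies)'
    [ "$have" = "$want" ] && return 0
    printf '%s: persistent value %s, expected %s\n' "$k" "$have" "$want" >&2
    return 1
}

# Constructed configuration tree for the demonstration (not real host files).
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/sysctl.d" "$root/usr/lib/sysctl.d"
    # vendor default, masked by the /etc file of the same name
    printf 'fs.protected_symlinks = 0\n' > "$root/usr/lib/sysctl.d/50-default.conf"
    printf 'fs.protected_symlinks = 1\nfs.protected_hardlinks = 1\n' > "$root/etc/sysctl.d/50-default.conf"
    # hardening values, one of which a lexically later file silently reverts
    printf 'fs.suid_dumpable = 0\nkernel/yama/ptrace_scope = 1\n' > "$root/etc/sysctl.d/60-hardening.conf"
    printf '# local change made for a debugger\nkernel.yama.ptrace_scope=0\n' > "$root/etc/sysctl.d/99-local.conf"
    echo "$root"
}

# Usage: sh sysctl-audit.sh demo
if [ "${1:-}" = demo ]; then
    r=$(make_fixture)
    for k in fs.protected_symlinks:1 fs.suid_dumpable:0 kernel.yama.ptrace_scope:1 kernel.dmesg_restrict:1; do
        sysctl_check_persistent "${k%:*}" "${k#*:}" "$r/etc/sysctl.d" "$r/usr/lib/sysctl.d" \
            && echo "${k%:*}: ok"
    done
    rm -rf "$r"
fi
```

The runtime value still has to be checked separately with sysctl -n KEY as the guide describes; a key that is correct in the persistent files but wrong at runtime has been changed with sysctl -w or by a service, and the reverse means the persistent configuration will undo a manual fix at the next boot.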
You can verify this by running the following command:
$ grep -r kernel.dmesg_restrict /etc/sysctl.conf /etc/sysctl.d
Is it the case that the correct value is not returned?

Guide to the Secure Configuration of Red Hat Enterprise Linux 7 (PCI-DSS centric) (draft)

This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 7. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is available in the scap-security-guide package, which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and make no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

The SCAP Security Guide Project https://www.open-scap.org/security-policies/scap-security-guide

Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.

0.1.43 SCAP Security Guide Project

Contributors: SCAP Security Guide Project Frank J Cameron (CAM1244) <cameron@ctc.com> 0x66656c6978 <0x66656c6978@users.noreply.github.com> Gabe Alford <redhatrises@gmail.com> Firas AlShafei <firas.alshafei@us.abb.com> Christopher Anderson <cba@fedoraproject.org> angystardust <angystardust@users.noreply.github.com> Chuck Atkins <chuck.atkins@kitware.com> Ryan Ballanger <root@rballang-admin-2.fastenal.com> Alex Baranowski <alex@euro-linux.com> Molly Jo Bault <Molly.Jo.Bault@ballardtech.com> Gabriel Becker <ggasparb@redhat.com> Alexander Bergmann <abergmann@suse.com> Jose Luis BG <bgjoseluis@gmail.com> Joseph Bisch <joseph.bisch@gmail.com> Jeffrey Blank <blank@eclipse.ncsc.mil> Olivier Bonhomme <ptitoliv@ptitoliv.net> Ted Brunell <tbrunell@redhat.com> Blake Burkhart <blake.burkhart@us.af.mil> Patrick Callahan <pmc@patrickcallahan.com> Nick Carboni <ncarboni@redhat.com> James Cassell <james.cassell@ll.mit.edu> Frank Caviggia <fcaviggi@ra.iad.redhat.com> Eric Christensen <echriste@redhat.com> Caleb Cooper <coopercd@ornl.gov> Deric Crago <deric.crago@gmail.com> Maura Dailey <maura@eclipse.ncsc.mil> Klaas Demter <demter@atix.de> dhanushkar-wso2 <dhanushkar@wso2.com> Andrew DiPrinzio <andrew.diprinzio@jhuapl.edu> Jean-Baptiste Donnette <jean-baptiste.donnette@epita.fr> drax <applezip@gmail.com> Greg Elin
<gregelin@gitmachines.com> Leah Fisher <lfisher047@gmail.com> Alijohn Ghassemlouei <alijohn.ghassemlouei@sapns2.com> Andrew Gilmore <agilmore2@gmail.com> Joshua Glemza <jglemza@nasa.gov> Loren Gordon <lorengordon@users.noreply.github.com> Patrik Greco <sikevux@sikevux.se> Steve Grubb <sgrubb@redhat.com> Marek Haicman <mhaicman@redhat.com> Rebekah Hayes <rhayes@corp.rivierautilities.com> Trey Henefield <thenefield@gmail.com> Henning Henkel <henning.henkel@helvetia.ch> hex2a <hex2a@users.noreply.github.com> John Hooks <jhooks@starscream.pa.jhbcomputers.com> Robin Price II <robin@redhat.com> Jeremiah Jahn <jeremiah@goodinassociates.com> Stephan Joerrens <Stephan.Joerrens@fiduciagad.de> Kai Kang <kai.kang@windriver.com> Charles Kernstock <charles.kernstock@ultra-ats.com> Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com> Peter 'Pessoft' Kolínek <github@pessoft.com> Luke Kordell <luke.t.kordell@lmco.com> kspargur <kspargur@kspargur.csb> Amit Kumar <amitkuma@redhat.com> Fen Labalme <fen@civicactions.com> Ian Lee <lee1001@llnl.gov> Jarrett Lee <jarrettl@umd.edu> Jan Lieskovsky <jlieskov@redhat.com> Lee Kinser <lee.kinser@gmail.com> Šimon Lukašík <slukasik@redhat.com> Milan Lysonek <mlysonek@redhat.com> Fredrik Lysén <fredrik@pipemore.se> Matus Marhefka <mmarhefk@redhat.com> Jamie Lorwey Martin <jlmartin@redhat.com> Michael McConachie <michael@redhat.com> Khary Mendez <kharyam@gmail.com> Rodney Mercer <rmercer@harris.com> Matt Micene <nzwulfin@gmail.com> Brian Millett <bmillett@gmail.com> Mixer9 <35545791+Mixer9@users.noreply.github.com> mmosel <mmosel@kde.example.com> Zbynek Moravec <zmoravec@redhat.com> Kazuo Moriwaka <moriwaka@users.noreply.github.com> Michael Moseley <michael@eclipse.ncsc.mil> Joe Nall <joe@nall.com> Neiloy <neiloy@redhat.com> Axel Nennker <axel@nennker.de> Michele Newman <mnewman@redhat.com> Sean O'Keeffe <seanokeeffe797@gmail.com> Ilya Okomin <ilya.okomin@oracle.com> Kaustubh Padegaonkar <theTuxRacer@gmail.com> Michael Palmiotto <mpalmiotto@tresys.com> 
Max R.D. Parmer <maxp@trystero.is> pcactr <paul.c.arnold4.ctr@mail.mil> Kenneth Peeples <kennethwpeeples@gmail.com> Nathan Peters <Nathaniel.Peters@ca.com> Frank Lin PIAT <fpiat@klabs.be> Stefan Pietsch <mail.ipv4v6+gh@gmail.com> Martin Preisler <mpreisle@redhat.com> Wesley Ceraso Prudencio <wcerasop@redhat.com> Raphael Sanchez Prudencio <rsprudencio@redhat.com> T.O. Radzy Radzykewycz <radzy@windriver.com> Kenyon Ralph <kenyon@kenyonralph.com> Rick Renshaw <Richard_Renshaw@xtoenergy.com> Chris Reynolds <c.reynolds82@gmail.com> Pat Riehecky <riehecky@fnal.gov> rlucente-se-jboss <rlucente@redhat.com> Joshua Roys <roysjosh@gmail.com> rrenshaw <bofh69@yahoo.com> Chris Ruffalo <chris.ruffalo@gmail.com> Ray Shaw (Cont ARL/CISD) rvshaw <rvshaw@esme.arl.army.mil> Willy Santos <wsantos@redhat.com> Gautam Satish <gautams@hpe.com> Watson Sato <wsato@redhat.com> Satoru SATOH <satoru.satoh@gmail.com> Alexander Scheel <ascheel@redhat.com> Spencer Shimko <sshimko@tresys.com> Thomas Sjögren <konstruktoid@users.noreply.github.com> Francisco Slavin <fslavin@tresys.com> David Smith <dsmith@eclipse.ncsc.mil> Kevin Spargur <kspargur@redhat.com> Kenneth Stailey <kstailey.lists@gmail.com> Leland Steinke <leland.j.steinke.ctr@mail.mil> Brian Stinson <brian@bstinson.com> Philippe Thierry <phil@reseau-libre.net> Paul Tittle <ptittle@cmf.nrl.navy.mil> tomas.hudik <tomas.hudik@embedit.cz> Jeb Trayer <jeb.d.trayer@uscg.mil> Matěj Týč <matyc@redhat.com> VadimDor <29509093+VadimDor@users.noreply.github.com> Shawn Wells <shawn@redhat.com> Daniel E. 
White <linuxdan@users.noreply.github.com> Roy Williams <roywilli@roywilli.redhat.com> Rob Wilmoth <rwilmoth@redhat.com> Lucas Yamanishi <lucas.yamanishi@onyxpoint.com> Xirui Yang <xirui.yang@oracle.com> Kevin Zimmerman <kevin.zimmerman@kitware.com> Jan Černý <jcerny@redhat.com> Michal Šrubař <msrubar@redhat.com> https://github.com/OpenSCAP/scap-security-guide/releases/latest PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7 Ensures PCI-DSS v3.2.1 related security configuration settings are applied. 2. Do not use vendor-supplied defaults for system passwords and other 2.1 Always change vendor-supplied 2.1.1 For wireless environments 2.1.1.a Interview responsible personnel and examine 2.1.1.b Interview personnel and examine policies and 2.1.1.c Examine vendor documentation and login to 2.1.1.d Examine vendor documentation and observe 2.1.1.e Examine vendor documentation and observe 2.1.a Choose a sample of system components, and attempt 2.1.b For the sample of system components, verify that all 2.1.c Interview personnel and examine supporting 2.2 Develop configuration standards for 2.2.1 Implement only one primary 2.2.1.a Select a sample of system components and 2.2.1.b If virtualization technologies are used, inspect the 2.2.2 Enable only necessary services, 2.2.2.a Select a sample of system components and 2.2.2.b Identify any enabled insecure services, daemons, 2.2.3 Implement additional security 2.2.3.a Inspect configuration settings to verify that security 2.2.4 Configure system security 2.2.4.a Interview system administrators and/or security 2.2.4.b Examine the system configuration standards to 2.2.4.c Select a sample of system components and 2.2.5 Remove all unnecessary 2.2.5.a Select a sample of system components and 2.2.5.b . Examine the documentation and security 2.2.5.c . 
Examine the documentation and security 2.2.a 2.2.b Examine policies and interview personnel to 2.2.c Examine policies and interview personnel to 2.2.d Verify that system configuration standards include the 2.3 Encrypt all non-console 2.3.a Observe an administrator log on to each system and 2.3.b Review services and parameter files on systems to 2.3.c Observe an administrator log on to each system to 2.3.d Examine vendor documentation and interview 2.4 Maintain an inventory of system 2.4.a Examine system inventory to verify that a list of 2.4.b Interview personnel to verify the documented inventory 2.5 Ensure that security policies and 2.6 Shared hosting providers must 3. Protect stored cardholder data 3.1 Keep cardholder data storage to a 3.1.a Examine the data retention and disposal policies, 3.1.b Interview personnel to verify that: 3.1.c For a sample of system components that store cardholder 3.2 Do not store sensitive authentication 3.2.1 Do not store the full contents of 3.2.2 Do not store the card verification 3.2.3 Do not store the personal 3.2.a For issuers and/or companies that support issuing 3.2.b For issuers and/or companies that support issuing 3.2.c For all other entities, if sensitive authentication data is 3.2.d For all other entities, if sensitive authentication data is 3.3 Mask PAN when displayed (the first 3.3.a Examine written policies and procedures for masking the 3.3.b Examine system configurations to verify that full PAN is 3.3.c Examine displays of PAN (for example, on screen, on 3.4 Render PAN unreadable anywhere it 3.4.1 If disk encryption is used (rather 3.4.1.a If disk encryption is used, inspect the configuration 3.4.1.b Observe processes and interview personnel to verify 3.4.1.c Examine the configurations and observe the 3.4.a Examine documentation about the system used to protect 3.4.b Examine several tables or files from a sample of data 3.4.c Examine a sample of removable media (for example, 3.4.d Examine a sample of audit logs to 
confirm that the PAN is 3.4.e If 3.5 Document and implement 3.5.1 Restrict access to cryptographic 3.5.2 Store secret and private keys 3.5.2.a Examine documented procedures to verify that 3.5.2.b Examine system configurations and key storage 3.5.2.c Wherever key-encrypting keys are used, examine 3.5.3 Store cryptographic keys in the 3.6 Fully document and implement all 3.6.1 Generation of strong 3.6.1.a Verify that key-management procedures specify how 3.6.1.b Observe the method for generating keys to verify that 3.6.2 Secure cryptographic key 3.6.2.a Verify that key-management procedures specify how 3.6.2.b Observe the method for distributing keys to verify that 3.6.3 Secure cryptographic key storage 3.6.3.a Verify that key-management procedures specify how 3.6.3.b Observe the method for storing keys to verify that 3.6.4 Cryptographic key changes for 3.6.4.a Verify that key-management procedures include a 3.6.4.b Interview personnel to verify that keys are changed at 3.6.5 Retirement or replacement (for 3.6.5.a Verify that key-management procedures specify 3.6.5.b Interview personnel to verify the following processes 3.6.6 If manual clear-text cryptographic 3.6.6.a Verify that manual clear-text key-management 3.6.7 Prevention of unauthorized 3.6.7.a Verify that key-management procedures specify 3.6.7.b Interview personnel and/or observe processes to 3.6.8 Requirement for cryptographic 3.6.8.a Verify that key-management procedures specify 3.6.8.b Observe documentation or other evidence showing 3.6.b Examine the key-management procedures and processes 3.7 Ensure that security policies and 4. Encrypt transmission of cardholder data across open, public networks 4.1 Use strong cryptography and security Install libreswan Package The Libreswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. 
The libreswan package can be installed with the following command:
$ sudo yum install libreswan

References: 12 15 3 5 8 APO13.01 DSS01.04 DSS05.02 DSS05.03 DSS05.04 CCI-001130 CCI-001131 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 SR 1.13 SR 2.6 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.4 A.11.2.6 A.13.1.1 A.13.2.1 A.14.1.3 A.15.1.1 A.15.2.1 A.6.2.1 A.6.2.2 AC-17 MA-4 SC-9 PR.AC-3 PR.MA-2 PR.PT-4 Req-4.1

Rationale: Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network.

Identifier: CCE-80170-4

Remediation (shell): package_install libreswan

Remediation (Ansible):
    - name: Ensure libreswan is installed
      package:
        name: libreswan
        state: present
      tags:
        - package_libreswan_installed
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80170-4
        - NIST-800-53-AC-17
        - NIST-800-53-MA-4
        - NIST-800-53-SC-9
        - PCI-DSS-Req-4.1

Remediation (Puppet):
    include install_libreswan
    class install_libreswan {
      package { 'libreswan':
        ensure => 'installed',
      }
    }

Remediation (Anaconda kickstart):
    package --add=libreswan

4.1.1 Ensure wireless networks transmitting 4.1.a Identify all locations where cardholder data is 4.1.b Review documented policies and procedures to verify 4.1.c Select and observe a sample of inbound and outbound 4.1.d Examine keys and certificates to verify that only 4.1.e Examine system configurations to verify that the 4.1.f Examine system configurations to verify that the proper 4.1.g For TLS implementations, examine system 4.2 Never send unprotected PANs by end- 4.2.a If end-user messaging technologies are used to send 4.2.b Review written policies to verify the existence of a 4.3 Ensure that security policies and 5.
Protect all systems against malware and regularly update anti-virus 5.1 Deploy anti-virus software on all 5.1.1 Ensure that anti-virus programs 5.1.2 For systems considered to be not 5.2 Ensure that all anti-virus mechanisms 5.2.a Examine policies and procedures to verify that anti-virus 5.2.b Examine anti-virus configurations, including the master 5.2.c Examine a sample of system components, including all 5.2.d Examine anti-virus configurations, including the master 5.3 Ensure that anti-virus mechanisms 5.3.a Examine anti-virus configurations, including the master 5.3.b Examine anti-virus configurations, including the master 5.3.c Interview responsible personnel and observe processes to 5.4 Ensure that security policies and 6. Develop and maintain secure systems and applications 6.1 Establish a process to identify security 6.1.a Examine policies and procedures to verify that 6.1.b Interview responsible personnel and observe 6.2 Ensure that all system components and

Ensure gpgcheck Enabled for All yum Package Repositories

To ensure signature checking is not disabled for any repos, remove any lines from files in /etc/yum.repos.d of the form:
gpgcheck=0

References: 11 2 3 9 5.10.4.1 APO01.06 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS06.02 3.4.8 CCI-001749 164.308(a)(1)(ii)(D) 164.312(b) 164.312(c)(1) 164.312(c)(2) 164.312(e)(2)(i) 4.3.4.3.2 4.3.4.3.3 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 SR 7.6 A.11.2.4 A.12.1.2 A.12.2.1 A.12.5.1 A.12.6.2 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 CM-5(3) CM-11(a) SI-7 MA-1(b) PR.DS-6 PR.DS-8 PR.IP-1 FAU_GEN.1.1.c Req-6.2 SRG-OS-000366-GPOS-00153 SRG-OS-000366-VMM-001430 SRG-OS-000370-VMM-001460 SRG-OS-000404-VMM-001650

Rationale: Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement.
Certificates used to verify the software must be from an approved Certificate Authority (CA).

Identifier: CCE-26876-3

Remediation (shell):
    sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/yum.repos.d/*

Remediation (Ansible):
    - name: Find All yum Repositories
      find:
        paths: "/etc/yum.repos.d/"
        patterns: "*.repo"
        contains: ^\[.+]$
      register: yum_find
      tags:
        - ensure_gpgcheck_never_disabled
        - high_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-26876-3
        - NIST-800-53-CM-5(3)
        - NIST-800-53-CM-11(a)
        - NIST-800-53-SI-7
        - NIST-800-53-MA-1(b)
        - NIST-800-171-3.4.8
        - PCI-DSS-Req-6.2
        - CJIS-5.10.4.1
    - name: Ensure gpgcheck Enabled For All yum Package Repositories
      with_items: "{{ yum_find.files }}"
      lineinfile:
        create: yes
        dest: "{{ item.path }}"
        regexp: '^gpgcheck'
        line: 'gpgcheck=1'
      tags:
        - ensure_gpgcheck_never_disabled
        - high_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-26876-3
        - NIST-800-53-CM-5(3)
        - NIST-800-53-CM-11(a)
        - NIST-800-53-SI-7
        - NIST-800-53-MA-1(b)
        - NIST-800-171-3.4.8
        - PCI-DSS-Req-6.2
        - CJIS-5.10.4.1

Both remediations rewrite existing gpgcheck lines only. A [repo] section that has no gpgcheck line inherits the value from the [main] section of /etc/yum.conf, and lineinfile appends its line at the end of the file, which affects only the last section; verify that /etc/yum.conf sets gpgcheck=1 and that every repository section either sets it explicitly or inherits an enabled value.

Ensure Software Patches Installed

If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates:
$ sudo yum update
If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using rpm.
NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates.

References: RHEL-07-020260 SV-86623r4_rule 1.8 18 20 4 5.10.4.1 APO12.01 APO12.02 APO12.03 APO12.04 BAI03.10 DSS05.01 DSS05.02 CCI-000366 4.2.3 4.2.3.12 4.2.3.7 4.2.3.9 A.12.6.1 A.14.2.3 A.16.1.3 A.18.2.2 A.18.2.3 SI-2 SI-2(c) MA-1(b) ID.RA-1 PR.IP-12 FMT_MOF_EXT.1 Req-6.2 SRG-OS-000480-GPOS-00227 SRG-OS-000480-VMM-002000

Rationale: Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities.
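The gpgcheck rule above is checked by grepping for gpgcheck=0, and its remediations only rewrite lines that already exist. The script below is an added example, not part of the SCAP Security Guide, that audits a .repo file section by section: a section without any gpgcheck line is reported with the [main] default it inherits (yum's built-in default when /etc/yum.conf does not set it is 0), and spellings such as "gpgcheck = 0" or "gpgcheck=false" are caught as well. The .repo content it builds is constructed for the demonstration and its baseurls do not exist.

```shell
#!/bin/sh
# Added example, not SCAP Security Guide content: audits yum repository files
# for signature checking per [section], including sections that inherit the
# [main] default because they carry no gpgcheck line of their own.

# Print "<repoid> <gpgcheck>" for every section of FILE.  Sections without a
# gpgcheck line get DEFAULT, the value in effect for [main].
repo_gpgcheck_values() {
    awk -v def="$2" '
        /^[ \t]*[#;]/ { next }                       # comment lines
        /^[ \t]*\[[^]]+\][ \t]*$/ {                  # [section] header
            if (id != "") print id, val
            id = $0
            sub(/^[ \t]*\[/, "", id)
            sub(/\][ \t]*$/, "", id)
            val = def
            next
        }
        /^[ \t]*gpgcheck[ \t]*=/ {                   # key inside a section
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)
            sub(/[ \t]+$/, "", v)
            val = tolower(v)
        }
        END { if (id != "") print id, val }
    ' "$1"
}

# The [main] gpgcheck value from a yum.conf, or 0 (yum's default) if unset.
yum_main_gpgcheck() {
    v=$(repo_gpgcheck_values "$1" 0 | awk '$1 == "main" { print $2 }')
    printf '%s\n' "${v:-0}"
}

# Repo ids in FILE whose effective gpgcheck is not enabled, given the [main]
# DEFAULT.  yum accepts 1/true/yes as enabled; anything else is off.
repos_without_gpgcheck() {
    repo_gpgcheck_values "$1" "$2" |
        awk '$2 != "1" && $2 != "true" && $2 != "yes" { print $1 }'
}

# Constructed sample .repo file (invented repo ids, non-existent baseurls).
make_repo_fixture() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample for the demonstration
[good]
name=Signed repository
baseurl=file:///srv/repo/good
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[bad]
name=Signature checking switched off, spaces around the equals sign
baseurl=file:///srv/repo/bad
gpgcheck = 0

[missing]
name=No gpgcheck line, so the [main] default applies
baseurl=file:///srv/repo/missing
EOF
    echo "$f"
}

# Usage on a real host:  sh repo-audit.sh
# (prints one repo id per line that needs gpgcheck=1; nothing means compliant)
if [ "${1:-}" = host ]; then
    def=$(yum_main_gpgcheck /etc/yum.conf)
    for f in /etc/yum.repos.d/*.repo; do
        [ -f "$f" ] && repos_without_gpgcheck "$f" "$def"
    done
fi
```

Running the functions against the fixture with a [main] default of 0 reports both bad and missing; with a default of 1 only bad is reported, which is exactly the case the grep for gpgcheck=0 would miss if /etc/yum.conf were later changed.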
If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.

Identifier: CCE-26895-3

Remediation shell script:

yum -y update

Remediation Ansible snippet:

- name: "Security patches are up to date"
  package:
    name: "*"
    state: "latest"
  tags:
    - skip_ansible_lint  # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - security_patches_up_to_date
    - high_severity
    - patch_strategy
    - low_complexity
    - high_disruption
    - CCE-26895-3
    - NIST-800-53-SI-2
    - NIST-800-53-SI-2(c)
    - NIST-800-53-MA-1(b)
    - PCI-DSS-Req-6.2
    - CJIS-5.10.4.1
    - DISA-STIG-RHEL-07-020260

Ensure Red Hat GPG Key Installed

To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. To install the Red Hat GPG key, run:

$ sudo subscription-manager register

If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in /media/cdrom, use the following command as the root user to import it into the keyring:

$ sudo rpm --import /media/cdrom/RPM-GPG-KEY

References: 1.2.3 11 2 3 9 5.10.4.1 APO01.06 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS06.02 3.4.8 CCI-001749 164.308(a)(1)(ii)(D) 164.312(b) 164.312(c)(1) 164.312(c)(2) 164.312(e)(2)(i) 4.3.4.3.2 4.3.4.3.3 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 SR 7.6 A.11.2.4 A.12.1.2 A.12.2.1 A.12.5.1 A.12.6.2 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 CM-5(3) CM-11(a) SI-7 MA-1(b) PR.DS-6 PR.DS-8 PR.IP-1 FAU_GEN.1.1.c Req-6.2 SRG-OS-000366-GPOS-00153 SRG-OS-000366-VMM-001430 SRG-OS-000370-VMM-001460 SRG-OS-000404-VMM-001650

Rationale: Changes to software components can have significant effects on the overall security of the operating system.
This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat.

Identifier: CCE-26957-1

Remediation shell script:

# The two fingerprints below are retrieved from https://access.redhat.com/security/team/key
readonly REDHAT_RELEASE_2_FINGERPRINT="567E347AD0044ADE55BA8A5F199E2F91FD431D51"
readonly REDHAT_AUXILIARY_FINGERPRINT="43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"
# Location of the key we would like to import (once it's integrity verified)
readonly REDHAT_RELEASE_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"

RPM_GPG_DIR_PERMS=$(stat -c %a "$(dirname "$REDHAT_RELEASE_KEY")")

# Verify /etc/pki/rpm-gpg directory permissions are safe
if [ "${RPM_GPG_DIR_PERMS}" -le "755" ]
then
  # If they are safe, try to obtain fingerprints from the key file
  # (to ensure there won't be e.g. CRC error).
  # Backup IFS value
  IFS_BKP=$IFS
  IFS=$'\n'
  GPG_OUT=($(gpg --with-fingerprint --with-colons "$REDHAT_RELEASE_KEY" | grep "^fpr" | cut -d ":" -f 10))
  GPG_RESULT=$?
  # Reset IFS back to default
  IFS=$IFS_BKP
  # No CRC error, safe to proceed
  if [ "${GPG_RESULT}" -eq "0" ]
  then
    # Print one fingerprint per line so that grep judges each fingerprint on its own;
    # joining them into a single line would let one known fingerprint mask an unknown one.
    printf '%s\n' "${GPG_OUT[@]}" | grep -vE "${REDHAT_RELEASE_2_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || {
      # If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it
      rpm --import "${REDHAT_RELEASE_KEY}"
    }
  fi
fi

Remediation Ansible snippet:

- name: "Read permission of GPG key directory"
  stat:
    path: /etc/pki/rpm-gpg/
  register: gpg_key_directory_permission
  check_mode: no
  tags:
    - ensure_redhat_gpgkey_installed
    - high_severity
    - restrict_strategy
    - medium_complexity
    - medium_disruption
    - CCE-26957-1
    - NIST-800-53-CM-5(3)
    - NIST-800-53-CM-11(a)
    - NIST-800-53-SI-7
    - NIST-800-53-MA-1(b)
    - NIST-800-171-3.4.8
    - PCI-DSS-Req-6.2
    - CJIS-5.10.4.1

# It should fail if it doesn't find any fingerprints in file - maybe file was not parsed well.
- name: Read signatures in GPG key
  # According to /usr/share/doc/gnupg2/DETAILS fingerprints are in "fpr" record in field 10
  shell: gpg --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" | grep "^fpr" | cut -d ":" -f 10
  changed_when: False
  register: gpg_fingerprints
  check_mode: no
  tags:
    - ensure_redhat_gpgkey_installed
    - high_severity
    - restrict_strategy
    - medium_complexity
    - medium_disruption
    - CCE-26957-1
    - NIST-800-53-CM-5(3)
    - NIST-800-53-CM-11(a)
    - NIST-800-53-SI-7
    - NIST-800-53-MA-1(b)
    - NIST-800-171-3.4.8
    - PCI-DSS-Req-6.2
    - CJIS-5.10.4.1

- name: Set Fact - Valid fingerprints
  set_fact:
    # A YAML list, so that the difference() filter below compares whole fingerprints
    gpg_valid_fingerprints:
      - "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
      - "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"
  tags:
    - ensure_redhat_gpgkey_installed
    - high_severity
    - restrict_strategy
    - medium_complexity
    - medium_disruption
    - CCE-26957-1
    - NIST-800-53-CM-5(3)
    - NIST-800-53-CM-11(a)
    - NIST-800-53-SI-7
    - NIST-800-53-MA-1(b)
    - NIST-800-171-3.4.8
    - PCI-DSS-Req-6.2
    - CJIS-5.10.4.1

- name: Import RedHat GPG key
  rpm_key:
    state: present
    key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
  when: (gpg_key_directory_permission.stat.mode <= '0755') and (( gpg_fingerprints.stdout_lines | difference(gpg_valid_fingerprints)) | length == 0) and (gpg_fingerprints.stdout_lines | length > 0) and (ansible_distribution == "RedHat") and True
  tags:
    - ensure_redhat_gpgkey_installed
    - high_severity
    - restrict_strategy
    - medium_complexity
    - medium_disruption
    - CCE-26957-1
    - NIST-800-53-CM-5(3)
    - NIST-800-53-CM-11(a)
    - NIST-800-53-SI-7
    - NIST-800-53-MA-1(b)
    - NIST-800-171-3.4.8
    - PCI-DSS-Req-6.2
    - CJIS-5.10.4.1

Ensure gpgcheck Enabled In Main yum Configuration

The gpgcheck option controls whether RPM packages' signatures are always checked prior to installation.
To configure yum to check package signatures before installing them, ensure the following line appears in /etc/yum.conf in the [main] section:

gpgcheck=1

References: RHEL-07-020050 SV-86601r2_rule 1.2.2 11 2 3 9 5.10.4.1 APO01.06 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS06.02 3.4.8 CCI-001749 164.308(a)(1)(ii)(D) 164.312(b) 164.312(c)(1) 164.312(c)(2) 164.312(e)(2)(i) 4.3.4.3.2 4.3.4.3.3 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 SR 7.6 A.11.2.4 A.12.1.2 A.12.2.1 A.12.5.1 A.12.6.2 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 CM-5(3) CM-11 SI-7 MA-1(b) PR.DS-6 PR.DS-8 PR.IP-1 FAU_GEN.1.1.c Req-6.2 SRG-OS-000366-GPOS-00153 SRG-OS-000366-VMM-001430 SRG-OS-000370-VMM-001460 SRG-OS-000404-VMM-001650

Rationale: Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).
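The two preceding rules (gpgcheck for every repository and gpgcheck in the [main] section) and the Red Hat GPG key rule above it all guard the same trust chain: signed packages, verified against an allow-listed key. The following audit functions are an added example, not SCAP Security Guide code; the yum.conf and .repo contents and the all-zero fingerprint are constructed samples, while the two accepted fingerprints are the Red Hat ones quoted on this page. The repository check goes one step beyond the rule text by treating a section with no gpgcheck line as inheriting the [main] value, which is how yum resolves it:

```shell
# Added example (not from SCAP Security Guide): audit the package trust chain.
# (1) Which repository sections would install unsigned packages, given the
#     [main] gpgcheck default from /etc/yum.conf.
# (2) Whether every fingerprint in a key file is on the allow-list before import.
# All sample contents below are constructed, not copied from a real host.

SAMPLE_YUM_CONF='[main]
cachedir=/var/cache/yum
gpgcheck=1
'
SAMPLE_REPO='[base]
name=Base
baseurl=http://mirror.example.invalid/base
gpgcheck = 0

[updates]
name=Updates
baseurl=http://mirror.example.invalid/updates
gpgcheck=1

[extras]
name=Extras (no gpgcheck line: inherits the [main] value)
baseurl=http://mirror.example.invalid/extras
'

# main_gpgcheck YUM_CONF_TEXT -> prints the gpgcheck value of [main], or "unset"
main_gpgcheck() {
  printf '%s\n' "$1" | awk '
    /^\[.*\]/ { inmain = ($0 == "[main]"); next }
    inmain && /^[ \t]*gpgcheck[ \t]*=/ {
      split($0, kv, "="); gsub(/[ \t]/, "", kv[2]); print kv[2]; found = 1; exit }
    END { if (!found) print "unset" }'
}

# gpgcheck_violations REPO_TEXT MAIN_DEFAULT -> prints each [section] whose effective
# gpgcheck is not 1; sections without their own gpgcheck line inherit MAIN_DEFAULT
gpgcheck_violations() {
  printf '%s\n' "$1" | awk -v dflt="$2" '
    function flush() { if (sec != "" && val != "1") print sec }
    /^\[.*\]/ { flush(); sec = $0; val = dflt; next }
    /^[ \t]*gpgcheck[ \t]*=/ { split($0, kv, "="); gsub(/[ \t]/, "", kv[2]); val = kv[2] }
    END { flush() }'
}

# Fingerprints accepted for import (the two Red Hat fingerprints quoted on this page)
ALLOWED_FPRS="567E347AD0044ADE55BA8A5F199E2F91FD431D51
43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"

# fingerprints_allowed FPR_LIST -> 0 only if the whitespace-separated list is non-empty
# and every entry is allowed. On a real host the list is the output of the
# gpg --with-fingerprint --with-colons | grep ^fpr | cut -d: -f10 pipeline used by the rule.
fingerprints_allowed() {
  [ -n "$1" ] || return 1
  for _f in $1; do
    echo "$ALLOWED_FPRS" | grep -qx "$_f" || return 1
  done
  return 0
}
```

Feed `gpgcheck_violations` the concatenation of every file under /etc/yum.repos.d and the value returned by `main_gpgcheck` for /etc/yum.conf; an empty result means every repository verifies signatures. The fingerprint check deliberately rejects an empty list, matching the `length > 0` condition of the Ansible remediation above, so a key file that gpg could not parse is never imported.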
Identifier: CCE-26989-4

Remediation shell script:

replace_or_append "/etc/yum.conf" '^gpgcheck' '1' 'CCE-26989-4'

Remediation Ansible snippet:

- name: Check existence of yum on Fedora
  stat:
    path: /etc/yum.conf
  register: yum_config_file
  check_mode: no
  when: ansible_distribution == "Fedora" and True
  tags:
    - ensure_gpgcheck_globally_activated
    - high_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-26989-4
    - NIST-800-53-CM-5(3)
    - NIST-800-53-CM-11
    - NIST-800-53-SI-7
    - NIST-800-53-MA-1(b)
    - NIST-800-171-3.4.8
    - PCI-DSS-Req-6.2
    - CJIS-5.10.4.1
    - DISA-STIG-RHEL-07-020050

# Old versions of Fedora use yum
- name: Ensure GPG check is globally activated (yum)
  ini_file:
    dest: /etc/yum.conf
    section: main
    option: gpgcheck
    value: 1
    create: False
  when: (ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or yum_config_file.stat.exists) and True
  tags:
    - ensure_gpgcheck_globally_activated
    - high_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-26989-4
    - NIST-800-53-CM-5(3)
    - NIST-800-53-CM-11
    - NIST-800-53-SI-7
    - NIST-800-53-MA-1(b)
    - NIST-800-171-3.4.8
    - PCI-DSS-Req-6.2
    - CJIS-5.10.4.1
    - DISA-STIG-RHEL-07-020050

- name: Ensure GPG check is globally activated (dnf)
  ini_file:
    dest: /etc/dnf/dnf.conf
    section: main
    option: gpgcheck
    value: 1
    create: False
  when: ansible_distribution == "Fedora" and True
  tags:
    - ensure_gpgcheck_globally_activated
    - high_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-26989-4
    - NIST-800-53-CM-5(3)
    - NIST-800-53-CM-11
    - NIST-800-53-SI-7
    - NIST-800-53-MA-1(b)
    - NIST-800-171-3.4.8
    - PCI-DSS-Req-6.2
    - CJIS-5.10.4.1
    - DISA-STIG-RHEL-07-020050

6.2.a Examine policies and procedures related to security-
6.2.b For a sample of system components and related
6.3 Develop internal and external software
6.3.1 Remove development, test and/or
6.3.2 Review custom code prior to release
6.3.2.a Examine written software-development procedures
6.3.2.b Select a sample of recent custom application
6.3.a Examine written software-development processes to
6.3.b Examine written software-development processes to
6.3.c Examine written software-development processes to
6.3.d Interview software developers to verify that written
6.4 Follow change control processes and
6.4.1 Separate development/test
6.4.1.a Examine network documentation and network
6.4.1.b Examine access controls settings to verify that
6.4.2 Separation of duties between
6.4.3 Production data (live PANs) are not
6.4.3.a Observe testing processes and interview
6.4.3.b Examine a sample of test data to verify production
6.4.4 Removal of test data and accounts
6.4.4.a Observe testing processes and interview
6.4.4.b Examine a sample of data and accounts from
6.4.5 Change control procedures for the
6.4.5.a Examine documented change control procedures
6.4.5.b For a sample of system components, interview
6.5 Address common coding vulnerabilities in
6.5.1 Injection flaws, particularly SQL
6.5.10 Broken authentication and session
6.5.2 Buffer overflows
6.5.3 Insecure cryptographic storage
6.5.4 Insecure communications
6.5.5 Improper error handling
6.5.6 Examine software-development policies and
6.5.7 Cross-site scripting (XSS)
6.5.8 Improper access control (such as
6.5.9 Cross-site request forgery (CSRF)
6.5.a Examine software-development policies and
6.5.b Interview a sample of developers to verify that they are
6.5.c Examine records of training to verify that software
6.6 For public-facing web applications,
6.7 Ensure that security policies and
7. Restrict access to cardholder data by business need to know
7.1 Limit access to system

Verify /boot/grub2/grub.cfg User Ownership

The file /boot/grub2/grub.cfg should be owned by the root user to prevent destruction or modification of the file.
To properly set the owner of /boot/grub2/grub.cfg, run the command:

$ sudo chown root /boot/grub2/grub.cfg

References: 1.4.1 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.4.5 CCI-000225 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6(7) PR.AC-4 PR.DS-5 Req-7.1

Rationale: Only root should be able to modify important boot parameters.

Identifier: CCE-26860-7

Remediation shell script:

chown 0 /boot/grub2/grub.cfg

Remediation Ansible snippet:

- name: Test for existence /boot/grub2/grub.cfg
  stat:
    path: /boot/grub2/grub.cfg
  register: file_exists
  tags:
    - file_owner_grub2_cfg
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-26860-7
    - NIST-800-53-AC-6(7)
    - NIST-800-171-3.4.5
    - PCI-DSS-Req-7.1
    - CJIS-5.5.2.2
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Ensure owner 0 on /boot/grub2/grub.cfg
  file:
    path: /boot/grub2/grub.cfg
    owner: 0
  when: file_exists.stat.exists and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - file_owner_grub2_cfg
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-26860-7
    - NIST-800-53-AC-6(7)
    - NIST-800-171-3.4.5
    - PCI-DSS-Req-7.1
    - CJIS-5.5.2.2

Verify /boot/efi/EFI/redhat/grub.cfg Group Ownership

The file /boot/efi/EFI/redhat/grub.cfg should be group-owned by the root group to prevent destruction or modification of the file.
To properly set the group owner of /boot/efi/EFI/redhat/grub.cfg, run the command:

$ sudo chgrp root /boot/efi/EFI/redhat/grub.cfg

References: 1.4.1 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.4.5 CCI-000225 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6(7) PR.AC-4 PR.DS-5 Req-7.1

Rationale: The root group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.

Remediation shell script:

chgrp 0 /boot/efi/EFI/redhat/grub.cfg

Remediation Ansible snippet:

- name: Test for existence /boot/efi/EFI/redhat/grub.cfg
  stat:
    path: /boot/efi/EFI/redhat/grub.cfg
  register: file_exists
  tags:
    - file_groupowner_efi_grub2_cfg
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-6(7)
    - NIST-800-171-3.4.5
    - PCI-DSS-Req-7.1
    - CJIS-5.5.2.2
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Ensure group owner 0 on /boot/efi/EFI/redhat/grub.cfg
  file:
    path: /boot/efi/EFI/redhat/grub.cfg
    group: 0
  when: file_exists.stat.exists and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - file_groupowner_efi_grub2_cfg
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-6(7)
    - NIST-800-171-3.4.5
    - PCI-DSS-Req-7.1
    - CJIS-5.5.2.2

Verify /boot/grub2/grub.cfg Group Ownership

The file /boot/grub2/grub.cfg should be group-owned by the root group to prevent destruction or modification of the file.
To properly set the group owner of /boot/grub2/grub.cfg, run the command:

$ sudo chgrp root /boot/grub2/grub.cfg

References: 1.4.1 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.4.5 CCI-000225 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6(7) PR.AC-4 PR.DS-5 Req-7.1

Rationale: The root group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.

Identifier: CCE-26812-8

Remediation shell script:

chgrp 0 /boot/grub2/grub.cfg

Remediation Ansible snippet:

- name: Test for existence /boot/grub2/grub.cfg
  stat:
    path: /boot/grub2/grub.cfg
  register: file_exists
  tags:
    - file_groupowner_grub2_cfg
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-26812-8
    - NIST-800-53-AC-6(7)
    - NIST-800-171-3.4.5
    - PCI-DSS-Req-7.1
    - CJIS-5.5.2.2
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Ensure group owner 0 on /boot/grub2/grub.cfg
  file:
    path: /boot/grub2/grub.cfg
    group: 0
  when: file_exists.stat.exists and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - file_groupowner_grub2_cfg
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-26812-8
    - NIST-800-53-AC-6(7)
    - NIST-800-171-3.4.5
    - PCI-DSS-Req-7.1
    - CJIS-5.5.2.2

Verify /boot/efi/EFI/redhat/grub.cfg User Ownership

The file /boot/efi/EFI/redhat/grub.cfg should be owned by the root user to prevent destruction or modification of the file.
To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command:

$ sudo chown root /boot/efi/EFI/redhat/grub.cfg

References: 1.4.1 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.4.5 CCI-000225 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6(7) PR.AC-4 PR.DS-5 Req-7.1

Rationale: Only root should be able to modify important boot parameters.

Remediation shell script:

chown 0 /boot/efi/EFI/redhat/grub.cfg

Remediation Ansible snippet:

- name: Test for existence /boot/efi/EFI/redhat/grub.cfg
  stat:
    path: /boot/efi/EFI/redhat/grub.cfg
  register: file_exists
  tags:
    - file_owner_efi_grub2_cfg
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-6(7)
    - NIST-800-171-3.4.5
    - PCI-DSS-Req-7.1
    - CJIS-5.5.2.2
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Ensure owner 0 on /boot/efi/EFI/redhat/grub.cfg
  file:
    path: /boot/efi/EFI/redhat/grub.cfg
    owner: 0
  when: file_exists.stat.exists and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - file_owner_efi_grub2_cfg
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-6(7)
    - NIST-800-171-3.4.5
    - PCI-DSS-Req-7.1
    - CJIS-5.5.2.2

7.1.1 Define access needs for
7.1.2 Restrict access to privileged
7.1.2.a Interview personnel responsible for assigning access to
7.1.2.b Select a sample of user IDs with privileged access and
7.1.3 Assign access based on
7.1.4 Require documented
7.2 Establish an access control
7.2.1 Coverage of all system
7.2.2 Assignment of privileges to
7.2.3
7.3 Ensure that security policies and
8. Identify and authenticate access to system components
8.1 Define and implement policies and
8.1.1 Assign all users a unique ID

Ensure All Accounts on the System Have Unique Names

Change usernames, or delete accounts, so each has a unique name.

References: 5.5.2 CCI-000770 CCI-000804 Req-8.1.1

Rationale: Unique usernames allow for accountability on the system.

Identifier: CCE-80208-2

8.1.2 Control addition, deletion, and
8.1.3 Immediately revoke access for
8.1.3.a Select a sample of users terminated in the past six
8.1.3.b Verify all physical authentication methods
8.1.4 Remove/disable inactive user

Set Account Expiration Following Inactivity

To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in /etc/default/useradd, substituting NUM_DAYS appropriately:

INACTIVE=

A value of 35 is recommended; however, this profile expects that the value is set to . If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the useradd man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.
References: RHEL-07-010310 SV-86565r2_rule 1 12 13 14 15 16 18 3 5 7 8 5.6.2.1.1 DSS01.03 DSS03.05 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.5.6 CCI-000795 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 6.2 A.12.4.1 A.12.4.3 A.18.1.4 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(2) AC-2(3) IA-4(e) DE.CM-1 DE.CM-3 PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7 Req-8.1.4 SRG-OS-000118-GPOS-00060

Rationale: Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.

Identifier: CCE-27355-7

Remediation shell script:

var_account_disable_post_pw_expiration=""
replace_or_append '/etc/default/useradd' '^INACTIVE' "$var_account_disable_post_pw_expiration" 'CCE-27355-7' '%s=%s'

Remediation Ansible snippet:

- name: XCCDF Value var_account_disable_post_pw_expiration # promote to variable
  set_fact:
    var_account_disable_post_pw_expiration: !!str
  tags:
    - always

- name: Set Account Expiration Following Inactivity
  lineinfile:
    create: yes
    dest: /etc/default/useradd
    regexp: ^INACTIVE
    line: "INACTIVE={{ var_account_disable_post_pw_expiration }}"
  tags:
    - account_disable_post_pw_expiration
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27355-7
    - NIST-800-53-AC-2(2)
    - NIST-800-53-AC-2(3)
    - NIST-800-53-IA-4(e)
    - NIST-800-171-3.5.6
    - PCI-DSS-Req-8.1.4
    - CJIS-5.6.2.1.1
    - DISA-STIG-RHEL-07-010310

8.1.5 Manage IDs used by vendors to
8.1.5.a Interview personnel and observe processes for
8.1.5.b Interview personnel and observe processes to verify
8.1.6 Limit repeated access attempts

Set Deny For Failed Password Attempts

To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

add the following line immediately before the pam_unix.so statement in the AUTH section:
auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=

add the following line immediately after the pam_unix.so statement in the AUTH section:
auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=

add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
account required pam_faillock.so

References: RHEL-07-010320 SV-86567r4_rule 5.3.2 1 12 15 16 5.5.3 DSS05.04 DSS05.10 DSS06.10 3.1.8 CCI-002238 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-7(a) PR.AC-7 FMT_MOF_EXT.1 Req-8.1.6 SRG-OS-000329-GPOS-00128 SRG-OS-000021-GPOS-00005 SRG-OS-000021-VMM-000050

Rationale: Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.
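The three-line layout described above (preauth before pam_unix.so, authfail after it, and the account-phase line) is easy to get half right, and the deny, unlock_time and fail_interval values are what the rules in this section and the lockout-time rule that follows actually audit. The functions below are an added example, not SCAP Security Guide code, that check a PAM stack for that layout and read the option values back; both sample stacks are constructed, and the check assumes each module's control field is a single token such as required or [default=die]:

```shell
# Added example (not from SCAP Security Guide): audit a PAM auth stack for the
# pam_faillock.so lines the rule requires, in the required order, and read back
# the deny/unlock_time/fail_interval values. Both samples are constructed.
SAMPLE_PAM_OK='auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=900 fail_interval=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=900 fail_interval=900
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
'
# Missing the authfail line and the account line: a typical half-applied remediation
SAMPLE_PAM_PARTIAL='auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=900 fail_interval=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
'

# faillock_configured PAM_TEXT -> 0 if, in the auth section, a preauth line precedes
# pam_unix.so and an authfail line follows it, and the account section carries
# pam_faillock.so before pam_unix.so. Assumes single-token control fields.
faillock_configured() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*#/ || NF < 3 { next }
    $1 == "auth" && $3 == "pam_faillock.so" && /preauth/ && !auth_unix { pre = 1 }
    $1 == "auth" && $3 == "pam_unix.so" { auth_unix = 1 }
    $1 == "auth" && $3 == "pam_faillock.so" && /authfail/ && auth_unix { post = 1 }
    $1 == "account" && $3 == "pam_faillock.so" && !acct_unix { acct = 1 }
    $1 == "account" && $3 == "pam_unix.so" { acct_unix = 1 }
    END { exit !(pre && post && acct) }'
}

# faillock_option PAM_TEXT NAME -> prints NAME's value from the preauth line, or nothing
faillock_option() {
  printf '%s\n' "$1" | awk -v opt="$2" '
    $1 == "auth" && $3 == "pam_faillock.so" && /preauth/ {
      for (i = 4; i <= NF; i++)
        if (index($i, opt "=") == 1) { print substr($i, length(opt) + 2); exit }
    }'
}
```

Run both functions against the contents of /etc/pam.d/system-auth and /etc/pam.d/password-auth separately, since the rule requires the lines in both files; a stack that passes `faillock_configured` but returns an unexpected `deny` or `unlock_time` is the case the two rules' set_faillock_option remediation exists to correct.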
Identifier: CCE-27350-8

Remediation shell script:

var_accounts_passwords_pam_faillock_deny=""
include_set_faillock_option
AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"
for pam_file in "${AUTH_FILES[@]}"
do
  set_faillock_option "$pam_file" "deny" "$var_accounts_passwords_pam_faillock_deny"
done

Remediation Ansible snippet:

- name: XCCDF Value var_accounts_passwords_pam_faillock_deny # promote to variable
  set_fact:
    var_accounts_passwords_pam_faillock_deny: !!str
  tags:
    - always

- name: Add auth pam_faillock preauth deny before pam_unix.so
  pamd:
    name: "{{ item }}"
    type: auth
    control: sufficient
    module_path: pam_unix.so
    new_type: auth
    new_control: required
    new_module_path: pam_faillock.so
    module_arguments: 'preauth silent deny={{ var_accounts_passwords_pam_faillock_deny }}'
    state: before
  loop:
    - system-auth
    - password-auth
  tags:
    - accounts_passwords_pam_faillock_deny
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27350-8
    - NIST-800-53-AC-7(a)
    - NIST-800-171-3.1.8
    - PCI-DSS-Req-8.1.6
    - CJIS-5.5.3
    - DISA-STIG-RHEL-07-010320

- name: Add deny argument to auth pam_faillock preauth
  pamd:
    name: "{{ item }}"
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: 'preauth silent deny={{ var_accounts_passwords_pam_faillock_deny }}'
    state: args_present
  loop:
    - system-auth
    - password-auth
  tags:
    - accounts_passwords_pam_faillock_deny
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27350-8
    - NIST-800-53-AC-7(a)
    - NIST-800-171-3.1.8
    - PCI-DSS-Req-8.1.6
    - CJIS-5.5.3
    - DISA-STIG-RHEL-07-010320

- name: Add auth pam_faillock authfail deny after pam_unix.so
  pamd:
    name: "{{ item }}"
    type: auth
    control: sufficient
    module_path: pam_unix.so
    new_type: auth
    new_control: '[default=die]'
    new_module_path: pam_faillock.so
    module_arguments: 'authfail deny={{ var_accounts_passwords_pam_faillock_deny }}'
    state: after
  loop:
    - system-auth
    - password-auth
  tags:
    - accounts_passwords_pam_faillock_deny
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27350-8
    - NIST-800-53-AC-7(a)
    - NIST-800-171-3.1.8
    - PCI-DSS-Req-8.1.6
    - CJIS-5.5.3
    - DISA-STIG-RHEL-07-010320

- name: Add deny argument to auth pam_faillock authfail
  pamd:
    name: "{{ item }}"
    type: auth
    new_type: auth
    control: '[default=die]'
    module_path: pam_faillock.so
    module_arguments: 'authfail deny={{ var_accounts_passwords_pam_faillock_deny }}'
    state: args_present
  loop:
    - system-auth
    - password-auth
  tags:
    - accounts_passwords_pam_faillock_deny
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27350-8
    - NIST-800-53-AC-7(a)
    - NIST-800-171-3.1.8
    - PCI-DSS-Req-8.1.6
    - CJIS-5.5.3
    - DISA-STIG-RHEL-07-010320

- name: Add account pam_faillock before pam_unix.so
  pamd:
    name: "{{ item }}"
    type: account
    control: required
    module_path: pam_unix.so
    new_type: account
    new_control: required
    new_module_path: pam_faillock.so
    state: before
  loop:
    - system-auth
    - password-auth
  tags:
    - accounts_passwords_pam_faillock_deny
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27350-8
    - NIST-800-53-AC-7(a)
    - NIST-800-171-3.1.8
    - PCI-DSS-Req-8.1.6
    - CJIS-5.5.3
    - DISA-STIG-RHEL-07-010320

8.1.6.a For a sample of system components, inspect system
8.1.6.b
8.1.7 Set the lockout duration to a

Set Lockout Time for Failed Password Attempts

To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

add the following line immediately before the pam_unix.so statement in the AUTH section:
auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=

add the following line immediately after the pam_unix.so statement in the AUTH section:
auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=

add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
account required pam_faillock.so

References: RHEL-07-010320 SV-86567r4_rule 5.3.2 1 12 15 16 5.5.3 DSS05.04 DSS05.10 DSS06.10 3.1.8 CCI-002238 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-7(b) PR.AC-7 FMT_MOF_EXT.1 Req-8.1.7 SRG-OS-000329-GPOS-00128 SRG-OS-000021-GPOS-00005 SRG-OS-000329-VMM-001180

Rationale: Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations.

Identifier: CCE-26884-7

Remediation shell script:

var_accounts_passwords_pam_faillock_unlock_time=""
include_set_faillock_option
AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"
for pam_file in "${AUTH_FILES[@]}"
do
  set_faillock_option "$pam_file" "unlock_time" "$var_accounts_passwords_pam_faillock_unlock_time"
done

Remediation Ansible snippet:

- name: XCCDF Value var_accounts_passwords_pam_faillock_unlock_time # promote to variable
  set_fact:
    var_accounts_passwords_pam_faillock_unlock_time: !!str
  tags:
    - always

- name: Add auth pam_faillock preauth unlock_time before pam_unix.so
  pamd:
    name: "{{ item }}"
    type: auth
    control: sufficient
    module_path: pam_unix.so
    new_type: auth
    new_control: required
    new_module_path: pam_faillock.so
    module_arguments: 'preauth silent unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }}'
    state: before
  loop:
    - system-auth
    - password-auth
  tags:
    - accounts_passwords_pam_faillock_unlock_time
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-26884-7
    - NIST-800-53-AC-7(b)
    - NIST-800-171-3.1.8
    - PCI-DSS-Req-8.1.7
    - CJIS-5.5.3
    - DISA-STIG-RHEL-07-010320

- name: Add unlock_time argument to pam_faillock preauth
  pamd:
    name: "{{ item }}"
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: 'preauth silent unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }}'
    state: args_present
  loop:
    - system-auth
    - password-auth
  tags:
    - accounts_passwords_pam_faillock_unlock_time
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-26884-7
    - NIST-800-53-AC-7(b)
    - NIST-800-171-3.1.8
    - PCI-DSS-Req-8.1.7
    - CJIS-5.5.3
    - DISA-STIG-RHEL-07-010320

- name: Add auth pam_faillock authfail unlock_interval after pam_unix.so
  pamd:
    name: "{{ item }}"
    type: auth
    control: sufficient
    module_path: pam_unix.so
    new_type: auth
    new_control: '[default=die]'
    new_module_path: pam_faillock.so
    module_arguments: 'authfail unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }}'
    state: after
  loop:
    - system-auth
    - password-auth
  tags:
    - accounts_passwords_pam_faillock_unlock_time
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-26884-7
    - NIST-800-53-AC-7(b)
    - NIST-800-171-3.1.8
    - PCI-DSS-Req-8.1.7
    - CJIS-5.5.3
    - DISA-STIG-RHEL-07-010320

- name: Add unlock_time argument to auth pam_faillock authfail
  pamd:
    name: "{{ item }}"
    type: auth
    control: '[default=die]'
    module_path: pam_faillock.so
    module_arguments: 'authfail unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }}'
    state: args_present
  loop:
    - system-auth
    - password-auth
  tags:
    - accounts_passwords_pam_faillock_unlock_time
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-26884-7
    - NIST-800-53-AC-7(b)
    - NIST-800-171-3.1.8
    - PCI-DSS-Req-8.1.7
    - CJIS-5.5.3
    - DISA-STIG-RHEL-07-010320

- name: Add account pam_faillock before pam_unix.so
  pamd:
    name: "{{ item }}"
    type: account
    control: required
    module_path: pam_unix.so
    new_type: account
    new_control: required
    new_module_path: pam_faillock.so
    state: before
  loop:
    - system-auth
    - password-auth
  tags:
    - accounts_passwords_pam_faillock_unlock_time
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-26884-7
    - NIST-800-53-AC-7(b)
    - NIST-800-171-3.1.8
    - PCI-DSS-Req-8.1.7
    - CJIS-5.5.3
    - DISA-STIG-RHEL-07-010320

8.1.8 If a session has been idle for

Set SSH Idle Timeout Interval

SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out. To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as follows:

ClientAliveInterval

The timeout interval is given in seconds. To have a timeout of 15 minutes, set interval to 900. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.

References: RHEL-07-040320 SV-86861r4_rule 5.2.12 1 12 13 14 15 16 18 3 5 7 8 5.5.6 APO13.01 BAI03.01 BAI03.02 BAI03.03 DSS01.03 DSS03.05 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.1.11 CCI-001133 CCI-002361 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 6.2 A.12.4.1 A.12.4.3 A.14.1.1 A.14.2.1 A.14.2.5 A.18.1.4 A.6.1.2 A.6.1.5 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(5) SA-8(i) AC-12 AC-17(b) DE.CM-1 DE.CM-3 PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7 PR.IP-2 Req-8.1.8 SRG-OS-000163-GPOS-00072 SRG-OS-000279-GPOS-00109 SRG-OS-000480-VMM-002000

Rationale: Terminating an idle ssh session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.
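Auditing this setting means reading the value sshd will actually apply, not just grepping for the keyword: sshd honours the first occurrence of a keyword, matches keywords case-insensitively, ignores commented lines, and treats an absent ClientAliveInterval as 0, which disables the mechanism entirely. The functions below are an added example, not SCAP Security Guide code, built on those sshd_config semantics; both sample configurations are constructed:

```shell
# Added example (not from SCAP Security Guide): determine the ClientAliveInterval that
# sshd will apply and judge it against a maximum idle time in seconds.
# sshd_config semantics relied on: first occurrence of a keyword wins, keywords are
# case-insensitive, '#' starts a comment, missing ClientAliveInterval means 0 (disabled).
SAMPLE_SSHD_CONFIG='# constructed sample, not a real host configuration
Port 22
clientaliveinterval 900
# a later duplicate is ignored by sshd, so the effective value stays 900
ClientAliveInterval 3600
'
SAMPLE_SSHD_CONFIG_UNSET='# constructed sample: the keyword is only present commented out
Port 22
#ClientAliveInterval 600
'

# effective_client_alive_interval CONFIG_TEXT -> prints the value sshd would use
effective_client_alive_interval() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*#/ { next }
    tolower($1) == "clientaliveinterval" { print $2; found = 1; exit }
    END { if (!found) print 0 }'
}

# idle_timeout_ok CONFIG_TEXT MAX_SECONDS -> 0 when 0 < effective interval <= MAX_SECONDS
idle_timeout_ok() {
  _v=$(effective_client_alive_interval "$1")
  if [ "$_v" -gt 0 ] && [ "$_v" -le "$2" ]; then
    return 0
  fi
  return 1
}

# Stand-alone demonstration: prints 900 for the first sample
effective_client_alive_interval "$SAMPLE_SSHD_CONFIG"
```

To audit a host, pass `"$(cat /etc/ssh/sshd_config)"` as the first argument and the profile's limit (900 for the 15-minute example in the rule) as the second; the zero case is the one a naive grep misses, because a config with no ClientAliveInterval line at all has no idle timeout rather than a default one.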
CCE-27433-2 sshd_idle_timeout_value="" replace_or_append '/etc/ssh/sshd_config' '^ClientAliveInterval' $sshd_idle_timeout_value 'CCE-27433-2' '%s %s' - name: XCCDF Value sshd_idle_timeout_value # promote to variable set_fact: sshd_idle_timeout_value: !!str tags: - always - name: Set SSH Idle Timeout Interval lineinfile: create: yes dest: /etc/ssh/sshd_config regexp: ^ClientAliveInterval line: "ClientAliveInterval {{ sshd_idle_timeout_value }}" validate: /usr/sbin/sshd -t -f %s #notify: restart sshd tags: - sshd_set_idle_timeout - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27433-2 - NIST-800-53-AC-2(5) - NIST-800-53-SA-8(i) - NIST-800-53-AC-12 - NIST-800-53-AC-17(b) - NIST-800-171-3.1.11 - PCI-DSS-Req-8.1.8 - CJIS-5.5.6 - DISA-STIG-RHEL-07-040320 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Implement Blank Screensaver Run the following command to set the screensaver mode in the GNOME desktop to a blank screen: $ sudo gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type string \ --set /apps/gnome-screensaver/mode blank-only 1 12 15 16 DSS05.04 DSS05.10 DSS06.10 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-11(b) PR.AC-7 Req-8.1.8 Setting the screensaver mode to blank-only conceals the contents of the display from passersby. 
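The remediation above only rewrites a line beginning with ClientAliveInterval; sshd itself honours the first occurrence of a keyword (later duplicates are ignored, keyword matching is case-insensitive, and a value inside a Match block does not set the global default). The following added audit script, which is not part of the SCAP Security Guide, checks the effective global value of a sshd_config file against a ceiling such as the 900 seconds the rule text recommends; the sample configuration files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not SSG code): audit sshd_config for the ClientAliveInterval rule.
# effective_client_alive FILE           -> prints the first global value, or "unset"
# check_client_alive FILE MAX_SECONDS   -> exit 0 if 1 <= value <= MAX_SECONDS

effective_client_alive() {
    # sshd takes the FIRST matching keyword, case-insensitively, and a directive
    # inside a Match block applies only to that block, so stop at the first Match.
    awk '
        tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == "clientaliveinterval" && !found {
            found = 1; value = $2
        }
        END { print (found ? value : "unset") }
    ' "$1"
}

check_client_alive() {
    file=$1
    max=$2
    value=$(effective_client_alive "$file")
    case $value in
        ''|unset)
            echo "FAIL: $file: no global ClientAliveInterval (sshd default is 0 = never)"
            return 1 ;;
        *[!0-9]*)
            echo "FAIL: $file: non-numeric ClientAliveInterval '$value'"
            return 1 ;;
    esac
    if [ "$value" -ge 1 ] && [ "$value" -le "$max" ]; then
        echo "PASS: $file: ClientAliveInterval $value (<= $max)"
        return 0
    fi
    echo "FAIL: $file: ClientAliveInterval $value is 0 or exceeds $max"
    return 1
}

# Constructed sample files so the script runs offline (not real system configs).
SSHD_SAMPLES=$(mktemp -d)
cat > "$SSHD_SAMPLES/good" <<'EOF'
# hardened: 15 minutes, as the rule text recommends
Protocol 2
ClientAliveInterval 900
ClientAliveCountMax 0
EOF
cat > "$SSHD_SAMPLES/duplicate" <<'EOF'
# the first value wins, so appending 900 at the end does not fix this file
clientaliveinterval 0
ClientAliveInterval 900
EOF
cat > "$SSHD_SAMPLES/match_only" <<'EOF'
# a Match block does not set the global value
Match User admin
    ClientAliveInterval 900
EOF

for f in good duplicate match_only; do
    check_client_alive "$SSHD_SAMPLES/$f" 900 || :
done
```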
Enable Screen Lock Activation After Idle Period

Run the following command to activate locking of the screensaver in the GNOME desktop when it is activated:

    $ sudo gconftool-2 --direct \
        --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
        --type bool \
        --set /apps/gnome-screensaver/lock_enabled true

References: 1 12 15 16 DSS05.04 DSS05.10 DSS06.10 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-11(a) PR.AC-7 Req-8.1.8

Rationale: Enabling the activation of the screen lock after an idle period ensures password entry will be required in order to access the system, preventing access by passersby.

Set GNOME3 Screensaver Lock Delay After Activation Period

To activate the locking delay of the screensaver in the GNOME3 desktop when the screensaver is activated, add or set lock-delay to uint32 in /etc/dconf/db/local.d/00-security-settings. For example:

    [org/gnome/desktop/screensaver]
    lock-delay=uint32

Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/desktop/screensaver/lock-delay

After the settings have been set, run dconf update.

References: RHEL-07-010110 SV-86525r3_rule 1 12 15 16 DSS05.04 DSS05.10 DSS06.10 3.1.10 CCI-000056 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-11(a) PR.AC-7 FMT_MOF_EXT.1 Req-8.1.8 OS-SRG-000029-GPOS-00010

Rationale: A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absence.

Identifiers: CCE-80370-0

Remediation shell script:

    var_screensaver_lock_delay=""
    include_dconf_settings
    dconf_settings 'org/gnome/desktop/screensaver' 'lock-delay' "uint32 ${var_screensaver_lock_delay}" 'local.d' '00-security-settings'
    dconf_lock 'org/gnome/desktop/screensaver' 'lock-delay' 'local.d' '00-security-settings-lock'

Remediation Ansible snippet:

    - name: "Set GNOME3 Screensaver Lock Delay After Activation Period"
      ini_file:
        dest: "/etc/dconf/db/local.d/00-security-settings"
        section: "org/gnome/desktop/screensaver"
        option: lock-delay
        value: uint32 5
        create: yes
      tags:
        - dconf_gnome_screensaver_lock_delay
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80370-0
        - NIST-800-53-AC-11(a)
        - NIST-800-171-3.1.10
        - PCI-DSS-Req-8.1.8
        - DISA-STIG-RHEL-07-010110
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Prevent user modification of GNOME lock-delay"
      lineinfile:
        path: /etc/dconf/db/local.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/desktop/screensaver/lock-delay'
        line: '/org/gnome/desktop/screensaver/lock-delay'
        create: yes
      tags:
        - dconf_gnome_screensaver_lock_delay
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80370-0
        - NIST-800-53-AC-11(a)
        - NIST-800-171-3.1.10
        - PCI-DSS-Req-8.1.8
        - DISA-STIG-RHEL-07-010110
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

GNOME Desktop Screensaver Mandatory Use

Run the following command to activate the screensaver in the GNOME desktop after a period of inactivity:

    $ sudo gconftool-2 --direct \
        --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
        --type bool \
        --set /apps/gnome-screensaver/idle_activation_enabled true

References: 1 12 15 16 DSS05.04 DSS05.10 DSS06.10 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-11(a) PR.AC-7 Req-8.1.8

Rationale: Enabling idle activation of the screensaver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require that the login session not have administrator rights and that the display station be located in a controlled-access area.

Enable GNOME3 Screensaver Idle Activation

To activate the screensaver in the GNOME3 desktop after a period of inactivity, add or set idle-activation-enabled to true in /etc/dconf/db/local.d/00-security-settings. For example:

    [org/gnome/desktop/screensaver]
    idle-activation-enabled=true

Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/desktop/screensaver/idle-activation-enabled

After the settings have been set, run dconf update.

References: RHEL-07-010100 SV-86523r4_rule 1 12 15 16 5.5.5 DSS05.04 DSS05.10 DSS06.10 3.1.10 CCI-000057 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-11(a) PR.AC-7 FMT_MOF_EXT.1 Req-8.1.8 SRG-OS-000029-GPOS-00010

Rationale: A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. Enabling idle activation of the screensaver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require that the login session not have administrator rights and that the display station be located in a controlled-access area.

Identifiers: CCE-80111-8

Remediation shell script:

    include_dconf_settings
    dconf_settings 'org/gnome/desktop/screensaver' 'idle-activation-enabled' 'true' 'local.d' '00-security-settings'
    dconf_lock 'org/gnome/desktop/screensaver' 'idle-activation-enabled' 'local.d' '00-security-settings-lock'

Remediation Ansible snippet:

    - name: "Enable GNOME3 Screensaver Idle Activation"
      ini_file:
        dest: "/etc/dconf/db/local.d/00-security-settings"
        section: "org/gnome/desktop/screensaver"
        # the dconf key is spelled with hyphens; an underscored name would be written but never read
        option: idle-activation-enabled
        value: "true"
        create: yes
      tags:
        - dconf_gnome_screensaver_idle_activation_enabled
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80111-8
        - NIST-800-53-AC-11(a)
        - NIST-800-171-3.1.10
        - PCI-DSS-Req-8.1.8
        - CJIS-5.5.5
        - DISA-STIG-RHEL-07-010100
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Prevent user modification of GNOME idle-activation-enabled"
      lineinfile:
        path: /etc/dconf/db/local.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/desktop/screensaver/idle-activation-enabled'
        line: '/org/gnome/desktop/screensaver/idle-activation-enabled'
        create: yes
      tags:
        - dconf_gnome_screensaver_idle_activation_enabled
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80111-8
        - NIST-800-53-AC-11(a)
        - NIST-800-171-3.1.10
        - PCI-DSS-Req-8.1.8
        - CJIS-5.5.5
        - DISA-STIG-RHEL-07-010100
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Set GNOME3 Screensaver Inactivity Timeout

The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay setting, which must be set in an appropriate configuration file in the /etc/dconf/db/local.d directory and locked in the /etc/dconf/db/local.d/locks directory to prevent user modification. For example, to configure the system for a 15 minute delay, add the following to /etc/dconf/db/local.d/00-security-settings:

    [org/gnome/desktop/session]
    idle-delay=uint32 900

Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/desktop/session/idle-delay

After the settings have been set, run dconf update.

References: RHEL-07-010070 SV-86517r5_rule 1 12 15 16 5.5.5 DSS05.04 DSS05.10 DSS06.10 3.1.10 CCI-000057 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-11(a) PR.AC-7 FMT_MOF_EXT.1 Req-8.1.8 SRG-OS-000029-GPOS-00010

Rationale: A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME3 can be configured to identify when a user's session has idled and take action to initiate a session lock.
Identifiers: CCE-80110-0

Remediation shell script:

    inactivity_timeout_value=""
    include_dconf_settings
    dconf_settings 'org/gnome/desktop/session' 'idle-delay' "uint32 ${inactivity_timeout_value}" 'local.d' '00-security-settings'
    dconf_lock 'org/gnome/desktop/session' 'idle-delay' 'local.d' '00-security-settings-lock'

Remediation Ansible snippet:

    - name: XCCDF Value inactivity_timeout_value # promote to variable
      set_fact:
        inactivity_timeout_value: !!str
      tags:
        - always

    - name: "Set GNOME3 Screensaver Inactivity Timeout"
      ini_file:
        dest: "/etc/dconf/db/local.d/00-security-settings"
        # idle-delay lives under org/gnome/desktop/session (see the keyfile example and the shell
        # remediation); the schema type is uint32, so the value needs the type prefix
        section: "org/gnome/desktop/session"
        option: idle-delay
        value: "uint32 {{ inactivity_timeout_value }}"
        create: yes
      tags:
        - dconf_gnome_screensaver_idle_delay
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80110-0
        - NIST-800-53-AC-11(a)
        - NIST-800-171-3.1.10
        - PCI-DSS-Req-8.1.8
        - CJIS-5.5.5
        - DISA-STIG-RHEL-07-010070
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Prevent user modification of GNOME idle-delay"
      lineinfile:
        path: /etc/dconf/db/local.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/desktop/session/idle-delay'
        line: '/org/gnome/desktop/session/idle-delay'
        create: yes
      tags:
        - dconf_gnome_screensaver_idle_delay
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80110-0
        - NIST-800-53-AC-11(a)
        - NIST-800-171-3.1.10
        - PCI-DSS-Req-8.1.8
        - CJIS-5.5.5
        - DISA-STIG-RHEL-07-010070
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period

If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding /org/gnome/desktop/screensaver/lock-enabled to /etc/dconf/db/local.d/00-security-settings. For example:

    /org/gnome/desktop/screensaver/lock-enabled

After the settings have been set, run dconf update.

References: RHEL-07-010062 1 12 15 16 5.5.5 DSS05.04 DSS05.10 DSS06.10 3.1.10 CCI-000056 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-11(b) PR.AC-7 FMT_MOF_EXT.1 Req-8.1.8 SRG-OS-000029-GPOS-00010

Rationale: A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absence.

Identifiers: CCE-80563-0

Remediation shell script:

    include_dconf_settings
    dconf_lock 'org/gnome/desktop/screensaver' 'lock-enabled' 'local.d' '00-security-settings-lock'

Implement Blank Screensaver

To set the screensaver mode in the GNOME3 desktop to a blank screen, add or set picture-uri to string '' in /etc/dconf/db/local.d/00-security-settings. For example:

    [org/gnome/desktop/screensaver]
    picture-uri=''

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/desktop/screensaver/picture-uri

After the settings have been set, run dconf update.

References: 1 12 15 16 5.5.5 DSS05.04 DSS05.10 DSS06.10 3.1.10 CCI-000060 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-11(b) PR.AC-7 FMT_MOF_EXT.1 Req-8.1.8

Rationale: Setting the screensaver mode to blank-only conceals the contents of the display from passersby.

Identifiers: CCE-80113-4

Remediation shell script:

    include_dconf_settings
    dconf_settings 'org/gnome/desktop/screensaver' 'picture-uri' "string ''" 'local.d' '00-security-settings'
    dconf_lock 'org/gnome/desktop/screensaver' 'picture-uri' 'local.d' '00-security-settings-lock'

Remediation Ansible snippet:

    - name: "Implement Blank Screensaver"
      ini_file:
        dest: "/etc/dconf/db/local.d/00-security-settings"
        section: "org/gnome/desktop/screensaver"
        option: picture-uri
        value: string ''
        create: yes
      tags:
        - dconf_gnome_screensaver_mode_blank
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80113-4
        - NIST-800-53-AC-11(b)
        - NIST-800-171-3.1.10
        - PCI-DSS-Req-8.1.8
        - CJIS-5.5.5
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Prevent user modification of GNOME picture-uri"
      lineinfile:
        path: /etc/dconf/db/local.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/desktop/screensaver/picture-uri'
        line: '/org/gnome/desktop/screensaver/picture-uri'
        create: yes
      tags:
        - dconf_gnome_screensaver_mode_blank
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80113-4
        - NIST-800-53-AC-11(b)
        - NIST-800-171-3.1.10
        - PCI-DSS-Req-8.1.8
        - CJIS-5.5.5
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Set GNOME Login Inactivity Timeout

Run the following command to set the idle time-out value for inactivity in the GNOME desktop to minutes:

    $ sudo gconftool-2 \
        --direct \
        --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
        --type int \
        --set /desktop/gnome/session/idle_delay

References: 1 12 15 16 DSS05.04 DSS05.10 DSS06.10 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-11(a) PR.AC-7 Req-8.1.8

Rationale: Setting the idle delay controls when the screensaver will start, and can be combined with screen locking to prevent access from passersby.

Enable GNOME3 Screensaver Lock After Idle Period

To activate locking of the screensaver in the GNOME3 desktop when it is activated, add or set lock-enabled to true in /etc/dconf/db/local.d/00-security-settings. For example:

    [org/gnome/desktop/screensaver]
    lock-enabled=true

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/desktop/screensaver/lock-enabled

After the settings have been set, run dconf update.

References: RHEL-07-010060 SV-86515r5_rule 1 12 15 16 5.5.5 DSS05.04 DSS05.10 DSS06.10 3.1.10 CCI-000056 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-11(b) PR.AC-7 FMT_MOF_EXT.1 Req-8.1.8 SRG-OS-000028-GPOS-00009 OS-SRG-000030-GPOS-00011

Rationale: A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absence.
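Every dconf rule in this section (lock-delay, idle-activation-enabled, idle-delay, picture-uri, lock-enabled) follows one pattern: a key in a keyfile under /etc/dconf/db/local.d plus the same path in a file under locks/. A keyfile value without the lock is only a default that the user can override with gsettings, so an audit has to check both halves. The added script below, which is not SSG code and is not the dconf_settings/dconf_lock helpers the remediations call, verifies a key's value and lock in a database directory; the sample directory it inspects is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not SSG code): audit a dconf system-database directory such as
# /etc/dconf/db/local.d for one key and its lock.
#   check_dconf_key DB_DIR SECTION KEY EXPECTED_VALUE
# e.g. check_dconf_key /etc/dconf/db/local.d org/gnome/desktop/screensaver lock-enabled true

dconf_key_value() {
    # Print KEY's value from the [SECTION] group across all keyfiles in DB_DIR.
    # The files are read in lexical order and a later definition overrides an
    # earlier one, mirroring how dconf update compiles them.
    db_dir=$1; section=$2; key=$3
    cat "$db_dir"/* 2>/dev/null | awk -v section="[$section]" -v key="$key" '
        /^[ \t]*[#;]/ { next }                         # comment line
        /^\[/ { in_section = ($0 == section); next }   # group header
        in_section {
            split($0, kv, "=")
            gsub(/^[ \t]+|[ \t]+$/, "", kv[1])
            if (kv[1] == key) {
                sub(/^[^=]*=[ \t]*/, "")
                value = $0
                found = 1
            }
        }
        END { if (found) print value }
    '
}

dconf_key_locked() {
    # Succeed if some file in DB_DIR/locks lists the path /SECTION/KEY as a whole line.
    grep -qsxF "/$2/$3" "$1"/locks/* 2>/dev/null
}

check_dconf_key() {
    db_dir=$1; section=$2; key=$3; expected=$4
    value=$(dconf_key_value "$db_dir" "$section" "$key")
    status=0
    if [ "$value" != "$expected" ]; then
        echo "FAIL: /$section/$key is '${value:-<unset>}', expected '$expected'"
        status=1
    fi
    if ! dconf_key_locked "$db_dir" "$section" "$key"; then
        echo "FAIL: /$section/$key is not locked (users can override it)"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "PASS: /$section/$key = $expected and locked"
    fi
    return $status
}

# Constructed sample database directory (layout as in the rules above, not a real system).
DB=$(mktemp -d)
mkdir "$DB/locks"
cat > "$DB/00-security-settings" <<'EOF'
[org/gnome/desktop/screensaver]
lock-enabled=true
lock-delay=uint32 5
idle-activation-enabled=true

[org/gnome/desktop/session]
idle-delay=uint32 900
EOF
cat > "$DB/locks/00-security-settings-lock" <<'EOF'
/org/gnome/desktop/screensaver/lock-enabled
/org/gnome/desktop/session/idle-delay
EOF

check_dconf_key "$DB" org/gnome/desktop/screensaver lock-enabled true || :
check_dconf_key "$DB" org/gnome/desktop/session idle-delay 'uint32 900' || :
check_dconf_key "$DB" org/gnome/desktop/screensaver idle-activation-enabled true || :  # set but unlocked
```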
Identifiers: CCE-80112-6

Remediation shell script:

    include_dconf_settings
    dconf_settings 'org/gnome/desktop/screensaver' 'lock-enabled' 'true' 'local.d' '00-security-settings'
    dconf_lock 'org/gnome/desktop/screensaver' 'lock-enabled' 'local.d' '00-security-settings-lock'

Remediation Ansible snippet:

    - name: "Enable GNOME3 Screensaver Lock After Idle Period"
      ini_file:
        dest: "/etc/dconf/db/local.d/00-security-settings"
        section: "org/gnome/desktop/screensaver"
        option: lock-enabled
        value: "true"
        create: yes
      tags:
        - dconf_gnome_screensaver_lock_enabled
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80112-6
        - NIST-800-53-AC-11(b)
        - NIST-800-171-3.1.10
        - PCI-DSS-Req-8.1.8
        - CJIS-5.5.5
        - DISA-STIG-RHEL-07-010060
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Prevent user modification of GNOME lock-enabled"
      lineinfile:
        path: /etc/dconf/db/local.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/desktop/screensaver/lock-enabled'
        line: '/org/gnome/desktop/screensaver/lock-enabled'
        create: yes
      tags:
        - dconf_gnome_screensaver_lock_enabled
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80112-6
        - NIST-800-53-AC-11(b)
        - NIST-800-171-3.1.10
        - PCI-DSS-Req-8.1.8
        - CJIS-5.5.5
        - DISA-STIG-RHEL-07-010060
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure Users Cannot Change GNOME3 Screensaver Idle Activation

If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding /org/gnome/desktop/screensaver/idle-activation-enabled to /etc/dconf/db/local.d/00-security-settings. For example:

    /org/gnome/desktop/screensaver/idle-activation-enabled

After the settings have been set, run dconf update.

References: RHEL-07-010101 SV-93703r2_rule 1 12 15 16 5.5.5 DSS05.04 DSS05.10 DSS06.10 3.1.10 CCI-000057 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-11(a) PR.AC-7 FMT_MOF_EXT.1 Req-8.1.8 SRG-OS-000029-GPOS-00010

Rationale: A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absence.

Identifiers: CCE-80564-8

Remediation shell script:

    include_dconf_settings
    dconf_lock 'org/gnome/desktop/screensaver' 'idle-activation-enabled' 'local.d' '00-security-settings-lock'

8.1.a Review procedures and confirm they define processes for
8.1.b Verify that procedures are implemented for user
8.2 In addition to assigning a unique ID,
8.2.1 Using strong cryptography,

Verify All Account Password Hashes are Shadowed

If any password hashes are stored in /etc/passwd (in the second field, instead of an x or *), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.

References: 1 12 15 16 5 5.5.2 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.5.10 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(h) PR.AC-1 PR.AC-6 PR.AC-7 Req-8.2.1

Rationale: The hashes for all user account passwords should be stored in the file /etc/shadow and never in /etc/passwd, which is readable by all users.

Identifiers: CCE-27352-4

Set Password Hashing Algorithm in /etc/login.defs

In /etc/login.defs, add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm:

    ENCRYPT_METHOD SHA512

References: RHEL-07-010210 SV-86545r2_rule 6.3.1 1 12 15 16 5 5.6.2.2 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.13.11 CCI-000196 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(b) IA-5(c) IA-5(1)(c) IA-7 PR.AC-1 PR.AC-6 PR.AC-7 Req-8.2.1 SRG-OS-000073-GPOS-00041

Rationale: Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. Using a stronger hashing algorithm makes password cracking attacks more difficult.
Identifiers: CCE-27124-7

Remediation shell script:

    if grep --silent ^ENCRYPT_METHOD /etc/login.defs ; then
        sed -i 's/^ENCRYPT_METHOD.*/ENCRYPT_METHOD SHA512/g' /etc/login.defs
    else
        echo "" >> /etc/login.defs
        echo "ENCRYPT_METHOD SHA512" >> /etc/login.defs
    fi

Remediation Ansible snippet:

    - name: Set Password Hashing Algorithm in /etc/login.defs
      lineinfile:
        dest: /etc/login.defs
        regexp: ^#?ENCRYPT_METHOD
        line: ENCRYPT_METHOD SHA512
        state: present
      tags:
        - set_password_hashing_algorithm_logindefs
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27124-7
        - NIST-800-53-IA-5(b)
        - NIST-800-53-IA-5(c)
        - NIST-800-53-IA-5(1)(c)
        - NIST-800-53-IA-7
        - NIST-800-171-3.13.11
        - PCI-DSS-Req-8.2.1
        - CJIS-5.6.2.2
        - DISA-STIG-RHEL-07-010210

Set Password Hashing Algorithm in /etc/libuser.conf

In /etc/libuser.conf, add or correct the following line in its [defaults] section to ensure the system will use the SHA-512 algorithm for password hashing:

    crypt_style = sha512

References: RHEL-07-010220 SV-86547r3_rule 1 12 15 16 5 5.6.2.2 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.13.11 CCI-000196 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(b) IA-5(c) IA-5(1)(c) IA-7 PR.AC-1 PR.AC-6 PR.AC-7 Req-8.2.1 SRG-OS-000073-GPOS-00041 SRG-OS-000480-VMM-002000

Rationale: Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.

Identifiers: CCE-27053-8

Remediation shell script:

    LIBUSER_CONF="/etc/libuser.conf"
    CRYPT_STYLE_REGEX='[[:space:]]*\[defaults](.*(\n)+)+?[[:space:]]*crypt_style[[:space:]]*'

    # Try to find crypt_style in the [defaults] section. If it is there, change the algorithm to sha512.
    # If it isn't there, add it to the [defaults] section (creating the section if the file lacks one).
    if grep -qzosP $CRYPT_STYLE_REGEX $LIBUSER_CONF ; then
        sed -i "s/\(crypt_style[[:space:]]*=[[:space:]]*\).*/\1sha512/g" $LIBUSER_CONF
    elif grep -qs "\[defaults]" $LIBUSER_CONF ; then
        sed -i "/[[:space:]]*\[defaults]/a crypt_style = sha512" $LIBUSER_CONF
    else
        echo -e "[defaults]\ncrypt_style = sha512" >> $LIBUSER_CONF
    fi

Remediation Ansible snippet:

    - name: Set Password Hashing Algorithm in /etc/libuser.conf
      lineinfile:
        dest: /etc/libuser.conf
        insertafter: '^\s*\[defaults]'
        regexp: ^#?crypt_style
        line: crypt_style = sha512
        state: present
      tags:
        - set_password_hashing_algorithm_libuserconf
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27053-8
        - NIST-800-53-IA-5(b)
        - NIST-800-53-IA-5(c)
        - NIST-800-53-IA-5(1)(c)
        - NIST-800-53-IA-7
        - NIST-800-171-3.13.11
        - PCI-DSS-Req-8.2.1
        - CJIS-5.6.2.2
        - DISA-STIG-RHEL-07-010220

Set PAM's Password Hashing Algorithm

The PAM system service can be configured to only store encrypted representations of passwords. In /etc/pam.d/system-auth, the password section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the password section to include the argument sha512, as shown below:

    password sufficient pam_unix.so sha512 other arguments...

This will help ensure that when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.

References: RHEL-07-010200 SV-86543r3_rule 6.3.1 1 12 15 16 5 5.6.2.2 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.13.11 CCI-000196 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(b) IA-5(c) IA-5(1)(c) IA-7 PR.AC-1 PR.AC-6 PR.AC-7 Req-8.2.1 SRG-OS-000073-GPOS-00041 SRG-OS-000480-VMM-002000

Rationale: Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.

Identifiers: CCE-27104-9

Remediation shell script:

    AUTH_FILES[0]="/etc/pam.d/system-auth"
    AUTH_FILES[1]="/etc/pam.d/password-auth"

    for pamFile in "${AUTH_FILES[@]}"
    do
        if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" $pamFile; then
            sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" $pamFile
        fi
    done

8.2.1.a Examine vendor documentation and system
8.2.1.b For a sample of system components, examine
8.2.1.c For a sample of system components, examine data
8.2.1.d
8.2.2 Verify user identity before
8.2.3 Passwords/phrases must meet

Prevent Login to Accounts With Empty Password

If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.

References: RHEL-07-010290 SV-86561r3_rule 1 12 13 14 15 16 18 3 5 5.5.2 APO01.06 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.02 DSS06.03 DSS06.10 3.1.1 3.1.5 CCI-000366 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.18.1.4 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-6 IA-5(b) IA-5(c) IA-5(1)(a) PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7 PR.DS-5 FIA_AFL.1 Req-8.2.3 SRG-OS-000480-GPOS-00227

Rationale: If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
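The three account-database rules above (shadowed hashes, SHA-512 hashing, no empty passwords) can be audited from the same two files. The added script below is not SSG code: it reads passwd- and shadow-format files, flags a hash stored in the passwd second field, a shadow hash whose crypt prefix is not the $6$ that ENCRYPT_METHOD SHA512 produces, and an empty shadow password field (the state nullok would accept), while reporting locked accounts as informational. The sample files and hash strings are constructed and are not real credentials.

```shell
#!/bin/sh
# Added example (not SSG code): audit passwd/shadow-format files for the rules
# "Verify All Account Password Hashes are Shadowed", "Set Password Hashing
# Algorithm" and "Prevent Login to Accounts With Empty Password".
#   audit_account_db PASSWD_FILE SHADOW_FILE   -> prints findings, returns their count

audit_account_db() {
    passwd=$1; shadow=$2; findings=0

    # Rule 1: the passwd second field must be exactly "x" or "*"; anything else is a hash
    # (or a password) sitting in a world-readable file.
    while IFS=: read -r user hash _; do
        case $hash in
            x|'*') ;;
            *) echo "FINDING: $user has a password hash in $passwd (not shadowed)"
               findings=$((findings + 1)) ;;
        esac
    done < "$passwd"

    # Rules 2 and 3: inspect the shadow password field.
    while IFS=: read -r user hash _; do
        case $hash in
            '')        echo "FINDING: $user has an EMPTY password (nullok would allow login)"
                       findings=$((findings + 1)) ;;
            '!'*|'*'*) echo "info: $user is locked" ;;
            '$6$'*)    ;;   # SHA-512 crypt, as ENCRYPT_METHOD SHA512 / crypt_style = sha512 produce
            '$'*)      id=${hash#\$}; id=${id%%\$*}
                       echo "FINDING: $user uses a non-SHA-512 hash (crypt id \$$id\$, expected \$6\$)"
                       findings=$((findings + 1)) ;;
            *)         echo "FINDING: $user uses a legacy hash with no crypt id (DES or similar)"
                       findings=$((findings + 1)) ;;
        esac
    done < "$shadow"

    echo "total findings: $findings"
    return $findings
}

# Constructed sample files; the "hash" strings are placeholders, not real hashes.
ACCT_DIR=$(mktemp -d)
cat > "$ACCT_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
svc_backup:$6$constructed$NOTAREALHASH:1001:1001::/home/svc_backup:/bin/bash
alice:x:1002:1002::/home/alice:/bin/bash
guest:x:1003:1003::/home/guest:/bin/bash
EOF
cat > "$ACCT_DIR/shadow" <<'EOF'
root:$6$constructed$NOTAREALHASH:18000:0:99999:7:::
bin:*:18000:0:99999:7:::
svc_backup:!!:18000:0:99999:7:::
alice:$1$constructed$NOTAREALHASH:18000:0:99999:7:::
guest::18000:0:99999:7:::
EOF

# Expected: svc_backup (unshadowed), alice (MD5 crypt), guest (empty) = 3 findings.
audit_account_db "$ACCT_DIR/passwd" "$ACCT_DIR/shadow" || :
```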
CCE-27286-4 sed --follow-symlinks -i 's/\<nullok\>//g' /etc/pam.d/system-auth sed --follow-symlinks -i 's/\<nullok\>//g' /etc/pam.d/password-auth - name: "Prevent Log In to Accounts With Empty Password - system-auth" replace: dest: /etc/pam.d/system-auth follow: yes regexp: 'nullok' tags: - no_empty_passwords - high_severity - configure_strategy - low_complexity - medium_disruption - CCE-27286-4 - NIST-800-53-AC-6 - NIST-800-53-IA-5(b) - NIST-800-53-IA-5(c) - NIST-800-53-IA-5(1)(a) - NIST-800-171-3.1.1 - NIST-800-171-3.1.5 - PCI-DSS-Req-8.2.3 - CJIS-5.5.2 - DISA-STIG-RHEL-07-010290 - name: "Prevent Log In to Accounts With Empty Password - password-auth" replace: dest: /etc/pam.d/password-auth follow: yes regexp: 'nullok' tags: - no_empty_passwords - high_severity - configure_strategy - low_complexity - medium_disruption - CCE-27286-4 - NIST-800-53-AC-6 - NIST-800-53-IA-5(b) - NIST-800-53-IA-5(c) - NIST-800-53-IA-5(1)(a) - NIST-800-171-3.1.1 - NIST-800-171-3.1.5 - PCI-DSS-Req-8.2.3 - CJIS-5.5.2 - DISA-STIG-RHEL-07-010290 Set Password Minimum Length The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements. RHEL-07-010280 SV-86559r2_rule 6.3.2 1 12 15 16 5 5.6.2.1.1 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-000205 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(1)(a) PR.AC-1 PR.AC-6 PR.AC-7 FMT_MOF_EXT.1 Req-8.2.3 SRG-OS-000078-GPOS-00046 SRG-OS-000072-VMM-000390 SRG-OS-000078-VMM-000450 The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password. CCE-27293-0 var_password_pam_minlen="" replace_or_append '/etc/security/pwquality.conf' '^minlen' $var_password_pam_minlen 'CCE-27293-0' '%s = %s' - name: XCCDF Value var_password_pam_minlen # promote to variable set_fact: var_password_pam_minlen: !!str tags: - always - name: Ensure PAM variable minlen is set accordingly lineinfile: create: yes dest: "/etc/security/pwquality.conf" regexp: '^#?\s*minlen' line: "minlen = {{ var_password_pam_minlen }}" tags: - accounts_password_pam_minlen - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27293-0 - NIST-800-53-IA-5(1)(a) - PCI-DSS-Req-8.2.3 - CJIS-5.6.2.1.1 - DISA-STIG-RHEL-07-010280 Set Password Strength Minimum Digit Characters The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords. 
References: RHEL-07-010140 SV-86531r3_rule 6.3.2 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-000194 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(1)(a) IA-5(b) IA-5(c) 194 PR.AC-1 PR.AC-6 PR.AC-7 FMT_MOF_EXT.1 Req-8.2.3 SRG-OS-000071-GPOS-00039 SRG-OS-000071-VMM-000380

Rationale: Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.
CCE-27214-6

Remediation (bash):

    var_password_pam_dcredit=""
    replace_or_append '/etc/security/pwquality.conf' '^dcredit' $var_password_pam_dcredit 'CCE-27214-6' '%s = %s'

Remediation (Ansible):

    - name: XCCDF Value var_password_pam_dcredit # promote to variable
      set_fact:
        var_password_pam_dcredit: !!str
      tags:
        - always

    - name: Ensure PAM variable dcredit is set accordingly
      lineinfile:
        create: yes
        dest: "/etc/security/pwquality.conf"
        regexp: '^#?\s*dcredit'
        line: "dcredit = {{ var_password_pam_dcredit }}"
      tags: [accounts_password_pam_dcredit, medium_severity, restrict_strategy, low_complexity, low_disruption,
             CCE-27214-6, NIST-800-53-IA-5(1)(a), NIST-800-53-IA-5(b), NIST-800-53-IA-5(c), NIST-800-53-194,
             PCI-DSS-Req-8.2.3, DISA-STIG-RHEL-07-010140]

Set Password Strength Minimum Lowercase Characters

The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.

References: RHEL-07-010130 SV-86529r5_rule 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-000193 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(b) IA-5(c) IA-5(1)(a) PR.AC-1 PR.AC-6 PR.AC-7 FMT_MOF_EXT.1 Req-8.2.3 SRG-OS-000070-GPOS-00038 SRG-OS-000070-VMM-000370

Rationale: Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.

CCE-27345-8

Remediation (bash):

    var_password_pam_lcredit=""
    replace_or_append '/etc/security/pwquality.conf' '^lcredit' $var_password_pam_lcredit 'CCE-27345-8' '%s = %s'

Remediation (Ansible):

    - name: XCCDF Value var_password_pam_lcredit # promote to variable
      set_fact:
        var_password_pam_lcredit: !!str
      tags:
        - always

    - name: Ensure PAM variable lcredit is set accordingly
      lineinfile:
        create: yes
        dest: "/etc/security/pwquality.conf"
        regexp: '^#?\s*lcredit'
        line: "lcredit = {{ var_password_pam_lcredit }}"
      tags: [accounts_password_pam_lcredit, medium_severity, restrict_strategy, low_complexity, low_disruption,
             CCE-27345-8, NIST-800-53-IA-5(b), NIST-800-53-IA-5(c), NIST-800-53-IA-5(1)(a), PCI-DSS-Req-8.2.3,
             DISA-STIG-RHEL-07-010130]

Set Password Strength Minimum Uppercase Characters

The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.
References: RHEL-07-010120 SV-86527r3_rule 6.3.2 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-000192 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(b) IA-5(c) IA-5(1)(a) PR.AC-1 PR.AC-6 PR.AC-7 FMT_MOF_EXT.1 Req-8.2.3 SRG-OS-000069-GPOS-00037 SRG-OS-000069-VMM-000360

Rationale: Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

CCE-27200-5

Remediation (bash):

    var_password_pam_ucredit=""
    replace_or_append '/etc/security/pwquality.conf' '^ucredit' $var_password_pam_ucredit 'CCE-27200-5' '%s = %s'

Remediation (Ansible):

    - name: XCCDF Value var_password_pam_ucredit # promote to variable
      set_fact:
        var_password_pam_ucredit: !!str
      tags:
        - always

    - name: Ensure PAM variable ucredit is set accordingly
      lineinfile:
        create: yes
        dest: "/etc/security/pwquality.conf"
        regexp: '^#?\s*ucredit'
        line: "ucredit = {{ var_password_pam_ucredit }}"
      tags: [accounts_password_pam_ucredit, medium_severity, restrict_strategy, low_complexity, low_disruption,
             CCE-27200-5, NIST-800-53-IA-5(b), NIST-800-53-IA-5(c), NIST-800-53-IA-5(1)(a), PCI-DSS-Req-8.2.3,
             DISA-STIG-RHEL-07-010120]

Set Password Strength Minimum Digit Characters

The pam_cracklib module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. Add dcredit=-1 after pam_cracklib.so to require use of a digit in passwords.

References: 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(b) IA-5(c) PR.AC-1 PR.AC-6 PR.AC-7 Req-8.2.3

Rationale: Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.

Set Password Strength Minimum Uppercase Characters

The pam_cracklib module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each uppercase character. Add ucredit=-1 after pam_cracklib.so to require use of an upper case character in passwords.

References: 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.5.7 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(b) IA-5(c) IA-5(1)(a) PR.AC-1 PR.AC-6 PR.AC-7 Req-8.2.3

Rationale: Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space.

Set Password Strength Minimum Lowercase Characters

The pam_cracklib module's lcredit= parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each lowercase character. Add lcredit=-1 after pam_cracklib.so to require use of a lowercase character in passwords.

References: 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(b) IA-5(c) IA-5(1)(a) PR.AC-1 PR.AC-6 PR.AC-7 Req-8.2.3

Rationale: Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.

Set Password Minimum Length

The pam_cracklib module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_cracklib.so to set minimum password length requirements.

References: 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(1)(a) PR.AC-1 PR.AC-6 PR.AC-7 Req-8.2.3

Rationale: Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.

8.2.3.a For a sample of system components, inspect system
8.2.3.b
8.2.4 Change user

Set Password Maximum Age

To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line:

    PASS_MAX_DAYS 

A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is .
References: RHEL-07-010250 SV-86553r2_rule 5.4.1.1 1 12 15 16 5 5.6.2.1 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.5.6 CCI-000199 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(f) IA-5(g) IA-5(1)(d) PR.AC-1 PR.AC-6 PR.AC-7 Req-8.2.4 SRG-OS-000076-GPOS-00044

Rationale: Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.

CCE-27051-2

Remediation (bash):

    var_accounts_maximum_age_login_defs=""
    grep -q ^PASS_MAX_DAYS /etc/login.defs && \
      sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS $var_accounts_maximum_age_login_defs/g" /etc/login.defs
    if ! [ $? -eq 0 ]; then
        echo "PASS_MAX_DAYS $var_accounts_maximum_age_login_defs" >> /etc/login.defs
    fi

Remediation (Ansible):

    - name: XCCDF Value var_accounts_maximum_age_login_defs # promote to variable
      set_fact:
        var_accounts_maximum_age_login_defs: !!str
      tags:
        - always

    - name: Set Password Maximum Age
      lineinfile:
        create: yes
        dest: /etc/login.defs
        regexp: ^#?PASS_MAX_DAYS
        line: "PASS_MAX_DAYS {{ var_accounts_maximum_age_login_defs }}"
      tags: [accounts_maximum_age_login_defs, medium_severity, restrict_strategy, low_complexity, low_disruption,
             CCE-27051-2, NIST-800-53-IA-5(f), NIST-800-53-IA-5(g), NIST-800-53-IA-5(1)(d), NIST-800-171-3.5.6,
             PCI-DSS-Req-8.2.4, CJIS-5.6.2.1, DISA-STIG-RHEL-07-010250]

8.2.4.a For a sample of system components, inspect system
8.2.4.b
8.2.5 Do not allow an individual to

Limit Password Reuse

Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.so module, as shown below:

for the pam_unix.so case:

    password sufficient pam_unix.so ...existing_options... remember=

for the pam_pwhistory.so case:

    password requisite pam_pwhistory.so ...existing_options... remember=

The DoD STIG requirement is 5 passwords.

References: RHEL-07-010270 SV-86557r3_rule 5.3.3 1 12 15 16 5 5.6.2.1.1 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.5.8 CCI-000200 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(f) IA-5(1)(e) PR.AC-1 PR.AC-6 PR.AC-7 Req-8.2.5 SRG-OS-000077-GPOS-00045 SRG-OS-000077-VMM-000440

Rationale: Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.
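As an added example that is not part of the SCAP Security Guide, the audit below checks PAM stack lines for the two conditions the sed remediations on this page correct: the standalone word nullok (the no-empty-passwords rule, CCE-27286-4) and the remember= option on the "password sufficient pam_unix.so" line, compared against the 5-password figure given above. Both system-auth excerpts and all function names are the example's own constructions.

```bash
#!/usr/bin/env bash
# Added example, not SCAP Security Guide code. Audits PAM stack lines for the
# two things the page's remediations edit: the standalone word "nullok" (what
# the sed \<nullok\> pattern removes) and the remember= option on the
# "password sufficient pam_unix.so" line (what the remember remediation sets).
# Both excerpts are constructed, not captured from a real host.

SAMPLE_SYSTEM_AUTH='#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=3
password    required      pam_deny.so'

HARDENED_SYSTEM_AUTH='#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        required      pam_deny.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
password    required      pam_deny.so'

# Count lines on stdin carrying nullok as a whole word (so "nullok_secure"
# would not match, mirroring the \< \> word boundaries in the sed remediation).
count_nullok() {
    grep -cE '(^|[[:space:]])nullok([[:space:]]|$)' || true
}

# Print the remember= value from the pam_unix.so password line on stdin,
# or "missing" (status 1) when the line or the option is absent.
pam_unix_remember() {
    local line
    line=$(grep -E '^password[[:space:]]+sufficient[[:space:]]+pam_unix\.so' | head -n 1 || true)
    if [[ $line =~ remember[[:space:]]*=[[:space:]]*([0-9]+) ]]; then
        echo "${BASH_REMATCH[1]}"
    else
        echo missing
        return 1
    fi
}

# Audit a config on stdin against a minimum remember value (default 5, the
# DoD STIG figure quoted above). Prints findings; status 0 only when clean.
pam_audit() {
    local required="${1:-5}" conf rc=0 nullok remember
    conf=$(cat)
    nullok=$(printf '%s\n' "$conf" | count_nullok)
    if [ "$nullok" -gt 0 ]; then
        echo "FINDING: nullok present on $nullok line(s); empty passwords would be accepted"
        rc=1
    fi
    remember=$(printf '%s\n' "$conf" | pam_unix_remember) || true
    if [ "$remember" = missing ]; then
        echo "FINDING: pam_unix.so has no remember= option; password reuse is not limited"
        rc=1
    elif [ "$remember" -lt "$required" ]; then
        echo "FINDING: remember=$remember is below the required $required"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: no nullok, remember=$remember"
    return "$rc"
}

printf '%s\n' "$SAMPLE_SYSTEM_AUTH"   | pam_audit 5
printf '%s\n' "$HARDENED_SYSTEM_AUTH" | pam_audit 5
```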
CCE-26923-3

Remediation (bash):

    var_password_pam_unix_remember=""
    AUTH_FILES[0]="/etc/pam.d/system-auth"
    AUTH_FILES[1]="/etc/pam.d/password-auth"
    for pamFile in "${AUTH_FILES[@]}"
    do
        if grep -q "remember=" $pamFile; then
            sed -i --follow-symlinks "s/\(^password.*sufficient.*pam_unix.so.*\)\(\(remember *= *\)[^ $]*\)/\1remember=$var_password_pam_unix_remember/" $pamFile
        else
            sed -i --follow-symlinks "/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/ s/$/ remember=$var_password_pam_unix_remember/" $pamFile
        fi
    done

Remediation (Ansible):

    - name: XCCDF Value var_password_pam_unix_remember # promote to variable
      set_fact:
        var_password_pam_unix_remember: !!str
      tags:
        - always

    - name: "Do not allow users to reuse recent passwords - system-auth (change)"
      replace:
        dest: /etc/pam.d/system-auth
        follow: yes
        regexp: '^(password\s+sufficient\s+pam_unix\.so\s.*remember\s*=\s*)(\S+)(.*)$'
        replace: '\g<1>{{ var_password_pam_unix_remember }}\g<3>'
      tags: [accounts_password_pam_unix_remember, medium_severity, configure_strategy, low_complexity, medium_disruption,
             CCE-26923-3, NIST-800-53-IA-5(f), NIST-800-53-IA-5(1)(e), NIST-800-171-3.5.8, PCI-DSS-Req-8.2.5,
             CJIS-5.6.2.1.1, DISA-STIG-RHEL-07-010270]

    - name: "Do not allow users to reuse recent passwords - system-auth (add)"
      replace:
        dest: /etc/pam.d/system-auth
        follow: yes
        regexp: '^password\s+sufficient\s+pam_unix\.so\s(?!.*remember\s*=\s*).*$'
        replace: '\g<0> remember={{ var_password_pam_unix_remember }}'
      tags: [accounts_password_pam_unix_remember, medium_severity, configure_strategy, low_complexity, medium_disruption,
             CCE-26923-3, NIST-800-53-IA-5(f), NIST-800-53-IA-5(1)(e), NIST-800-171-3.5.8, PCI-DSS-Req-8.2.5,
             CJIS-5.6.2.1.1, DISA-STIG-RHEL-07-010270]

8.2.5.a For a sample of system components, obtain and
8.2.5.b
8.2.6 Set passwords/phrases for first-
8.3 Incorporate two-factor authentication

Configure opensc Smart Card Drivers

The OpenSC smart card tool can auto-detect smart card drivers; however, setting the smart card drivers in use by your organization helps to prevent users from using unauthorized smart cards. The default smart card driver for this profile is . To configure the OpenSC driver, edit the /etc/opensc-ARCH.conf (where ARCH is the architecture of your operating system) file. Look for a line similar to:

    # card_drivers = old, internal;

and change it to:

    card_drivers = ;

References: 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-000765 CCI-000766 CCI-000767 CCI-000768 CCI-000771 CCI-000772 CCI-000884 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-2(2) PR.AC-1 PR.AC-6 PR.AC-7 Req-8.3 SRG-OS-000104-GPOS-00051 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000109-GPOS-00056 SRG-OS-000108-GPOS-00055 SRG-OS-000108-GPOS-00057 SRG-OS-000108-GPOS-00058 SRG-OS-000376-VMM-001520

Rationale: Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials. Configuring the smart card driver in use by your organization helps to prevent users from using unauthorized smart cards.

CCE-80565-5

Remediation (bash):

    var_smartcard_drivers=""
    grep -qs "card_drivers =" /etc/opensc*.conf && \
      sed -i "s/card_drivers =.*/card_drivers = $var_smartcard_drivers;/g" /etc/opensc*.conf
    if ! [ $? -eq 0 ]; then
        sed -i "s/.*card_drivers =.*/ card_drivers = $var_smartcard_drivers;/g" /etc/opensc*.conf
    fi

Remediation (Ansible):

    - name: XCCDF Value var_smartcard_drivers # promote to variable
      set_fact:
        var_smartcard_drivers: !!str
      tags:
        - always

    - name: Check existence of opensc conf
      stat:
        path: /etc/opensc-{{ ansible_architecture }}.conf
      register: opensc_conf_cd
      tags: [configure_opensc_card_drivers, medium_severity, configure_strategy, low_complexity, low_disruption,
             CCE-80565-5, NIST-800-53-IA-2(2), PCI-DSS-Req-8.3]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Configure opensc Smart Card Drivers"
      lineinfile:
        path: /etc/opensc-{{ ansible_architecture }}.conf
        line: ' card_drivers = {{ var_smartcard_drivers }}'
        regexp: '(^\s+#|^)\s+card_drivers\s+=\s+.*'
        state: present
      when: opensc_conf_cd.stat.exists and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [configure_opensc_card_drivers, medium_severity, configure_strategy, low_complexity, low_disruption,
             CCE-80565-5, NIST-800-53-IA-2(2), PCI-DSS-Req-8.3]

Configure NSS DB To Use opensc

The opensc module should be configured for use over the Coolkey PKCS#11 module in the NSS database.
To configure the NSS database to use the opensc module, run the following command:

    $ sudo pkcs11-switch opensc

References: 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-000765 CCI-000766 CCI-000767 CCI-000768 CCI-000771 CCI-000772 CCI-000884 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-2(2) PR.AC-1 PR.AC-6 PR.AC-7 Req-8.3 SRG-OS-000104-GPOS-00051 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000109-GPOS-00056 SRG-OS-000108-GPOS-00055 SRG-OS-000108-GPOS-00057 SRG-OS-000108-GPOS-00058 SRG-OS-000376-VMM-001520 SRG-OS-000403-VMM-001640

Rationale: Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials.

CCE-80567-1

Remediation (bash):

    # pkcs11-switch with no argument prints the module the NSS database currently
    # uses; switch to opensc only when something else is active (string
    # comparison, and the switch binary is invoked by path, matching the
    # Ansible tasks below).
    PKCSSW=$(/usr/bin/pkcs11-switch)
    if [[ "${PKCSSW}" != "opensc" ]]; then
        /usr/bin/pkcs11-switch opensc
    fi

Remediation (Ansible):

    - name: Check existence of pkcs11-switch
      stat:
        path: /usr/bin/pkcs11-switch
      register: pkcs11switch
      tags: [configure_opensc_nss_db, medium_severity, configure_strategy, low_complexity, low_disruption,
             CCE-80567-1, NIST-800-53-IA-2(2), PCI-DSS-Req-8.3]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Get NSS database smart card configuration
      command: /usr/bin/pkcs11-switch
      changed_when: True
      register: pkcsw_output
      tags: [configure_opensc_nss_db, medium_severity, configure_strategy, low_complexity, low_disruption,
             CCE-80567-1, NIST-800-53-IA-2(2), PCI-DSS-Req-8.3]
      when:
        - pkcs11switch.stat.exists
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Configure NSS DB To Use opensc"
      command: /usr/bin/pkcs11-switch opensc
      when: pkcs11switch.stat.exists and pkcsw_output.stdout != "opensc" and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [configure_opensc_nss_db, medium_severity, configure_strategy, low_complexity, low_disruption,
             CCE-80567-1, NIST-800-53-IA-2(2), PCI-DSS-Req-8.3]

Force opensc To Use Defined Smart Card Driver

The OpenSC smart card tool can auto-detect smart card drivers; however, by forcing the smart card driver in use by your organization, opensc will no longer autodetect or use other drivers unless specified. This helps to prevent users from using unauthorized smart cards. The default smart card driver for this profile is . To force the OpenSC driver, edit the /etc/opensc-ARCH.conf (where ARCH is the architecture of your operating system) file.
Look for a line similar to:

    # force_card_driver = customcos;

and change it to:

    force_card_driver = ;

References: 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-000765 CCI-000766 CCI-000767 CCI-000768 CCI-000771 CCI-000772 CCI-000884 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-2(2) PR.AC-1 PR.AC-6 PR.AC-7 Req-8.3 SRG-OS-000104-GPOS-00051 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000109-GPOS-00056 SRG-OS-000108-GPOS-00055 SRG-OS-000108-GPOS-00057 SRG-OS-000108-GPOS-00058 SRG-OS-000376-VMM-001520

Rationale: Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials. Forcing the smart card driver in use by your organization helps to prevent users from using unauthorized smart cards.

CCE-81002-8

Remediation (bash):

    var_smartcard_drivers=""
    grep -qs "force_card_driver =" /etc/opensc*.conf && \
      sed -i "s/force_card_driver =.*/force_card_driver = $var_smartcard_drivers;/g" /etc/opensc*.conf
    if ! [ $? -eq 0 ]; then
        sed -i "s/.*force_card_driver =.*/ force_card_driver = $var_smartcard_drivers;/g" /etc/opensc*.conf
    fi

Remediation (Ansible):

    - name: XCCDF Value var_smartcard_drivers # promote to variable
      set_fact:
        var_smartcard_drivers: !!str
      tags:
        - always

    - name: Check existence of opensc conf
      stat:
        path: /etc/opensc-{{ ansible_architecture }}.conf
      register: opensc_conf_fcd
      tags: [force_opensc_card_drivers, medium_severity, configure_strategy, low_complexity, low_disruption,
             CCE-81002-8, NIST-800-53-IA-2(2), PCI-DSS-Req-8.3]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Force opensc To Use Defined Smart Card Driver"
      lineinfile:
        path: /etc/opensc-{{ ansible_architecture }}.conf
        line: ' force_card_driver = {{ var_smartcard_drivers }}'
        regexp: '(^\s+#|^)\s+force_card_driver\s+=\s+.*'
        state: present
      when: opensc_conf_fcd.stat.exists and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [force_opensc_card_drivers, medium_severity, configure_strategy, low_complexity, low_disruption,
             CCE-81002-8, NIST-800-53-IA-2(2), PCI-DSS-Req-8.3]

Enable Smart Card Login

To enable smart card authentication, consult the documentation at:

    https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards

For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at:

    https://access.redhat.com/solutions/82273

References: RHEL-07-010500 SV-86589r2_rule 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-000765 CCI-000766 CCI-000767 CCI-000768 CCI-000771 CCI-000772 CCI-000884 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-2(1) PR.AC-1 PR.AC-6 PR.AC-7 Req-8.3 SRG-OS-000104-GPOS-00051 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000109-GPOS-00056 SRG-OS-000108-GPOS-00055 SRG-OS-000108-GPOS-00057 SRG-OS-000108-GPOS-00058

Rationale: Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials.

CCE-80207-4

Remediation (bash):

    # Install required packages
    package_install esc
    package_install pam_pkcs11

    # Enable pcscd.socket systemd activation socket
    service_command enable pcscd.socket

    # Configure the expected /etc/pam.d/system-auth{,-ac} settings directly
    #
    # The code below will configure system authentication in the way smart card
    # logins will be enabled, but also user login(s) via other method to be allowed
    #
    # NOTE: It is not possible to use the 'authconfig' command to perform the
    # remediation for us, because call of 'authconfig' would discard changes
    # for other remediations (see RH BZ#1357019 for details)
    #
    # Therefore we need to configure the necessary settings directly.
    #
    # Define system-auth config location
    SYSTEM_AUTH_CONF="/etc/pam.d/system-auth"
    # Define expected 'pam_env.so' row in $SYSTEM_AUTH_CONF
    PAM_ENV_SO="auth.*required.*pam_env.so"
    # Define 'pam_succeed_if.so' row to be appended past $PAM_ENV_SO row into $SYSTEM_AUTH_CONF
    SYSTEM_AUTH_PAM_SUCCEED="\
    auth [success=1 default=ignore] pam_succeed_if.so service notin \
    login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid"
    # Define 'pam_pkcs11.so' row to be appended past $SYSTEM_AUTH_PAM_SUCCEED
    # row into SYSTEM_AUTH_CONF file
    SYSTEM_AUTH_PAM_PKCS11="\
    auth [success=done authinfo_unavail=ignore ignore=ignore default=die] \
    pam_pkcs11.so nodebug"
    # Define smartcard-auth config location
    SMARTCARD_AUTH_CONF="/etc/pam.d/smartcard-auth"
    # Define 'pam_pkcs11.so' auth section to be appended past $PAM_ENV_SO into $SMARTCARD_AUTH_CONF
    SMARTCARD_AUTH_SECTION="\
    auth [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card"
    # Define expected 'pam_permit.so' row in $SMARTCARD_AUTH_CONF
    PAM_PERMIT_SO="account.*required.*pam_permit.so"
    # Define 'pam_pkcs11.so' password section
    SMARTCARD_PASSWORD_SECTION="\
    password required pam_pkcs11.so"

    # First Correct the SYSTEM_AUTH_CONF configuration
    if ! grep -q 'pam_pkcs11.so' "$SYSTEM_AUTH_CONF"
    then
        # Append (expected) pam_succeed_if.so row past the pam_env.so into SYSTEM_AUTH_CONF file
        # and append (expected) pam_pkcs11.so row right after the pam_succeed_if.so we just added
        # in SYSTEM_AUTH_CONF file
        # This will preserve any other already existing row equal to "$SYSTEM_AUTH_PAM_SUCCEED"
        echo "$(awk '/^'"$PAM_ENV_SO"'/{print $0 RS "'"$SYSTEM_AUTH_PAM_SUCCEED"'" RS "'"$SYSTEM_AUTH_PAM_PKCS11"'";next}1' "$SYSTEM_AUTH_CONF")" > "$SYSTEM_AUTH_CONF"
    fi

    # Then also correct the SMARTCARD_AUTH_CONF
    if ! grep -q 'pam_pkcs11.so' "$SMARTCARD_AUTH_CONF"
    then
        # Append (expected) SMARTCARD_AUTH_SECTION row past the pam_env.so into SMARTCARD_AUTH_CONF file
        sed -i --follow-symlinks -e '/^'"$PAM_ENV_SO"'/a '"$SMARTCARD_AUTH_SECTION" "$SMARTCARD_AUTH_CONF"
        # Append (expected) SMARTCARD_PASSWORD_SECTION row past the pam_permit.so into SMARTCARD_AUTH_CONF file
        sed -i --follow-symlinks -e '/^'"$PAM_PERMIT_SO"'/a '"$SMARTCARD_PASSWORD_SECTION" "$SMARTCARD_AUTH_CONF"
    fi

    # Perform /etc/pam_pkcs11/pam_pkcs11.conf settings below
    # Define selected constants for later reuse
    SP="[:space:]"
    PAM_PKCS11_CONF="/etc/pam_pkcs11/pam_pkcs11.conf"

    # Ensure OCSP is turned on in $PAM_PKCS11_CONF
    # 1) First replace any occurrence of 'none' value of 'cert_policy' key setting with the correct configuration
    sed -i "s/^[$SP]*cert_policy[$SP]\+=[$SP]\+none;/\t\tcert_policy = ca, ocsp_on, signature;/g" "$PAM_PKCS11_CONF"
    # 2) Then append 'ocsp_on' value setting to each 'cert_policy' key in $PAM_PKCS11_CONF configuration line,
    # which does not contain it yet
    sed -i "/ocsp_on/! s/^[$SP]*cert_policy[$SP]\+=[$SP]\+\(.*\);/\t\tcert_policy = \1, ocsp_on;/" "$PAM_PKCS11_CONF"

Remediation (Anaconda kickstart):

    package --add=pam_pkcs11 --add=esc

Enable the GNOME3 Login Smartcard Authentication

In the default graphical environment, smart card authentication can be enabled on the login screen by setting enable-smartcard-authentication to true. To enable, add or edit enable-smartcard-authentication to /etc/dconf/db/gdm.d/00-security-settings. For example:

    [org/gnome/login-screen]
    enable-smartcard-authentication=true

Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/login-screen/enable-smartcard-authentication

After the settings have been set, run dconf update.
References: CCI-000765 CCI-000766 CCI-000767 CCI-000768 CCI-000771 CCI-000772 CCI-000884 CCI-001954 Req-8.3 SRG-OS-000375-GPOS-00160 RHEL-07-010061 SV-92515r2_rule

Rationale: Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials.

CCE-80108-4

Remediation (bash):

    include_dconf_settings
    dconf_settings 'org/gnome/login-screen' 'enable-smartcard-authentication' 'true' 'gdm.d' '00-security-settings'
    dconf_lock 'org/gnome/login-screen' 'enable-smartcard-authentication' 'gdm.d' '00-security-settings-lock'

Remediation (Ansible):

    - name: "Enable the GNOME3 Login Smartcard Authentication"
      ini_file:
        dest: /etc/dconf/db/gdm.d/00-security-settings
        section: org/gnome/login-screen
        option: enable-smartcard-authentication
        value: "true"
        create: yes
      tags: [dconf_gnome_enable_smartcard_auth, medium_severity, unknown_strategy, low_complexity, medium_disruption,
             CCE-80108-4, PCI-DSS-Req-8.3, DISA-STIG-RHEL-07-010061]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Prevent user modification of GNOME3 disablement of Smartcard Authentication"
      lineinfile:
        path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/login-screen/enable-smartcard-authentication'
        line: '/org/gnome/login-screen/enable-smartcard-authentication'
        create: yes
      tags: [dconf_gnome_enable_smartcard_auth, medium_severity, unknown_strategy, low_complexity, medium_disruption,
             CCE-80108-4, PCI-DSS-Req-8.3, DISA-STIG-RHEL-07-010061]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

8.3.a Examine system configurations for remote access servers
8.3.b Observe a sample of personnel (for example, users and
8.4 Document and communicate
8.4.a Examine
8.4.b Review authentication policies and procedures that are
8.4.c Interview a sample of users to verify that they are familiar
8.5 Do not use group, shared, or generic
8.5.1
8.5.a For a sample of system components, examine user ID lists

All GIDs referenced in /etc/passwd must be defined in /etc/group

Add a group to the system for each GID referenced without a corresponding group.

References: RHEL-07-020300 SV-86627r2_rule 1 12 15 16 5 5.5.2 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-000764 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-2 PR.AC-1 PR.AC-6 PR.AC-7 Req-8.5.a SRG-OS-000104-GPOS-00051

Rationale: If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group with the Group Identifier (GID) is subsequently created, the user may have unintended rights to any files associated with the group.
CCE-27503-2

8.5.b Examine authentication policies and procedures to verify
8.5.c Interview system administrators to verify that group and
8.6 Where other authentication
8.6.a Examine authentication policies and procedures to verify
8.6.b Interview security personnel to verify authentication
8.6.c Examine system configuration settings and/or physical
8.7 All access to any database
8.7.a Review database and application configuration settings
8.7.b Examine database and application configuration settings to
8.7.c Examine database access control settings and database

Verify Permissions on shadow File

To properly set the permissions of /etc/shadow, run the command:

$ sudo chmod 0640 /etc/shadow

6.1.3 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Req-8.7.c

The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.
CCE-27100-7

chmod 0000 /etc/shadow

- name: Test for existence /etc/shadow
  stat:
    path: /etc/shadow
  register: file_exists
  tags:
    - file_permissions_etc_shadow
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-27100-7
    - NIST-800-53-AC-6
    - PCI-DSS-Req-8.7.c
    - CJIS-5.5.2.2

- name: Ensure permission 0000 on /etc/shadow
  file:
    path: /etc/shadow
    mode: 0000
  when: file_exists.stat.exists and True
  tags:
    - file_permissions_etc_shadow
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-27100-7
    - NIST-800-53-AC-6
    - PCI-DSS-Req-8.7.c
    - CJIS-5.5.2.2

Verify User Who Owns shadow File

To properly set the owner of /etc/shadow, run the command:

$ sudo chown root /etc/shadow

6.1.3 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Req-8.7.c

The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.
CCE-26795-5

chown 0 /etc/shadow

- name: Test for existence /etc/shadow
  stat:
    path: /etc/shadow
  register: file_exists
  tags:
    - file_owner_etc_shadow
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-26795-5
    - NIST-800-53-AC-6
    - PCI-DSS-Req-8.7.c
    - CJIS-5.5.2.2

- name: Ensure owner 0 on /etc/shadow
  file:
    path: /etc/shadow
    owner: 0
  when: file_exists.stat.exists and True
  tags:
    - file_owner_etc_shadow
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-26795-5
    - NIST-800-53-AC-6
    - PCI-DSS-Req-8.7.c
    - CJIS-5.5.2.2

Verify Permissions on group File

To properly set the permissions of /etc/passwd, run the command:

$ sudo chmod 0644 /etc/passwd

6.1.4 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Req-8.7.c

The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
CCE-26949-8

chmod 0644 /etc/group

- name: Test for existence /etc/group
  stat:
    path: /etc/group
  register: file_exists
  tags:
    - file_permissions_etc_group
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-26949-8
    - NIST-800-53-AC-6
    - PCI-DSS-Req-8.7.c
    - CJIS-5.5.2.2

- name: Ensure permission 0644 on /etc/group
  file:
    path: /etc/group
    mode: 0644
  when: file_exists.stat.exists and True
  tags:
    - file_permissions_etc_group
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-26949-8
    - NIST-800-53-AC-6
    - PCI-DSS-Req-8.7.c
    - CJIS-5.5.2.2

Verify User Who Owns passwd File

To properly set the owner of /etc/passwd, run the command:

$ sudo chown root /etc/passwd

6.1.2 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Req-8.7.c

The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.
CCE-27138-7

chown 0 /etc/passwd

- name: Test for existence /etc/passwd
  stat:
    path: /etc/passwd
  register: file_exists
  tags:
    - file_owner_etc_passwd
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-27138-7
    - NIST-800-53-AC-6
    - PCI-DSS-Req-8.7.c
    - CJIS-5.5.2.2

- name: Ensure owner 0 on /etc/passwd
  file:
    path: /etc/passwd
    owner: 0
  when: file_exists.stat.exists and True
  tags:
    - file_owner_etc_passwd
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-27138-7
    - NIST-800-53-AC-6
    - PCI-DSS-Req-8.7.c
    - CJIS-5.5.2.2

Verify Group Who Owns shadow File

To properly set the group owner of /etc/shadow, run the command:

$ sudo chgrp root /etc/shadow

6.1.3 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Req-8.7.c

The /etc/shadow file stores password hashes. Protection of this file is critical for system security.
CCE-27125-4

chgrp 0 /etc/shadow

- name: Test for existence /etc/shadow
  stat:
    path: /etc/shadow
  register: file_exists
  tags:
    - file_groupowner_etc_shadow
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-27125-4
    - NIST-800-53-AC-6
    - PCI-DSS-Req-8.7.c
    - CJIS-5.5.2.2

- name: Ensure group owner 0 on /etc/shadow
  file:
    path: /etc/shadow
    group: 0
  when: file_exists.stat.exists and True
  tags:
    - file_groupowner_etc_shadow
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-27125-4
    - NIST-800-53-AC-6
    - PCI-DSS-Req-8.7.c
    - CJIS-5.5.2.2

Verify User Who Owns group File

To properly set the owner of /etc/group, run the command:

$ sudo chown root /etc/group

6.1.4 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Req-8.7.c

The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
CCE-26933-2

chown 0 /etc/group

- name: Test for existence /etc/group
  stat:
    path: /etc/group
  register: file_exists
  tags:
    - file_owner_etc_group
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-26933-2
    - NIST-800-53-AC-6
    - PCI-DSS-Req-8.7.c
    - CJIS-5.5.2.2

- name: Ensure owner 0 on /etc/group
  file:
    path: /etc/group
    owner: 0
  when: file_exists.stat.exists and True
  tags:
    - file_owner_etc_group
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-26933-2
    - NIST-800-53-AC-6
    - PCI-DSS-Req-8.7.c
    - CJIS-5.5.2.2

Verify Group Who Owns group File

To properly set the group owner of /etc/group, run the command:

$ sudo chgrp root /etc/group

6.1.4 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Req-8.7.c

The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
CCE-27037-1

chgrp 0 /etc/group

- name: Test for existence /etc/group
  stat:
    path: /etc/group
  register: file_exists
  tags:
    - file_groupowner_etc_group
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-27037-1
    - NIST-800-53-AC-6
    - PCI-DSS-Req-8.7.c
    - CJIS-5.5.2.2

- name: Ensure group owner 0 on /etc/group
  file:
    path: /etc/group
    group: 0
  when: file_exists.stat.exists and True
  tags:
    - file_groupowner_etc_group
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-27037-1
    - NIST-800-53-AC-6
    - PCI-DSS-Req-8.7.c
    - CJIS-5.5.2.2

Verify Group Who Owns passwd File

To properly set the group owner of /etc/passwd, run the command:

$ sudo chgrp root /etc/passwd

6.1.2 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Req-8.7.c

The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.
CCE-26639-5

chgrp 0 /etc/passwd

- name: Test for existence /etc/passwd
  stat:
    path: /etc/passwd
  register: file_exists
  tags:
    - file_groupowner_etc_passwd
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-26639-5
    - NIST-800-53-AC-6
    - PCI-DSS-Req-8.7.c
    - CJIS-5.5.2.2

- name: Ensure group owner 0 on /etc/passwd
  file:
    path: /etc/passwd
    group: 0
  when: file_exists.stat.exists and True
  tags:
    - file_groupowner_etc_passwd
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-26639-5
    - NIST-800-53-AC-6
    - PCI-DSS-Req-8.7.c
    - CJIS-5.5.2.2

Verify Permissions on passwd File

To properly set the permissions of /etc/passwd, run the command:

$ sudo chmod 0644 /etc/passwd

6.1.2 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Req-8.7.c

If the /etc/passwd file is writable by a group-owner or the world, the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.

CCE-26887-0

chmod 0644 /etc/passwd

- name: Test for existence /etc/passwd
  stat:
    path: /etc/passwd
  register: file_exists
  tags:
    - file_permissions_etc_passwd
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-26887-0
    - NIST-800-53-AC-6
    - PCI-DSS-Req-8.7.c
    - CJIS-5.5.2.2

- name: Ensure permission 0644 on /etc/passwd
  file:
    path: /etc/passwd
    mode: 0644
  when: file_exists.stat.exists and True
  tags:
    - file_permissions_etc_passwd
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-26887-0
    - NIST-800-53-AC-6
    - PCI-DSS-Req-8.7.c
    - CJIS-5.5.2.2

8.7.d Examine database access control settings, database
8.8 Ensure that security policies and
10.
Track and monitor all access to network resources and cardholder data
10.1 Implement audit trails to link all

Enable auditd Service

The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following command:

$ sudo systemctl enable auditd.service

RHEL-07-030000 SV-86703r3_rule 4.1.2 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.3.1 3.3.2 3.3.6 CCI-000126 CCI-000131 164.308(a)(1)(ii)(D) 164.308(a)(5)(ii)(C) 164.310(a)(2)(iv) 164.310(d)(2)(iii) 164.312(b) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-2(g) AU-3 AC-17(1) AU-1(b) AU-10 AU-12(a) AU-12(c) AU-14(1) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.1 SRG-OS-000038-GPOS-00016 SRG-OS-000039-GPOS-00017 SRG-OS-000042-GPOS-00021 SRG-OS-000254-GPOS-00095 SRG-OS-000255-GPOS-00096 SRG-OS-000037-VMM-000150 SRG-OS-000063-VMM-000310

Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the auditd service is active ensures audit records generated by the kernel are appropriately recorded.
Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.

CCE-27407-6

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'auditd.service'
"$SYSTEMCTL_EXEC" enable 'auditd.service'

- name: Enable service auditd
  service:
    name: auditd
    enabled: "yes"
    state: "started"
  tags:
    - service_auditd_enabled
    - high_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-27407-6
    - NIST-800-53-AC-2(g)
    - NIST-800-53-AU-3
    - NIST-800-53-AC-17(1)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-10
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-14(1)
    - NIST-800-53-IR-5
    - NIST-800-171-3.3.1
    - NIST-800-171-3.3.2
    - NIST-800-171-3.3.6
    - PCI-DSS-Req-10.1
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030000
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

10.2 Implement automated audit trails for
10.2.1 All individual user accesses to

Record Unsuccessful Delete Attempts to Files - renameat

The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete

5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205
SRG-OS-000392-GPOS-00172

Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

# fix_audit_syscall_rule is supplied by the SSG shared remediation function
# library at build time; it is not defined in this snippet.
for ARCH in "${RULE_ARCHS[@]}"
do
  PATTERN="-a always,exit -F arch=$ARCH -S renameat -F exit=-EACCES.*"
  GROUP="access"
  FULL_RULE="-a always,exit -F arch=$ARCH -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
  # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
  fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
  fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
  PATTERN="-a always,exit -F arch=$ARCH -S renameat -F exit=-EPERM.*"
  GROUP="access"
  FULL_RULE="-a always,exit -F arch=$ARCH -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
  fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
  fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

#
# What architecture are we on?
#
- name: Set architecture for audit renameat tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_renameat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_renameat
  tags:
    - audit_rules_unsuccessful_file_modification_renameat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_renameat.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_renameat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_renameat.files | map(attribute='path') | list | first }}"
  when: find_renameat.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_renameat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1

- name: Inserts/replaces the renameat rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_renameat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the renameat rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or
    ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_renameat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the renameat rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_renameat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the renameat rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_renameat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1

Record Unauthorized Creation Attempts to Files - open_by_handle_at O_CREAT

The audit system should collect unauthorized file accesses for all users and root. The open_by_handle_at syscall can be used to create new files when the O_CREAT flag is specified. The following audit rules will assure that unsuccessful attempts to create a file via the open_by_handle_at syscall are collected. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient.
See the following example:

-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Record Unauthorized Modification Attempts to Files - open O_TRUNC

The audit system should collect detailed unauthorized file accesses for all users and root. The open syscall can be used to modify files if called for a write operation or with the O_TRUNC flag. The following audit rules will assure that unsuccessful attempts to modify a file via the open syscall are collected.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S open -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient.
See the following example:

-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Record Unauthorized Creation Attempts to Files - openat O_CREAT

The audit system should collect unauthorized file accesses for all users and root. The openat syscall can be used to create new files when the O_CREAT flag is specified. The following audit rules will assure that unsuccessful attempts to create a file via the openat syscall are collected.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient.
See the following example:

-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

References: 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172

Rationale: Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Record Unauthorized Access Attempts to Files (unsuccessful) - truncate

At a minimum, the audit system should collect unauthorized file accesses for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.
References: RHEL-07-030540 SV-86755r4_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172

Rationale: Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Identifiers: CCE-80389-0

Remediation Shell script:

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

# fix_audit_syscall_rule is provided by the SCAP Security Guide's shared bash
# remediation functions and is not defined in this snippet.
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S truncate -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S truncate -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

#
# What architecture are we on?
#
- name: Set architecture for audit truncate tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_truncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80389-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030540
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_truncate
  tags:
    - audit_rules_unsuccessful_file_modification_truncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80389-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030540
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_truncate.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_truncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80389-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030540

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_truncate.files | map(attribute='path') | list | first }}"
  when: find_truncate.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_truncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80389-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030540

- name: Inserts/replaces the truncate rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_truncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80389-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030540
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the truncate rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_truncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80389-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030540

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the truncate rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_truncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80389-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030540
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the truncate rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_truncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80389-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030540

Record Unauthorized Access Attempts to Files (unsuccessful) - creat

At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Note that these rules can be
configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.

References: RHEL-07-030500 SV-86747r4_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172

Rationale: Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
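A coverage check for the rules in this section, added here as an example and not part of the SCAP Security Guide or its remediations: it applies to the truncate and creat rules above and equally to the openat, open, open_by_handle_at and unlink rules, and it accepts a grouped rule (the "-S open,openat,open_by_handle_at" form the notes recommend) as covering each syscall it lists. The sample rules.d content, the function names and the MISSING output format are constructed for this example, and the -F key= label is deliberately ignored because the guide's descriptions and remediations label the same rules differently.

```sh
#!/bin/sh
# Added example (not part of the SCAP Security Guide): check that a rules.d /
# audit.rules text covers every required combination of architecture, syscall
# and exit value for the unsuccessful-file-modification rules in this guide.
# A grouped rule such as "-S open,openat,open_by_handle_at" counts as covering
# each syscall it lists, so the "more efficient" grouped form the guide
# recommends passes the same check as the one-syscall-per-rule form.

# Constructed sample, as it might appear in /etc/audit/rules.d/access.rules:
# grouped O_CREAT rules exist for -EACCES only, truncate is complete on b32 but
# lacks -EPERM on b64, and there are no unlink rules at all.
SAMPLE_RULES='# constructed sample rules.d content
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access'

# required_archs: the architecture list the guide's shell remediation derives
# from getconf LONG_BIT (b32 only on a 32-bit kernel, b32 and b64 otherwise).
required_archs() {
  if [ "$(getconf LONG_BIT)" = "32" ]; then echo "b32"; else echo "b32 b64"; fi
}

# rule_covers LINE ARCH SYSCALL EXIT [A2MASK]
# Succeeds when LINE is an always,exit rule for ARCH whose -S list contains
# SYSCALL, whose exit filter is EXIT, whose a2 mask equals A2MASK (empty when
# the rule needs none) and which carries the auid>=1000 and auid!=unset
# filters. The -F key= label is ignored on purpose: this guide's descriptions
# and remediations label the same rules differently (unsuccessful-delete
# versus access for unlink, for instance).
rule_covers() {
  want_arch=$2 want_sc=$3 want_exit=$4 want_a2=${5:-}
  set -f                          # no pathname expansion while splitting
  set -- $1                       # split the rule into "-opt value" pairs
  set +f
  [ "${1:-}" = "-a" ] && [ "${2:-}" = "always,exit" ] || return 1
  shift 2
  r_arch='' r_exit='' r_a2='' r_auid_min=0 r_auid_unset=0 r_sc_hit=0
  while [ $# -ge 2 ]; do
    case "$1 $2" in
      "-F arch="*)     r_arch=${2#"arch="} ;;
      "-F exit="*)     r_exit=${2#"exit="} ;;
      "-F a2&"*)       r_a2=${2#"a2&"} ;;
      "-F auid>=1000") r_auid_min=1 ;;
      "-F auid!=unset"|"-F auid!=4294967295") r_auid_unset=1 ;;  # both mean "unset"
      "-S "*) case ",$2," in *",$want_sc,"*) r_sc_hit=1 ;; esac ;;
    esac
    shift 2
  done
  [ "$r_arch" = "$want_arch" ] && [ "$r_exit" = "$want_exit" ] &&
    [ "$r_sc_hit" = 1 ] && [ "$r_auid_min" = 1 ] &&
    [ "$r_auid_unset" = 1 ] && [ "$r_a2" = "$want_a2" ]
}

# check_coverage RULES ARCHS SYSCALL [A2MASK]
# Prints one MISSING line for each required rule (every ARCH combined with
# -EACCES and -EPERM) that no line in RULES covers; returns 0 when coverage
# is complete and 1 otherwise.
check_coverage() {
  rules=$1 archs=$2 syscall=$3 a2=${4:-}
  missing=0
  for arch in $archs; do
    for ev in -EACCES -EPERM; do
      found=0
      while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if rule_covers "$line" "$arch" "$syscall" "$ev" "$a2"; then
          found=1
          break
        fi
      done <<EOF
$rules
EOF
      if [ "$found" = 0 ]; then
        echo "MISSING: -F arch=$arch -S $syscall${a2:+ -F a2&$a2} -F exit=$ev"
        missing=1
      fi
    done
  done
  return $missing
}

# Demonstration on the constructed sample; each call that finds gaps returns 1.
check_coverage "$SAMPLE_RULES" "b32 b64" truncate || true     # b64 -EPERM missing
check_coverage "$SAMPLE_RULES" "b32 b64" openat 0100 || true  # -EPERM missing on both
check_coverage "$SAMPLE_RULES" "b32 b64" unlink || true       # all four missing
```

On a live host, feed it the real rule files instead of the sample, e.g. check_coverage "$(cat /etc/audit/rules.d/*.rules)" "$(required_archs)" truncate; each MISSING line names a rule the remediation still has to add.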
Identifiers: CCE-80385-8

Remediation Shell script:

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

# fix_audit_syscall_rule is provided by the SCAP Security Guide's shared bash
# remediation functions and is not defined in this snippet.
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S creat -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S creat -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

#
# What architecture are we on?
#
- name: Set architecture for audit creat tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_creat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80385-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030500
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_creat
  tags:
    - audit_rules_unsuccessful_file_modification_creat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80385-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030500
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_creat.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_creat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80385-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030500

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_creat.files | map(attribute='path') | list | first }}"
  when: find_creat.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_creat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80385-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030500

- name: Inserts/replaces the creat rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_creat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80385-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030500
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the creat rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_creat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80385-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030500

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the creat rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_creat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80385-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030500
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the creat rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_creat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80385-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030500

Record Unauthorized Creation Attempts to Files - open O_CREAT

The audit system should collect unauthorized file accesses for all users and root. The open syscall can be used to create new files when the O_CREAT flag is specified. The following audit rules will assure that unsuccessful attempts to create a file via the open syscall are collected.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S open -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient.
See the following example:

-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

References: 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172

Rationale: Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Record Unsuccessful Delete Attempts to Files - unlink

The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete

References: 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172

Rationale: Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Remediation Shell script:

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

# fix_audit_syscall_rule is provided by the SCAP Security Guide's shared bash
# remediation functions and is not defined in this snippet.
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S unlink -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S unlink -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

#
# What architecture are we on?
#
- name: Set architecture for audit unlink tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_unlink
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_unlink
  tags:
    - audit_rules_unsuccessful_file_modification_unlink
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_unlink.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_unlink
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_unlink.files | map(attribute='path') | list | first }}"
  when: find_unlink.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_unlink
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1

- name: Inserts/replaces the unlink rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_unlink
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the unlink rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_unlink
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the unlink rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_unlink
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the unlink rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_unlink
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    -
NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.4 - PCI-DSS-Req-10.2.1 Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly The audit system should collect detailed unauthorized file accesses for all users and root. To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access of files via openat syscall the audit rules collecting these events need to be in certain order. The more specific rules need to come before the less specific rules. The reason for that is that more specific rules cover a subset of events covered in the less specific rules, thus, they need to come before to not be overshadowed by less specific rules, which match a bigger set of events. Make sure that rules for unsuccessful calls of openat syscall are in the order shown below. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), check the order of rules below in a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, check the order of rules below in /etc/audit/audit.rules file. 
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access

References: CIS 5.2.10; CIS CSC 1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 16, 19; COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST SP 800-171 3.1.7; CCI-000172, CCI-002884; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA-62443-2009 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2013 SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; ISO/IEC 27001:2013 A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; NIST SP 800-53 AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5; NIST CSF DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; Common Criteria FAU_GEN.1.1.c; PCI DSS Req-10.2.4, Req-10.2.1; DISA SRG SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172

Rationale: The more specific rules cover a subset of the events covered by the less specific rules. Because the kernel records an event under the first rule that matches, ordering the rules from most to least specific ensures that a general rule does not capture events the specific rule was written to label.

Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly

The audit system should collect detailed unauthorized file accesses for all users and root. To correctly distinguish unsuccessful creation, unsuccessful modification and unsuccessful access of files via the open syscall, the audit rules collecting these events must be in a specific order: the more specific rules (those that also test the open flags) must come before the less specific rules. The kernel records an event under the first rule that matches it, and each more specific rule matches a subset of the events matched by a less specific rule, so a specific rule placed after a general one is never reached and its events are recorded under the general rule's key instead. Note that open(2) takes its flags as the second argument, so the flag tests use a1 (a1&0100 for O_CREAT, a1&01003 for O_CREAT, O_TRUNC, O_WRONLY or O_RDWR), whereas openat(2) takes them as the third argument, a2. Make sure that the rules for unsuccessful calls of the open syscall are in the order shown below. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), check the order of the rules below in a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, check the order of the rules below in the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access

References: CIS 5.2.10; CIS CSC 1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 16, 19; COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST SP 800-171 3.1.7; CCI-000172, CCI-002884; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA-62443-2009 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2013 SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; ISO/IEC 27001:2013 A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; NIST SP 800-53 AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5; NIST CSF DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; Common Criteria FAU_GEN.1.1.c; PCI DSS Req-10.2.4, Req-10.2.1; DISA SRG SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172

Rationale: The more specific rules cover a subset of the events covered by the less specific rules. Because the kernel records an event under the first rule that matches, ordering the rules from most to least specific ensures that a general rule does not capture events the specific rule was written to label.

Record Unauthorized Access Attempts to Files (unsuccessful) - open

At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here each system call has been given its own rule, independent of other system calls. Grouping these system calls with others, as shown earlier in this guide, is more efficient because the kernel walks the rule list on every syscall exit.

DISA STIG ID: RHEL-07-030510 (SV-86749r4_rule)

References: CIS 5.2.10; CIS CSC 1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 16, 19; COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST SP 800-171 3.1.7; CCI-000172, CCI-002884; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA-62443-2009 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2013 SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; ISO/IEC 27001:2013 A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; NIST SP 800-53 AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5; NIST CSF DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; Common Criteria FAU_GEN.1.1.c; PCI DSS Req-10.2.4, Req-10.2.1; DISA SRG SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172

Rationale: Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
CCE: CCE-80386-6

Bash remediation (fix_audit_syscall_rule is a helper from the SCAP Security Guide's shared bash remediation functions; it inserts the rule into, or updates a rule matching PATTERN in, the rule file used by the named tool):

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S open -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S open -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Ansible remediation:

#
# What architecture are we on?
#
- name: Set architecture for audit open tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags: &open_tags
    - audit_rules_unsuccessful_file_modification_open
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80386-6
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030510
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other unsuccessful-access audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    # Look for rules that already carry the key being added, so the new rules
    # land in the same file as the rest of the "access" group.
    contains: "-F key=access$"
    patterns: "*.rules"
  register: find_open
  tags: *open_tags
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If no existing access ruleset is found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_open.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: *open_tags

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_open.files | map(attribute='path') | list | first }}"
  when: find_open.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: *open_tags

- name: Inserts/replaces the open rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags: *open_tags
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the open rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: *open_tags

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the open rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags: *open_tags
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the open rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: *open_tags

Record Unauthorized Access Attempts to Files (unsuccessful) - open_by_handle_at

At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here each system call has been given its own rule, independent of other system calls (the auditctl variant therefore lists open_by_handle_at alone, matching the augenrules variant and the remediations below). Grouping these system calls with others, as shown earlier in this guide, is more efficient because the kernel walks the rule list on every syscall exit.

DISA STIG ID: RHEL-07-030530 (SV-86753r4_rule)

References: CIS 5.2.10; CIS CSC 1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 16, 19; COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST SP 800-171 3.1.7; CCI-000172, CCI-002884; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA-62443-2009 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2013 SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; ISO/IEC 27001:2013 A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; NIST SP 800-53 AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5; NIST CSF DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; Common Criteria FAU_GEN.1.1.c; PCI DSS Req-10.2.4, Req-10.2.1; DISA SRG SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172

Rationale: Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
CCE: CCE-80388-2

Bash remediation (fix_audit_syscall_rule is a helper from the SCAP Security Guide's shared bash remediation functions; it inserts the rule into, or updates a rule matching PATTERN in, the rule file used by the named tool):

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S open_by_handle_at -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S open_by_handle_at -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Ansible remediation:

#
# What architecture are we on?
# - name: Set architecture for audit open_by_handle_at tasks set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" tags: - audit_rules_unsuccessful_file_modification_open_by_handle_at - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80388-2 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.4 - PCI-DSS-Req-10.2.1 - DISA-STIG-RHEL-07-030530 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") # # Inserts/replaces the rule in /etc/audit/rules.d # - name: Search /etc/audit/rules.d for other DAC audit rules find: paths: "/etc/audit/rules.d" recurse: no contains: "-F key=perm_mod$" patterns: "*.rules" register: find_open_by_handle_at tags: - audit_rules_unsuccessful_file_modification_open_by_handle_at - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80388-2 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.4 - PCI-DSS-Req-10.2.1 - DISA-STIG-RHEL-07-030530 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/access.rules when: find_open_by_handle_at.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_unsuccessful_file_modification_open_by_handle_at - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80388-2 - NIST-800-53-AC-17(7) - 
NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.4 - PCI-DSS-Req-10.2.1 - DISA-STIG-RHEL-07-030530 - name: Use matched file as the recipient for the rule set_fact: all_files: - "{{ find_open_by_handle_at.files | map(attribute='path') | list | first }}" when: find_open_by_handle_at.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_unsuccessful_file_modification_open_by_handle_at - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80388-2 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.4 - PCI-DSS-Req-10.2.1 - DISA-STIG-RHEL-07-030530 - name: Inserts/replaces the open_by_handle_at rule in rules.d when on x86 lineinfile: path: "{{ all_files[0] }}" line: "{{ item }}" create: yes with_items: - "-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" - "-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" tags: - audit_rules_unsuccessful_file_modification_open_by_handle_at - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80388-2 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.4 - PCI-DSS-Req-10.2.1 - DISA-STIG-RHEL-07-030530 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Inserts/replaces the open_by_handle_at rule in rules.d when on x86_64 lineinfile: path: "{{ 
all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80388-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030530

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the open_by_handle_at rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80388-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030530
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the open_by_handle_at rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80388-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030530

Record Unauthorized Access Attempts to Files (unsuccessful) - ftruncate

At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

References: RHEL-07-030550 SV-86757r4_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172

Rationale: Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Identifiers: CCE-80390-8

Remediation Shell script:

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

# fix_audit_syscall_rule comes from the SCAP Security Guide shared bash remediation
# functions; it is not defined in this snippet.
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S ftruncate -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S ftruncate -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

#
# What architecture are we on?
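Once the key=access rules above are loaded, every hit lands in /var/log/audit/audit.log as a SYSCALL record with success=no, exit set to the negated errno (-13 for EACCES, -1 for EPERM) and the rule's key, followed by PATH records for the same event id. The script below is an added example (not code from the SCAP Security Guide) that joins those records and summarises failed attempts per login uid, which is how the rationale's "evidence of potential system compromise" is actually read out of the log. The log lines are constructed and abbreviated; syscall numbers are those of x86_64.

```python
"""Triage the SYSCALL records produced by the key=access rules in this guide.

Added example, not SCAP Security Guide code. SAMPLE_LOG is constructed and
abbreviated; it follows the raw /var/log/audit/audit.log field layout.
"""
import re
from collections import Counter, defaultdict

# exit= carries the negated errno; these are the two values the rules select on
ERRNO_NAMES = {-1: "EPERM", -13: "EACCES"}

# Keys used by the rules in this guide that record unsuccessful file operations
WATCHED_KEYS = {"access", "unsuccesful-create", "unsuccesful-modification",
                "unsuccesful-access", "unsuccessful-delete"}

# Constructed sample: events 301-303 are rule hits (two by auid 1000, one by
# auid 1001); event 304 succeeded, so no rule tagged it (key=(null)).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1560357038.101:301): arch=c000003e syscall=77 success=no exit=-13 a0=3 a1=0 a2=0 a3=0 items=0 ppid=4100 pid=4101 auid=1000 uid=1000 gid=1000 euid=1000 ses=4 comm="truncate" exe="/usr/bin/truncate" key="access"
type=SYSCALL msg=audit(1560357038.204:302): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd a1=0 a2=0 a3=0 items=1 ppid=4100 pid=4102 auid=1000 uid=1000 gid=1000 euid=1000 ses=4 comm="cat" exe="/usr/bin/cat" key="access"
type=PATH msg=audit(1560357038.204:302): item=0 name="/etc/shadow" inode=1234 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1560357039.310:303): arch=c000003e syscall=257 success=no exit=-1 a0=ffffff9c a1=7ffd a2=201 a3=0 items=1 ppid=4200 pid=4201 auid=1001 uid=1001 gid=1001 euid=1001 ses=5 comm="sh" exe="/usr/bin/bash" key="access"
type=PATH msg=audit(1560357039.310:303): item=0 name="/var/log/messages" inode=5678 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1560357040.000:304): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd a1=0 a2=0 a3=0 items=1 ppid=4200 pid=4202 auid=1001 uid=1001 gid=1001 euid=1001 ses=5 comm="cat" exe="/usr/bin/cat" key=(null)
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
EVENT_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # timestamp:serial


def parse_record(line):
    """Split one raw audit record into a dict of its fields plus the event id."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["_time"], fields["_event"] = m.group(1), m.group(2)
    return fields


def unsuccessful_access_events(log_text):
    """Return one summary per SYSCALL record that a watched rule tagged and
    that failed, joined with the PATH names of the same event id."""
    syscalls, paths = {}, defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["type"] == "SYSCALL":
            syscalls[rec["_event"]] = rec
        elif rec["type"] == "PATH":
            paths[rec["_event"]].append(rec.get("name", "?"))
    events = []
    for eid, rec in sorted(syscalls.items(), key=lambda kv: int(kv[0])):
        if rec.get("key") not in WATCHED_KEYS or rec.get("success") != "no":
            continue
        errno = int(rec["exit"])
        events.append({
            "event": eid, "time": rec["_time"], "auid": rec["auid"],
            "comm": rec["comm"], "syscall": rec["syscall"],
            "errno": ERRNO_NAMES.get(errno, str(errno)), "key": rec["key"],
            "paths": paths.get(eid, []),
        })
    return events


def count_by_auid(events):
    """Failed attempts per login uid: a burst from one auid is the signal the
    rationale above is after."""
    return Counter(e["auid"] for e in events)


if __name__ == "__main__":
    hits = unsuccessful_access_events(SAMPLE_LOG)
    for h in hits:
        print(f"{h['event']} auid={h['auid']} {h['comm']} syscall={h['syscall']} "
              f"{h['errno']} key={h['key']} paths={h['paths']}")
    print("per auid:", dict(count_by_auid(hits)))
```

Against the constructed log the script reports three events (two EACCES, one EPERM) and attributes two of them to auid 1000; the successful open in event 304 is ignored because no rule tagged it. On a real host the same parser is fed the output of ausearch -k access --raw, and auid rather than uid is the field to pivot on, since it survives su and sudo.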
#
- name: Set architecture for audit ftruncate tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_ftruncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80390-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030550
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_ftruncate
  tags:
    - audit_rules_unsuccessful_file_modification_ftruncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80390-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030550
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_ftruncate.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_ftruncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80390-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030550

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_ftruncate.files | map(attribute='path') | list | first }}"
  when: find_ftruncate.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_ftruncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80390-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030550

- name: Inserts/replaces the ftruncate rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_ftruncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80390-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030550
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the ftruncate rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_ftruncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80390-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030550

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the ftruncate rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_ftruncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80390-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030550
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the ftruncate rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_ftruncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80390-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030550

Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly

The audit system should collect detailed unauthorized file accesses for all users and root. To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access of files via the open_by_handle_at syscall, the audit rules collecting these events need to be in a certain order. The more specific rules need to come before the less specific rules. The reason is that more specific rules cover a subset of the events covered by the less specific rules, so they need to come first in order not to be overshadowed by the less specific rules, which match a bigger set of events. Make sure that the rules for unsuccessful calls of the open_by_handle_at syscall are in the order shown below.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), check the order of the rules below in a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, check the order of the rules below in the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access

References: 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172

Rationale: The more specific rules cover a subset of the events covered by the less specific rules. By ordering them from more specific to less specific, it is assured that the less specific rule will not catch events better recorded by the more specific rule.

Record Unsuccessful Delete Attempts to Files - unlinkat

The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete

References: 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172

Rationale: Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Remediation Shell script:

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

# fix_audit_syscall_rule comes from the SCAP Security Guide shared bash remediation
# functions; it is not defined in this snippet.
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S unlinkat -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S unlinkat -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

#
# What architecture are we on?
#
- name: Set architecture for audit unlinkat tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_unlinkat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_unlinkat
  tags:
    - audit_rules_unsuccessful_file_modification_unlinkat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_unlinkat.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_unlinkat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_unlinkat.files | map(attribute='path') | list | first }}"
  when: find_unlinkat.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_unlinkat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1

- name: Inserts/replaces the unlinkat rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_unlinkat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the unlinkat rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_unlinkat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the unlinkat rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_unlinkat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the unlinkat rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_unlinkat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1

Record Unauthorized Modification Attempts to Files - openat O_TRUNC

The audit system should collect detailed unauthorized file accesses for all users and root. The openat syscall can be used to modify files if called for a write operation or with the O_TRUNC flag. The following audit rules will ensure that unsuccessful attempts to modify a file via the openat syscall are collected. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient.
See the following example:

-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

References: 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172

Rationale: Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)

At a minimum the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

This rule checks for multiple syscalls related to unsuccessful file modification; it was written with DISA STIG in mind. Other policies should use a separate rule for each syscall that needs to be checked. For example:

audit_rules_unsuccessful_file_modification_open
audit_rules_unsuccessful_file_modification_ftruncate
audit_rules_unsuccessful_file_modification_creat

References: 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.2.4 Req-10.2.1

Rationale: Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
CCE-27347-4 # Perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do # First fix the -EACCES requirement PATTERN="-a always,exit -F arch=$ARCH -S .* -F exit=-EACCES -F auid>=1000 -F auid!=unset -k *" # Use escaped BRE regex to specify rule group GROUP="\(creat\|open\|truncate\)" FULL_RULE="-a always,exit -F arch=$ARCH -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" # Then fix the -EPERM requirement PATTERN="-a always,exit -F arch=$ARCH -S .* -F exit=-EPERM -F auid>=1000 -F auid!=unset -k *" # No need to change content of $GROUP variable - it's the same as for -EACCES case above FULL_RULE="-a always,exit -F arch=$ARCH -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done Record Unauthorized Modification Attempts to Files - open_by_handle_at O_TRUNC The audit system should collect detailed unauthorized file accesses for all users and root. The open_by_handle_at syscall can be used to modify files if called for write operation of with O_TRUNC flag. The following auidt rules will asure that unsuccessful attempts to modify a file via open_by_handle_at syscall are collected. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. 
See the following example:

    -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

References: 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172

Rationale: Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Record Unauthorized Access Attempts to Files (unsuccessful) - openat

At a minimum, the audit system should collect unauthorized file accesses for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

    -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:

    -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

    -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.
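As an added check (example code written for this page, not part of the SCAP Security Guide), the script below verifies that a rules file carries the -EACCES and -EPERM rules for a given syscall on each architecture, accepting the grouped "-S open,openat,..." form the guide calls equivalent as well as one rule per syscall and either the -k or the -F key= spelling; the rules file it reads is a constructed sample.

```python
"""Coverage check for unsuccessful-access syscall rules in an auditd rules file.

Added example; this is not code from the SCAP Security Guide. It parses
auditctl-style "-a always,exit ..." rules and reports, per architecture, which
of the -F exit=-EACCES / -F exit=-EPERM rules for a syscall are missing.
"""
import shlex

# Filters every rule in the guide carries: exclude unset (daemon) and system auids.
AUID_FILTERS = {"auid>=1000", "auid!=unset"}

# Constructed sample rules file: one grouped b32 rule, single-syscall b64 rules,
# a rule with no key, and a watch rule the syscall check must ignore.
SAMPLE_RULES = """\
## constructed sample, not a real /etc/audit/rules.d file
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset
-w /etc/sudoers -p wa -k actions
"""


def parse_syscall_rule(line):
    """Parse one '-a' syscall rule; return None for comments, blanks and non-'-a' rules."""
    tokens = shlex.split(line.split("#", 1)[0])
    if len(tokens) < 2 or tokens[0] != "-a":
        return None
    rule = {
        "action": frozenset(tokens[1].split(",")),  # 'always,exit' == 'exit,always'
        "syscalls": set(),
        "fields": set(),
        "key": None,
    }
    i = 2
    while i < len(tokens):
        if i + 1 >= len(tokens):
            raise ValueError("option %r has no value in: %s" % (tokens[i], line))
        flag, value = tokens[i], tokens[i + 1]
        if flag == "-S":
            rule["syscalls"].update(value.split(","))  # '-S a,b' and repeated '-S' both allowed
        elif flag == "-F" and value.startswith("key="):
            rule["key"] = value[len("key="):]
        elif flag == "-F":
            rule["fields"].add(value)
        elif flag == "-k":
            rule["key"] = value
        else:
            raise ValueError("unsupported option %r in: %s" % (flag, line))
        i += 2
    return rule


def covers(rule, syscall, arch, errno):
    """True if this rule records failed calls of `syscall` on `arch` with `errno` for real users."""
    return (
        rule["action"] == frozenset({"always", "exit"})
        and syscall in rule["syscalls"]
        and "arch=" + arch in rule["fields"]
        and "exit=" + errno in rule["fields"]
        and AUID_FILTERS <= rule["fields"]
        and bool(rule["key"])  # a key is required so the events can be found with ausearch -k
    )


def missing_coverage(rules_text, syscall, archs=("b32", "b64")):
    """Return [(arch, errno), ...] for the required EACCES/EPERM rules that are absent."""
    rules = [r for r in (parse_syscall_rule(l) for l in rules_text.splitlines()) if r]
    return [
        (arch, errno)
        for arch in archs
        for errno in ("-EACCES", "-EPERM")
        if not any(covers(r, syscall, arch, errno) for r in rules)
    ]


if __name__ == "__main__":
    for syscall in ("openat", "open_by_handle_at", "rename", "unlink"):
        print(syscall, "missing:", missing_coverage(SAMPLE_RULES, syscall))
```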
RHEL-07-030520 SV-86751r4_rule

References: 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172

Rationale: Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
CCE-80387-4

Shell remediation (uses the fix_audit_syscall_rule helper from the guide's shared remediation functions, which is not shown on this page):

    # First perform the remediation of the syscall rule
    # Retrieve hardware architecture of the underlying system
    [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

    for ARCH in "${RULE_ARCHS[@]}"
    do
        PATTERN="-a always,exit -F arch=$ARCH -S openat -F exit=-EACCES.*"
        GROUP="access"
        FULL_RULE="-a always,exit -F arch=$ARCH -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    done

    for ARCH in "${RULE_ARCHS[@]}"
    do
        PATTERN="-a always,exit -F arch=$ARCH -S openat -F exit=-EPERM.*"
        GROUP="access"
        FULL_RULE="-a always,exit -F arch=$ARCH -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    done

Ansible remediation:

    #
    # What architecture are we on?
    #
    - name: Set architecture for audit openat tasks
      set_fact:
        audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
      tags: [audit_rules_unsuccessful_file_modification_openat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80387-4, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1, DISA-STIG-RHEL-07-030520]
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    #
    # Inserts/replaces the rule in /etc/audit/rules.d
    #
    - name: Search /etc/audit/rules.d for other DAC audit rules
      find:
        paths: "/etc/audit/rules.d"
        recurse: no
        contains: "-F key=perm_mod$"
        patterns: "*.rules"
      register: find_openat
      tags: [audit_rules_unsuccessful_file_modification_openat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80387-4, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1, DISA-STIG-RHEL-07-030520]
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
      set_fact:
        all_files:
          - /etc/audit/rules.d/access.rules
      when: find_openat.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_unsuccessful_file_modification_openat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80387-4, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1, DISA-STIG-RHEL-07-030520]

    - name: Use matched file as the recipient for the rule
      set_fact:
        all_files:
          - "{{ find_openat.files | map(attribute='path') | list | first }}"
      when: find_openat.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_unsuccessful_file_modification_openat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80387-4, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1, DISA-STIG-RHEL-07-030520]

    - name: Inserts/replaces the openat rule in rules.d when on x86
      lineinfile:
        path: "{{ all_files[0] }}"
        line: "{{ item }}"
        create: yes
      with_items:
        - "-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
        - "-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
      tags: [audit_rules_unsuccessful_file_modification_openat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80387-4, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1, DISA-STIG-RHEL-07-030520]
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Inserts/replaces the openat rule in rules.d when on x86_64
      lineinfile:
        path: "{{ all_files[0] }}"
        line: "{{ item }}"
        create: yes
      with_items:
        - "-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
        - "-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
      when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_unsuccessful_file_modification_openat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80387-4, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1, DISA-STIG-RHEL-07-030520]

    #
    # Inserts/replaces the rule in /etc/audit/audit.rules
    #
    - name: Inserts/replaces the openat rule in /etc/audit/audit.rules when on x86
      lineinfile:
        line: "{{ item }}"
        state: present
        dest: /etc/audit/audit.rules
      with_items:
        - "-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
        - "-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
      tags: [audit_rules_unsuccessful_file_modification_openat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80387-4, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1, DISA-STIG-RHEL-07-030520]
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Inserts/replaces the openat rule in audit.rules when on x86_64
      lineinfile:
        line: "{{ item }}"
        state: present
        dest: /etc/audit/audit.rules
        create: yes
      with_items:
        - "-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
        - "-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
      when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_unsuccessful_file_modification_openat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80387-4, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1, DISA-STIG-RHEL-07-030520]

Record Unsuccessful Delete Attempts to Files - rename

The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.

    -a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
    -a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

If the system is 64 bit then also add the following lines:

    -a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
    -a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient.
See the following example:

    -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete

References: 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172

Rationale: Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Shell remediation (uses the fix_audit_syscall_rule helper from the guide's shared remediation functions, which is not shown on this page):

    # First perform the remediation of the syscall rule
    # Retrieve hardware architecture of the underlying system
    [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

    for ARCH in "${RULE_ARCHS[@]}"
    do
        PATTERN="-a always,exit -F arch=$ARCH -S rename -F exit=-EACCES.*"
        GROUP="access"
        FULL_RULE="-a always,exit -F arch=$ARCH -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    done

    for ARCH in "${RULE_ARCHS[@]}"
    do
        PATTERN="-a always,exit -F arch=$ARCH -S rename -F exit=-EPERM.*"
        GROUP="access"
        FULL_RULE="-a always,exit -F arch=$ARCH -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    done

Ansible remediation:

    #
    # What architecture are we on?
    #
    - name: Set architecture for audit rename tasks
      set_fact:
        audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
      tags: [audit_rules_unsuccessful_file_modification_rename, medium_severity, restrict_strategy, low_complexity, low_disruption, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1]
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    #
    # Inserts/replaces the rule in /etc/audit/rules.d
    #
    - name: Search /etc/audit/rules.d for other DAC audit rules
      find:
        paths: "/etc/audit/rules.d"
        recurse: no
        contains: "-F key=perm_mod$"
        patterns: "*.rules"
      register: find_rename
      tags: [audit_rules_unsuccessful_file_modification_rename, medium_severity, restrict_strategy, low_complexity, low_disruption, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1]
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
      set_fact:
        all_files:
          - /etc/audit/rules.d/access.rules
      when: find_rename.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_unsuccessful_file_modification_rename, medium_severity, restrict_strategy, low_complexity, low_disruption, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1]

    - name: Use matched file as the recipient for the rule
      set_fact:
        all_files:
          - "{{ find_rename.files | map(attribute='path') | list | first }}"
      when: find_rename.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_unsuccessful_file_modification_rename, medium_severity, restrict_strategy, low_complexity, low_disruption, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1]

    - name: Inserts/replaces the rename rule in rules.d when on x86
      lineinfile:
        path: "{{ all_files[0] }}"
        line: "{{ item }}"
        create: yes
      with_items:
        - "-a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
        - "-a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
      tags: [audit_rules_unsuccessful_file_modification_rename, medium_severity, restrict_strategy, low_complexity, low_disruption, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1]
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Inserts/replaces the rename rule in rules.d when on x86_64
      lineinfile:
        path: "{{ all_files[0] }}"
        line: "{{ item }}"
        create: yes
      with_items:
        - "-a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
        - "-a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
      when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_unsuccessful_file_modification_rename, medium_severity, restrict_strategy, low_complexity, low_disruption, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1]

    #
    # Inserts/replaces the rule in /etc/audit/audit.rules
    #
    - name: Inserts/replaces the rename rule in /etc/audit/audit.rules when on x86
      lineinfile:
        line: "{{ item }}"
        state: present
        dest: /etc/audit/audit.rules
      with_items:
        - "-a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
        - "-a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
      tags: [audit_rules_unsuccessful_file_modification_rename, medium_severity, restrict_strategy, low_complexity, low_disruption, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1]
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Inserts/replaces the rename rule in audit.rules when on x86_64
      lineinfile:
        line: "{{ item }}"
        state: present
        dest: /etc/audit/audit.rules
        create: yes
      with_items:
        - "-a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
        - "-a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
      when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_unsuccessful_file_modification_rename, medium_severity, restrict_strategy, low_complexity, low_disruption, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1]

10.2.2 All actions taken by any

Ensure auditd Collects Information on the Use of Privileged Commands

At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART:

    $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list:

    -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list:

    -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

This rule checks for multiple syscalls related to privileged commands; it was written with DISA STIG in mind. Other policies should use a separate rule for each syscall that needs to be checked.
For example:

    audit_rules_privileged_commands_su
    audit_rules_privileged_commands_umount
    audit_rules_privileged_commands_passwd

RHEL-07-030360 SV-86719r6_rule

References: 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO08.04 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.05 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-002234 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.5 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.3.4.5.9 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 3.9 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.1 A.16.1.2 A.16.1.3 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.3 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-2(4) AU-6(9) AU-12(a) AU-12(c) IR-5 DE.AE-2 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 DE.DP-4 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 RS.CO-2 Req-10.2.2 SRG-OS-000327-GPOS-00127

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
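The procedure above, as added example code rather than the guide's own remediation: enumerate setuid/setgid programs on one filesystem the way the find command does, then emit the -F path=... rule for every program that no existing rule already covers. The program list and rules file are constructed samples; treating a "-w PROG -p x" watch as equivalent coverage goes slightly beyond the guide's check, which only looks for "path=PROG ".

```python
"""Derive the per-program privileged-command audit rules the guide asks for.

Added example; not SCAP Security Guide code. It follows the guide's procedure:
find setuid/setgid regular files on one filesystem (the 'find PART -xdev
-type f -perm -4000 -o -type f -perm -2000' step), then emit an
'-a always,exit -F path=PROG -F perm=x ...' line for every program that no
existing rule covers. A '-w PROG -p x' watch is also accepted as covering PROG,
since auditctl turns such a watch into the same path/perm rule.
"""
import os
import re
import stat

RULE_TEMPLATE = ("-a always,exit -F path={path} -F perm=x "
                 "-F auid>={auid_min} -F auid!=unset -F key=privileged")

# Constructed sample: what 'find' might list, and an existing rules file.
SAMPLE_PROGRAMS = ["/usr/bin/passwd", "/usr/bin/su", "/usr/bin/sudo", "/usr/bin/umount"]
SAMPLE_RULES = """\
## constructed sample rules file
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-w /usr/bin/umount -p x -k privileged
-w /etc/sudoers -p wa -k actions
"""


def find_setuid_setgid(partition):
    """Regular files with the setuid or setgid bit under `partition`, staying on its filesystem."""
    root_dev = os.lstat(partition).st_dev
    found = []
    for dirpath, dirnames, filenames in os.walk(partition):
        kept = []
        for d in dirnames:  # -xdev: prune directories that are mount points of other filesystems
            try:
                if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev:
                    kept.append(d)
            except OSError:
                pass
        dirnames[:] = kept
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:  # unreadable entry, the cases find's 2>/dev/null hides
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append(full)
    return sorted(found)


def audited_paths(rules_text):
    """Programs already covered: exact '-F path=PROG' tokens (so /usr/bin/su does not
    cover /usr/bin/sudo) plus '-w PROG -p ...x...' watches."""
    covered = set()
    for line in rules_text.splitlines():
        covered.update(re.findall(r"-F\s+path=(\S+)", line))
        m = re.match(r"\s*-w\s+(\S+)\s+-p\s+(\S+)", line)
        if m and "x" in m.group(2):
            covered.add(m.group(1))
    return covered


def privileged_rules_to_add(programs, rules_text, auid_min=1000):
    """Rule lines still missing for `programs`, in the form the guide prescribes."""
    covered = audited_paths(rules_text)
    return [RULE_TEMPLATE.format(path=p, auid_min=auid_min)
            for p in programs if p not in covered]


if __name__ == "__main__":
    # On a real host: programs = find_setuid_setgid("/") and rules_text read from
    # /etc/audit/rules.d/*.rules or /etc/audit/audit.rules.
    for line in privileged_rules_to_add(SAMPLE_PROGRAMS, SAMPLE_RULES):
        print(line)
```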
CCE-27437-3

Shell remediation (uses the perform_audit_rules_privileged_commands_remediation helper from the guide's shared remediation functions, which is not shown on this page):

    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    perform_audit_rules_privileged_commands_remediation "auditctl" "1000"
    perform_audit_rules_privileged_commands_remediation "augenrules" "1000"

Ansible remediation:

    - name: Search for privileged commands
      shell: "find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null | cat"
      check_mode: no
      register: find_result
      tags: [audit_rules_privileged_commands, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-27437-3, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-2(4), NIST-800-53-AU-6(9), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.2, CJIS-5.4.1.1, DISA-STIG-RHEL-07-030360]
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    # Inserts/replaces the rule in /etc/audit/rules.d
    - name: Search /etc/audit/rules.d for audit rule entries
      find:
        paths: "/etc/audit/rules.d"
        recurse: no
        contains: "^.*path={{ item }} .*$"
        patterns: "*.rules"
      with_items:
        - "{{ find_result.stdout_lines }}"
      register: files_result
      tags: [audit_rules_privileged_commands, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-27437-3, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-2(4), NIST-800-53-AU-6(9), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.2, CJIS-5.4.1.1, DISA-STIG-RHEL-07-030360]
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Overwrites the rule in rules.d
      lineinfile:
        path: "{{ item.1.path }}"
        line: '-a always,exit -F path={{ item.0.item }} -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: no
        regexp: "^.*path={{ item.0.item }} .*$"
      with_subelements:
        - "{{ files_result.results }}"
        - files
      tags: [audit_rules_privileged_commands, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-27437-3, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-2(4), NIST-800-53-AU-6(9), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.2, CJIS-5.4.1.1, DISA-STIG-RHEL-07-030360]
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Adds the rule in rules.d
      lineinfile:
        path: /etc/audit/rules.d/privileged.rules
        line: '-a always,exit -F path={{ item.item }} -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      with_items:
        - "{{ files_result.results }}"
      when: item.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_privileged_commands, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-27437-3, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-2(4), NIST-800-53-AU-6(9), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.2, CJIS-5.4.1.1, DISA-STIG-RHEL-07-030360]

    # Adds/overwrites the rule in /etc/audit/audit.rules
    - name: Inserts/replaces the rule in audit.rules
      lineinfile:
        path: /etc/audit/audit.rules
        line: '-a always,exit -F path={{ item.item }} -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
        regexp: "^.*path={{ item.item }} .*$"
      with_items:
        - "{{ files_result.results }}"
      tags: [audit_rules_privileged_commands, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-27437-3, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-2(4), NIST-800-53-AU-6(9), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.2, CJIS-5.4.1.1, DISA-STIG-RHEL-07-030360]
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects System Administrator Actions

At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

    -w /etc/sudoers -p wa -k actions
    -w /etc/sudoers.d/ -p wa -k actions

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:

    -w /etc/sudoers -p wa -k actions
    -w /etc/sudoers.d/ -p wa -k actions

RHEL-07-030700 SV-86787r5_rule

References: 1 11 12 13 14 15 16 18 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS06.03 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000126 CCI-000130 CCI-000135 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.2.2 4.3.3.3.9 4.3.3.5.1 4.3.3.5.2 4.3.3.5.8 4.3.3.6.6 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.1 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.6.2.1 A.6.2.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(7)(b) AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-3(1) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-1 PR.AC-3 PR.AC-4 PR.AC-6 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.2 Req-10.2.5.b SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215

Rationale: The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as for accountability purposes.

CCE-27461-3

Shell remediation (uses the fix_audit_watch_rule helper from the guide's shared remediation functions, which is not shown on this page):

    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_watch_rule "auditctl" "/etc/sudoers" "wa" "actions"
    fix_audit_watch_rule "augenrules" "/etc/sudoers" "wa" "actions"
    fix_audit_watch_rule "auditctl" "/etc/sudoers.d" "wa" "actions"
    fix_audit_watch_rule "augenrules" "/etc/sudoers.d" "wa" "actions"

10.2.3 Access to all audit trails

Record Attempts to Alter Logon and Logout Events

The audit system already collects login information for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock -p wa -k logins
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock -p wa -k logins
-w /var/log/lastlog -p wa -k logins
This rule checks for multiple files related to login events; it was written with DISA STIG in mind. Other policies should use a separate rule for each file that needs to be checked, for example audit_rules_login_events_tallylog, audit_rules_login_events_faillock and audit_rules_login_events_lastlog.
5.2.8 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.2.3
Manual editing of these files may indicate nefarious activity,
such as an attacker attempting to remove evidence of an intrusion.
CCE-27204-7
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/var/log/tallylog" "wa" "logins"
fix_audit_watch_rule "augenrules" "/var/log/tallylog" "wa" "logins"
fix_audit_watch_rule "auditctl" "/var/run/faillock/" "wa" "logins"
fix_audit_watch_rule "augenrules" "/var/run/faillock/" "wa" "logins"
fix_audit_watch_rule "auditctl" "/var/log/lastlog" "wa" "logins"
fix_audit_watch_rule "augenrules" "/var/log/lastlog" "wa" "logins"
Record Attempts to Alter Logon and Logout Events - lastlog
The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins
RHEL-07-030620 SV-86771r3_rule 5.2.8 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 CCI-000126 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR
5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.3 SRG-OS-000392-GPOS-00172 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218 Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. CCE-80384-1 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_watch_rule "auditctl" "/var/log/lastlog" "wa" "logins" fix_audit_watch_rule "augenrules" "/var/log/lastlog" "wa" "logins" # # What architecture are we on? # - name: Set architecture for audit lastlog tasks set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" tags: - audit_rules_login_events_lastlog - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80384-1 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.3 - DISA-STIG-RHEL-07-030620 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") # # Inserts/replaces the rule in /etc/audit/rules.d # - name: Search /etc/audit/rules.d for other user/group modification audit rules find: paths: "/etc/audit/rules.d" recurse: no contains: "-k logins$" patterns: "*.rules" register: find_lastlog tags: - audit_rules_login_events_lastlog - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80384-1 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.3 - DISA-STIG-RHEL-07-030620 when: # Bare-metal/VM task, not applicable for 
containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/logins.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/logins.rules when: find_lastlog.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_login_events_lastlog - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80384-1 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.3 - DISA-STIG-RHEL-07-030620 - name: Use matched file as the recipient for the rule set_fact: all_files: - "{{ find_lastlog.files | map(attribute='path') | list | first }}" when: find_lastlog.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_login_events_lastlog - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80384-1 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.3 - DISA-STIG-RHEL-07-030620 - name: Inserts/replaces the lastlog rule in rules.d when on x86 lineinfile: path: "{{ all_files[0] }}" line: "-w /var/log/lastlog -p wa -k logins" create: yes tags: - audit_rules_login_events_lastlog - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80384-1 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.3 - DISA-STIG-RHEL-07-030620 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") # # Inserts/replaces the rule in /etc/audit/audit.rules # - name: Inserts/replaces the lastlog rule in 
/etc/audit/audit.rules lineinfile: line: "-w /var/log/lastlog -p wa -k logins" state: present dest: /etc/audit/audit.rules tags: - audit_rules_login_events_lastlog - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80384-1 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.3 - DISA-STIG-RHEL-07-030620 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
Record Attempts to Alter Logon and Logout Events - faillock
The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/run/faillock -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/run/faillock -p wa -k logins
RHEL-07-030610 SV-86769r4_rule 5.2.8 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 CCI-000126 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1
SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.3 SRG-OS-000392-GPOS-00172 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218 Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. CCE-80383-3 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_watch_rule "auditctl" "/var/run/faillock" "wa" "logins" fix_audit_watch_rule "augenrules" "/var/run/faillock" "wa" "logins" # # What architecture are we on? # - name: Set architecture for audit faillock tasks set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" tags: - audit_rules_login_events_faillock - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80383-3 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.3 - DISA-STIG-RHEL-07-030610 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") # # Inserts/replaces the rule in /etc/audit/rules.d # - name: Search /etc/audit/rules.d for other user/group modification audit rules find: paths: "/etc/audit/rules.d" recurse: no contains: "-k logins$" patterns: "*.rules" register: find_faillock tags: - audit_rules_login_events_faillock - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80383-3 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.3 - DISA-STIG-RHEL-07-030610 when: # Bare-metal/VM task, 
not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/logins.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/logins.rules when: find_faillock.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_login_events_faillock - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80383-3 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.3 - DISA-STIG-RHEL-07-030610 - name: Use matched file as the recipient for the rule set_fact: all_files: - "{{ find_faillock.files | map(attribute='path') | list | first }}" when: find_faillock.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_login_events_faillock - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80383-3 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.3 - DISA-STIG-RHEL-07-030610 - name: Inserts/replaces the faillock rule in rules.d when on x86 lineinfile: path: "{{ all_files[0] }}" line: "-w /var/run/faillock -p wa -k logins" create: yes tags: - audit_rules_login_events_faillock - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80383-3 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.3 - DISA-STIG-RHEL-07-030610 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") # # Inserts/replaces the rule in /etc/audit/audit.rules # - name: Inserts/replaces the 
faillock rule in /etc/audit/audit.rules lineinfile: line: "-w /var/run/faillock -p wa -k logins" state: present dest: /etc/audit/audit.rules tags: - audit_rules_login_events_faillock - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80383-3 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.3 - DISA-STIG-RHEL-07-030610 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
Record Attempts to Alter Logon and Logout Events - tallylog
The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
RHEL-07-030600 5.2.8 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 CCI-000126 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR
4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.3 SRG-OS-000392-GPOS-00172 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218 Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. CCE-80994-7 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_watch_rule "auditctl" "/var/log/tallylog" "wa" "logins" fix_audit_watch_rule "augenrules" "/var/log/tallylog" "wa" "logins" # # What architecture are we on? # - name: Set architecture for audit tallylog tasks set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" tags: - audit_rules_login_events_tallylog - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80994-7 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.3 - DISA-STIG-RHEL-07-030600 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") # # Inserts/replaces the rule in /etc/audit/rules.d # - name: Search /etc/audit/rules.d for other user/group modification audit rules find: paths: "/etc/audit/rules.d" recurse: no contains: "-k logins$" patterns: "*.rules" register: find_tallylog tags: - audit_rules_login_events_tallylog - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80994-7 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.3 - DISA-STIG-RHEL-07-030600 when: # Bare-metal/VM 
task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/logins.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/logins.rules when: find_tallylog.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_login_events_tallylog - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80994-7 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.3 - DISA-STIG-RHEL-07-030600 - name: Use matched file as the recipient for the rule set_fact: all_files: - "{{ find_tallylog.files | map(attribute='path') | list | first }}" when: find_tallylog.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_login_events_tallylog - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80994-7 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.3 - DISA-STIG-RHEL-07-030600 - name: Inserts/replaces the tallylog rule in rules.d when on x86 lineinfile: path: "{{ all_files[0] }}" line: "-w /var/log/tallylog -p wa -k logins" create: yes tags: - audit_rules_login_events_tallylog - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80994-7 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.3 - DISA-STIG-RHEL-07-030600 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") # # Inserts/replaces the rule in /etc/audit/audit.rules # - name: 
Inserts/replaces the tallylog rule in /etc/audit/audit.rules lineinfile: line: "-w /var/log/tallylog -p wa -k logins" state: present dest: /etc/audit/audit.rules tags: - audit_rules_login_events_tallylog - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80994-7 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.3 - DISA-STIG-RHEL-07-030600 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Record Attempts to Alter Process and Session Initiation Information The audit system already collects process information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing such process information: -w /var/run/utmp -p wa -k session -w /var/log/btmp -p wa -k session -w /var/log/wtmp -p wa -k session If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing such process information: -w /var/run/utmp -p wa -k session -w /var/log/btmp -p wa -k session -w /var/log/wtmp -p wa -k session 5.2.9 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 
4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.3
Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
CCE-27301-1
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/var/run/utmp" "wa" "session"
fix_audit_watch_rule "augenrules" "/var/run/utmp" "wa" "session"
fix_audit_watch_rule "auditctl" "/var/log/btmp" "wa" "session"
fix_audit_watch_rule "augenrules" "/var/log/btmp" "wa" "session"
fix_audit_watch_rule "auditctl" "/var/log/wtmp" "wa" "session"
fix_audit_watch_rule "augenrules" "/var/log/wtmp" "wa" "session"
10.2.4 Invalid logical access attempts
Record Unsuccessful Delete Attempts to Files - renameat
The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
Note also that the remediation below tags these rules with key=access rather than key=unsuccessful-delete; the key is only the label that ausearch -k searches on, so pick one name and use it consistently across the rules you write.
5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205
SRG-OS-000392-GPOS-00172 Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S renameat -F exit=-EACCES.*" GROUP="access" FULL_RULE="-a always,exit -F arch=$ARCH -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S renameat -F exit=-EPERM.*" GROUP="access" FULL_RULE="-a always,exit -F arch=$ARCH -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done # # What architecture are we on? 
# - name: Set architecture for audit renameat tasks set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" tags: - audit_rules_unsuccessful_file_modification_renameat - medium_severity - restrict_strategy - low_complexity - low_disruption - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.4 - PCI-DSS-Req-10.2.1 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") # # Inserts/replaces the rule in /etc/audit/rules.d # - name: Search /etc/audit/rules.d for other DAC audit rules find: paths: "/etc/audit/rules.d" recurse: no contains: "-F key=perm_mod$" patterns: "*.rules" register: find_renameat tags: - audit_rules_unsuccessful_file_modification_renameat - medium_severity - restrict_strategy - low_complexity - low_disruption - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.4 - PCI-DSS-Req-10.2.1 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/access.rules when: find_renameat.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_unsuccessful_file_modification_renameat - medium_severity - restrict_strategy - low_complexity - low_disruption - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - 
NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.4 - PCI-DSS-Req-10.2.1 - name: Use matched file as the recipient for the rule set_fact: all_files: - "{{ find_renameat.files | map(attribute='path') | list | first }}" when: find_renameat.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_unsuccessful_file_modification_renameat - medium_severity - restrict_strategy - low_complexity - low_disruption - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.4 - PCI-DSS-Req-10.2.1 - name: Inserts/replaces the renameat rule in rules.d when on x86 lineinfile: path: "{{ all_files[0] }}" line: "{{ item }}" create: yes with_items: - "-a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" - "-a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" tags: - audit_rules_unsuccessful_file_modification_renameat - medium_severity - restrict_strategy - low_complexity - low_disruption - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.4 - PCI-DSS-Req-10.2.1 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Inserts/replaces the renameat rule in rules.d when on x86_64 lineinfile: path: "{{ all_files[0] }}" line: "{{ item }}" create: yes with_items: - "-a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" - "-a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or 
      ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_renameat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the renameat rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_renameat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the renameat rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_renameat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1

Record Unauthorized Creation Attempts to Files - open_by_handle_at O_CREAT

The audit system should collect unauthorized file accesses for all users and root. The open_by_handle_at syscall can be used to create new files when the O_CREAT flag is specified. The following audit rules will ensure that unsuccessful attempts to create a file via the open_by_handle_at syscall are collected.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient.
See the following example:

-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

References: 5.2.10; 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9; APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; 3.1.7; CCI-000172, CCI-002884; 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5; DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; FAU_GEN.1.1.c; Req-10.2.4, Req-10.2.1; SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Record Unauthorized Modification Attempts to Files - open O_TRUNC

The audit system should collect detailed unauthorized file accesses for all users and root. The open syscall can be used to modify files if called for a write operation or with the O_TRUNC flag. The following audit rules will ensure that unsuccessful attempts to modify a file via the open syscall are collected.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S open -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient.
See the following example:

-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

References: 5.2.10; 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9; APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; 3.1.7; CCI-000172, CCI-002884; 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5; DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; FAU_GEN.1.1.c; Req-10.2.4, Req-10.2.1; SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Record Unauthorized Creation Attempts to Files - openat O_CREAT

The audit system should collect unauthorized file accesses for all users and root. The openat syscall can be used to create new files when the O_CREAT flag is specified. The following audit rules will ensure that unsuccessful attempts to create a file via the openat syscall are collected.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient.
See the following example:

-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

References: 5.2.10; 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9; APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; 3.1.7; CCI-000172, CCI-002884; 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5; DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; FAU_GEN.1.1.c; Req-10.2.4, Req-10.2.1; SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Record Unauthorized Access Attempts to Files (unsuccessful) - truncate

At a minimum, the audit system should collect unauthorized file accesses for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.
DISA STIG RHEL-07-030540, SV-86755r4_rule

References: 5.2.10; 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9; APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; 3.1.7; CCI-000172, CCI-002884; 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5; DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; FAU_GEN.1.1.c; Req-10.2.4, Req-10.2.1; SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
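To make the filter semantics of the rules above concrete (the exit=-EACCES / -EPERM tests, the two auid bounds, and the a2&0100 and a2&01003 bit tests on the flags argument), the following Python example, added here and not part of the guide, applies the guide's own rule lines to constructed audit SYSCALL records in the format of /var/log/audit/audit.log. The x86_64 syscall-number table and the four log lines are the example's assumptions.

```python
"""Apply the guide's unsuccessful-file-access rules to audit SYSCALL records.

Added example, not part of the SCAP Security Guide. The rules are the guide's;
the log lines are constructed to look like x86_64 records in audit.log, and the
syscall-number table is the example's own assumption.
"""
import re

# x86_64 numbers for the system calls covered by this part of the guide.
# arch=b32 rules use the i386 numbering, which is not included here.
SYSCALL_NR_B64 = {"open": 2, "truncate": 76, "creat": 85, "unlink": 87,
                  "openat": 257, "renameat": 264, "open_by_handle_at": 304}
ARCH = {"b64": 0xC000003E, "b32": 0x40000003}  # AUDIT_ARCH_X86_64 / AUDIT_ARCH_I386
ERRNO = {"EACCES": 13, "EPERM": 1}             # -F exit=-EACCES is exit=-13 in the log
AUID_UNSET = 0xFFFFFFFF                        # "auid!=unset": auid=4294967295 is unset

FILTER_RE = re.compile(r"^(\w+)(>=|<=|!=|=|&|>|<)(.+)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_rule(rule):
    """Split '-a always,exit -F ... -S ... -F ...' into syscall names and
    (field, op, value) filters. Only the rule subset used here is handled."""
    toks = rule.split()
    syscalls, filters = [], []
    i = 0
    while i < len(toks):
        if toks[i] == "-S":                      # grouped form: -S open,openat,...
            syscalls += toks[i + 1].split(",")
            i += 2
        elif toks[i] == "-F":
            filters.append(FILTER_RE.match(toks[i + 1]).groups())
            i += 2
        else:                                    # "-a", "always,exit"
            i += 1
    return syscalls, filters


def parse_record(line):
    """Typed fields of one type=SYSCALL line; a0..a3 are logged in hex."""
    f = dict(KV_RE.findall(line))
    if f.get("type") != "SYSCALL":
        return None
    rec = {"arch": int(f["arch"], 16), "syscall": int(f["syscall"]),
           "exit": int(f["exit"]), "auid": int(f["auid"]),
           "key": f.get("key", "").strip('"')}
    for n in range(4):
        rec["a%d" % n] = int(f["a%d" % n], 16)
    return rec


def filter_holds(field, op, value, rec):
    """Evaluate one -F predicate against a record the way auditd does."""
    if field == "arch":
        return rec["arch"] == ARCH[value]
    if field == "key":                           # labels the event, never filters it
        return True
    if field == "exit":
        actual, want = rec["exit"], -ERRNO[value.lstrip("-")]
    elif field == "auid":
        actual = rec["auid"]
        want = AUID_UNSET if value == "unset" else int(value)
    elif field in ("a0", "a1", "a2", "a3"):
        # Rule masks are octal: 0100 = O_CREAT, 01003 = O_WRONLY|O_RDWR|O_TRUNC.
        # Per open(2) the flags are a1 for open() and a2 for openat() and
        # open_by_handle_at(), so the argument index must fit the syscall.
        actual, want = rec[field], int(value, 8)
    else:
        raise ValueError("unsupported filter field: " + field)
    return {"=": actual == want, "!=": actual != want, ">": actual > want,
            "<": actual < want, ">=": actual >= want, "<=": actual <= want,
            "&": (actual & want) != 0}[op]


def rule_matches(rule, rec):
    """True if auditd would have recorded this SYSCALL event under this rule."""
    syscalls, filters = parse_rule(rule)
    if rec["syscall"] not in {SYSCALL_NR_B64[s] for s in syscalls}:
        return False
    return all(filter_holds(fld, op, val, rec) for fld, op, val in filters)


def fired_keys(rules, line):
    """Sorted keys of every rule in `rules` that the log line satisfies."""
    rec = parse_record(line)
    if rec is None:
        return []
    return sorted({dict((f, v) for f, _, v in parse_rule(r)[1])["key"]
                   for r in rules if rule_matches(r, rec)})


RULES = [  # the guide's rules (b64 variants plus its grouped example)
    "-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create",
    "-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create",
    "-a always,exit -F arch=b64 -S open -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification",
    "-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access",
]

# Constructed records: a denied openat(O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK) by a
# logged-in user; the same by a daemon with no login uid (auid unset, which still
# passes auid>=1000); a denied truncate; a denied read-only openat (no O_CREAT).
RECORDS = [
    'type=SYSCALL msg=audit(1560355838.123:201): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd2c8e3f10 a2=941 a3=1b6 items=1 ppid=2201 pid=2288 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="touch" exe="/usr/bin/touch" key="unsuccesful-create"',
    'type=SYSCALL msg=audit(1560355840.456:202): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55d0c1a2b3c0 a2=941 a3=1b6 items=1 ppid=1 pid=912 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mydaemon" exe="/usr/sbin/mydaemon"',
    'type=SYSCALL msg=audit(1560355845.789:203): arch=c000003e syscall=76 success=no exit=-1 a0=7ffd2c8e4010 a1=0 a2=0 a3=0 items=1 ppid=2201 pid=2301 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="truncate" exe="/usr/bin/truncate" key="access"',
    'type=SYSCALL msg=audit(1560355850.012:204): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd2c8e3f10 a2=0 a3=0 items=1 ppid=2201 pid=2310 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat"',
]

if __name__ == "__main__":
    for line in RECORDS:
        print(parse_record(line)["syscall"], fired_keys(RULES, line))
```

Only the first and third records fire a rule; the daemon record shows why auid>=1000 alone is not enough and the last one shows the O_CREAT bit test doing its job.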
CCE-80389-0

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S truncate -F exit=-EACCES.*"
	GROUP="access"
	FULL_RULE="-a always,exit -F arch=$ARCH -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	# (fix_audit_syscall_rule is a shared helper; it is not shown on this page)
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S truncate -F exit=-EPERM.*"
	GROUP="access"
	FULL_RULE="-a always,exit -F arch=$ARCH -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

#
# What architecture are we on?
#
- name: Set architecture for audit truncate tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_truncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80389-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030540
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_truncate
  tags:
    - audit_rules_unsuccessful_file_modification_truncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80389-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030540
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_truncate.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_truncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80389-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030540

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_truncate.files | map(attribute='path') | list | first }}"
  when: find_truncate.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_truncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80389-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030540

- name: Inserts/replaces the truncate rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_truncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80389-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030540
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the truncate rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_truncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80389-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030540

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the truncate rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_truncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80389-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030540
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the truncate rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_truncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80389-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030540

Record Unauthorized Access Attempts to Files (unsuccessful) - creat

At a minimum, the audit system should collect unauthorized file accesses for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.

DISA STIG RHEL-07-030500, SV-86747r4_rule

References: 5.2.10; 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9; APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; 3.1.7; CCI-000172, CCI-002884; 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5; DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; FAU_GEN.1.1.c; Req-10.2.4, Req-10.2.1; SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
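The bash remediation above calls a fix_audit_syscall_rule helper that is not shown on this page. The following Python example, added here and not the guide's own code, shows one way to do that job idempotently for the rules in this section: it generates the four rules per syscall (two architectures times EACCES and EPERM) and folds each one into an existing rule that carries identical filters, which yields the grouped form the note above recommends. The rules-file contents are constructed.

```python
"""Idempotently place the guide's unsuccessful-access rules in a rules file.

Added example, not the guide's fix_audit_syscall_rule helper. A wanted rule is
folded into an existing rule whose filters are identical (the grouped form the
guide recommends); otherwise it is appended. File contents are constructed.
"""


def split_rule(line):
    """(syscalls, other_tokens) for an '-a always,exit ... -S ...' line, or
    None for anything else (watch rules, comments, control lines)."""
    toks = line.split()
    if toks[:2] != ["-a", "always,exit"] or "-S" not in toks:
        return None
    i = toks.index("-S")
    return toks[i + 1].split(","), tuple(toks[:i] + toks[i + 2:])


def required_rules(syscall, key, flag_filter=None, archs=("b32", "b64")):
    """The rules this section asks for per syscall: one per architecture and
    per denied exit code, with an optional argument test such as a2&0100.
    Pass archs=("b32",) on a system where `getconf LONG_BIT` prints 32."""
    flag = " -F " + flag_filter if flag_filter else ""
    return ["-a always,exit -F arch=%s -S %s%s -F exit=%s -F auid>=1000 "
            "-F auid!=unset -F key=%s" % (arch, syscall, flag, err, key)
            for arch in archs for err in ("-EACCES", "-EPERM")]


def ensure_rule(text, wanted):
    """Return (new_text, action); action is 'present', 'merged' or 'appended'."""
    want_sys, want_rest = split_rule(wanted)
    lines = text.splitlines()
    for n, line in enumerate(lines):
        parsed = split_rule(line)
        if parsed is None or parsed[1] != want_rest:
            continue                   # different arch, exit, flag test or key
        have_sys = parsed[0]
        if set(want_sys) <= set(have_sys):
            return text, "present"
        toks = line.split()            # add the syscall to the existing -S list
        merged = have_sys + [s for s in want_sys if s not in have_sys]
        toks[toks.index("-S") + 1] = ",".join(merged)
        lines[n] = " ".join(toks)
        return "\n".join(lines) + "\n", "merged"
    lines.append(wanted)
    return "\n".join(lines) + "\n", "appended"


def apply_rules(text, rules):
    """Apply ensure_rule for each rule in order; return the text and actions."""
    actions = []
    for rule in rules:
        text, action = ensure_rule(text, rule)
        actions.append(action)
    return text, actions


# Constructed /etc/audit/rules.d/access.rules: a watch rule plus one of the
# guide's creat rules that is already present.
EXISTING = ("-w /etc/sudoers -p wa -k actions\n"
            "-a always,exit -F arch=b32 -S creat -F exit=-EACCES "
            "-F auid>=1000 -F auid!=unset -F key=access\n")

if __name__ == "__main__":
    text, actions = apply_rules(EXISTING, required_rules("truncate", "access"))
    print(actions)                     # the b32 EACCES rule merges into the creat rule
    text, actions = apply_rules(text, required_rules("openat", "unsuccesful-create", "a2&0100"))
    text, actions = apply_rules(text, required_rules("open_by_handle_at", "unsuccesful-create", "a2&0100"))
    print(text)
```

Running it a second time on its own output reports every rule as present, which is the property the remediation needs in order to be safe to re-run.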
CCE-80385-8

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S creat -F exit=-EACCES.*"
	GROUP="access"
	FULL_RULE="-a always,exit -F arch=$ARCH -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	# (fix_audit_syscall_rule is a shared helper; it is not shown on this page)
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S creat -F exit=-EPERM.*"
	GROUP="access"
	FULL_RULE="-a always,exit -F arch=$ARCH -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

#
# What architecture are we on?
#
- name: Set architecture for audit creat tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_creat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80385-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030500
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_creat
  tags:
    - audit_rules_unsuccessful_file_modification_creat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80385-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030500
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_creat.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_creat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80385-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030500

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_creat.files | map(attribute='path') | list | first }}"
  when: find_creat.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_creat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80385-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030500

- name: Inserts/replaces the creat rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_creat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80385-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030500
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the creat rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_creat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80385-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030500

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the creat rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_creat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80385-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030500
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the creat rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_creat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80385-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030500

Record Unauthorized Creation Attempts to Files - open O_CREAT

The audit system should collect unauthorized file accesses for all users and root. The open syscall can be used to create new files when the O_CREAT flag is specified. The following audit rules will ensure that unsuccessful attempts to create a file via the open syscall are collected.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S open -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient.
See the following example:

-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172

Rationale: Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Record Unsuccessful Delete Attempts to Files - unlink

The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete

References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172

Rationale: Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

# fix_audit_syscall_rule is a shared SSG remediation helper defined outside this snippet.
# The rule written here carries key=access rather than the key=unsuccessful-delete shown in the description above.
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S unlink -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S unlink -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

#
# What architecture are we on?
#
- name: Set architecture for audit unlink tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags: [audit_rules_unsuccessful_file_modification_unlink, medium_severity, restrict_strategy, low_complexity, low_disruption, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_unlink
  tags: [audit_rules_unsuccessful_file_modification_unlink, medium_severity, restrict_strategy, low_complexity, low_disruption, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_unlink.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_unlink, medium_severity, restrict_strategy, low_complexity, low_disruption, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1]
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_unlink.files | map(attribute='path') | list | first }}"
  when: find_unlink.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_unlink, medium_severity, restrict_strategy, low_complexity, low_disruption, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1]
- name: Inserts/replaces the unlink rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags: [audit_rules_unsuccessful_file_modification_unlink, medium_severity, restrict_strategy, low_complexity, low_disruption, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
- name: Inserts/replaces the unlink rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_unlink, medium_severity, restrict_strategy, low_complexity, low_disruption, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1]
#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the unlink rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags: [audit_rules_unsuccessful_file_modification_unlink, medium_severity, restrict_strategy, low_complexity, low_disruption, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
- name: Inserts/replaces the unlink rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_unlink, medium_severity, restrict_strategy, low_complexity, low_disruption, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1]

Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly

The audit system should collect detailed unauthorized file accesses for all users and root. To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access of files via the openat syscall, the audit rules collecting these events need to be in a certain order: the more specific rules must come before the less specific rules. More specific rules cover a subset of the events covered by the less specific rules, so they must come first; otherwise they are overshadowed by the less specific rules, which match a larger set of events.

Make sure that the rules for unsuccessful calls of the openat syscall are in the order shown below. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), check the order of the rules below in a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, check the order of the rules below in the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access

References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172

Rationale: The more specific rules cover a subset of the events covered by the less specific rules. By ordering them from more specific to less specific, it is assured that the less specific rule will not catch events better recorded by the more specific rule.

Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly

The audit system should collect detailed unauthorized file accesses for all users and root. To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access of files via the open syscall, the audit rules collecting these events need to be in a certain order: the more specific rules must come before the less specific rules. More specific rules cover a subset of the events covered by the less specific rules, so they must come first; otherwise they are overshadowed by the less specific rules, which match a larger set of events.

Make sure that the rules for unsuccessful calls of the open syscall are in the order shown below. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), check the order of the rules below in a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, check the order of the rules below in the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access

References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172

Rationale: The more specific rules cover a subset of the events covered by the less specific rules. By ordering them from more specific to less specific, it is assured that the less specific rule will not catch events better recorded by the more specific rule.

Record Unauthorized Access Attempts to Files (unsuccessful) - open

At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as shown earlier in this guide, is more efficient.

References: RHEL-07-030510, SV-86749r4_rule, 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172

Rationale: Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
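The ordering requirement of the two "Ordered Correctly" rules above, and its effect on the plain key=access rules, can be checked mechanically. The script below is an added example and not part of the SCAP Security Guide: it parses rule lines of the form used on this page (including grouped "-S open,openat,..." lists), simulates the kernel's first-match evaluation for a denied open, and lists rules that sit after a less specific rule for the same syscall. The sample rules are the guide's own b64 open rules; the open(2) flag values and all function names are my assumptions.

```python
"""Simulate auditd's first-match evaluation of the unsuccessful open() rules
above and check that they are ordered as the guide requires.

Added example, not part of the SCAP Security Guide. The sample rules are the
guide's b64 open rules, the flag values are the Linux open(2) constants, and
the function names are my own.
"""
import re

# open(2) flag bits; auditctl reads "-F a2&0100" and "-F a2&01003" as octal.
O_WRONLY, O_RDWR, O_CREAT, O_TRUNC = 0o1, 0o2, 0o100, 0o1000

# Precedence the guide prescribes for one syscall: create (a2&0100), then
# modification (a2&01003), then plain access (no a2 filter).  A rule with no
# a2 filter is stored with mask None.
RANK = {0o100: 0, 0o1003: 1, None: 2}

FIELD_RE = re.compile(r"-F\s+(\w+)(>=|<=|!=|&|=)(\S+)")
SYSCALL_RE = re.compile(r"-S\s+(\S+)")


def parse_rule(line):
    """Parse one '-a always,exit ...' syscall rule; None for any other line."""
    line = line.strip()
    m = SYSCALL_RE.search(line)
    if not line.startswith("-a ") or not m:
        return None
    fields = {k: (op, v) for k, op, v in FIELD_RE.findall(line)}
    a2 = fields.get("a2")
    return {
        "arch": fields.get("arch", ("=", ""))[1],
        "syscalls": m.group(1).split(","),  # "-S open,openat" is a group
        "exit": fields.get("exit", ("=", ""))[1],
        "mask": int(a2[1], 8) if a2 and a2[0] == "&" else None,
        "key": fields.get("key", ("=", ""))[1],
        "raw": line,
    }


def parse_rules(text):
    return [r for r in map(parse_rule, text.splitlines()) if r]


def first_match(rules, arch, syscall, exit_code, flags):
    """Key the kernel records for this call: it stops at the first matching
    'always,exit' rule, so order decides the key.  None if nothing matches."""
    for r in rules:
        if r["arch"] != arch or syscall not in r["syscalls"]:
            continue
        if r["exit"] != exit_code:
            continue
        if r["mask"] is not None and flags & r["mask"] == 0:
            continue
        return r["key"]
    return None


def check_order(rules):
    """Rules that come after a less specific rule for the same arch, syscall
    and exit code; an empty list means the order matches the guide."""
    highest_seen = {}  # (arch, syscall, exit) -> least specific rank so far
    misordered = []
    for r in rules:
        rank = RANK.get(r["mask"])
        if rank is None:
            continue  # a mask the guide does not use; not checked here
        for sc in r["syscalls"]:
            call = (r["arch"], sc, r["exit"])
            if rank < highest_seen.get(call, -1):
                misordered.append(r["raw"])
            highest_seen[call] = max(highest_seen.get(call, -1), rank)
    return misordered


# Sample input: the guide's ordered b64 open rules (copied from the text above).
GUIDE_ORDER = """
-a always,exit -F arch=b64 -S open -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
"""


def demo():
    """Compare the guide's order with a constructed reversed order."""
    good = parse_rules(GUIDE_ORDER)
    wrong = list(reversed(good))  # access rules first: what the guide warns about
    call = ("b64", "open", "-EACCES")
    return {
        "good_order_ok": check_order(good) == [],
        "wrong_order_violations": len(check_order(wrong)),
        # A denied open(path, O_CREAT|O_WRONLY): which key lands in the log?
        "good_create": first_match(good, *call, O_CREAT | O_WRONLY),
        "wrong_create": first_match(wrong, *call, O_CREAT | O_WRONLY),
        "good_truncate": first_match(good, *call, O_RDWR | O_TRUNC),
        "good_readonly": first_match(good, *call, 0),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it against the contents of /etc/audit/rules.d/*.rules concatenated in the order augenrules loads them to check a real rule set; with the reversed order every denied open is keyed as plain access and the create and modification keys never appear.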
Identifiers: CCE-80386-6

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

# fix_audit_syscall_rule is a shared SSG remediation helper defined outside this snippet
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S open -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S open -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

#
# What architecture are we on?
#
- name: Set architecture for audit open tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags: [audit_rules_unsuccessful_file_modification_open, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80386-6, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1, DISA-STIG-RHEL-07-030510]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_open
  tags: [audit_rules_unsuccessful_file_modification_open, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80386-6, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1, DISA-STIG-RHEL-07-030510]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_open.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_open, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80386-6, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1, DISA-STIG-RHEL-07-030510]
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_open.files | map(attribute='path') | list | first }}"
  when: find_open.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_open, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80386-6, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1, DISA-STIG-RHEL-07-030510]
- name: Inserts/replaces the open rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags: [audit_rules_unsuccessful_file_modification_open, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80386-6, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1, DISA-STIG-RHEL-07-030510]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
- name: Inserts/replaces the open rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_open, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80386-6, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1, DISA-STIG-RHEL-07-030510]
#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the open rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags: [audit_rules_unsuccessful_file_modification_open, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80386-6, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1, DISA-STIG-RHEL-07-030510]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
- name: Inserts/replaces the open rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_open, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80386-6, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1, DISA-STIG-RHEL-07-030510]

Record Unauthorized Access Attempts to Files (unsuccessful) - open_by_handle_at

At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as shown earlier in this guide, is more efficient.

References: RHEL-07-030530, SV-86753r4_rule, 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172

Rationale: Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Identifiers: CCE-80388-2

Remediation shell script:

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S open_by_handle_at -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    # (fix_audit_syscall_rule is provided by the guide's shared remediation functions, which this page does not reproduce)
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S open_by_handle_at -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

#
# What architecture are we on?
#
- name: Set architecture for audit open_by_handle_at tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80388-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030530
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_open_by_handle_at
  tags:
    - audit_rules_unsuccessful_file_modification_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80388-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030530
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_open_by_handle_at.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80388-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030530

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_open_by_handle_at.files | map(attribute='path') | list | first }}"
  when: find_open_by_handle_at.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80388-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030530

- name: Inserts/replaces the open_by_handle_at rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80388-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030530
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the open_by_handle_at rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80388-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030530

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the open_by_handle_at rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80388-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030530
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the open_by_handle_at rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80388-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030530

Record Unauthorized Access Attempts to Files (unsuccessful) - ftruncate

At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

    -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:

    -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

    -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

References: RHEL-07-030550 SV-86757r4_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172

Rationale: Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
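The shell remediations on this page each call a helper named fix_audit_syscall_rule with a PATTERN and a FULL_RULE, but the helper itself is not reproduced here. The script below is an added example, not the guide's helper: a simplified stand-in that keeps the same contract (a line matching PATTERN is rewritten as FULL_RULE, otherwise FULL_RULE is appended) and a wrapper that installs both unsuccessful-access rules per architecture the way the remediation loops do. Function names and the sample input are the example's own.

```shell
#!/bin/sh
# Added example; a simplified stand-in for the fix_audit_syscall_rule helper
# that the remediation scripts on this page call but do not define. It keeps
# their PATTERN / FULL_RULE contract and is idempotent: a second run leaves the
# file unchanged.

# ensure_audit_rule FILE PATTERN FULL_RULE
#   A line matching the extended regex PATTERN is rewritten as FULL_RULE (this
#   repairs a rule that lost its auid filters or key); otherwise FULL_RULE is
#   appended. The file is created if it does not exist.
ensure_audit_rule() {
    file="$1"; pattern="$2"; full_rule="$3"
    [ -f "$file" ] || : > "$file"
    if grep -Eq -e "$pattern" "$file"; then
        # awk avoids sed delimiter/escaping problems with the rule text
        tmp=$(mktemp)
        awk -v pat="$pattern" -v rule="$full_rule" \
            '$0 ~ pat { print rule; next } { print }' "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s\n' "$full_rule" >> "$file"
    fi
}

# ensure_unsuccessful_access_rules FILE SYSCALL [ARCHS]
#   Install the -EACCES and -EPERM "access" rules for SYSCALL on each arch, as
#   the remediation loops above do. ARCHS defaults to b32, plus b64 on a 64-bit
#   kernel; pass it explicitly to target a file for another host.
ensure_unsuccessful_access_rules() {
    file="$1"; syscall="$2"; archs="${3:-}"
    if [ -z "$archs" ]; then
        [ "$(getconf LONG_BIT 2>/dev/null)" = 32 ] && archs=b32 || archs="b32 b64"
    fi
    for arch in $archs; do
        for errno in EACCES EPERM; do
            ensure_audit_rule "$file" \
                "^-a always,exit -F arch=$arch -S $syscall -F exit=-$errno" \
                "-a always,exit -F arch=$arch -S $syscall -F exit=-$errno -F auid>=1000 -F auid!=unset -F key=access"
        done
    done
}

# Usage on a host (writes the augenrules-style file the guide names):
#   ensure_unsuccessful_access_rules /etc/audit/rules.d/access.rules ftruncate
```

Unlike the guide's helper, this stand-in does not merge a syscall into an existing grouped rule with the same key; it only fixes or appends standalone rules, which is the form the rule text above asks for.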
Identifiers: CCE-80390-8

Remediation shell script:

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S ftruncate -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    # (fix_audit_syscall_rule is provided by the guide's shared remediation functions, which this page does not reproduce)
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S ftruncate -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

#
# What architecture are we on?
#
- name: Set architecture for audit ftruncate tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_ftruncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80390-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030550
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_ftruncate
  tags:
    - audit_rules_unsuccessful_file_modification_ftruncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80390-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030550
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_ftruncate.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_ftruncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80390-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030550

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_ftruncate.files | map(attribute='path') | list | first }}"
  when: find_ftruncate.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_ftruncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80390-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030550

- name: Inserts/replaces the ftruncate rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_ftruncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80390-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030550
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the ftruncate rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_ftruncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80390-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030550

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the ftruncate rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_ftruncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80390-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030550
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the ftruncate rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_ftruncate
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80390-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030550

Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly

The audit system should collect detailed unauthorized file accesses for all users and root. To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access of files via the open_by_handle_at syscall, the audit rules collecting these events need to be in a certain order: the more specific rules must come before the less specific rules. More specific rules cover a subset of the events covered by the less specific rules, so they have to come first or they would be overshadowed by the less specific rules, which match a bigger set of events. Make sure that the rules for unsuccessful calls of the open_by_handle_at syscall are in the order shown below. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), check the order of the rules below in a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, check the order of the rules below in the /etc/audit/audit.rules file.
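Before the listing, an added illustration that is not part of the guide: the rules that follow select calls with the -F a2&MASK filters, whose masks are octal open(2) flag values (O_CREAT is 0100, O_TRUNC is 01000, O_WRONLY is 01 and O_RDWR is 02), so a call with O_CREAT|O_WRONLY|O_TRUNC matches every rule group, which is exactly why the create rules must be read first. The script classifies a flags value the way the ordered rules would, and checks that a rules file keeps the create, modification, access order for open_by_handle_at on one architecture. The same a2&01003 mask is used by the openat O_TRUNC rule later on this page. Function names and the sample files are the example's own.

```shell
#!/bin/sh
# Added example, not part of the SCAP Security Guide: decode the a2 masks used
# in the ordered open_by_handle_at rules and verify the create -> modification
# -> access order in a rules file. Masks are octal open(2) flags:
#   O_CREAT = 0100, O_TRUNC = 01000, O_WRONLY = 01, O_RDWR = 02
# a2&0100 selects any call that may create the file; a2&01003 any call that
# may write to or truncate it; the plain exit= rules select every other call.

# classify_open_flags OCTAL_FLAGS -> prints create | modification | access,
# i.e. the first rule group, in the guide's order, whose filter the call matches.
classify_open_flags() {
    flags=$((0$1))                  # leading 0 makes the shell read it as octal
    if [ $((flags & 0100)) -ne 0 ]; then
        echo create
    elif [ $((flags & 01003)) -ne 0 ]; then
        echo modification
    else
        echo access
    fi
}

# check_open_by_handle_at_order FILE ARCH
#   returns 0 when every create rule precedes every modification rule and every
#   modification rule precedes every access rule; 1 when misordered; 2 when one
#   of the three groups is missing for ARCH.
check_open_by_handle_at_order() {
    file="$1"; arch="$2"
    base="^-a always,exit -F arch=$arch -S open_by_handle_at "
    create_lines=$(grep -En -e "${base}-F a2&0100 " "$file" | cut -d: -f1)
    mod_lines=$(grep -En -e "${base}-F a2&01003 " "$file" | cut -d: -f1)
    access_lines=$(grep -En -e "${base}-F exit=" "$file" | cut -d: -f1)
    [ -n "$create_lines" ] && [ -n "$mod_lines" ] && [ -n "$access_lines" ] || return 2
    last_create=$(printf '%s\n' "$create_lines" | sort -n | tail -n 1)
    first_mod=$(printf '%s\n' "$mod_lines" | sort -n | head -n 1)
    last_mod=$(printf '%s\n' "$mod_lines" | sort -n | tail -n 1)
    first_access=$(printf '%s\n' "$access_lines" | sort -n | head -n 1)
    [ "$last_create" -lt "$first_mod" ] && [ "$last_mod" -lt "$first_access" ]
}

# Constructed sample: the guide's six b32 rules in the required order.
write_ordered_rules() {
    cat > "$1" <<'EOF'
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
EOF
}

# The same rules back to front: the catch-all access rules now shadow the rest.
write_reversed_rules() {
    tmp=$(mktemp)
    write_ordered_rules "$tmp"
    sed -n '1!G;h;$p' "$tmp" > "$1"
    rm -f "$tmp"
}
```

On a host, `check_open_by_handle_at_order /etc/audit/rules.d/access.rules b64` returns 0 only when the 64-bit rules appear in the order the listing below prescribes; a return of 2 means a whole group is absent, which is the earlier rules on this page, not ordering, that need fixing.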
    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
    -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
    -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access

If the system is 64 bit then also add the following lines:

    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
    -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
    -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access

References: 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172

Rationale: The more specific rules cover a subset of the events covered by the less specific rules. By ordering them from more specific to less specific, it is assured that the less specific rule will not catch events better recorded by the more specific rule.

Record Unsuccessful Delete Attempts to Files - unlinkat

The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.
    -a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
    -a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

If the system is 64 bit then also add the following lines:

    -a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
    -a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

    -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete

References: 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172

Rationale: Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Remediation shell script:

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S unlinkat -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    # (fix_audit_syscall_rule is provided by the guide's shared remediation functions, which this page does not reproduce)
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S unlinkat -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

#
# What architecture are we on?
#
- name: Set architecture for audit unlinkat tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_unlinkat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_unlinkat
  tags:
    - audit_rules_unsuccessful_file_modification_unlinkat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_unlinkat.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_unlinkat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_unlinkat.files | map(attribute='path') | list | first }}"
  when: find_unlinkat.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_unlinkat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1

- name: Inserts/replaces the unlinkat rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_unlinkat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the unlinkat rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_unlinkat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the unlinkat rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_unlinkat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the unlinkat rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_unlinkat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1

Record Unauthorized Modification Attempts to Files - openat O_TRUNC

The audit system should collect detailed unauthorized file accesses for all users and root. The openat syscall can be used to modify files if called for a write operation or with the O_TRUNC flag. The following audit rules will assure that unsuccessful attempts to modify a file via the openat syscall are collected. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to the /etc/audit/audit.rules file.

    -a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
    -a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

If the system is 64 bit then also add the following lines:

    -a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
    -a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient.
See the following example: -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172 Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) At a minimum the audit system should collect unauthorized file accesses for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

    -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:

    -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

    -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

This rule checks for multiple syscalls related to unsuccessful file modification; it was written with DISA STIG in mind. Other policies should use a separate rule for each syscall that needs to be checked. For example:

    audit_rules_unsuccessful_file_modification_open
    audit_rules_unsuccessful_file_modification_ftruncate
    audit_rules_unsuccessful_file_modification_creat

References: 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.2.4 Req-10.2.1

Rationale: Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Identifiers: CCE-27347-4

Remediation Shell script:

    # Perform the remediation of the syscall rule.
    # fix_audit_syscall_rule is the helper function shared by the SSG bash
    # remediations; it is defined outside this snippet.
    # Retrieve hardware architecture of the underlying system
    [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

    for ARCH in "${RULE_ARCHS[@]}"
    do
            # First fix the -EACCES requirement
            PATTERN="-a always,exit -F arch=$ARCH -S .* -F exit=-EACCES -F auid>=1000 -F auid!=unset -k *"
            # Use escaped BRE regex to specify rule group
            GROUP="\(creat\|open\|truncate\)"
            FULL_RULE="-a always,exit -F arch=$ARCH -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access"
            # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
            fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
            fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

            # Then fix the -EPERM requirement
            PATTERN="-a always,exit -F arch=$ARCH -S .* -F exit=-EPERM -F auid>=1000 -F auid!=unset -k *"
            # No need to change content of $GROUP variable - it's the same as for -EACCES case above
            FULL_RULE="-a always,exit -F arch=$ARCH -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access"
            # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
            fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
            fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    done

Record Unauthorized Modification Attempts to Files - open_by_handle_at O_TRUNC

The audit system should collect detailed unauthorized file accesses for all users and root. The open_by_handle_at syscall can be used to modify files if it is called for a write operation or with the O_TRUNC flag. The following audit rules ensure that unsuccessful attempts to modify a file via the open_by_handle_at syscall are collected.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to the /etc/audit/audit.rules file.

    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

If the system is 64 bit then also add the following lines:

    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here each system call has been placed in its own rule, independent of other system calls. Grouping system calls related to the same event into one rule is more efficient. See the following example:

    -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

References: 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172

Rationale: Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Record Unauthorized Access Attempts to Files (unsuccessful) - openat

At a minimum, the audit system should collect unauthorized file accesses for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

    -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:

    -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

    -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system call has been placed in its own rule, independent of other system calls. Grouping it with the related system calls, as identified earlier in this guide, is more efficient.

Identifiers: RHEL-07-030520 SV-86751r4_rule

References: 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172

Rationale: Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Identifiers: CCE-80387-4

Remediation Shell script:

    # First perform the remediation of the syscall rule.
    # fix_audit_syscall_rule is the helper function shared by the SSG bash
    # remediations; it is defined outside this snippet.
    # Retrieve hardware architecture of the underlying system
    [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

    for ARCH in "${RULE_ARCHS[@]}"
    do
            PATTERN="-a always,exit -F arch=$ARCH -S openat -F exit=-EACCES.*"
            GROUP="access"
            FULL_RULE="-a always,exit -F arch=$ARCH -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
            # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
            fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
            fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    done

    for ARCH in "${RULE_ARCHS[@]}"
    do
            PATTERN="-a always,exit -F arch=$ARCH -S openat -F exit=-EPERM.*"
            GROUP="access"
            FULL_RULE="-a always,exit -F arch=$ARCH -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
            # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
            fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
            fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    done

Remediation Ansible snippet:

#
# What architecture are we on?
#
- name: Set architecture for audit openat tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags: [audit_rules_unsuccessful_file_modification_openat, medium_severity, restrict_strategy,
         low_complexity, low_disruption, CCE-80387-4, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b),
         NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a),
         NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4,
         PCI-DSS-Req-10.2.1, DISA-STIG-RHEL-07-030520]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_openat
  tags: [audit_rules_unsuccessful_file_modification_openat, medium_severity, restrict_strategy,
         low_complexity, low_disruption, CCE-80387-4, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b),
         NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a),
         NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4,
         PCI-DSS-Req-10.2.1, DISA-STIG-RHEL-07-030520]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_openat.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_openat, medium_severity, restrict_strategy,
         low_complexity, low_disruption, CCE-80387-4, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b),
         NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a),
         NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4,
         PCI-DSS-Req-10.2.1, DISA-STIG-RHEL-07-030520]

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_openat.files | map(attribute='path') | list | first }}"
  when: find_openat.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_openat, medium_severity, restrict_strategy,
         low_complexity, low_disruption, CCE-80387-4, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b),
         NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a),
         NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4,
         PCI-DSS-Req-10.2.1, DISA-STIG-RHEL-07-030520]

- name: Inserts/replaces the openat rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags: [audit_rules_unsuccessful_file_modification_openat, medium_severity, restrict_strategy,
         low_complexity, low_disruption, CCE-80387-4, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b),
         NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a),
         NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4,
         PCI-DSS-Req-10.2.1, DISA-STIG-RHEL-07-030520]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the openat rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_openat, medium_severity, restrict_strategy,
         low_complexity, low_disruption, CCE-80387-4, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b),
         NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a),
         NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4,
         PCI-DSS-Req-10.2.1, DISA-STIG-RHEL-07-030520]

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the openat rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags: [audit_rules_unsuccessful_file_modification_openat, medium_severity, restrict_strategy,
         low_complexity, low_disruption, CCE-80387-4, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b),
         NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a),
         NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4,
         PCI-DSS-Req-10.2.1, DISA-STIG-RHEL-07-030520]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the openat rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_openat, medium_severity, restrict_strategy,
         low_complexity, low_disruption, CCE-80387-4, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b),
         NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a),
         NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4,
         PCI-DSS-Req-10.2.1, DISA-STIG-RHEL-07-030520]

Record Unsuccessful Delete Attempts to Files - rename

The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.

    -a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
    -a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

If the system is 64 bit then also add the following lines:

    -a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
    -a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here each system call has been placed in its own rule, independent of other system calls. Grouping system calls related to the same event into one rule is more efficient.
See the following example:

    -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete

References: 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172

Rationale: Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
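The notes above (for openat, open_by_handle_at and rename alike) say the same event may be written as one rule per syscall or as several syscalls grouped in one -S list, with -k or -F key=, and with auid!=unset spelled in different ways. The checker below is an added example, not SSG's own OVAL check or remediation: it normalises those forms to report which (arch, syscall, exit) combinations a rules file still lacks, and decodes the a2&01003 filter of the O_TRUNC rules; SAMPLE_RULES is constructed for the example.

```python
"""Normalise auditd syscall rules and report which required ones are missing.

Added example, not SSG code. SAMPLE_RULES is constructed for the example.
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

# Linux open(2) flag values. The guide's "-F a2&01003" filter is the mask
# O_WRONLY | O_RDWR | O_TRUNC (octal 01003): openat() calls able to write or truncate.
O_RDONLY, O_WRONLY, O_RDWR, O_CREAT, O_TRUNC = 0, 0o1, 0o2, 0o100, 0o1000
WRITE_OR_TRUNC_MASK = O_WRONLY | O_RDWR | O_TRUNC  # == 0o1003

UNSET_AUID = {"unset", "-1", "4294967295"}  # spellings auditctl accepts for "no login session"
FIELD_RE = re.compile(r"^(\w+)(>=|<=|!=|=|&|>|<)(.*)$")


@dataclass
class SyscallRule:
    arch: Optional[str] = None
    syscalls: List[str] = field(default_factory=list)
    exit: Optional[str] = None
    key: Optional[str] = None
    auid_min: Optional[int] = None
    excludes_unset_auid: bool = False
    a2_mask: Optional[int] = None  # set when "-F a2&<octal>" is present


def parse_rule(line: str) -> Optional[SyscallRule]:
    """Parse one '-a always,exit ...' rule; None for comments, -w watches and other rule kinds."""
    toks = shlex.split(line, comments=True)
    if len(toks) < 2 or toks[0] != "-a" or toks[1] not in ("always,exit", "exit,always"):
        return None
    rule = SyscallRule()
    i = 2
    while i + 1 < len(toks):
        opt, val = toks[i], toks[i + 1]
        i += 2
        if opt == "-S":  # "-S a,b,c" and repeated "-S a -S b" are both accepted
            rule.syscalls.extend(val.split(","))
        elif opt == "-k":
            rule.key = val
        elif opt == "-F":
            m = FIELD_RE.match(val)
            if m is None:
                return None
            name, op, arg = m.groups()
            if (name, op) == ("arch", "="):
                rule.arch = arg
            elif (name, op) == ("exit", "="):
                rule.exit = arg
            elif (name, op) == ("key", "="):
                rule.key = arg
            elif (name, op) == ("auid", ">="):
                rule.auid_min = int(arg)
            elif (name, op) == ("auid", "!="):
                rule.excludes_unset_auid = arg in UNSET_AUID
            elif (name, op) == ("a2", "&"):  # auditctl reads a leading 0 as octal
                rule.a2_mask = int(arg, 8) if arg.startswith("0") else int(arg)
        else:
            return None  # option this example does not model
    return rule


def parse_rules(text: str) -> List[SyscallRule]:
    return [r for r in map(parse_rule, text.splitlines()) if r is not None]


def covers(rule: SyscallRule, arch: str, syscall: str, exit_code: str) -> bool:
    """True when `rule` records failed `syscall` calls with that exit code for real users on `arch`."""
    return (rule.arch == arch and syscall in rule.syscalls and rule.exit == exit_code
            and rule.auid_min is not None and rule.auid_min <= 1000 and rule.excludes_unset_auid)


def missing_rules(text: str, syscalls: Sequence[str], arches: Sequence[str] = ("b32", "b64"),
                  exits: Sequence[str] = ("-EACCES", "-EPERM")) -> List[Tuple[str, str, str]]:
    """(arch, syscall, exit) combinations the guide asks for that `text` does not cover."""
    rules = parse_rules(text)
    return [(arch, sc, ex) for arch in arches for sc in syscalls for ex in exits
            if not any(covers(r, arch, sc, ex) for r in rules)]


def selected_by_mask(open_flags: int, mask: int = WRITE_OR_TRUNC_MASK) -> bool:
    """Would an 'a2&mask' filter fire for an openat() called with these flags?"""
    return (open_flags & mask) != 0


SAMPLE_RULES = """\
# constructed sample of /etc/audit/rules.d/access.rules (not from a real host)
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k unsuccesful-modification
-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccesful-modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
"""

if __name__ == "__main__":
    for sc in ("openat", "open_by_handle_at"):
        print(sc, "missing:", missing_rules(SAMPLE_RULES, [sc]))
    print("O_RDONLY|O_TRUNC selected by a2&01003:", selected_by_mask(O_RDONLY | O_TRUNC))
```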
Remediation Shell script:

    # First perform the remediation of the syscall rule.
    # fix_audit_syscall_rule is the helper function shared by the SSG bash
    # remediations; it is defined outside this snippet.
    # Retrieve hardware architecture of the underlying system
    [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

    for ARCH in "${RULE_ARCHS[@]}"
    do
            PATTERN="-a always,exit -F arch=$ARCH -S rename -F exit=-EACCES.*"
            GROUP="access"
            FULL_RULE="-a always,exit -F arch=$ARCH -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
            # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
            fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
            fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    done

    for ARCH in "${RULE_ARCHS[@]}"
    do
            PATTERN="-a always,exit -F arch=$ARCH -S rename -F exit=-EPERM.*"
            GROUP="access"
            FULL_RULE="-a always,exit -F arch=$ARCH -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
            # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
            fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
            fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    done

Remediation Ansible snippet:

#
# What architecture are we on?
#
- name: Set architecture for audit rename tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags: [audit_rules_unsuccessful_file_modification_rename, medium_severity, restrict_strategy,
         low_complexity, low_disruption, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a),
         NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c),
         NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_rename
  tags: [audit_rules_unsuccessful_file_modification_rename, medium_severity, restrict_strategy,
         low_complexity, low_disruption, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a),
         NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c),
         NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_rename.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_rename, medium_severity, restrict_strategy,
         low_complexity, low_disruption, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a),
         NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c),
         NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1]

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_rename.files | map(attribute='path') | list | first }}"
  when: find_rename.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_rename, medium_severity, restrict_strategy,
         low_complexity, low_disruption, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a),
         NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c),
         NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1]

- name: Inserts/replaces the rename rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags: [audit_rules_unsuccessful_file_modification_rename, medium_severity, restrict_strategy,
         low_complexity, low_disruption, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a),
         NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c),
         NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the rename rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_rename, medium_severity, restrict_strategy,
         low_complexity, low_disruption, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a),
         NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c),
         NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1]

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the rename rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags: [audit_rules_unsuccessful_file_modification_rename, medium_severity, restrict_strategy,
         low_complexity, low_disruption, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a),
         NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c),
         NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1]
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the rename rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_rename, medium_severity, restrict_strategy,
         low_complexity, low_disruption, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a),
         NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c),
         NIST-800-53-IR-5, NIST-800-171-3.1.7, PCI-DSS-Req-10.2.4, PCI-DSS-Req-10.2.1]

Set Last Logon/Access Notification

To configure the system to notify users of their last logon/access using pam_lastlog, add or correct the pam_lastlog settings in /etc/pam.d/postlogin to read as follows:

    session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
    session     [default=1]                pam_lastlog.so nowtmp showfailed
    session     optional                   pam_lastlog.so silent noupdate showfailed

Identifiers: RHEL-07-040530 SV-86899r3_rule

References: 1 12 15 16 5.5.2 DSS05.04 DSS05.10 DSS06.10 CCI-000366 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-9 PR.AC-7 Req-10.2.4 SRG-OS-000480-GPOS-00227

Rationale: Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.
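The three postlogin lines above only work as a unit: pam_succeed_if succeeds for any service not matching gdm* or su* and skips the next line, so gdm and su fall through to the line that prints the last login, whose [default=1] then skips the silent variant. The following is an added example, not SSG's remediation, that applies the stanza to file text idempotently and checks it is present and contiguous; SAMPLE_POSTLOGIN is constructed for the example.

```python
"""Configure pam_lastlog in /etc/pam.d/postlogin as the description requires.

Added example, not SSG's remediation. It works on text so the result can be
checked before it is written back; SAMPLE_POSTLOGIN is constructed for the example.
"""
from typing import List

# The three lines the guide requires, in this order. pam_succeed_if succeeds for
# services other than gdm* and su* and skips the next line; for gdm and su the
# reporting line runs and its [default=1] skips the silent fallback.
LASTLOG_STANZA = [
    "session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet",
    "session     [default=1]                pam_lastlog.so nowtmp showfailed",
    "session     optional                   pam_lastlog.so silent noupdate showfailed",
]


def _normalise(line: str) -> str:
    """Collapse whitespace so differently indented copies of a line compare equal."""
    return " ".join(line.split())


def _is_stanza_line(line: str) -> bool:
    """True for any existing pam_lastlog session line or an earlier copy of the guard line."""
    norm = _normalise(line)
    toks = norm.split()
    if not toks or toks[0] != "session":
        return False
    return "pam_lastlog.so" in toks or norm in {_normalise(s) for s in LASTLOG_STANZA}


def configure_lastlog(postlogin_text: str) -> str:
    """Return postlogin content with exactly one copy of the stanza, appended at the end."""
    kept: List[str] = [ln for ln in postlogin_text.splitlines() if not _is_stanza_line(ln)]
    return "\n".join(kept + LASTLOG_STANZA) + "\n"


def lastlog_configured(postlogin_text: str) -> bool:
    """Check: the three lines are present, contiguous and in order (whitespace ignored)."""
    active = [_normalise(ln) for ln in postlogin_text.splitlines()
              if ln.strip() and not ln.lstrip().startswith("#")]
    want = [_normalise(s) for s in LASTLOG_STANZA]
    return any(active[i:i + 3] == want for i in range(len(active) - 2))


SAMPLE_POSTLOGIN = """\
#%PAM-1.0
# constructed sample of /etc/pam.d/postlogin (not a real host file)
session      optional      pam_umask.so silent
session      [default=1]   pam_lastlog.so nowtmp silent
session      optional      pam_lastlog.so silent noupdate showfailed
"""

if __name__ == "__main__":
    fixed = configure_lastlog(SAMPLE_POSTLOGIN)
    print(fixed)
    print("configured before:", lastlog_configured(SAMPLE_POSTLOGIN),
          "after:", lastlog_configured(fixed))
```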
Identifier: CCE-27275-7

Remediation (shell):

    # Drop any existing pam_lastlog lines so the two appended below are the only ones
    if grep -q "^session.*pam_lastlog.so" /etc/pam.d/postlogin ; then
      sed -i --follow-symlinks "/pam_lastlog.so/d" /etc/pam.d/postlogin
    fi
    echo "session [default=1] pam_lastlog.so nowtmp showfailed" >> /etc/pam.d/postlogin
    echo "session optional pam_lastlog.so silent noupdate showfailed" >> /etc/pam.d/postlogin

10.2.5 Use of and changes to

Record Events that Modify User/Group Information

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

    -w /etc/group -p wa -k audit_rules_usergroup_modification
    -w /etc/passwd -p wa -k audit_rules_usergroup_modification
    -w /etc/gshadow -p wa -k audit_rules_usergroup_modification
    -w /etc/shadow -p wa -k audit_rules_usergroup_modification
    -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file, in order to capture events that modify account changes:

    -w /etc/group -p wa -k audit_rules_usergroup_modification
    -w /etc/passwd -p wa -k audit_rules_usergroup_modification
    -w /etc/gshadow -p wa -k audit_rules_usergroup_modification
    -w /etc/shadow -p wa -k audit_rules_usergroup_modification
    -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

This rule checks for multiple syscalls related to account changes; it was written with DISA STIG in mind. Other policies should use a separate rule for each syscall that needs to be checked. For example:

    audit_rules_usergroup_modification_group
    audit_rules_usergroup_modification_gshadow
    audit_rules_usergroup_modification_passwd

References: RHEL-07-030710 SV-86789r4_rule 5.2.5 1 11 12 13 14 15 16 18 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS06.03 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000018 CCI-000172 CCI-001403 CCI-002130 4.2.3.10 4.3.2.6.7 4.3.3.2.2 4.3.3.3.9 4.3.3.5.1 4.3.3.5.2 4.3.3.5.8 4.3.3.6.6 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.1 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.6.2.1 A.6.2.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(4) AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-1 PR.AC-3 PR.AC-4 PR.AC-6 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.2.5 SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000241-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000476-GPOS-00221

Rationale: In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
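A checker for the watches listed above, covering both this combined rule and the per-file rules that follow it (added example, not SSG's OVAL check). It parses -w rules the way auditctl reads them, requires both the w and a permission bits under the rule's key, and evaluates the augenrules and auditctl cases separately because the remediation fixes both; the rule file contents are constructed samples passed in as strings.

```python
"""Verify the auditd watches for the user/group database files described above.

Added example, not SSG's OVAL check.  It parses '-w' watch rules the way
auditctl reads them and reports which of the five files lack a watch for
writes and attribute changes ('-p wa') under the key the rule uses.  Rule
text is passed in as strings (the contents of /etc/audit/rules.d/*.rules for
augenrules, or of /etc/audit/audit.rules for auditctl) so it runs offline.
"""
import shlex
from typing import Dict, List, Optional

REQUIRED_WATCHES = ("/etc/group", "/etc/passwd", "/etc/gshadow",
                    "/etc/shadow", "/etc/security/opasswd")
REQUIRED_KEY = "audit_rules_usergroup_modification"


def parse_watch_rules(rules_text: str) -> List[Dict[str, Optional[str]]]:
    """Return one {'path', 'perms', 'key'} dict per '-w' rule.

    Comments, blank lines and non-watch rules (-a, -D, -b, ...) are skipped.
    Both '-k key' and '-F key=key' are accepted, as auditctl allows either.
    """
    watches = []
    for raw in rules_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        argv = shlex.split(line)
        if "-w" not in argv:
            continue
        rule: Dict[str, Optional[str]] = {"path": None, "perms": "", "key": None}
        # auditctl options all take one value, so walk the line in option/value pairs
        for opt, val in zip(argv[::2], argv[1::2]):
            if opt == "-w":
                rule["path"] = val
            elif opt == "-p":
                rule["perms"] = val
            elif opt == "-k":
                rule["key"] = val
            elif opt == "-F" and val.startswith("key="):
                rule["key"] = val[len("key="):]
        if rule["path"]:
            watches.append(rule)
    return watches


def missing_watches(rules_text: str) -> List[str]:
    """Required files with no '-p wa' watch under REQUIRED_KEY (empty == compliant)."""
    covered = set()
    for w in parse_watch_rules(rules_text):
        if (w["path"] in REQUIRED_WATCHES
                and {"w", "a"} <= set(w["perms"] or "")
                and w["key"] == REQUIRED_KEY):
            covered.add(w["path"])
    return [p for p in REQUIRED_WATCHES if p not in covered]


def check_host(rules_d: Dict[str, str], audit_rules: str) -> Dict[str, List[str]]:
    """Evaluate both loaders: augenrules concatenates every rules.d file,
    auditctl reads audit.rules alone.  Keys are the loader names."""
    return {
        "augenrules": missing_watches("\n".join(rules_d.values())),
        "auditctl": missing_watches(audit_rules),
    }


# Constructed sample rules.d: /etc/shadow is watched for writes only (no 'a'),
# /etc/security/opasswd is not watched at all, /etc/gshadow uses the -F key= form.
SAMPLE_RULES_D = {
    "/etc/audit/rules.d/privileged.rules": "\n".join([
        "## user/group database watches (constructed sample)",
        "-w /etc/group -p wa -k audit_rules_usergroup_modification",
        "-w /etc/passwd -p wa -k audit_rules_usergroup_modification",
        "-w /etc/gshadow -p wa -F key=audit_rules_usergroup_modification",
        "-w /etc/shadow -p w -k audit_rules_usergroup_modification",
        "-a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access",
    ]),
}
# Constructed sample audit.rules: all five watches present.
SAMPLE_AUDIT_RULES = "-D\n-b 8192\n" + "\n".join(
    f"-w {path} -p wa -k {REQUIRED_KEY}" for path in REQUIRED_WATCHES) + "\n"

if __name__ == "__main__":
    for loader, missing in check_host(SAMPLE_RULES_D, SAMPLE_AUDIT_RULES).items():
        print(f"{loader}: {'compliant' if not missing else 'missing ' + ', '.join(missing)}")
```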
Identifier: CCE-27192-4

Remediation (shell):

    # fix_audit_watch_rule is SSG's shared remediation helper; its arguments are the
    # loader (auditctl or augenrules), the watched path, the permission bits and the key.
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_watch_rule "auditctl" "/etc/group" "wa" "audit_rules_usergroup_modification"
    fix_audit_watch_rule "augenrules" "/etc/group" "wa" "audit_rules_usergroup_modification"
    fix_audit_watch_rule "auditctl" "/etc/passwd" "wa" "audit_rules_usergroup_modification"
    fix_audit_watch_rule "augenrules" "/etc/passwd" "wa" "audit_rules_usergroup_modification"
    fix_audit_watch_rule "auditctl" "/etc/gshadow" "wa" "audit_rules_usergroup_modification"
    fix_audit_watch_rule "augenrules" "/etc/gshadow" "wa" "audit_rules_usergroup_modification"
    fix_audit_watch_rule "auditctl" "/etc/shadow" "wa" "audit_rules_usergroup_modification"
    fix_audit_watch_rule "augenrules" "/etc/shadow" "wa" "audit_rules_usergroup_modification"
    fix_audit_watch_rule "auditctl" "/etc/security/opasswd" "wa" "audit_rules_usergroup_modification"
    fix_audit_watch_rule "augenrules" "/etc/security/opasswd" "wa" "audit_rules_usergroup_modification"

Record Events that Modify User/Group Information - /etc/shadow

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

    -w /etc/shadow -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file, in order to capture events that modify account changes:

    -w /etc/shadow -p wa -k audit_rules_usergroup_modification

References: RHEL-07-030873 SV-87823r4_rule 5.2.5 1 11 12 13 14 15 16 18 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS06.03 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000018 CCI-000172 CCI-001403 CCI-002130 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.2.2 4.3.3.3.9 4.3.3.5.1 4.3.3.5.2 4.3.3.5.8 4.3.3.6.6 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.1 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.6.2.1 A.6.2.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(4) AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-1 PR.AC-3 PR.AC-4 PR.AC-6 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.5 SRG-OS-000004-GPOS-00004

Rationale: In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Identifier: CCE-80431-0

Remediation (shell):

    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_watch_rule "auditctl" "/etc/shadow" "wa" "audit_rules_usergroup_modification"
    fix_audit_watch_rule "augenrules" "/etc/shadow" "wa" "audit_rules_usergroup_modification"

Remediation (Ansible):

#
# What architecture are we on?
#
- name: Set architecture for audit shadow tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_usergroup_modification_shadow
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80431-0
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030873
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other user/group modification audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-k audit_rules_usergroup_modification$"
    patterns: "*.rules"
  register: find_shadow
  tags:
    - audit_rules_usergroup_modification_shadow
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80431-0
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030873
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_shadow.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_usergroup_modification_shadow
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80431-0
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030873

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_shadow.files | map(attribute='path') | list | first }}"
  when: find_shadow.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_usergroup_modification_shadow
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80431-0
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030873

- name: Inserts/replaces the shadow rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-w /etc/shadow -p wa -k audit_rules_usergroup_modification"
    create: yes
  tags:
    - audit_rules_usergroup_modification_shadow
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80431-0
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030873
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the shadow rule in /etc/audit/audit.rules
  lineinfile:
    line: "-w /etc/shadow -p wa -k audit_rules_usergroup_modification"
    state: present
    dest: /etc/audit/audit.rules
  tags:
    - audit_rules_usergroup_modification_shadow
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80431-0
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030873
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Record Events that Modify User/Group Information - /etc/security/opasswd

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

    -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file, in order to capture events that modify account changes:

    -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

References: RHEL-07-030874 SV-87825r5_rule 5.2.5 1 11 12 13 14 15 16 18 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS06.03 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000018 CCI-000172 CCI-001403 CCI-002130 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.2.2 4.3.3.3.9 4.3.3.5.1 4.3.3.5.2 4.3.3.5.8 4.3.3.6.6 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.1 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.6.2.1 A.6.2.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(4) AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-1 PR.AC-3 PR.AC-4 PR.AC-6 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.5 SRG-OS-000004-GPOS-00004

Rationale: In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Identifier: CCE-80430-2

Remediation (shell):

    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_watch_rule "auditctl" "/etc/security/opasswd" "wa" "audit_rules_usergroup_modification"
    fix_audit_watch_rule "augenrules" "/etc/security/opasswd" "wa" "audit_rules_usergroup_modification"

Remediation (Ansible):

#
# What architecture are we on?
#
- name: Set architecture for audit opasswd tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_usergroup_modification_opasswd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80430-2
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030874
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other user/group modification audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-k audit_rules_usergroup_modification$"
    patterns: "*.rules"
  register: find_opasswd
  tags:
    - audit_rules_usergroup_modification_opasswd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80430-2
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030874
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_opasswd.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_usergroup_modification_opasswd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80430-2
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030874

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_opasswd.files | map(attribute='path') | list | first }}"
  when: find_opasswd.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_usergroup_modification_opasswd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80430-2
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030874

- name: Inserts/replaces the opasswd rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification"
    create: yes
  tags:
    - audit_rules_usergroup_modification_opasswd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80430-2
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030874
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the opasswd rule in /etc/audit/audit.rules
  lineinfile:
    line: "-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification"
    state: present
    dest: /etc/audit/audit.rules
  tags:
    - audit_rules_usergroup_modification_opasswd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80430-2
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030874
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Record Events that Modify User/Group Information - /etc/gshadow

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

    -w /etc/gshadow -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file, in order to capture events that modify account changes:

    -w /etc/gshadow -p wa -k audit_rules_usergroup_modification

References: RHEL-07-030872 SV-87819r4_rule 5.2.5 1 11 12 13 14 15 16 18 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS06.03 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000018 CCI-000172 CCI-001403 CCI-002130 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.2.2 4.3.3.3.9 4.3.3.5.1 4.3.3.5.2 4.3.3.5.8 4.3.3.6.6 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.1 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.6.2.1 A.6.2.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(4) AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-1 PR.AC-3 PR.AC-4 PR.AC-6 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.5 SRG-OS-000004-GPOS-00004

Rationale: In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Identifier: CCE-80432-8

Remediation (shell):

    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_watch_rule "auditctl" "/etc/gshadow" "wa" "audit_rules_usergroup_modification"
    fix_audit_watch_rule "augenrules" "/etc/gshadow" "wa" "audit_rules_usergroup_modification"

Remediation (Ansible):

#
# What architecture are we on?
#
- name: Set architecture for audit gshadow tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_usergroup_modification_gshadow
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80432-8
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030872
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other user/group modification audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-k audit_rules_usergroup_modification$"
    patterns: "*.rules"
  register: find_gshadow
  tags:
    - audit_rules_usergroup_modification_gshadow
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80432-8
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030872
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_gshadow.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_usergroup_modification_gshadow
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80432-8
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030872

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_gshadow.files | map(attribute='path') | list | first }}"
  when: find_gshadow.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_usergroup_modification_gshadow
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80432-8
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030872

- name: Inserts/replaces the gshadow rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-w /etc/gshadow -p wa -k audit_rules_usergroup_modification"
    create: yes
  tags:
    - audit_rules_usergroup_modification_gshadow
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80432-8
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030872
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the gshadow rule in /etc/audit/audit.rules
  lineinfile:
    line: "-w /etc/gshadow -p wa -k audit_rules_usergroup_modification"
    state: present
    dest: /etc/audit/audit.rules
  tags:
    - audit_rules_usergroup_modification_gshadow
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80432-8
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030872
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Record Events that Modify User/Group Information - /etc/passwd

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

    -w /etc/passwd -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file, in order to capture events that modify account changes:

    -w /etc/passwd -p wa -k audit_rules_usergroup_modification

References: RHEL-07-030870 SV-86821r5_rule 5.2.5 1 11 12 13 14 15 16 18 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS06.03 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000018 CCI-000172 CCI-001403 CCI-002130 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.2.2 4.3.3.3.9 4.3.3.5.1 4.3.3.5.2 4.3.3.5.8 4.3.3.6.6 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.1 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.6.2.1 A.6.2.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(4) AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-1 PR.AC-3 PR.AC-4 PR.AC-6 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.5 SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000476-GPOS-00221

Rationale: In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Identifier: CCE-80435-1

Remediation (shell):

    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_watch_rule "auditctl" "/etc/passwd" "wa" "audit_rules_usergroup_modification"
    fix_audit_watch_rule "augenrules" "/etc/passwd" "wa" "audit_rules_usergroup_modification"

Remediation (Ansible):

#
# What architecture are we on?
#
- name: Set architecture for audit passwd tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_usergroup_modification_passwd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80435-1
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030870
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other user/group modification audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-k audit_rules_usergroup_modification$"
    patterns: "*.rules"
  register: find_passwd
  tags:
    - audit_rules_usergroup_modification_passwd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80435-1
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030870
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_passwd.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_usergroup_modification_passwd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80435-1
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030870

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_passwd.files | map(attribute='path') | list | first }}"
  when: find_passwd.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_usergroup_modification_passwd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80435-1
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030870

- name: Inserts/replaces the passwd rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-w /etc/passwd -p wa -k audit_rules_usergroup_modification"
    create: yes
  tags:
    - audit_rules_usergroup_modification_passwd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80435-1
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030870
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the passwd rule in /etc/audit/audit.rules
  lineinfile:
    line: "-w /etc/passwd -p wa -k audit_rules_usergroup_modification"
    state: present
    dest: /etc/audit/audit.rules
  tags:
    - audit_rules_usergroup_modification_passwd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80435-1
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030870
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Record Events that Modify User/Group Information - /etc/group

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

    -w /etc/group -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file, in order to capture events that modify account changes:

    -w /etc/group -p wa -k audit_rules_usergroup_modification

References: RHEL-07-030871 SV-87817r3_rule 5.2.5 1 11 12 13 14 15 16 18 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS06.03 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000018 CCI-000172 CCI-001403 CCI-002130 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.2.2 4.3.3.3.9 4.3.3.5.1 4.3.3.5.2 4.3.3.5.8 4.3.3.6.6 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.1 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.6.2.1 A.6.2.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(4) AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-1 PR.AC-3 PR.AC-4 PR.AC-6 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.5 SRG-OS-000004-GPOS-00004

Rationale: In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Identifier: CCE-80433-6

Remediation (shell):

    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_watch_rule "auditctl" "/etc/group" "wa" "audit_rules_usergroup_modification"
    fix_audit_watch_rule "augenrules" "/etc/group" "wa" "audit_rules_usergroup_modification"

Remediation (Ansible):

#
# What architecture are we on?
- name: Set architecture for audit group tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_usergroup_modification_group
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80433-6
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030871
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for other user/group modification audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-k audit_rules_usergroup_modification$"
    patterns: "*.rules"
  register: find_group
  tags:
    - audit_rules_usergroup_modification_group
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80433-6
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030871
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_group.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_usergroup_modification_group
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80433-6
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030871

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_group.files | map(attribute='path') | list | first }}"
  when: find_group.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_usergroup_modification_group
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80433-6
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030871

- name: Inserts/replaces the group rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-w /etc/group -p wa -k audit_rules_usergroup_modification"
    create: yes
  tags:
    - audit_rules_usergroup_modification_group
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80433-6
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030871
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the rule in /etc/audit/audit.rules
- name: Inserts/replaces the group rule in /etc/audit/audit.rules
  lineinfile:
    line: "-w /etc/group -p wa -k audit_rules_usergroup_modification"
    state: present
    dest: /etc/audit/audit.rules
  tags:
    - audit_rules_usergroup_modification_group
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80433-6
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030871
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

10.2.5.a Verify use of identification and authentication
10.2.5.b Verify all elevation of privileges is logged.

Ensure auditd Collects System Administrator Actions

At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with the suffix .rules in the directory /etc/audit/rules.d:
  -w /etc/sudoers -p wa -k actions
  -w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:
  -w /etc/sudoers -p wa -k actions
  -w /etc/sudoers.d/ -p wa -k actions

References: RHEL-07-030700, SV-86787r5_rule, 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-2(7)(b), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-3(1), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.2, Req-10.2.5.b, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215

Rationale: The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as for accountability purposes.

Identifiers: CCE-27461-3

Remediation Shell script:
# fix_audit_watch_rule is provided by the SSG shared remediation function library
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/etc/sudoers" "wa" "actions"
fix_audit_watch_rule "augenrules" "/etc/sudoers" "wa" "actions"
fix_audit_watch_rule "auditctl" "/etc/sudoers.d" "wa" "actions"
fix_audit_watch_rule "augenrules" "/etc/sudoers.d" "wa" "actions"

10.2.5.c Verify all changes, additions, or deletions to any account
10.2.6 Initialization, stopping, or
10.2.7 Creation and deletion of system-

Ensure auditd Collects Information on Kernel Module Unloading - rmmod

To capture invocations of rmmod, the utility used to remove modules from the kernel, add the following line:
  -w /usr/sbin/rmmod -p x -k modules
Where to add the line depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with the suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to the file /etc/audit/audit.rules.
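The placement logic the description above spells out (rules.d for augenrules, audit.rules for auditctl) is what the fix_audit_watch_rule calls in the remediation scripts rely on. As an added example, not the SSG library's own implementation, here is an idempotent POSIX shell approximation of it: ensure_audit_watch is a hypothetical name, and the optional AUDIT_DIR argument exists only so it can be exercised against a scratch directory instead of /etc/audit.

```shell
#!/bin/sh
# Added example: an idempotent audit watch-rule installer, approximating what
# the fix_audit_watch_rule calls in the SSG remediations above do. This is not
# SSG's own implementation; ensure_audit_watch is a hypothetical name.
#
# usage: ensure_audit_watch TOOL PATH PERMS KEY [AUDIT_DIR]
#   TOOL       augenrules (rules live in AUDIT_DIR/rules.d/*.rules, the RHEL 7
#              default); anything else is treated as auditctl (AUDIT_DIR/audit.rules)
#   PATH       file or directory to watch, e.g. /usr/sbin/rmmod
#   PERMS      access bits the rule must carry, e.g. x or wa
#   KEY        filter key, e.g. modules
#   AUDIT_DIR  defaults to /etc/audit; pass a scratch directory for testing
# Prints "added", "updated" or "unchanged"; re-running is a no-op.
ensure_audit_watch() {
    tool=$1 wpath=$2 perms=$3 key=$4 audit_dir=${5:-/etc/audit}
    # Escape regex metacharacters in the path before using it in grep
    esc=$(printf '%s' "$wpath" | sed 's/[.[\*^$]/\\&/g')
    path_re="^-w[[:space:]]+$esc[[:space:]]"

    if [ "$tool" = augenrules ]; then
        rules_dir="$audit_dir/rules.d"
        mkdir -p "$rules_dir"
        # Prefer the file already watching this path, then a file already using
        # this key (keeps related watches together), else a new per-key file.
        target=$(grep -lE -e "$path_re" "$rules_dir"/*.rules 2>/dev/null | head -n 1)
        if [ -z "$target" ]; then
            target=$(grep -lE -e "(-k[[:space:]]+|-F[[:space:]]+key=)$key([[:space:]]|\$)" \
                     "$rules_dir"/*.rules 2>/dev/null | head -n 1)
        fi
        [ -n "$target" ] || target="$rules_dir/$key.rules"
    else
        target="$audit_dir/audit.rules"
    fi
    [ -f "$target" ] || : > "$target"

    existing=$(grep -E -e "$path_re" "$target" | head -n 1)
    if [ -z "$existing" ]; then
        printf '%s\n' "-w $wpath -p $perms -k $key" >> "$target"
        echo added
        return 0
    fi

    # Merge the required access bits into whatever the existing rule has,
    # so a weaker rule (e.g. -p w when wa is required) is strengthened.
    cur=$(printf '%s\n' "$existing" | sed -nE 's/.*-p[[:space:]]+([rwxa]+).*/\1/p')
    newperms=$cur
    for p in $(printf '%s' "$perms" | sed 's/./& /g'); do
        case $newperms in *"$p"*) ;; *) newperms="$newperms$p" ;; esac
    done
    # Both key spellings auditctl accepts count as a match
    case " $existing " in
        *" -k $key "*|*" -F key=$key "*) key_ok=1 ;;
        *) key_ok=0 ;;
    esac
    if [ "$newperms" = "$cur" ] && [ "$key_ok" -eq 1 ]; then
        echo unchanged
        return 0
    fi

    # Rewrite the deficient rule in place so the file's order is preserved
    awk -v old="$existing" -v new="-w $wpath -p $newperms -k $key" \
        '$0 == old { print new; next } { print }' "$target" > "$target.tmp" \
        && mv "$target.tmp" "$target"
    echo updated
}
```

After changing a rules file the running ruleset still has to be reloaded (augenrules --load, or auditctl -R for the audit.rules case), which the function deliberately leaves to the caller.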
References: RHEL-07-030850, 5.2.17, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222

Rationale: The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

Identifiers: CCE-80416-1

Remediation Shell script:
# fix_audit_watch_rule is provided by the SSG shared remediation function library
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/usr/sbin/rmmod" "x" "modules"
fix_audit_watch_rule "augenrules" "/usr/sbin/rmmod" "x" "modules"

Ensure auditd Collects Information on Kernel Module Loading and Unloading

To capture kernel module loading and unloading events, use the following lines, setting ARCH to b32 on a 32-bit system, or duplicating the syscall line for both b32 and b64 if your system is 64-bit:
  -w /usr/sbin/insmod -p x -k modules
  -w /usr/sbin/rmmod -p x -k modules
  -w /usr/sbin/modprobe -p x -k modules
  -a always,exit -F arch=ARCH -S init_module,finit_module,create_module,delete_module -F key=modules
Where to add the lines depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the lines to a file with the suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the lines to the file /etc/audit/audit.rules.

This rule checks for multiple syscalls related to kernel module loading and unloading; it was written with the DISA STIG in mind. Other policies should use a separate rule for each syscall that needs to be checked. For example: audit_rules_kernel_module_loading_insmod, audit_rules_kernel_module_loading_rmmod, audit_rules_kernel_module_loading_modprobe.

References: 5.2.17, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.2.7

Rationale: The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

Identifiers: CCE-27129-6

Remediation Shell script:
# fix_audit_syscall_rule and fix_audit_watch_rule are provided by the SSG
# shared remediation function library
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
#       it's required on a 64-bit system to check also for the presence
#       of 32-bit's equivalent of the corresponding rule.
#       (See `man 7 audit.rules` for details )
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	GROUP="modules"
	PATTERN="-a always,exit -F arch=$ARCH -S init_module -S delete_module -S finit_module -S create_module \(-F key=\|-k \).*"
	FULL_RULE="-a always,exit -F arch=$ARCH -S init_module -S delete_module -S finit_module -S create_module -k modules"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

# Then perform the remediations for the watch rules
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/usr/sbin/insmod" "x" "modules"
fix_audit_watch_rule "augenrules" "/usr/sbin/insmod" "x" "modules"
fix_audit_watch_rule "auditctl" "/usr/sbin/rmmod" "x" "modules"
fix_audit_watch_rule "augenrules" "/usr/sbin/rmmod" "x" "modules"
fix_audit_watch_rule "auditctl" "/usr/sbin/modprobe" "x" "modules"
fix_audit_watch_rule "augenrules" "/usr/sbin/modprobe" "x" "modules"

Ensure auditd Collects Information on Kernel Module Unloading - delete_module

To capture kernel module unloading events, use the following line, setting ARCH to b32 on a 32-bit system, or duplicating the line for both b32 and b64 if your system is 64-bit:
  -a always,exit -F arch=ARCH -S delete_module -F key=modules
Where to add the line depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with the suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to the file /etc/audit/audit.rules.
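The 64-bit caveat above (a syscall rule is needed for both b32 and b64, because the two ABIs number their syscalls differently) and the two accepted key spellings (-k modules and -F key=modules) are easy to get wrong once rules are spread over several files or written one syscall per line. As an added example that is not part of SSG, this shell function audits a rules file for exactly that: check_module_syscall_rules is a hypothetical name, it takes the syscall set and the architectures to require as arguments, and it reports each missing arch/syscall pair.

```shell
#!/bin/sh
# Added example (not part of SSG): audit a rules file for module-syscall
# coverage the way the descriptions above require it. Every syscall in
# SYSCALLS must be covered, for every architecture in ARCHS, by an
# always,exit rule that carries KEY either as "-k KEY" or "-F key=KEY".
# Coverage may be spread over several lines, so one-syscall-per-rule
# layouts and "-S a,b,c" layouts are both accepted.
#
# usage: check_module_syscall_rules FILE SYSCALLS KEY [ARCHS]
#   FILE      a rules file (e.g. /etc/audit/rules.d/modules.rules)
#   SYSCALLS  comma-separated, e.g. init_module,finit_module,delete_module
#   KEY       expected filter key, e.g. modules
#   ARCHS     space-separated; defaults to "b32 b64" (what a 64-bit host
#             needs); pass b32 alone on a 32-bit host
# Prints one "missing: arch=... syscall=..." line per gap; returns 0 when none.
check_module_syscall_rules() {
    file=$1 syscalls=$2 key=$3 archs=${4:-"b32 b64"}
    awk -v want="$syscalls" -v key="$key" -v archs="$archs" '
    BEGIN { nw = split(want, W, ","); na = split(archs, A, " ") }
    /^[[:space:]]*(#|$)/ { next }          # comments and blank lines
    {
        act = ""; arch = ""; haskey = 0; split("", S)
        for (i = 1; i < NF; i++) {
            if ($i == "-a") act = $(i + 1)
            else if ($i == "-F" && $(i + 1) ~ /^arch=/) arch = substr($(i + 1), 6)
            else if ($i == "-F" && $(i + 1) == ("key=" key)) haskey = 1
            else if ($i == "-k" && $(i + 1) == key) haskey = 1
            else if ($i == "-S") {
                m = split($(i + 1), P, ",")
                for (j = 1; j <= m; j++) S[P[j]] = 1
            }
        }
        # Only an always,exit syscall rule with an explicit arch and the
        # expected key contributes coverage; watch rules (-w) never do.
        if ((act != "always,exit" && act != "exit,always") || arch == "" || !haskey) next
        for (j = 1; j <= nw; j++) if (W[j] in S) covered[arch, W[j]] = 1
    }
    END {
        missing = 0
        for (a = 1; a <= na; a++)
            for (j = 1; j <= nw; j++)
                if (!((A[a], W[j]) in covered)) {
                    print "missing: arch=" A[a] " syscall=" W[j]
                    missing++
                }
        if (missing) exit 1
    }' "$file"
}
```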
References: RHEL-07-030830, SV-86813r4_rule, 5.2.17, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222

Rationale: The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

Identifiers: CCE-80415-3

Remediation Shell script:
# fix_audit_syscall_rule is provided by the SSG shared remediation function library
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
#       it's required on a 64-bit system to check also for the presence
#       of 32-bit's equivalent of the corresponding rule.
#       (See `man 7 audit.rules` for details )
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S delete_module \(-F key=\|-k \).*"
	GROUP="modules"
	FULL_RULE="-a always,exit -F arch=$ARCH -S delete_module -k modules"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:
# What architecture are we on?
- name: Set architecture for audit delete_module tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_kernel_module_loading_delete
    - medium_severity
    - low_complexity
    - CCE-80415-3
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030830
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: ^.*delete_module.*$
    patterns: '*.rules'
  register: find_delete_module
  tags:
    - audit_rules_kernel_module_loading_delete
    - medium_severity
    - low_complexity
    - CCE-80415-3
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030830
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_delete_module.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_kernel_module_loading_delete
    - medium_severity
    - low_complexity
    - CCE-80415-3
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030830

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_delete_module.files | map(attribute=''path'') | list | first }}'
  when: find_delete_module.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_kernel_module_loading_delete
    - medium_severity
    - low_complexity
    - CCE-80415-3
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030830

- name: Inserts/replaces the delete_module rule in rules.d
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '-a always,exit -F arch=b32 -S delete_module -k module-change'
    state: present
    create: true
  tags:
    - audit_rules_kernel_module_loading_delete
    - medium_severity
    - low_complexity
    - CCE-80415-3
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030830
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the delete_module rule in rules.d on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '-a always,exit -F arch=b64 -S delete_module -k module-change'
    state: present
    create: true
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_kernel_module_loading_delete
    - medium_severity
    - low_complexity
    - CCE-80415-3
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030830

# Inserts/replaces the delete_module rule in /etc/audit/audit.rules
- name: Inserts/replaces the delete_module rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F arch=b32 -S delete_module -k module-change'
    create: true
  tags:
    - audit_rules_kernel_module_loading_delete
    - medium_severity
    - low_complexity
    - CCE-80415-3
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030830
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the delete_module rule in audit.rules when on x86_64
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F arch=b64 -S delete_module -k module-change'
    create: true
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_kernel_module_loading_delete
    - medium_severity
    - low_complexity
    - CCE-80415-3
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030830

Ensure auditd Collects Information on Kernel Module Loading - insmod

To capture invocations of insmod, the utility used to insert modules into the kernel, use the following line:
  -w /usr/sbin/insmod -p x -k modules
Where to add the line depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with the suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to the file /etc/audit/audit.rules.

References: RHEL-07-030840, SV-86815r5_rule, 5.2.17, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222

Rationale: The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
CCE-80446-8 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_watch_rule "auditctl" "/usr/sbin/insmod" "x" "modules" fix_audit_watch_rule "augenrules" "/usr/sbin/insmod" "x" "modules" Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S finit_module -F key=modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S finit_module -F key=modules RHEL-07-030821 SV-93707r2_rule 5.2.17 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 
DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.7 SRG-OS-000471-GPOS-00216 SRG-OS-000477-GPOS-00222 The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. CCE-80547-3 # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system # Note: 32-bit and 64-bit kernel syscall numbers not always line up => # it's required on a 64-bit system to check also for the presence # of 32-bit's equivalent of the corresponding rule. # (See `man 7 audit.rules` for details ) [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S finit_module \(-F key=\|-k \).*" GROUP="modules" FULL_RULE="-a always,exit -F arch=$ARCH -S finit_module -k modules" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done # What architecture are we on? 
- name: Set architecture for audit finit_module tasks set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" tags: - audit_rules_kernel_module_loading_finit - medium_severity - low_complexity - CCE-80547-3 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030821 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") # Inserts/replaces the rule in /etc/audit/rules.d - name: Search /etc/audit/rules.d for audit rule entries find: paths: /etc/audit/rules.d recurse: false contains: ^.*finit_module.*$ patterns: '*.rules' register: find_finit_module tags: - audit_rules_kernel_module_loading_finit - medium_severity - low_complexity - CCE-80547-3 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030821 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules when: find_finit_module.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_kernel_module_loading_finit - medium_severity - low_complexity - CCE-80547-3 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030821 - name: Use matched file as the recipient for the 
rule set_fact: all_files: - '{{ find_finit_module.files | map(attribute=''path'') | list | first }}' when: find_finit_module.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_kernel_module_loading_finit - medium_severity - low_complexity - CCE-80547-3 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030821 - name: Inserts/replaces the finit_module rule in rules.d lineinfile: path: '{{ all_files[0] }}' line: '-a always,exit -F arch=b32 -S finit_module -k module-change' state: present create: true tags: - audit_rules_kernel_module_loading_finit - medium_severity - low_complexity - CCE-80547-3 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030821 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Inserts/replaces the finit_module rule in rules.d on x86_64 lineinfile: path: '{{ all_files[0] }}' line: '-a always,exit -F arch=b64 -S finit_module -k module-change' state: present create: true when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_kernel_module_loading_finit - medium_severity - low_complexity - CCE-80547-3 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030821 # Inserts/replaces the finit_modules rule in /etc/audit/audit.rules - name: Inserts/replaces 
the finit_module rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F arch=b32 -S finit_module -k module-change'
    create: true
  tags:
    - audit_rules_kernel_module_loading_finit
    - medium_severity
    - low_complexity
    - CCE-80547-3
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030821
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the finit_module rule in audit.rules when on x86_64
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F arch=b64 -S finit_module -k module-change'
    create: true
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_kernel_module_loading_finit
    - medium_severity
    - low_complexity
    - CCE-80547-3
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030821

Ensure auditd Collects Information on Kernel Module Loading and Unloading - modprobe

To capture invocations of modprobe, the utility used to insert and remove kernel modules, add the following line:

-w /usr/sbin/modprobe -p x -k modules

Where to add the line depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with the suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to the file /etc/audit/audit.rules.
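The remediations on this page do not agree on the key they attach to the kernel-module rules: the rule descriptions and the bash remediation for init_module use modules (as -F key=modules or -k modules), while the Ansible remediations for init_module and finit_module write -k module-change. A check that greps for one specific key name will report a false failure after the other remediation has run, and an ausearch -k modules query will miss events tagged module-change. The following shell script is an added example, not code from SCAP Security Guide, that verifies the init_module, finit_module and modprobe rules described above without depending on the key name: it treats -F key=X and -k X as equivalent, accepts always,exit or exit,always, and requires the b32 rule as well as the b64 rule on a 64-bit kernel, using the same getconf LONG_BIT test as the bash remediation. The function names and the rules file it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not SCAP Security Guide code): verify the kernel-module audit
# rules from this page regardless of which key name the remediation used.

# normalize_rules FILE...: one rule per line, comments stripped, whitespace
# collapsed, "-F key=X" rewritten to the equivalent "-k X".
normalize_rules() {
    cat "$@" 2>/dev/null \
      | sed -e 's/#.*$//' -e 's/-F key=/-k /g' \
            -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' \
      | grep -v '^$'
}

# has_syscall_rule ARCH SYSCALL FILE...: succeed if some always,exit rule for
# ARCH lists SYSCALL (alone or inside a comma-separated list) and has a key.
has_syscall_rule() {
    _arch=$1; _sc=$2; shift 2
    normalize_rules "$@" \
      | grep -E "^-a (always,exit|exit,always) -F arch=${_arch} .*-S ([^ ]+,)?${_sc}(,[^ ]+)?( |$)" \
      | grep -q -- ' -k '
}

# has_watch_rule PATH FILE...: succeed if a -w watch on PATH with a key exists.
has_watch_rule() {
    _path=$1; shift
    normalize_rules "$@" | grep -qE "^-w ${_path} -p [rwxa]+ -k "
}

# check_module_rules "ARCHS" FILE...: print every required rule that is
# missing and return 1 if any is. ARCHS is "b32" on a 32-bit kernel and
# "b32 b64" on a 64-bit one, as the bash remediation above derives it.
check_module_rules() {
    _archs=$1; shift
    _rc=0
    for _a in $_archs; do
        for _s in init_module finit_module; do
            has_syscall_rule "$_a" "$_s" "$@" || {
                echo "missing: -a always,exit -F arch=$_a -S $_s -k modules"
                _rc=1
            }
        done
    done
    has_watch_rule /usr/sbin/modprobe "$@" || {
        echo "missing: -w /usr/sbin/modprobe -p x -k modules"
        _rc=1
    }
    return $_rc
}

# Demonstration on a constructed rules file (not taken from a real host). It
# mixes the key names the two remediations write; b32 finit_module is absent.
demo_dir=$(mktemp -d)
cat > "$demo_dir/modules.rules" <<'EOF'
# constructed sample
-a always,exit -F arch=b32 -S init_module -k modules
-a always,exit -F arch=b64 -S init_module -F key=modules
-a always,exit -F arch=b64 -S finit_module -k module-change
-w /usr/sbin/modprobe -p x -k modules
EOF
archs="b32 b64"
[ "$(getconf LONG_BIT 2>/dev/null)" = "32" ] && archs="b32"
check_module_rules "$archs" "$demo_dir"/*.rules \
    && echo "kernel-module audit rules complete" \
    || echo "kernel-module audit rules incomplete"
rm -rf "$demo_dir"
```

Run it against the files the daemon actually reads: with augenrules (the default on Red Hat Enterprise Linux 7) that is /etc/audit/rules.d/*.rules, with auditctl it is /etc/audit/audit.rules; the saved output of auditctl -l also parses, since it prints keys as -F key=X. When searching the log afterwards, either use the key name that was actually applied (ausearch -k modules or ausearch -k module-change) or search by syscall with ausearch -sc init_module, which sidesteps the naming difference.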
RHEL-07-030860 5.2.17 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.7 SRG-OS-000471-GPOS-00216 SRG-OS-000477-GPOS-00222

The addition and removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

CCE-80417-9

# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/usr/sbin/modprobe" "x" "modules"
fix_audit_watch_rule "augenrules" "/usr/sbin/modprobe" "x" "modules"

Ensure auditd Collects Information on Kernel Module Loading - init_module

To capture kernel module loading events, add the following line, setting ARCH to b32 on a 32-bit system; on a 64-bit system add two lines, one with b32 and one with b64, because 32-bit and 64-bit syscall numbers differ and a rule for one architecture does not cover the other:

-a always,exit -F arch=ARCH -S init_module -F key=modules

Where to add the line depends on how the auditd daemon is configured.
If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules. RHEL-07-030820 SV-86811r4_rule 5.2.17 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.7 SRG-OS-000471-GPOS-00216 SRG-OS-000477-GPOS-00222 The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. CCE-80414-6 # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system # Note: 32-bit and 64-bit kernel syscall numbers not always line up => # it's required on a 64-bit system to check also for the presence # of 32-bit's equivalent of the corresponding rule. 
# (See `man 7 audit.rules` for details ) [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S init_module \(-F key=\|-k \).*" GROUP="modules" FULL_RULE="-a always,exit -F arch=$ARCH -S init_module -k modules" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done # What architecture are we on? - name: Set architecture for audit init_module tasks set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" tags: - audit_rules_kernel_module_loading_init - medium_severity - low_complexity - CCE-80414-6 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030820 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") # Inserts/replaces the rule in /etc/audit/rules.d - name: Search /etc/audit/rules.d for audit rule entries find: paths: /etc/audit/rules.d recurse: false contains: ^.*init_module.*$ patterns: '*.rules' register: find_init_module tags: - audit_rules_kernel_module_loading_init - medium_severity - low_complexity - CCE-80414-6 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030820 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule 
set_fact: all_files: - /etc/audit/rules.d/privileged.rules when: find_init_module.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_kernel_module_loading_init - medium_severity - low_complexity - CCE-80414-6 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030820 - name: Use matched file as the recipient for the rule set_fact: all_files: - '{{ find_init_module.files | map(attribute=''path'') | list | first }}' when: find_init_module.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_kernel_module_loading_init - medium_severity - low_complexity - CCE-80414-6 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030820 - name: Inserts/replaces the init_module rule in rules.d lineinfile: path: '{{ all_files[0] }}' line: '-a always,exit -F arch=b32 -S init_module -k module-change' state: present create: true tags: - audit_rules_kernel_module_loading_init - medium_severity - low_complexity - CCE-80414-6 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030820 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Inserts/replaces the init_module rule in rules.d on x86_64 lineinfile: path: '{{ all_files[0] }}' line: '-a always,exit -F arch=b64 -S init_module -k module-change' state: 
present create: true when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_kernel_module_loading_init - medium_severity - low_complexity - CCE-80414-6 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030820 # Inserts/replaces the init_modules rule in /etc/audit/audit.rules - name: Inserts/replaces the init_module rule in audit.rules lineinfile: path: /etc/audit/audit.rules line: '-a always,exit -F arch=b32 -S init_module -k module-change' create: true tags: - audit_rules_kernel_module_loading_init - medium_severity - low_complexity - CCE-80414-6 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030820 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Inserts/replaces the init_module rule in audit.rules when on x86_64 lineinfile: path: /etc/audit/audit.rules line: '-a always,exit -F arch=b64 -S init_module -k module-change' create: true when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_kernel_module_loading_init - medium_severity - low_complexity - CCE-80414-6 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030820 Ensure auditd Collects File Deletion Events by User - rmdir At a minimum, the audit system should collect file deletion events for all 
users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete RHEL-07-030900 SV-86827r4_rule 5.2.14 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000366 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.4 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.1.1 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 MA-4(1)(a) DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.MA-2 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.7 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00210 SRG-OS-000468-GPOS-00212 SRG-OS-000392-GPOS-00172 Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. CCE-80412-0 # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S rmdir.*" GROUP="delete" FULL_RULE="-a always,exit -F arch=$ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done # # What architecture are we on? # - name: Set architecture for audit rmdir tasks set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" tags: - audit_rules_file_deletion_events_rmdir - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80412-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-53-MA-4(1)(a) - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030900 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") # # Inserts/replaces the rule in /etc/audit/rules.d # - name: Search /etc/audit/rules.d for other DAC audit rules find: paths: "/etc/audit/rules.d" recurse: no contains: "-F key=delete$" patterns: "*.rules" register: find_rmdir tags: - audit_rules_file_deletion_events_rmdir - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80412-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - 
NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-53-MA-4(1)(a) - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030900 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/delete.rules when: find_rmdir.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_file_deletion_events_rmdir - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80412-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-53-MA-4(1)(a) - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030900 - name: Use matched file as the recipient for the rule set_fact: all_files: - "{{ find_rmdir.files | map(attribute='path') | list | first }}" when: find_rmdir.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_file_deletion_events_rmdir - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80412-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-53-MA-4(1)(a) - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030900 - name: Inserts/replaces the rmdir rule in rules.d when on x86 lineinfile: path: "{{ all_files[0] }}" line: "-a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=unset -F key=delete" create: yes tags: - audit_rules_file_deletion_events_rmdir - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80412-0 - 
NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-53-MA-4(1)(a) - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030900 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Inserts/replaces the rmdir rule in rules.d when on x86_64 lineinfile: path: "{{ all_files[0] }}" line: "-a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=unset -F key=delete" create: yes when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_file_deletion_events_rmdir - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80412-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-53-MA-4(1)(a) - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030900 # # Inserts/replaces the rule in /etc/audit/audit.rules # - name: Inserts/replaces the rmdir rule in /etc/audit/audit.rules when on x86 lineinfile: line: "-a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=unset -F key=delete" state: present dest: /etc/audit/audit.rules tags: - audit_rules_file_deletion_events_rmdir - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80412-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-53-MA-4(1)(a) - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030900 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Inserts/replaces the rmdir rule 
in audit.rules when on x86_64 lineinfile: line: "-a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=unset -F key=delete" state: present dest: /etc/audit/audit.rules create: yes when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_file_deletion_events_rmdir - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80412-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-53-MA-4(1)(a) - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030900 Ensure auditd Collects File Deletion Events by User - unlinkat At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete RHEL-07-030920 SV-86831r4_rule 5.2.14 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000366 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 
4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.4 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.1.1 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 MA-4(1)(a) DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.MA-2 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.7 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00210 SRG-OS-000468-GPOS-00212 SRG-OS-000392-GPOS-00172 Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. CCE-80662-0 # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S unlinkat.*" GROUP="delete" FULL_RULE="-a always,exit -F arch=$ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done # # What architecture are we on? 
# - name: Set architecture for audit unlinkat tasks set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" tags: - audit_rules_file_deletion_events_unlinkat - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80662-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-53-MA-4(1)(a) - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030920 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") # # Inserts/replaces the rule in /etc/audit/rules.d # - name: Search /etc/audit/rules.d for other DAC audit rules find: paths: "/etc/audit/rules.d" recurse: no contains: "-F key=delete$" patterns: "*.rules" register: find_unlinkat tags: - audit_rules_file_deletion_events_unlinkat - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80662-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-53-MA-4(1)(a) - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030920 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/delete.rules when: find_unlinkat.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_file_deletion_events_unlinkat - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80662-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - 
NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-53-MA-4(1)(a) - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030920 - name: Use matched file as the recipient for the rule set_fact: all_files: - "{{ find_unlinkat.files | map(attribute='path') | list | first }}" when: find_unlinkat.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_file_deletion_events_unlinkat - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80662-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-53-MA-4(1)(a) - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030920 - name: Inserts/replaces the unlinkat rule in rules.d when on x86 lineinfile: path: "{{ all_files[0] }}" line: "-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete" create: yes tags: - audit_rules_file_deletion_events_unlinkat - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80662-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-53-MA-4(1)(a) - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030920 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Inserts/replaces the unlinkat rule in rules.d when on x86_64 lineinfile: path: "{{ all_files[0] }}" line: "-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete" create: yes when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_file_deletion_events_unlinkat - medium_severity 
- restrict_strategy - low_complexity - low_disruption - CCE-80662-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-53-MA-4(1)(a) - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030920 # # Inserts/replaces the rule in /etc/audit/audit.rules # - name: Inserts/replaces the unlinkat rule in /etc/audit/audit.rules when on x86 lineinfile: line: "-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete" state: present dest: /etc/audit/audit.rules tags: - audit_rules_file_deletion_events_unlinkat - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80662-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-53-MA-4(1)(a) - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030920 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Inserts/replaces the unlinkat rule in audit.rules when on x86_64 lineinfile: line: "-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete" state: present dest: /etc/audit/audit.rules create: yes when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_file_deletion_events_unlinkat - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80662-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-53-MA-4(1)(a) - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.7 - DISA-STIG-RHEL-07-030920 Ensure auditd Collects File Deletion Events by User At a minimum the audit 
system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete

This rule checks for multiple syscalls related to file deletion in a single audit rule; it was written with the DISA STIG in mind. Other policies should use a separate rule for each syscall that needs to be checked, for example:

audit_rules_file_deletion_events_rmdir
audit_rules_file_deletion_events_unlink
audit_rules_file_deletion_events_unlinkat

5.2.14 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000366 CCI-000172 CCI-002884 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.7

Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as in detecting malicious processes that attempt to delete log files to conceal their presence.

CCE-27206-2

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=1000 -F auid!=unset -k *"
    # Use escaped BRE regex to specify rule group
    GROUP="\(rmdir\|unlink\|rename\)"
    FULL_RULE="-a always,exit -F arch=$ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=unset -k delete"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Ensure auditd Collects File Deletion Events by User - rename

At a minimum, the audit system should collect file deletion events for all users and root.
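The combined STIG rule above names five syscalls in one rule (either as one comma-separated -S list or as repeated -S arguments, both of which auditctl accepts), while the per-syscall rules on this page for rmdir, unlinkat and rename each expect their own line; auditctl also accepts auid!=4294967295 and auid!=-1 as spellings of auid!=unset. A checker that compares rule lines as strings therefore reports a host that applied the combined rule as failing the per-syscall rules, and the reverse. The following shell script is an added example, not code from SCAP Security Guide, that expands every syscall rule into one canonical "ARCH SYSCALL FILTERS -k KEY" line per syscall, so that a per-syscall requirement is satisfied by either form. The function names and the rules file it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not SCAP Security Guide code): expand audit syscall rules so
# that the combined STIG deletion rule and the per-syscall rules compare equal.

# expand_syscall_rules FILE...: print one line "ARCH SYSCALL FILTERS -k KEY"
# per syscall named in each -a always,exit rule, whether the syscalls are
# written "-S a,b,c" or "-S a -S b -S c". "-F key=X" is read as "-k X" and
# the numeric spellings of the unset audit uid as "auid!=unset".
expand_syscall_rules() {
    cat "$@" 2>/dev/null | awk '
    {
        sub(/#.*$/, "")
        gsub(/-F key=/, "-k ")
        gsub(/auid!=(4294967295|-1)/, "auid!=unset")
    }
    $1 == "-a" && ($2 == "always,exit" || $2 == "exit,always") {
        arch = ""; key = ""; filters = ""; n = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-F" && $(i+1) ~ /^arch=/) { arch = substr($(i+1), 6); i++ }
            else if ($i == "-F")                { filters = filters " " $(i+1); i++ }
            else if ($i == "-S") {
                m = split($(i+1), parts, ",")
                for (j = 1; j <= m; j++) sc[++n] = parts[j]
                i++
            }
            else if ($i == "-k")                { key = $(i+1); i++ }
        }
        for (j = 1; j <= n; j++) printf "%s %s%s -k %s\n", arch, sc[j], filters, key
        split("", sc)
    }'
}

# has_deletion_rule ARCH SYSCALL FILE...: succeed if SYSCALL on ARCH is
# audited for real users (auid>=1000 and auid!=unset) under the key "delete",
# whether by a dedicated rule or by the combined rule.
has_deletion_rule() {
    _arch=$1; _sc=$2; shift 2
    expand_syscall_rules "$@" \
      | grep -E "^${_arch} ${_sc} " \
      | grep -F 'auid>=1000' | grep -F 'auid!=unset' \
      | grep -qE -- '-k delete$'
}

# check_deletion_rules "ARCHS" FILE...: print each missing (arch, syscall)
# pair for the five syscalls of the combined rule; return 1 if any is missing.
check_deletion_rules() {
    _archs=$1; shift
    _rc=0
    for _a in $_archs; do
        for _s in rmdir unlink unlinkat rename renameat; do
            has_deletion_rule "$_a" "$_s" "$@" || {
                echo "missing: arch=$_a syscall=$_s"
                _rc=1
            }
        done
    done
    return $_rc
}

# Demonstration on a constructed rules file (not taken from a real host): the
# b64 line is the augenrules form of the combined rule above, the b32 line the
# repeated -S form with an older spelling of the unset auid, and renameat is
# deliberately left out on b32.
demo_dir=$(mktemp -d)
cat > "$demo_dir/delete.rules" <<'EOF'
-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -F auid>=1000 -F auid!=4294967295 -k delete
EOF
expand_syscall_rules "$demo_dir"/*.rules
check_deletion_rules "b32 b64" "$demo_dir"/*.rules \
    || echo "file-deletion audit rules incomplete"
rm -rf "$demo_dir"
```

The expanded form is also the right input for the per-syscall rules that follow (rmdir, unlinkat, rename): each of them is one grep over the expanded output rather than a search for a literal line, so a host remediated with the combined rule passes them and a host remediated one syscall at a time passes the combined check once all five syscalls are present on every architecture.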
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete

References: RHEL-07-030880 SV-86823r4_rule 5.2.14 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000366 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.4 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.1.1 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 MA-4(1)(a) DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.MA-2 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.7 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00210 SRG-OS-000468-GPOS-00212 SRG-OS-000392-GPOS-00172

Rationale: Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.

Identifiers: CCE-80995-4

Remediation Shell script:

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S rename.*"
    GROUP="delete"
    FULL_RULE="-a always,exit -F arch=$ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    # (fix_audit_syscall_rule is provided by the SSG bash remediation function library)
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

#
# What architecture are we on?
#
- name: Set architecture for audit rename tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags: [audit_rules_file_deletion_events_rename, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80995-4, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030880]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=delete$"
    patterns: "*.rules"
  register: find_rename
  tags: [audit_rules_file_deletion_events_rename, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80995-4, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030880]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/delete.rules
  when: find_rename.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_file_deletion_events_rename, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80995-4, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030880]

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_rename.files | map(attribute='path') | list | first }}"
  when: find_rename.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_file_deletion_events_rename, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80995-4, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030880]

- name: Inserts/replaces the rename rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -F key=delete"
    create: yes
  tags: [audit_rules_file_deletion_events_rename, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80995-4, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030880]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the rename rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -F key=delete"
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_file_deletion_events_rename, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80995-4, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030880]

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the rename rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -F key=delete"
    state: present
    dest: /etc/audit/audit.rules
  tags: [audit_rules_file_deletion_events_rename, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80995-4, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030880]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the rename rule in audit.rules when on x86_64
  lineinfile:
    line: "-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -F key=delete"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_file_deletion_events_rename, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80995-4, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030880]

Ensure auditd Collects File Deletion Events by User - renameat

At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete

References: RHEL-07-030890 SV-86825r4_rule 5.2.14 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000366 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b)
164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.4 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.1.1 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 MA-4(1)(a) DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.MA-2 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.7 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00210 SRG-OS-000468-GPOS-00212 SRG-OS-000392-GPOS-00172

Rationale: Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.

Identifiers: CCE-80413-8

Remediation Shell script:

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S renameat.*"
    GROUP="delete"
    FULL_RULE="-a always,exit -F arch=$ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    # (fix_audit_syscall_rule is provided by the SSG bash remediation function library)
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

#
# What architecture are we on?
#
- name: Set architecture for audit renameat tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags: [audit_rules_file_deletion_events_renameat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80413-8, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030890]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=delete$"
    patterns: "*.rules"
  register: find_renameat
  tags: [audit_rules_file_deletion_events_renameat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80413-8, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030890]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/delete.rules
  when: find_renameat.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_file_deletion_events_renameat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80413-8, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030890]

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_renameat.files | map(attribute='path') | list | first }}"
  when: find_renameat.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_file_deletion_events_renameat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80413-8, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030890]

- name: Inserts/replaces the renameat rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=unset -F key=delete"
    create: yes
  tags: [audit_rules_file_deletion_events_renameat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80413-8, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030890]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the renameat rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=unset -F key=delete"
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_file_deletion_events_renameat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80413-8, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030890]

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the renameat rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "-a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=unset -F key=delete"
    state: present
    dest: /etc/audit/audit.rules
  tags: [audit_rules_file_deletion_events_renameat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80413-8, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030890]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the renameat rule in audit.rules when on x86_64
  lineinfile:
    line: "-a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=unset -F key=delete"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_file_deletion_events_renameat, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80413-8, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030890]

Ensure auditd Collects File Deletion Events by User - unlink

At a minimum,
the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete

References: RHEL-07-030910 SV-86829r4_rule 5.2.14 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000366 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.4 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.1.1 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 MA-4(1)(a) DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.MA-2 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.7 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00210 SRG-OS-000468-GPOS-00212 SRG-OS-000392-GPOS-00172

Rationale: Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.

Identifiers: CCE-80996-2

Remediation Shell script:

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S unlink.*"
    GROUP="delete"
    FULL_RULE="-a always,exit -F arch=$ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    # (fix_audit_syscall_rule is provided by the SSG bash remediation function library)
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

#
# What architecture are we on?
#
- name: Set architecture for audit unlink tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags: [audit_rules_file_deletion_events_unlink, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80996-2, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030910]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=delete$"
    patterns: "*.rules"
  register: find_unlink
  tags: [audit_rules_file_deletion_events_unlink, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80996-2, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030910]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/delete.rules
  when: find_unlink.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_file_deletion_events_unlink, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80996-2, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030910]

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_unlink.files | map(attribute='path') | list | first }}"
  when: find_unlink.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_file_deletion_events_unlink, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80996-2, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030910]

- name: Inserts/replaces the unlink rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=unset -F key=delete"
    create: yes
  tags: [audit_rules_file_deletion_events_unlink, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80996-2, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030910]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the unlink rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=unset -F key=delete"
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_file_deletion_events_unlink, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80996-2, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030910]

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the unlink rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "-a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=unset -F key=delete"
    state: present
    dest: /etc/audit/audit.rules
  tags: [audit_rules_file_deletion_events_unlink, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80996-2, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030910]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the unlink rule in audit.rules when on x86_64
  lineinfile:
    line: "-a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=unset -F key=delete"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_file_deletion_events_unlink, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80996-2, NIST-800-53-AC-17(7), NIST-800-53-AU-1(b), NIST-800-53-AU-2(a), NIST-800-53-AU-2(c), NIST-800-53-AU-2(d), NIST-800-53-AU-12(a), NIST-800-53-AU-12(c), NIST-800-53-IR-5, NIST-800-53-MA-4(1)(a), NIST-800-171-3.1.7, PCI-DSS-Req-10.2.7, DISA-STIG-RHEL-07-030910]

Ensure auditd Collects Information on Exporting to Media (successful)

At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export

References: RHEL-07-030740 SV-86795r6_rule 5.2.13 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000135 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A)
164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-3(1) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.2.7 SRG-OS-000042-GPOS-00020 SRG-OS-000392-GPOS-00172

Rationale: The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.

Identifiers: CCE-27447-2

Remediation Shell script:

# Perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=1000 -F auid!=unset -k *"
    GROUP="mount"
    FULL_RULE="-a always,exit -F arch=$ARCH -S mount -F auid>=1000 -F auid!=unset -k export"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    # (fix_audit_syscall_rule is provided by the SSG bash remediation function library)
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

10.3 Record at least the following audit

Enable Auditing for Processes Which Start Prior to the Audit Daemon

To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:

GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 audit=1"

The GRUB 2 configuration file, grub.cfg, is automatically updated each time a new kernel is installed. Note that any changes to /etc/default/grub require rebuilding the grub.cfg file. To update the GRUB 2 configuration file manually, use the grub2-mkconfig -o command as follows:

On BIOS-based machines, issue the following command as root:

~]# grub2-mkconfig -o /boot/grub2/grub.cfg

On UEFI-based machines, issue the following command as root:

~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

References: 4.1.3 1 11 12 13 14 15 16 19 3 4 5 6 7 8 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.02 DSS05.03 DSS05.04 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.3.1 CCI-001464 CCI-000130 164.308(a)(1)(ii)(D) 164.308(a)(5)(ii)(C) 164.310(a)(2)(iv) 164.310(d)(2)(iii) 164.312(b) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(1) AU-14(1) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-10 AU-12 IR-5 DE.AE-3 DE.AE-5 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.3

Rationale: Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.

Identifiers: CCE-27212-0

Remediation Shell script:

# Correct the form of default kernel command line in GRUB
if grep -q '^GRUB_CMDLINE_LINUX=.*audit=.*"' '/etc/default/grub' ; then
    # modify the GRUB command-line if an audit= arg already exists
    sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)audit=[^[:space:]]*\(.*"\)/\1 audit=1 \2/' '/etc/default/grub'
else
    # no audit= arg is present, append it
    sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 audit=1"/' '/etc/default/grub'
fi

# Correct the form of kernel command line for each installed kernel in the bootloader
grubby --update-kernel=ALL --args="audit=1"

10.3.1 User identification

10.3.2 Type of event

10.3.3 Date and time

10.3.4 Success or failure indication

10.3.5 Origination of event

10.3.6 Identity or name of affected

10.4 Using time-synchronization

Enable systemd_timesyncd Service

The systemd_timesyncd service can be enabled with the following command:

$ sudo systemctl enable systemd_timesyncd.service

References: NT012(R03) 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 CCI-000160 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-8(1) PR.PT-1 Req-10.4

Rationale: Enabling the systemd_timesyncd service ensures that this host uses the NTP protocol to fetch time data from an NTP server. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches. Additional information on the Ubuntu network time protocol setup is available at https://help.ubuntu.com/lts/serverguide/NTP.html.en.

Enable the NTP Daemon

Run the following command to determine the current status of the chronyd service:

$ systemctl is-active chronyd

If the service is running, it should return the following:

active

Note: The chronyd daemon is enabled by default.
Run the following command to determine the current status of the ntpd service:

    $ systemctl is-active ntpd

If the service is running, it should return the following:

    active

Note: The ntpd daemon is not enabled by default. As mentioned in the previous sections, in certain environments the ntpd daemon might be preferred over chronyd. Refer to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html for guidance on which NTP daemon to choose depending on the environment used.

References: 2.2.1.1 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 3.3.7 CCI-000160 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-8(1) PR.PT-1 Req-10.4 SRG-OS-000356-VMM-001340

Rationale: Enabling either the chronyd or the ntpd service ensures that an NTP daemon will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches. The chronyd and ntpd NTP daemons offer all of the functionality of ntpdate, which is now deprecated. Additional information on this is available at http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate

Remediation Shell script (CCE-27444-9):

    # package_install and service_command are helper functions from the
    # SCAP Security Guide remediation library
    if ! rpm -q --quiet chrony && ! rpm -q --quiet ntp; then
      # neither daemon is installed: install and enable chrony (the default)
      package_install chrony
      service_command enable chronyd
    elif rpm -q --quiet chrony; then
      # chrony is installed: enable it unless ntpd is already running
      if ! /usr/sbin/pidof ntpd >/dev/null; then
        service_command enable chronyd
      fi
    else
      # only ntp is installed
      service_command enable ntpd
    fi

Install the ntp service

The ntpd service should be installed.
References: NT012(R03) 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 CCI-000160 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-8(1) PR.PT-1 Req-10.4

Rationale: Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptography-based services such as authentication, etc.). ntpd is regularly maintained and updated, supporting security features such as RFC 5906.

Remediation Shell script:

    package_install ntp

Remediation Ansible snippet:

    - name: Ensure ntp is installed
      package:
        name: ntp
        state: present
      tags:
        - package_ntp_installed
        - high_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - NIST-800-53-AU-8(1)
        - PCI-DSS-Req-10.4
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Remediation Puppet snippet:

    include install_ntp
    class install_ntp {
      package { 'ntp':
        ensure => 'installed',
      }
    }

Remediation Anaconda snippet:

    package --add=ntp

Enable the NTP Daemon

The ntpd service can be enabled with the following command:

    $ sudo systemctl enable ntpd.service

References: 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-8(1) PR.PT-1 Req-10.4

Rationale: Enabling the ntpd service ensures that the ntpd service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches. The NTP daemon offers all of the functionality of ntpdate, which is now deprecated. Additional information on this is available at http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate.
Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" start 'ntpd.service'
    "$SYSTEMCTL_EXEC" enable 'ntpd.service'

Remediation Ansible snippet:

    - name: Enable service ntpd
      service:
        name: ntpd
        enabled: "yes"
        state: "started"
      tags:
        - service_ntpd_enabled
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - NIST-800-53-AU-8(1)
        - PCI-DSS-Req-10.4
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the NTP Daemon

The ntpd service can be enabled with the following command:

    $ sudo systemctl enable ntpd.service

References: NT012(R03) 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 CCI-000160 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-8(1) PR.PT-1 Req-10.4

Rationale: Enabling the ntpd service ensures that the ntpd service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches. The NTP daemon offers all of the functionality of ntpdate, which is now deprecated. Additional information on this is available at http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate.

10.4.1 Critical systems have the

Specify a Remote NTP Server

Depending on specific functional requirements of a concrete production environment, the Red Hat Enterprise Linux 7 system can be configured to utilize the services of the chronyd NTP daemon (the default), or services of the ntpd NTP daemon.
Refer to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html for a more detailed comparison of the features of both choices, and for further guidance on how to choose between the two NTP daemons. To specify a remote NTP server for time synchronization, perform the following: if the system is configured to use chronyd as the NTP daemon (the default), edit the file /etc/chrony.conf as follows; if the system is configured to use ntpd as the NTP daemon, edit the file /etc/ntp.conf as documented below. Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver:

    server ntpserver

This instructs the NTP software to contact that remote server to obtain time data.

References: 3.6 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 3.3.7 CCI-000160 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-8(1) PR.PT-1 Req-10.4.1 Req-10.4.3

Rationale: Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events.

Remediation Shell script (CCE-27278-1):

    var_multiple_time_servers=""
    # Invoke the function without args, so its body is substituted right here.
    ensure_there_are_servers_in_ntp_compatible_config_file
    config_file="/etc/ntp.conf"
    /usr/sbin/pidof ntpd || config_file="/etc/chrony.conf"
    grep -q ^server "$config_file" || ensure_there_are_servers_in_ntp_compatible_config_file "$config_file" "$var_multiple_time_servers"

Specify a Remote NTP Server

To specify a remote NTP server for time synchronization, edit the file /etc/ntp.conf. Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver:

    server ntpserver

This instructs the NTP software to contact that remote server to obtain time data.
References: 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-8(1) PR.PT-1 Req-10.4.1 Req-10.4.3

Rationale: Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events.

10.4.1.a Examine the process for acquiring, distributing and
10.4.1.b Observe the time-related system-parameter settings for
10.4.2 Time data is protected.
10.4.2.a Examine system configurations and time-
10.4.2.b Examine system configurations, time synchronization

Record Attempts to Alter Time Through stime

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d for both 32 bit and 64 bit systems:

    -a always,exit -F arch=b32 -S stime -F key=audit_time_rules

Since the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems).

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file for both 32 bit and 64 bit systems:

    -a always,exit -F arch=b32 -S stime -F key=audit_time_rules

Since the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems).
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined system calls:

    -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules

References: 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-001487 CCI-000169 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.4.2.b

Rationale: Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Remediation Shell script (CCE-27299-7):

    # helper function from the SCAP Security Guide remediation library
    perform_audit_adjtimex_settimeofday_stime_remediation

Record attempts to alter time through settimeofday

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules

If the system is 64 bit then also add the following line:

    -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

    -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules

If the system is 64 bit then also add the following line:

    -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules

The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required.
See an example of multiple combined syscalls:

    -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules

References: 5.2.4 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-001487 CCI-000169 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.4.2.b

Rationale: Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Remediation Shell script (CCE-27216-1):

    # helper function from the SCAP Security Guide remediation library
    perform_audit_adjtimex_settimeofday_stime_remediation

Record Attempts to Alter the localtime File

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -w /etc/localtime -p wa -k audit_time_rules

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

    -w /etc/localtime -p wa -k audit_time_rules

The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.

References: 5.2.4 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-001487 CCI-000169 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(b) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.4.2.b

Rationale: Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd).
All changes to the system time should be audited.

Remediation Shell script (CCE-27310-2):

    # fix_audit_watch_rule is a helper function from the SCAP Security Guide remediation library
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_watch_rule "auditctl" "/etc/localtime" "wa" "audit_time_rules"
    fix_audit_watch_rule "augenrules" "/etc/localtime" "wa" "audit_time_rules"

Record Attempts to Alter Time Through clock_settime

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change

If the system is 64 bit then also add the following line:

    -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

    -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change

If the system is 64 bit then also add the following line:

    -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change

The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required.
See an example of multiple combined syscalls:

    -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules

References: 5.2.4 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-001487 CCI-000169 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.4.2.b

Rationale: Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
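The following is an added example, not code from the SCAP Security Guide: a read-only check that reports which of the time-change audit rules described in the stime, settimeofday, localtime and clock_settime rules above (and the adjtimex rule that the combined example line refers to) are missing from a rules file. The rules file path is a parameter so the check runs on constructed input; applying rules is left to augenrules or auditctl as the guide describes. The function names and the sample rules file are assumptions of the example; rules are assumed to be written in the guide's own form, the key is accepted in either the -k or the -F key= spelling, and the key value is not checked.

```bash
#!/bin/bash
# Added example, not SSG code: read an audit rules file (path given as argument) and
# report which time-change rules are missing. Rules are assumed to be in the guide's
# form (-a always,exit -F arch=... -S ...); "-k KEY" and "-F key=KEY" are both accepted.

# Canonicalise one rule line: squeeze whitespace and rewrite "-k KEY" as "-F key=KEY".
audit_canon_rule() {
    printf '%s\n' "$1" | sed -E 's/[[:space:]]+/ /g; s/^ //; s/ $//; s/-k ([^ ]+)/-F key=\1/'
}

# Return 0 if FILE has a syscall rule for ARCH (b32/b64) that lists SYSCALL, possibly
# among several comma-separated syscalls on one line; return 1 otherwise.
audit_has_syscall_rule() {
    local file="$1" arch="$2" syscall="$3" line canon list
    while IFS= read -r line; do
        canon=$(audit_canon_rule "$line")
        case "$canon" in
            "-a always,exit -F arch=$arch -S "*)
                list=${canon#*-S }          # text after "-S "
                list=${list%% *}            # up to the next space: the syscall list
                case ",$list," in *",$syscall,"*) return 0 ;; esac ;;
        esac
    done < "$file"
    return 1
}

# Return 0 if FILE has a watch rule "-w PATH -p PERMS", 1 otherwise.
audit_has_watch_rule() {
    local file="$1" path="$2" perms="$3" line canon
    while IFS= read -r line; do
        canon=$(audit_canon_rule "$line")
        case "$canon" in "-w $path -p $perms "*|"-w $path -p $perms") return 0 ;; esac
    done < "$file"
    return 1
}

# Print the missing time-change rules, one per line, and return 1 if any is missing.
# BITS is 32 or 64 (default 64): on 32-bit systems no b64 rules are expected, and the
# stime rule is only ever expected in its b32 form (there is no 64-bit stime syscall).
audit_time_rules_missing() {
    local file="$1" bits="${2:-64}" missing=0 arch sc
    for sc in adjtimex settimeofday clock_settime; do
        for arch in b32 b64; do
            if [ "$arch" = b64 ] && [ "$bits" = 32 ]; then continue; fi
            audit_has_syscall_rule "$file" "$arch" "$sc" || { echo "syscall $sc ($arch)"; missing=1; }
        done
    done
    audit_has_syscall_rule "$file" b32 stime || { echo "syscall stime (b32)"; missing=1; }
    audit_has_watch_rule "$file" /etc/localtime wa || { echo "watch /etc/localtime"; missing=1; }
    return "$missing"
}

# Stand-alone demonstration on a constructed rules file that lacks the 64-bit clock_settime rule.
demo_audit_time_rules() {
    local tmp
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
## constructed sample, not a real /etc/audit/rules.d file
-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=audit_time_rules
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -k time-change
-w /etc/localtime -p wa -k audit_time_rules
EOF
    audit_time_rules_missing "$tmp" 64 || echo "(time-change rules incomplete)"
    rm -f "$tmp"
}
demo_audit_time_rules
```

Canonicalising each line before matching is what makes the check tolerate the two key spellings and combined syscall lists, both of which the rules above say are acceptable; a check that greps for the literal rule text would report false findings on either.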
Remediation Shell script (CCE-27219-5):

    # fix_audit_syscall_rule is a helper function from the SCAP Security Guide remediation library
    # First perform the remediation of the syscall rule
    # Retrieve hardware architecture of the underlying system
    [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
    for ARCH in "${RULE_ARCHS[@]}"
    do
      PATTERN="-a always,exit -F arch=$ARCH -S clock_settime -F a0=.* \(-F key=\|-k \).*"
      GROUP="clock_settime"
      FULL_RULE="-a always,exit -F arch=$ARCH -S clock_settime -F a0=0x0 -k time-change"
      # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
      fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
      fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    done

Record attempts to alter time through adjtimex

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules

If the system is 64 bit then also add the following line:

    -a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

    -a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules

If the system is 64 bit then also add the following line:

    -a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules

The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required.
See an example of multiple combined syscalls:

    -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules

References: 5.2.4 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-001487 CCI-000169 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.4.2.b

Rationale: Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Remediation Shell script (CCE-27290-6):

    # helper function from the SCAP Security Guide remediation library
    perform_audit_adjtimex_settimeofday_stime_remediation

10.4.3 Time settings are received from

Specify Additional Remote NTP Servers

Depending on specific functional requirements of a concrete production environment, the Red Hat Enterprise Linux 7 system can be configured to utilize the services of the chronyd NTP daemon (the default), or services of the ntpd NTP daemon.
Refer to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html for a more detailed comparison of the features of both choices, and for further guidance on how to choose between the two NTP daemons. Additional NTP servers can be specified for time synchronization. To do so, perform the following: if the system is configured to use chronyd as the NTP daemon (the default), edit the file /etc/chrony.conf as follows; if the system is configured to use ntpd as the NTP daemon, edit the file /etc/ntp.conf as documented below. Add additional lines of the following form, substituting the IP address or hostname of a remote NTP server for ntpserver:

    server ntpserver

References: 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-8(1) PR.PT-1 Req-10.4.3

Rationale: Specifying additional NTP servers increases the availability of accurate time data, in the event that one of the specified servers becomes unavailable. This is typical for a system acting as an NTP server for other systems.

Remediation Shell script (CCE-27012-4):

    var_multiple_time_servers=""
    # Invoke the function without args, so its body is substituted right here.
    ensure_there_are_servers_in_ntp_compatible_config_file
    config_file="/etc/ntp.conf"
    /usr/sbin/pidof ntpd || config_file="/etc/chrony.conf"
    [ "$(grep -c '^server' "$config_file")" -gt 1 ] || ensure_there_are_servers_in_ntp_compatible_config_file "$config_file" "$var_multiple_time_servers"

Specify Additional Remote NTP Servers

Additional NTP servers can be specified for time synchronization in the file /etc/ntp.conf.
To do so, add additional lines of the following form, substituting the IP address or hostname of a remote NTP server for ntpserver:

    server ntpserver

References: 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-8(1) PR.PT-1 Req-10.4.3

Rationale: Specifying additional NTP servers increases the availability of accurate time data, in the event that one of the specified servers becomes unavailable. This is typical for a system acting as an NTP server for other systems.

Specify a Remote NTP Server

Depending on specific functional requirements of a concrete production environment, the Red Hat Enterprise Linux 7 system can be configured to utilize the services of the chronyd NTP daemon (the default), or services of the ntpd NTP daemon. Refer to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html for a more detailed comparison of the features of both choices, and for further guidance on how to choose between the two NTP daemons. To specify a remote NTP server for time synchronization, perform the following: if the system is configured to use chronyd as the NTP daemon (the default), edit the file /etc/chrony.conf as follows; if the system is configured to use ntpd as the NTP daemon, edit the file /etc/ntp.conf as documented below. Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver:

    server ntpserver

This instructs the NTP software to contact that remote server to obtain time data.
References: 3.6 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 3.3.7 CCI-000160 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-8(1) PR.PT-1 Req-10.4.1 Req-10.4.3

Rationale: Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events.

Remediation Shell script (CCE-27278-1):

    var_multiple_time_servers=""
    # Invoke the function without args, so its body is substituted right here.
    ensure_there_are_servers_in_ntp_compatible_config_file
    config_file="/etc/ntp.conf"
    /usr/sbin/pidof ntpd || config_file="/etc/chrony.conf"
    grep -q ^server "$config_file" || ensure_there_are_servers_in_ntp_compatible_config_file "$config_file" "$var_multiple_time_servers"

Specify a Remote NTP Server

To specify a remote NTP server for time synchronization, edit the file /etc/ntp.conf. Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver:

    server ntpserver

This instructs the NTP software to contact that remote server to obtain time data.

References: 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-8(1) PR.PT-1 Req-10.4.1 Req-10.4.3

Rationale: Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events.
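The following is an added example, not code from the SCAP Security Guide, serving both the "Specify a Remote NTP Server" and the "Specify Additional Remote NTP Servers" rules above: it counts the time sources configured in a chrony or ntpd configuration file and appends the wanted "server" lines only when they are missing, which is the check the remediation scripts above perform with grep -q ^server and grep -c '^server'. The configuration file path and the server names are parameters; the function names and the host names used in the demonstration are constructed placeholders, not real servers.

```bash
#!/bin/bash
# Added example, not SSG code: count the time sources in a chrony or ntpd configuration
# file and add "server" lines for hosts that are not yet configured. Paths and host
# names are parameters; the demo uses constructed placeholder names.

# Print the number of configured time sources. Both chronyd and ntpd accept "server",
# "pool" and "peer" directives, so all three count; commented-out lines do not.
ntp_source_count() {
    grep -Ec '^[[:space:]]*(server|pool|peer)[[:space:]]+' "$1" || true   # grep -c exits 1 on zero matches
}

# Return 0 when the file has at least WANTED sources (default 1), 1 otherwise.
ntp_sources_sufficient() {
    [ "$(ntp_source_count "$1")" -ge "${2:-1}" ]
}

# Append "server HOST iburst" for each HOST not already present as a source.
# iburst shortens the initial synchronisation; both daemons understand it.
ntp_ensure_servers() {
    local config_file="$1" host pat
    shift
    for host in "$@"; do
        pat=$(printf '%s' "$host" | sed 's/\./\\./g')   # escape dots so they are not regex wildcards
        if ! grep -Eq "^[[:space:]]*(server|pool|peer)[[:space:]]+${pat}([[:space:]]|\$)" "$config_file"; then
            printf 'server %s iburst\n' "$host" >> "$config_file"
        fi
    done
}

# Stand-alone demonstration on a constructed chrony.conf that has only a commented-out
# example line and therefore no live time source.
demo_ntp_servers() {
    local tmp
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample, not a real /etc/chrony.conf
#server ntpserver iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
EOF
    printf 'before: %s source(s)\n' "$(ntp_source_count "$tmp")"
    ntp_ensure_servers "$tmp" ntp1.example.internal ntp2.example.internal
    printf 'after:  %s source(s)\n' "$(ntp_source_count "$tmp")"
    grep -E '^(server|pool|peer)' "$tmp"
    rm -f "$tmp"
}
demo_ntp_servers
```

Counting pool and peer directives as well as server matters for the check: a stock chrony.conf on Red Hat Enterprise Linux 7 ships with a pool line, which a grep for ^server alone would miss and report as "no time source". Running the fix twice with the same hosts adds nothing the second time.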
10.5 Secure audit trails so they cannot

System Audit Logs Must Have Mode 0640 or Less Permissive

If log_group in /etc/audit/auditd.conf is set to a group other than the root group account, change the mode of the audit log files with the following command:

    $ sudo chmod 0640 audit_file

Otherwise, change the mode of the audit log files with the following command:

    $ sudo chmod 0600 audit_file

References: 1 11 12 13 14 15 16 18 19 3 4 5 6 7 8 5.4.1.1 APO01.06 APO11.04 APO12.06 BAI03.05 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 DSS06.02 MEA02.01 3.3.1 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.3.7.3 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 5.2 SR 6.1 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 AU-1(b) AU-9 IR-5 DE.AE-3 DE.AE-5 PR.AC-4 PR.DS-5 PR.PT-1 RS.AN-1 RS.AN-4 Req-10.5

Rationale: If users can write to audit logs, audit trails can be modified or destroyed.

Remediation Shell script (CCE-27205-4):

    if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then
      GROUP=$(awk -F "=" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
      if ! [ "${GROUP}" == 'root' ] ; then
        chmod 0640 /var/log/audit/audit.log
        chmod 0440 /var/log/audit/audit.log.*
      else
        chmod 0600 /var/log/audit/audit.log
        chmod 0400 /var/log/audit/audit.log.*
      fi
      chmod 0640 /etc/audit/audit*
      chmod 0640 /etc/audit/rules.d/*
    else
      chmod 0600 /var/log/audit/audit.log
      chmod 0400 /var/log/audit/audit.log.*
      chmod 0640 /etc/audit/audit*
      chmod 0640 /etc/audit/rules.d/*
    fi

10.5.1 Limit viewing of audit trails to

System Audit Logs Must Be Owned By Root

All audit logs must be owned by root user and group. By default, the path for audit log is /var/log/audit/.
To properly set the owner of /var/log/audit, run the command:

    $ sudo chown root /var/log/audit

To properly set the owner of /var/log/audit/*, run the command:

    $ sudo chown root /var/log/audit/*

References: 1 11 12 13 14 15 16 18 19 3 4 5 6 7 8 5.4.1.1 APO01.06 APO11.04 APO12.06 BAI03.05 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 DSS06.02 MEA02.01 3.3.1 CCI-000163 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.3.7.3 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 5.2 SR 6.1 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 AU-1(b) AU-9 IR-5 DE.AE-3 DE.AE-5 PR.AC-4 PR.DS-5 PR.PT-1 RS.AN-1 RS.AN-4 Req-10.5.1 SRG-OS-000058-GPOS-00028

Rationale: Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.

Remediation Shell script (CCE-80125-8):

    if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then
      GROUP=$(awk -F "=" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
      if ! [ "${GROUP}" == 'root' ] ; then
        chown root.${GROUP} /var/log/audit
        chown root.${GROUP} /var/log/audit/audit.log*
      else
        chown root.root /var/log/audit
        chown root.root /var/log/audit/audit.log*
      fi
    else
      chown root.root /var/log/audit
      chown root.root /var/log/audit/audit.log*
    fi

Ensure Log Files Are Owned By Appropriate User

The owner of all log files written by rsyslog should be . These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log.
For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's owner:

    $ ls -l LOGFILE

If the owner is not , run the following command to correct this:

    $ sudo chown LOGFILE

References: 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 CCI-001314 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 SI-11 PR.AC-4 PR.DS-5 Req-10.5.1 Req-10.5.2

Rationale: The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.

CCE-80189-4

Ensure Log Files Are Owned By Appropriate Group

The group-owner of all log files written by rsyslog should be . These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's group owner:

    $ ls -l LOGFILE

If the owner is not , run the following command to correct this:

    $ sudo chgrp LOGFILE

References: 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 CCI-001314 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 SI-11 PR.AC-4 PR.DS-5 Req-10.5.1 Req-10.5.2

Rationale: The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.

CCE-80190-2

Ensure System Log Files Have Correct Permissions

The file permissions for all log files written by rsyslog should be set to 600, or more restrictive.
These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log.

For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's permissions:

    $ ls -l LOGFILE

If the permissions are not 600 or more restrictive, run the following command to correct this:

    $ sudo chmod 0600 LOGFILE

References: 4.2.1.3 CCI-001314 SI-11 Req-10.5.1 Req-10.5.2

Rationale: Log files can contain valuable information regarding system configuration. If the system log files are not protected, unauthorized users could change the logged data, eliminating their forensic value.

Identifier: CCE-80191-0

Remediation Shell script:

    # List of log file paths to be inspected for correct permissions
    # * Primarily inspect log file paths listed in /etc/rsyslog.conf
    RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
    # * And also the log file paths listed after rsyslog's $IncludeConfig directive
    #   (store the result into an array in case a shell glob is used as the value of IncludeConfig)
    RSYSLOG_INCLUDE_CONFIG=($(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2))
    # Declare an array to hold the final list of different log file paths
    declare -a LOG_FILE_PATHS

    # Browse each file selected above as containing paths of log files
    # ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
    for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}"
    do
      # From each of these files extract just the particular log file path(s), thus:
      # * Ignore lines starting with space (' '), comment ('#'), or variable syntax ('$') characters,
      # * Ignore empty lines,
      # * From the remaining valid rows select only fields constituting a log file path.
      # A text file column is understood to represent a log file path if and only if all of the following are met:
      # * it contains at least one slash '/' character,
      # * it doesn't contain space (' '), colon (':'), or semicolon (';') characters.
      # Search the file for path(s) only in case it exists!
      if [[ -f "${LOG_FILE}" ]]
      then
        MATCHED_ITEMS=$(sed -e "/^[[:space:]|#|$]/d ; s/[^\/]*[[:space:]]*\([^:;[:space:]]*\)/\1/g ; /^$/d" "${LOG_FILE}")
        # Since the above sed command might return more than one item (delimited by newline), split the
        # matched entries into a new array specific for this log file
        readarray -t ARRAY_FOR_LOG_FILE <<< "$MATCHED_ITEMS"
        # Concatenate the two arrays - previous content of the $LOG_FILE_PATHS array with
        # items from the newly created array for this log file
        LOG_FILE_PATHS=("${LOG_FILE_PATHS[@]}" "${ARRAY_FOR_LOG_FILE[@]}")
        # Delete the temporary array
        unset ARRAY_FOR_LOG_FILE
      fi
    done

    for LOG_FILE_PATH in "${LOG_FILE_PATHS[@]}"
    do
      # Sanity check - if the particular $LOG_FILE_PATH is an empty string, or is not a
      # regular file that exists on this system, skip it from further processing
      if [ -z "$LOG_FILE_PATH" ] || [ ! -f "$LOG_FILE_PATH" ]
      then
        continue
      fi
      # For each log file check whether any permission bit outside 0600 (group or
      # other access) is set. If so, tighten to 600; a file that is already more
      # restrictive (for example 0400) is left alone, matching the rule text.
      MODE=$(/usr/bin/stat -c %a "$LOG_FILE_PATH")
      if [ $(( 8#$MODE & 0177 )) -ne 0 ]
      then
        /bin/chmod 600 "$LOG_FILE_PATH"
      fi
    done

10.5.2 Protect audit trail files from

Make the auditd Configuration Immutable

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to make the auditd configuration immutable:

    -e 2

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file in order to make the auditd configuration immutable:

    -e 2

With this setting, a reboot will be required to change any audit rules.
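The three rsyslog rules listed above (owner, group owner and mode of every file named by a Rule line) are easier to verify than to fix blind, and the remediation script above only handles mode. The following Python script is an added example, not code from the SCAP Security Guide or its remediation library: it parses rsyslog.conf-style rule lines, follows $IncludeConfig globs, skips remote and non-file actions, and reports files whose owner, group or mode violate the requirement. The temporary directory, the sample configuration it writes and the expected uid/gid it derives from that directory are all constructed for the demonstration; on a real host you would call it with /etc/rsyslog.conf and uid/gid 0.

```python
"""Audit the files rsyslog writes to for owner, group and mode.

Added example, not SCAP Security Guide code. Parses rsyslog.conf-style rule
lines ('<selector>  <action>'), follows $IncludeConfig globs, and reports
files that are not owned by the expected uid/gid or are wider than 0600.
"""
import glob
import os
import re
import stat
import tempfile

INCLUDE_RE = re.compile(r'^\$IncludeConfig\s+(\S+)')


def rsyslog_output_files(conf_path):
    """Return the set of local file paths used as actions in rsyslog rules.

    Only actions beginning with '/' (file) or '-/' (file, async writes) count.
    Remote targets (@host, @@host), discards (~), pipes (|/path), module calls
    (:omusrmsg:*) and directives are ignored, as are comments and blank lines.
    """
    files = set()
    if not os.path.isfile(conf_path):
        return files
    with open(conf_path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith('#'):
                continue
            inc = INCLUDE_RE.match(line)
            if inc:
                for path in sorted(glob.glob(inc.group(1))):
                    files |= rsyslog_output_files(path)
                continue
            if line.startswith('$'):
                continue                      # other legacy directives
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue                      # RainerScript or malformed line
            action = parts[1].strip()
            if action.startswith('-/'):
                action = action[1:]
            if action.startswith('/'):
                files.add(action.split(';', 1)[0].strip())   # drop ';template'
    return files


def check_log_files(paths, want_uid=0, want_gid=0, max_mode=0o600):
    """Return (path, problem) pairs for files violating owner, group or mode."""
    findings = []
    for p in sorted(paths):
        try:
            st = os.stat(p)
        except FileNotFoundError:
            findings.append((p, 'missing'))
            continue
        if st.st_uid != want_uid:
            findings.append((p, 'owner uid %d, expected %d' % (st.st_uid, want_uid)))
        if st.st_gid != want_gid:
            findings.append((p, 'group gid %d, expected %d' % (st.st_gid, want_gid)))
        mode = stat.S_IMODE(st.st_mode)
        if mode & ~max_mode:                  # any bit outside rw------- is set
            findings.append((p, 'mode %04o is more permissive than %04o' % (mode, max_mode)))
    return findings


def demo():
    """Build a constructed rsyslog tree in a temp dir and audit it."""
    root = tempfile.mkdtemp()
    logdir = os.path.join(root, 'log')
    incdir = os.path.join(root, 'rsyslog.d')
    os.mkdir(logdir)
    os.mkdir(incdir)
    main_conf = os.path.join(root, 'rsyslog.conf')
    with open(main_conf, 'w') as fh:
        fh.write('# constructed sample, not a real host configuration\n'
                 '$ModLoad imuxsock\n'
                 '$IncludeConfig %s/*.conf\n'
                 '*.info;mail.none;authpriv.none;cron.none  %s/messages\n'
                 'authpriv.*   %s/secure\n'
                 'mail.*       -%s/maillog\n'
                 '*.emerg      :omusrmsg:*\n'
                 '*.*          @@loghost.example.net:514\n'
                 % (incdir, logdir, logdir, logdir))
    with open(os.path.join(incdir, 'app.conf'), 'w') as fh:
        fh.write('local0.*  %s/app.log;RSYSLOG_TraditionalFileFormat\n' % logdir)
    for name, mode in (('messages', 0o600), ('secure', 0o644), ('maillog', 0o400)):
        path = os.path.join(logdir, name)
        open(path, 'w').close()
        os.chmod(path, mode)
    # app.log is deliberately never created so the 'missing' case shows up.
    # The uid/gid of the directory we just made stand in for root:root here.
    owner = os.stat(logdir)
    paths = rsyslog_output_files(main_conf)
    return paths, check_log_files(paths, want_uid=owner.st_uid, want_gid=owner.st_gid)


if __name__ == '__main__':
    for path, why in demo()[1]:
        print('%s: %s' % (path, why))
```

The demo reports app.log as missing and secure as mode 0644, and accepts maillog at 0400 because "600 or more restrictive" is a subset test on the permission bits, not an equality test.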
References: 4.1.18 1 11 12 13 14 15 16 18 19 3 4 5 6 7 8 5.4.1.1 APO01.06 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 BAI03.05 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 DSS06.02 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.3.1 3.4.3 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.310(a)(2)(iv) 164.312(d) 164.310(d)(2)(iii) 164.312(b) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.7.3 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 5.2 SR 6.1 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 AU-1(b) AU-2(a) AU-2(c) AU-2(d) IR-5 DE.AE-3 DE.AE-5 ID.SC-4 PR.AC-4 PR.DS-5 PR.PT-1 RS.AN-1 RS.AN-4 Req-10.5.2

Rationale: Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation.

Identifier: CCE-27097-5

Remediation Shell script:

    # Traverse all of:
    #
    # /etc/audit/audit.rules,        (for auditctl case)
    # /etc/audit/rules.d/*.rules     (for augenrules case)
    #
    # files to check if an '-e .*' setting is present in that '*.rules' file already.
    # If found, delete such occurrence since the auditctl(8) manual page instructs that the
    # '-e 2' rule should be placed as the last rule in the configuration.
    # The pattern is anchored to the start of the line so that a '-e ' that happens to
    # appear inside a path or key of another rule is left alone, and the glob is quoted
    # so the shell does not expand it before find sees it.
    find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/^[[:space:]]*-e[[:space:]]\+.*/d' {} ';'

    # Append the '-e 2' requirement at the end of both:
    # * /etc/audit/audit.rules file (for auditctl case)
    # * /etc/audit/rules.d/immutable.rules (for augenrules case)
    for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules"
    do
      echo '' >> "$AUDIT_FILE"
      echo '# Set the audit.rules configuration immutable per security requirements' >> "$AUDIT_FILE"
      echo '# Reboot is required to change audit rules once this setting is applied' >> "$AUDIT_FILE"
      echo '-e 2' >> "$AUDIT_FILE"
    done

Ensure Log Files Are Owned By Appropriate User (CCE-80189-4), Ensure Log Files Are Owned By Appropriate Group (CCE-80190-2) and Ensure System Log Files Have Correct Permissions (CCE-80191-0) are listed again under this requirement; their descriptions, references, rationale and remediation are identical to the entries under 10.5.1 above.

10.5.3 Promptly back up audit trail files

Configure auditd to use audispd's syslog plugin

To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audisp/plugins.d/syslog.conf to yes.
Restart the auditd service:

    $ sudo service auditd restart

References: 1 11 12 13 14 15 16 19 3 4 5 6 7 8 5.4.1.1 APO11.04 APO12.06 BAI03.05 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 MEA02.01 3.3.1 CCI-000136 164.308(a)(1)(ii)(D) 164.308(a)(5)(ii)(B) 164.308(a)(5)(ii)(C) 164.308(a)(6)(ii) 164.308(a)(8) 164.310(d)(2)(iii) 164.312(b) 164.314(a)(2)(i)(C) 164.314(a)(2)(iii) 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.16.1.4 A.16.1.5 A.16.1.7 AU-1(b) AU-3(2) IR-5 DE.AE-3 DE.AE-5 PR.PT-1 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.5.3 SRG-OS-000051-VMM-000230 SRG-OS-000058-VMM-000270 SRG-OS-000059-VMM-000280 SRG-OS-000479-VMM-001990

Rationale: The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for the audit event multiplexor (audispd) to pass audit records to the local syslog server.

Identifier: CCE-27341-7

Remediation Shell script:

    var_syslog_active="yes"
    AUDISP_SYSLOGCONFIG=/etc/audisp/plugins.d/syslog.conf
    # replace_or_append is a helper from the SSG shared remediation library and is not
    # defined on this page: it rewrites the line matching '^active' so that the key is
    # set to the given value, or appends such a line when none exists, and tags the
    # change with the rule's CCE.
    replace_or_append $AUDISP_SYSLOGCONFIG '^active' "$var_syslog_active" "CCE-27341-7"

10.5.4 Write logs for external-facing

10.5.5 Use file-integrity monitoring or

Record Events that Modify the System's Discretionary Access Controls - fchown

At a minimum, the audit system should collect file permission changes for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

    -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

    -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.
References: RHEL-07-030380 SV-86723r4_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000126 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.5.5 SRG-OS-000064-GPOS-00033 SRG-OS-000392-GPOS-00172 SRG-OS-000458-GPOS-00203 SRG-OS-000474-GPOS-00219

Rationale: The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Identifier: CCE-27356-5

Remediation Shell script:

    # First perform the remediation of the syscall rule
    # Retrieve hardware architecture of the underlying system
    [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

    for ARCH in "${RULE_ARCHS[@]}"
    do
      PATTERN="-a always,exit -F arch=$ARCH -S fchown.*"
      GROUP="perm_mod"
      FULL_RULE="-a always,exit -F arch=$ARCH -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod"
      # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'.
      # fix_audit_syscall_rule comes from the SSG shared remediation library and is not
      # defined on this page; roughly, it looks for an existing rule matching $PATTERN,
      # otherwise adds the syscall to an existing $GROUP rule for $ARCH, and otherwise
      # appends $FULL_RULE.
      fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
      fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    done

Remediation Ansible snippet:

    #
    # What architecture are we on?
    #
    - name: Set architecture for audit fchown tasks
      set_fact:
        audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: &fchown_tags
        - audit_rules_dac_modification_fchown
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27356-5
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-2(a)
        - NIST-800-53-AU-2(c)
        - NIST-800-53-AU-2(d)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.5.5
        - CJIS-5.4.1.1
        - DISA-STIG-RHEL-07-030380

    #
    # Inserts/replaces the rule in /etc/audit/rules.d
    # (every task below carries the same tag list as the first one, via the YAML anchor)
    #
    - name: Search /etc/audit/rules.d for other DAC audit rules
      find:
        paths: "/etc/audit/rules.d"
        recurse: no
        contains: "-F key=perm_mod$"
        patterns: "*.rules"
      register: find_fchown
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: *fchown_tags

    - name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
      set_fact:
        all_files:
          - /etc/audit/rules.d/privileged.rules
      when: find_fchown.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: *fchown_tags

    - name: Use matched file as the recipient for the rule
      set_fact:
        all_files:
          - "{{ find_fchown.files | map(attribute='path') | list | first }}"
      when: find_fchown.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: *fchown_tags

    - name: Inserts/replaces the fchown rule in rules.d when on x86
      lineinfile:
        path: "{{ all_files[0] }}"
        line: "-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod"
        create: yes
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: *fchown_tags

    - name: Inserts/replaces the fchown rule in rules.d when on x86_64
      lineinfile:
        path: "{{ all_files[0] }}"
        line: "-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod"
        create: yes
      when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: *fchown_tags

    #
    # Inserts/replaces the rule in /etc/audit/audit.rules
    #
    - name: Inserts/replaces the fchown rule in /etc/audit/audit.rules when on x86
      lineinfile:
        line: "-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod"
        state: present
        dest: /etc/audit/audit.rules
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: *fchown_tags

    - name: Inserts/replaces the fchown rule in audit.rules when on x86_64
      lineinfile:
        line: "-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod"
        state: present
        dest: /etc/audit/audit.rules
        create: yes
      when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: *fchown_tags

Record Events that Modify the System's Discretionary Access Controls - setxattr

At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

    -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

    -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.
References: RHEL-07-030440 SV-86735r4_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000126 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.5.5 SRG-OS-000064-GPOS-00033 SRG-OS-000392-GPOS-00172 SRG-OS-000458-GPOS-00203

Rationale: The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Identifier: CCE-27213-8

Remediation Shell script:

    # First perform the remediation of the syscall rule
    # Retrieve hardware architecture of the underlying system
    [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

    for ARCH in "${RULE_ARCHS[@]}"
    do
      PATTERN="-a always,exit -F arch=$ARCH -S setxattr.*"
      GROUP="perm_mod"
      FULL_RULE="-a always,exit -F arch=$ARCH -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
      # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'.
      # fix_audit_syscall_rule is provided by the SSG shared remediation library and is
      # not defined on this page.
      fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
      fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    done

Remediation Ansible snippet:

    #
    # What architecture are we on?
    #
    - name: Set architecture for audit setxattr tasks
      set_fact:
        audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: &setxattr_tags
        - audit_rules_dac_modification_setxattr
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27213-8
        - NIST-800-53-AC-17(7)
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-2(a)
        - NIST-800-53-AU-2(c)
        - NIST-800-53-AU-2(d)
        - NIST-800-53-AU-12(a)
        - NIST-800-53-AU-12(c)
        - NIST-800-53-IR-5
        - NIST-800-171-3.1.7
        - PCI-DSS-Req-10.5.5
        - CJIS-5.4.1.1
        - DISA-STIG-RHEL-07-030440

    #
    # Inserts/replaces the rule in /etc/audit/rules.d
    # (every task below carries the same tag list as the first one, via the YAML anchor)
    #
    - name: Search /etc/audit/rules.d for other DAC audit rules
      find:
        paths: "/etc/audit/rules.d"
        recurse: no
        contains: "-F key=perm_mod$"
        patterns: "*.rules"
      register: find_setxattr
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: *setxattr_tags

    - name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
      set_fact:
        all_files:
          - /etc/audit/rules.d/privileged.rules
      when: find_setxattr.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: *setxattr_tags

    - name: Use matched file as the recipient for the rule
      set_fact:
        all_files:
          - "{{ find_setxattr.files | map(attribute='path') | list | first }}"
      when: find_setxattr.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: *setxattr_tags

    - name: Inserts/replaces the setxattr rule in rules.d when on x86
      lineinfile:
        path: "{{ all_files[0] }}"
        line: "-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
        create: yes
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: *setxattr_tags

    - name: Inserts/replaces the setxattr rule in rules.d when on x86_64
      lineinfile:
        path: "{{ all_files[0] }}"
        line: "-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
        create: yes
      when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: *setxattr_tags

    #
    # Inserts/replaces the rule in /etc/audit/audit.rules
    #
    - name: Inserts/replaces the setxattr rule in /etc/audit/audit.rules when on x86
      lineinfile:
        line: "-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
        state: present
        dest: /etc/audit/audit.rules
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: *setxattr_tags

    - name: Inserts/replaces the setxattr rule in audit.rules when on x86_64
      lineinfile:
        line: "-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
        state: present
        dest: /etc/audit/audit.rules
        create: yes
      when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: *setxattr_tags

Record Events that Modify the System's Discretionary Access Controls - chown

At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

    -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64 bit then also add the following line:

    -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.
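The note above says the chown, fchown and setxattr rules may be grouped with other syscalls on one line, and the immutable rule earlier requires that -e 2 be the last rule loaded; both are easy to get wrong by hand and neither is checked by the remediation snippets. The following Python script is an added example, not code from the SCAP Security Guide: it parses -a always,exit rules from a rules file, reports the (arch, syscall) pairs that no rule audits with the auid>=1000 and auid!=unset filters, accepting grouped -S lists, and checks that -e 2 occurs exactly once and last. The sample ruleset is constructed; the load_rules_d helper and its assumption that augenrules merges rules.d/*.rules in sorted filename order are mine, not the project's.

```python
"""Offline checks for an audit ruleset: DAC-modification coverage and '-e 2' placement.

Added example, not SCAP Security Guide code. It works on the text of the rules
(audit.rules, or the rules.d/*.rules files concatenated), so no auditctl is needed.
"""
import glob
import os
import shlex

REQUIRED_SYSCALLS = ('chown', 'fchown', 'setxattr')   # the three rules discussed here
ARCHES = ('b32', 'b64')


def parse_rule(line):
    """Split one '-a always,exit ...' syscall rule into its parts.

    Returns None for comments, blank lines, watches (-w) and control lines
    such as '-D', '-b 8192' or '-e 2'.
    """
    toks = shlex.split(line, comments=True)
    if len(toks) < 2 or toks[0] != '-a':
        return None
    rule = {'action': toks[1], 'arch': None, 'syscalls': set(), 'filters': set(), 'key': None}
    for flag, val in zip(toks[2::2], toks[3::2]):
        if flag == '-S':
            rule['syscalls'].update(val.split(','))   # '-S chown,fchown' groups several
        elif flag == '-F' and val.startswith('arch='):
            rule['arch'] = val[len('arch='):]
        elif flag == '-F' and val.startswith('key='):
            rule['key'] = val[len('key='):]
        elif flag == '-F':
            rule['filters'].add(val)
        elif flag == '-k':
            rule['key'] = val
    return rule


def dac_coverage_gaps(rules_text, required=REQUIRED_SYSCALLS, arches=ARCHES, min_auid=1000):
    """Return the (arch, syscall) pairs that no qualifying rule audits.

    A pair is covered when an always,exit rule for that arch names the syscall,
    alone or grouped with others, and carries both 'auid>=<min_auid>' and an
    'auid!=unset' filter (auditctl also accepts the numeric spellings).
    """
    covered = set()
    for line in rules_text.splitlines():
        r = parse_rule(line)
        if r is None or r['action'] != 'always,exit' or r['arch'] not in arches:
            continue
        has_min = ('auid>=%d' % min_auid) in r['filters']
        has_unset = bool(r['filters'] & {'auid!=unset', 'auid!=4294967295', 'auid!=-1'})
        if has_min and has_unset:
            covered.update((r['arch'], sc) for sc in r['syscalls'])
    return {(a, s) for a in arches for s in required} - covered


def immutable_ok(rules_text):
    """True when '-e 2' occurs exactly once and is the last active line.

    Once the kernel enters immutable mode every later rule in the same load
    fails, so '-e 2' has to be the final line of whatever auditctl -R reads.
    """
    active = [l.strip() for l in rules_text.splitlines()
              if l.strip() and not l.strip().startswith('#')]
    return active.count('-e 2') == 1 and active[-1] == '-e 2'


def load_rules_d(dirpath='/etc/audit/rules.d'):
    """Concatenate rules.d/*.rules in sorted filename order (assumed merge order)."""
    return ''.join(open(p).read() for p in sorted(glob.glob(os.path.join(dirpath, '*.rules'))))


SAMPLE_RULES = """\
## constructed sample ruleset (not from a real host)
-D
-b 8192
# grouped form: one line covers chown and fchown (plus two relatives) on 64-bit
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
# setxattr without the auid!=unset filter: records daemons too, but does not
# match the rule text, so it is not counted as coverage
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F key=perm_mod
-w /etc/sudoers -p wa -k actions
-e 2
"""


def demo():
    """Run both checks over the constructed sample."""
    return sorted(dac_coverage_gaps(SAMPLE_RULES)), immutable_ok(SAMPLE_RULES)


if __name__ == '__main__':
    text = load_rules_d() if os.path.isdir('/etc/audit/rules.d') else SAMPLE_RULES
    print('not audited:', sorted(dac_coverage_gaps(text)))
    print('-e 2 is last:', immutable_ok(text))
```

On the sample the coverage check reports setxattr on both architectures as unaudited (the b64 line lacks auid!=unset and there is no b32 line at all) while chown and fchown pass through the grouped rule, and the immutability check passes; appending any rule after -e 2 makes it fail.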
References:
  DISA STIG ID: RHEL-07-030370; DISA STIG rule: SV-86721r4_rule
  CIS: 5.2.10
  CIS CSC: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
  CJIS: 5.4.1.1
  COBIT 5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
  NIST 800-171: 3.1.7
  DISA CCI: CCI-000126, CCI-000172
  HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
  ISA-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
  ISA-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
  ISO 27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
  NIST 800-53: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5
  NIST CSF: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
  OSPP: FAU_GEN.1.1.c
  PCI-DSS: Req-10.5.5
  OS SRG: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219

Rationale: The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Identifiers: CCE-27364-9

Remediation Shell script:

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S chown.*"
    GROUP="perm_mod"
    FULL_RULE="-a always,exit -F arch=$ARCH -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    # (fix_audit_syscall_rule is provided by the SCAP Security Guide shared remediation function library)
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

#
# What architecture are we on?
#
- name: Set architecture for audit chown tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_dac_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27364-9
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030370
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_chown
  tags:
    - audit_rules_dac_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27364-9
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030370
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_chown.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27364-9
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030370

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_chown.files | map(attribute='path') | list | first }}"
  when: find_chown.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27364-9
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030370

- name: Inserts/replaces the chown rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod"
    create: yes
  tags:
    - audit_rules_dac_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27364-9
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030370
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the chown rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod"
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27364-9
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030370

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the chown rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
  tags:
    - audit_rules_dac_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27364-9
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030370
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the chown rule in audit.rules when on x86_64
  lineinfile:
    line: "-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27364-9
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030370

Record Events that Modify the System's Discretionary Access Controls - fchownat

Description: At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit, then also add the following line:

    -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit, then also add the following line:

    -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
References:
  DISA STIG ID: RHEL-07-030400; DISA STIG rule: SV-86727r4_rule
  CIS: 5.2.10
  CIS CSC: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
  CJIS: 5.4.1.1
  COBIT 5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
  NIST 800-171: 3.1.7
  DISA CCI: CCI-000126, CCI-000172
  HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
  ISA-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
  ISA-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
  ISO 27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
  NIST 800-53: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5
  NIST CSF: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
  OSPP: FAU_GEN.1.1.c
  PCI-DSS: Req-10.5.5
  OS SRG: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219

Rationale: The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Identifiers: CCE-27387-0

Remediation Shell script:

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S fchownat.*"
    GROUP="perm_mod"
    FULL_RULE="-a always,exit -F arch=$ARCH -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    # (fix_audit_syscall_rule is provided by the SCAP Security Guide shared remediation function library)
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

#
# What architecture are we on?
#
- name: Set architecture for audit fchownat tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_dac_modification_fchownat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27387-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030400
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_fchownat
  tags:
    - audit_rules_dac_modification_fchownat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27387-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030400
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_fchownat.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_fchownat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27387-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030400

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_fchownat.files | map(attribute='path') | list | first }}"
  when: find_fchownat.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_fchownat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27387-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030400

- name: Inserts/replaces the fchownat rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod"
    create: yes
  tags:
    - audit_rules_dac_modification_fchownat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27387-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030400
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fchownat rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod"
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_fchownat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27387-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030400

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the fchownat rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
  tags:
    - audit_rules_dac_modification_fchownat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27387-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030400
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fchownat rule in audit.rules when on x86_64
  lineinfile:
    line: "-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_fchownat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27387-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030400

Record Events that Modify the System's Discretionary Access Controls - lchown

Description: At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit, then also add the following line:

    -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit, then also add the following line:

    -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
References:
  DISA STIG ID: RHEL-07-030390; DISA STIG rule: SV-86725r4_rule
  CIS: 5.2.10
  CIS CSC: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
  CJIS: 5.4.1.1
  COBIT 5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
  NIST 800-171: 3.1.7
  DISA CCI: CCI-000126, CCI-000172
  HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
  ISA-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
  ISA-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
  ISO 27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
  NIST 800-53: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5
  NIST CSF: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
  OSPP: FAU_GEN.1.1.c
  PCI-DSS: Req-10.5.5
  OS SRG: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219

Rationale: The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Identifiers: CCE-27083-5

Remediation Shell script:

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S lchown.*"
    GROUP="perm_mod"
    FULL_RULE="-a always,exit -F arch=$ARCH -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    # (fix_audit_syscall_rule is provided by the SCAP Security Guide shared remediation function library)
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

#
# What architecture are we on?
#
- name: Set architecture for audit lchown tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_dac_modification_lchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27083-5
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030390
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_lchown
  tags:
    - audit_rules_dac_modification_lchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27083-5
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030390
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_lchown.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_lchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27083-5
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030390

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_lchown.files | map(attribute='path') | list | first }}"
  when: find_lchown.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_lchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27083-5
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030390

- name: Inserts/replaces the lchown rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod"
    create: yes
  tags:
    - audit_rules_dac_modification_lchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27083-5
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030390
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the lchown rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod"
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_lchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27083-5
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030390

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the lchown rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
  tags:
    - audit_rules_dac_modification_lchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27083-5
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030390
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the lchown rule in audit.rules when on x86_64
  lineinfile:
    line: "-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_lchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27083-5
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030390

Record Events that Modify the System's Discretionary Access Controls - chmod

Description: At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit, then also add the following line:

    -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit, then also add the following line:

    -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
References:
  DISA STIG ID: RHEL-07-030410; DISA STIG rule: SV-86729r4_rule
  CIS: 5.2.10
  CIS CSC: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
  CJIS: 5.4.1.1
  COBIT 5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
  NIST 800-171: 3.1.7
  DISA CCI: CCI-000126, CCI-000172
  HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
  ISA-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
  ISA-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
  ISO 27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
  NIST 800-53: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5
  NIST CSF: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
  OSPP: FAU_GEN.1.1.c
  PCI-DSS: Req-10.5.5
  OS SRG: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203

Rationale: The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Identifiers: CCE-27339-1

Remediation Shell script:

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S chmod.*"
    GROUP="perm_mod"
    FULL_RULE="-a always,exit -F arch=$ARCH -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    # (fix_audit_syscall_rule is provided by the SCAP Security Guide shared remediation function library)
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

#
# What architecture are we on?
#
- name: Set architecture for audit chmod tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_dac_modification_chmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27339-1
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030410
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_chmod
  tags:
    - audit_rules_dac_modification_chmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27339-1
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030410
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_chmod.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_chmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27339-1
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030410

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_chmod.files | map(attribute='path') | list | first }}"
  when: find_chmod.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_chmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27339-1
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030410

- name: Inserts/replaces the chmod rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod"
    create: yes
  tags:
    - audit_rules_dac_modification_chmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27339-1
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030410
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the chmod rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod"
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_chmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27339-1
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030410

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the chmod rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
  tags:
    - audit_rules_dac_modification_chmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27339-1
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030410
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the chmod rule in audit.rules when on x86_64
  lineinfile:
    line: "-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_chmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27339-1
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030410

Record Events that Modify the System's Discretionary Access Controls - removexattr

Description: At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit, then also add the following line:

    -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit, then also add the following line:

    -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
STIG ID: RHEL-07-030470
STIG Rule ID: SV-86741r4_rule
References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203

Rationale: The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Identifier: CCE-27367-2

Remediation Shell script:

```bash
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S removexattr.*"
    GROUP="perm_mod"
    FULL_RULE="-a always,exit -F arch=$ARCH -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    # (fix_audit_syscall_rule is provided by the SCAP Security Guide's shared bash
    # remediation functions, which are not shown here)
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
```

Remediation Ansible snippet:

```yaml
#
# What architecture are we on?
#
- name: Set architecture for audit removexattr tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_dac_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27367-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030470
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_removexattr
  tags:
    - audit_rules_dac_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27367-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030470
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_removexattr.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27367-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030470

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_removexattr.files | map(attribute='path') | list | first }}"
  when: find_removexattr.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27367-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030470

- name: Inserts/replaces the removexattr rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
    create: yes
  tags:
    - audit_rules_dac_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27367-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030470
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the removexattr rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27367-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030470

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the removexattr rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
  tags:
    - audit_rules_dac_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27367-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030470
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the removexattr rule in audit.rules when on x86_64
  lineinfile:
    line: "-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27367-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030470
```

Record Events that Modify the System's Discretionary Access Controls - fchmod

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit then also add the following line:

    -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit then also add the following line:

    -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
STIG ID: RHEL-07-030420
STIG Rule ID: SV-86731r4_rule
References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203

Rationale: The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Identifier: CCE-27393-8

Remediation Shell script:

```bash
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S fchmod.*"
    GROUP="perm_mod"
    FULL_RULE="-a always,exit -F arch=$ARCH -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    # (fix_audit_syscall_rule is provided by the SCAP Security Guide's shared bash
    # remediation functions, which are not shown here)
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
```

Remediation Ansible snippet:

```yaml
#
# What architecture are we on?
#
- name: Set architecture for audit fchmod tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_dac_modification_fchmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27393-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030420
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_fchmod
  tags:
    - audit_rules_dac_modification_fchmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27393-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030420
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_fchmod.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_fchmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27393-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030420

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_fchmod.files | map(attribute='path') | list | first }}"
  when: find_fchmod.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_fchmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27393-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030420

- name: Inserts/replaces the fchmod rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod"
    create: yes
  tags:
    - audit_rules_dac_modification_fchmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27393-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030420
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fchmod rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod"
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_fchmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27393-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030420

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the fchmod rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
  tags:
    - audit_rules_dac_modification_fchmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27393-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030420
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fchmod rule in audit.rules when on x86_64
  lineinfile:
    line: "-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_fchmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27393-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030420
```

Record Events that Modify the System's Discretionary Access Controls - lsetxattr

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit then also add the following line:

    -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit then also add the following line:

    -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
STIG ID: RHEL-07-030460
STIG Rule ID: SV-86739r4_rule
References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219

Rationale: The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Identifier: CCE-27280-7

Remediation Shell script:

```bash
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S lsetxattr.*"
    GROUP="perm_mod"
    FULL_RULE="-a always,exit -F arch=$ARCH -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    # (fix_audit_syscall_rule is provided by the SCAP Security Guide's shared bash
    # remediation functions, which are not shown here)
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
```

Remediation Ansible snippet:

```yaml
#
# What architecture are we on?
#
- name: Set architecture for audit lsetxattr tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_dac_modification_lsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27280-7
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030460
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_lsetxattr
  tags:
    - audit_rules_dac_modification_lsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27280-7
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030460
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_lsetxattr.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_lsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27280-7
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030460

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_lsetxattr.files | map(attribute='path') | list | first }}"
  when: find_lsetxattr.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_lsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27280-7
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030460

- name: Inserts/replaces the lsetxattr rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
    create: yes
  tags:
    - audit_rules_dac_modification_lsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27280-7
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030460
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the lsetxattr rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_lsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27280-7
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030460

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the lsetxattr rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
  tags:
    - audit_rules_dac_modification_lsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27280-7
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030460
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the lsetxattr rule in audit.rules when on x86_64
  lineinfile:
    line: "-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_lsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27280-7
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030460
```

Record Events that Modify the System's Discretionary Access Controls - fremovexattr

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit then also add the following line:

    -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit then also add the following line:

    -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
STIG ID: RHEL-07-030480
STIG Rule ID: SV-86743r4_rule
References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203

Rationale: The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
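Each of the perm_mod rule descriptions above (chmod, removexattr, fchmod, lsetxattr and fremovexattr) ends with the note that the syscalls may be grouped into fewer rules. The checker below, an added example that is not part of the SCAP Security Guide, verifies coverage for every required (arch, syscall) pair whichever form the rules take, and flags rules that drop the auid filters or the perm_mod key. The DAC_SYSCALLS list, the two sample rule files and the acceptance of a numeric unset auid (4294967295, as auditctl prints it) are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Set, Tuple

# Syscalls whose perm_mod rules are described on this page (assumed list).
DAC_SYSCALLS = ("chmod", "fchmod", "removexattr", "lsetxattr", "fremovexattr")
# An unset loginuid may be written as "unset" or as its numeric value.
UNSET_AUID = {"unset", "4294967295", "-1"}
FIELD_RE = re.compile(r"^(\w+)(>=|<=|!=|>|<|=)(.+)$")


@dataclass
class SyscallRule:
    arch: Optional[str] = None
    syscalls: Set[str] = field(default_factory=set)
    auid_ge: Optional[int] = None
    auid_ne: Set[str] = field(default_factory=set)
    key: Optional[str] = None


def parse_rule(line: str) -> Optional[SyscallRule]:
    """Parse one '-a always,exit' syscall rule. Returns None for blanks,
    comments, other rule types (e.g. '-w' file watches) and malformed lines."""
    tokens = line.split("#", 1)[0].split()
    if tokens[:2] != ["-a", "always,exit"]:
        return None
    rule = SyscallRule()
    flags = iter(tokens[2:])
    for flag in flags:
        value = next(flags, None)
        if value is None:
            return None  # flag without an argument: malformed rule
        if flag == "-S":
            rule.syscalls.update(value.split(","))  # grouped syscalls
        elif flag == "-k":
            rule.key = value
        elif flag == "-F":
            m = FIELD_RE.match(value)
            if not m:
                return None
            name, op, val = m.groups()
            if name == "arch" and op == "=":
                rule.arch = val
            elif name == "auid" and op == ">=" and val.isdigit():
                rule.auid_ge = int(val)
            elif name == "auid" and op == "!=":
                rule.auid_ne.add(val)
            elif name == "key" and op == "=":
                rule.key = val
    return rule


def rule_is_compliant(rule: SyscallRule, min_uid: int = 1000) -> bool:
    """Keyed perm_mod, limited to real users (a threshold below 1000 audits a
    superset and is accepted) and excluding processes with an unset loginuid."""
    return (rule.key == "perm_mod"
            and rule.auid_ge is not None and rule.auid_ge <= min_uid
            and bool(rule.auid_ne & UNSET_AUID))


def covered_pairs(rules_text: str) -> Set[Tuple[str, str]]:
    """Every (arch, syscall) pair audited by some compliant rule in the text."""
    pairs: Set[Tuple[str, str]] = set()
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule and rule.arch and rule_is_compliant(rule):
            pairs.update((rule.arch, sc) for sc in rule.syscalls)
    return pairs


def missing_rules(rules_text: str, archs: Sequence[str] = ("b32", "b64"),
                  syscalls: Sequence[str] = DAC_SYSCALLS) -> List[Tuple[str, str]]:
    """Required (arch, syscall) pairs that no compliant rule covers.
    Use archs=("b32",) on a 32-bit system, where no b64 line is required."""
    have = covered_pairs(rules_text)
    return sorted((a, s) for a in archs for s in syscalls if (a, s) not in have)


# Constructed sample in the grouped form the guide's note recommends.
GROUPED_RULES = """\
## DAC modification rules (constructed sample)
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
"""

# Constructed sample in the one-per-line form shown above, with two defects:
# the b32 lsetxattr rule lacks auid!=unset and the b64 fremovexattr line is absent.
PER_SYSCALL_RULES = """\
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F key=perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-w /etc/sudoers -p wa -k actions
"""

if __name__ == "__main__":
    for label, text in (("grouped", GROUPED_RULES), ("per-syscall", PER_SYSCALL_RULES)):
        print(label, "missing:", missing_rules(text) or "none")
```

To check a live system, concatenate the contents of /etc/audit/rules.d/*.rules (augenrules) or /etc/audit/audit.rules (auditctl) and pass the text to missing_rules.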
Identifiers: CCE-27353-2

Remediation Shell script:

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S fremovexattr.*"
	GROUP="perm_mod"
	FULL_RULE="-a always,exit -F arch=$ARCH -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	# (fix_audit_syscall_rule is one of the SSG shared remediation functions; it is not defined in this snippet)
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

# What architecture are we on?
- name: Set architecture for audit fremovexattr tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  # Every task in this snippet carries the same tag list; it is defined once here and reused below through the alias.
  tags: &fremovexattr_tags
    - audit_rules_dac_modification_fremovexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27353-2
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030480
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_fremovexattr
  tags: *fremovexattr_tags
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_fremovexattr.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: *fremovexattr_tags

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_fremovexattr.files | map(attribute='path') | list | first }}"
  when: find_fremovexattr.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: *fremovexattr_tags

- name: Inserts/replaces the fremovexattr rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
    create: yes
  tags: *fremovexattr_tags
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fremovexattr rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: *fremovexattr_tags

# Inserts/replaces the rule in /etc/audit/audit.rules
- name: Inserts/replaces the fremovexattr rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
  tags: *fremovexattr_tags
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fremovexattr rule in audit.rules when on x86_64
  lineinfile:
    line: "-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: *fremovexattr_tags

Record Events that Modify the System's Discretionary Access Controls - lremovexattr

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit then also add the following line:

    -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit then also add the following line:

    -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
References: RHEL-07-030490 SV-86745r4_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.5.5 SRG-OS-000064-GPOS-00033 SRG-OS-000392-GPOS-00172 SRG-OS-000458-GPOS-00203

Rationale: The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Identifiers: CCE-27410-0

Remediation Shell script:

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S lremovexattr.*"
	GROUP="perm_mod"
	FULL_RULE="-a always,exit -F arch=$ARCH -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

# What architecture are we on?
- name: Set architecture for audit lremovexattr tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  # Every task in this snippet carries the same tag list; it is defined once here and reused below through the alias.
  tags: &lremovexattr_tags
    - audit_rules_dac_modification_lremovexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27410-0
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030490
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_lremovexattr
  tags: *lremovexattr_tags
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_lremovexattr.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: *lremovexattr_tags

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_lremovexattr.files | map(attribute='path') | list | first }}"
  when: find_lremovexattr.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: *lremovexattr_tags

- name: Inserts/replaces the lremovexattr rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
    create: yes
  tags: *lremovexattr_tags
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the lremovexattr rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: *lremovexattr_tags

# Inserts/replaces the rule in /etc/audit/audit.rules
- name: Inserts/replaces the lremovexattr rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
  tags: *lremovexattr_tags
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the lremovexattr rule in audit.rules when on x86_64
  lineinfile:
    line: "-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: *lremovexattr_tags

Record Events that Modify the System's Discretionary Access Controls - fsetxattr

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit then also add the following line:

    -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit then also add the following line:

    -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
References: RHEL-07-030450 SV-86737r4_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000126 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.5.5 SRG-OS-000064-GPOS-00033 SRG-OS-000392-GPOS-00172 SRG-OS-000458-GPOS-00203

Rationale: The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Identifiers: CCE-27389-6

Remediation Shell script:

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S fsetxattr.*"
	GROUP="perm_mod"
	FULL_RULE="-a always,exit -F arch=$ARCH -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

# What architecture are we on?
- name: Set architecture for audit fsetxattr tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  # Every task in this snippet carries the same tag list; it is defined once here and reused below through the alias.
  tags: &fsetxattr_tags
    - audit_rules_dac_modification_fsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27389-6
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030450
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_fsetxattr
  tags: *fsetxattr_tags
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_fsetxattr.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: *fsetxattr_tags

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_fsetxattr.files | map(attribute='path') | list | first }}"
  when: find_fsetxattr.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: *fsetxattr_tags

- name: Inserts/replaces the fsetxattr rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
    create: yes
  tags: *fsetxattr_tags
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fsetxattr rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: *fsetxattr_tags

# Inserts/replaces the rule in /etc/audit/audit.rules
- name: Inserts/replaces the fsetxattr rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
  tags: *fsetxattr_tags
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fsetxattr rule in audit.rules when on x86_64
  lineinfile:
    line: "-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: *fsetxattr_tags

Record Events that Modify the System's Discretionary Access Controls - fchmodat

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit then also add the following line:

    -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit then also add the following line:

    -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
References: RHEL-07-030430 SV-86733r4_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000126 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.5.5 SRG-OS-000064-GPOS-00033 SRG-OS-000392-GPOS-00172 SRG-OS-000458-GPOS-00203

Rationale: The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
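The four DAC rules above (fremovexattr, lremovexattr, fsetxattr, fchmodat) and the network-environment rule that follows are all satisfied by any rule line that covers the syscall or path, not only by the exact line quoted: the syscalls may be grouped (-S a,b,c or repeated -S), the key may be spelled -F key=NAME or -k NAME, and auid!=unset has numeric equivalents. The following Python script is an added example, not code from SCAP Security Guide, that applies those equivalences to auditctl-style rule text offline and reports which (syscall, arch) pairs and which watch rules are still missing. The sample rule text is constructed for the example, and all function and constant names are the example's own.

```python
"""Offline coverage check for the auditd rules on this page (added example,
not SCAP Security Guide code). A syscall may be audited by its own rule or
by a grouped one (-S a,b,c or repeated -S), the key may be -F key=NAME or
-k NAME, and auditctl accepts several spellings of "auid is unset"; all of
these are normalised before checking.
"""
import shlex

# The four DAC-modification rules above share this key and these filters.
DAC_SYSCALLS = ("fremovexattr", "lremovexattr", "fsetxattr", "fchmodat")
DAC_KEY = "perm_mod"
DAC_FILTERS = frozenset({"auid>=1000", "auid!=unset"})

# The network-environment rule: two syscalls plus four file watches.
NET_KEY = "audit_rules_networkconfig_modification"
NET_SYSCALLS = ("sethostname", "setdomainname")
NET_WATCHES = ("/etc/issue", "/etc/issue.net", "/etc/hosts", "/etc/sysconfig/network")

# Equivalent auditctl spellings for "login UID never set".
UNSET_AUID = {"auid!=unset", "auid!=-1", "auid!=4294967295"}


def parse_rules(text):
    """Parse rules.d/audit.rules text into (syscall rules, watch rules)."""
    syscall_rules, watches = [], []
    for raw in text.splitlines():
        argv = shlex.split(raw.split("#", 1)[0])      # drop comments, tokenise
        if not argv:
            continue
        pairs = list(zip(argv[::2], argv[1::2]))     # [("-F", "arch=b64"), ...]
        if argv[0] == "-w":
            opts = dict(pairs[1:])                   # -p and -k appear once each
            watches.append({"path": argv[1], "perms": opts.get("-p", ""), "key": opts.get("-k", "")})
        elif argv[0] == "-a":
            rule = {"actions": set(argv[1].split(",")), "arch": "", "syscalls": set(),
                    "filters": set(), "key": ""}
            for opt, val in pairs[1:]:
                if opt == "-S":
                    rule["syscalls"].update(val.split(","))
                elif opt == "-k" or (opt == "-F" and val.startswith("key=")):
                    rule["key"] = val.split("=", 1)[-1]
                elif opt == "-F" and val.startswith("arch="):
                    rule["arch"] = val[5:]
                elif opt == "-F":
                    rule["filters"].add("auid!=unset" if val in UNSET_AUID else val)
            syscall_rules.append(rule)
        # -D, -b, -f, -e and similar control lines carry no rule to check
    return syscall_rules, watches


def syscall_covered(rules, syscall, arch, key, filters=frozenset()):
    """True if an always,exit rule for ARCH audits SYSCALL under KEY with FILTERS."""
    return any(r["actions"] == {"always", "exit"} and r["arch"] == arch
               and syscall in r["syscalls"] and r["key"] == key
               and filters <= r["filters"] for r in rules)


def watch_covered(watches, path, key, perms="wa"):
    """True if PATH is watched under KEY for at least the permissions in PERMS."""
    return any(w["path"] == path and w["key"] == key and set(perms) <= set(w["perms"])
               for w in watches)


def missing_dac_rules(text, is_64bit=True):
    """(syscall, arch) pairs the four DAC rules still need; [] when compliant."""
    rules, _ = parse_rules(text)
    archs = ("b32", "b64") if is_64bit else ("b32",)
    return sorted((s, a) for s in DAC_SYSCALLS for a in archs
                  if not syscall_covered(rules, s, a, DAC_KEY, DAC_FILTERS))


def missing_network_rules(text, is_64bit=True):
    """Missing pieces of the network rule: (syscall, arch) and (path, "watch")."""
    rules, watches = parse_rules(text)
    archs = ("b32", "b64") if is_64bit else ("b32",)   # both archs, as the shell remediation adds
    missing = [(s, a) for s in NET_SYSCALLS for a in archs
               if not syscall_covered(rules, s, a, NET_KEY)]
    missing += [(p, "watch") for p in NET_WATCHES if not watch_covered(watches, p, NET_KEY)]
    return sorted(missing)


# Constructed sample (not captured from a host): grouped rules, both key
# spellings, a numeric auid spelling, and two deliberate gaps.
SAMPLE_RULES = """\
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification
-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p w -k audit_rules_networkconfig_modification
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    print("missing DAC rules:", missing_dac_rules(text))
    print("missing network rules:", missing_network_rules(text))
```

Run it against the concatenated contents of /etc/audit/rules.d/*.rules (augenrules) or /etc/audit/audit.rules (auditctl). On the sample it reports the three b32 xattr rules and the /etc/sysconfig/network watch, which only has -p w, as missing. The files and the kernel can disagree until the rules are reloaded, so after editing run augenrules --load (or restart auditd) and confirm with auditctl -l | grep -e perm_mod -e audit_rules_networkconfig_modification.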
CCE-27388-8 # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S fchmodat.*" GROUP="perm_mod" FULL_RULE="-a always,exit -F arch=$ARCH -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done # # What architecture are we on? # - name: Set architecture for audit fchmodat tasks set_fact: audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" tags: - audit_rules_dac_modification_fchmodat - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27388-8 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030430 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") # # Inserts/replaces the rule in /etc/audit/rules.d # - name: Search /etc/audit/rules.d for other DAC audit rules find: paths: "/etc/audit/rules.d" recurse: no contains: "-F key=perm_mod$" patterns: "*.rules" register: find_fchmodat tags: - audit_rules_dac_modification_fchmodat - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27388-8 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030430 when: # Bare-metal/VM 
task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules when: find_fchmodat.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_dac_modification_fchmodat - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27388-8 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030430 - name: Use matched file as the recipient for the rule set_fact: all_files: - "{{ find_fchmodat.files | map(attribute='path') | list | first }}" when: find_fchmodat.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_dac_modification_fchmodat - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27388-8 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030430 - name: Inserts/replaces the fchmodat rule in rules.d when on x86 lineinfile: path: "{{ all_files[0] }}" line: "-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod" create: yes tags: - audit_rules_dac_modification_fchmodat - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27388-8 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - 
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030430
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fchmodat rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod"
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_fchmodat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27388-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030430

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the fchmodat rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
  tags:
    - audit_rules_dac_modification_fchmodat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27388-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030430
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fchmodat rule in audit.rules when on x86_64
  lineinfile:
    line: "-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_dac_modification_fchmodat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27388-8
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030430

Record Events that Modify the System's Network Environment

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:

    -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
    -w /etc/issue -p wa -k audit_rules_networkconfig_modification
    -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
    -w /etc/hosts -p wa -k audit_rules_networkconfig_modification
    -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:

    -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
    -w /etc/issue -p wa -k audit_rules_networkconfig_modification
    -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
    -w /etc/hosts -p wa -k audit_rules_networkconfig_modification
    -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification

References: 5.2.6 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01
DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.5.5

Rationale: The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.

Identifiers: CCE-27076-9

Remediation Shell script:

    # First perform the remediation of the syscall rule
    # Retrieve hardware architecture of the underlying system
    [ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

    for ARCH in "${RULE_ARCHS[@]}"
    do
        PATTERN="-a always,exit -F arch=$ARCH -S .* -k *"
        # Use escaped BRE regex to specify rule group
        GROUP="set\(host\|domain\)name"
        FULL_RULE="-a always,exit -F arch=$ARCH -S sethostname -S setdomainname -k audit_rules_networkconfig_modification"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    done

    # Then perform the remediations for the watch rules
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_watch_rule "auditctl" "/etc/issue" "wa" "audit_rules_networkconfig_modification"
    fix_audit_watch_rule "augenrules" "/etc/issue" "wa" "audit_rules_networkconfig_modification"
    fix_audit_watch_rule "auditctl" "/etc/issue.net" "wa" "audit_rules_networkconfig_modification"
    fix_audit_watch_rule "augenrules" "/etc/issue.net" "wa" "audit_rules_networkconfig_modification"
    fix_audit_watch_rule "auditctl" "/etc/hosts" "wa" "audit_rules_networkconfig_modification"
    fix_audit_watch_rule "augenrules" "/etc/hosts" "wa" "audit_rules_networkconfig_modification"
    fix_audit_watch_rule "auditctl" "/etc/sysconfig/network" "wa" "audit_rules_networkconfig_modification"
    fix_audit_watch_rule "augenrules" "/etc/sysconfig/network" "wa" "audit_rules_networkconfig_modification"

Record Events that Modify the System's Mandatory Access Controls

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -w /etc/selinux/ -p wa -k MAC-policy

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

    -w /etc/selinux/ -p wa -k MAC-policy

References: 5.2.7 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.8 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3
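The rules.d insertion procedure used by the network-environment and MAC-policy rules above, as an added example. This is not SSG code and not its fix_audit_syscall_rule / fix_audit_watch_rule helpers; it is a small bash script of its own that takes the rules file path as an argument, merges syscalls into an existing rule for the same arch and key instead of appending a duplicate, and treats watch rules as present-or-append. It assumes the simple rule shape "-a always,exit -F arch=ARCH -S ... -k KEY" with no extra -F filters (rules with extra filters are left alone and a new rule is added), and the starting file content in build_demo_rules is constructed for the demonstration.

```bash
#!/bin/bash
# Added example, not SSG code: idempotent insertion of audit syscall and watch
# rules into a rules.d-style file. A syscall rule for the same arch and key is
# extended in place rather than duplicated, so re-running against a partially
# configured host converges on one rule per (arch, key). Assumption: only rules
# of the exact shape "-a always,exit -F arch=ARCH -S ... -k KEY" are merged.

# add_syscall_rule FILE ARCH "syscall ..." KEY
add_syscall_rule() {
    file=$1; arch=$2; syscalls=$3; key=$4
    [ -f "$file" ] || : > "$file"
    # an existing rule for this arch and key, in either the "-k KEY" or "-F key=KEY" form
    existing=$(grep -E "^-a always,exit -F arch=$arch( -S [A-Za-z0-9_,]+)+ (-k |-F key=)$key\$" "$file" | head -n 1)
    if [ -z "$existing" ]; then
        wanted=$(printf '%s\n' $syscalls | tr '\n' ',' | sed 's/,$//')
        printf '%s\n' "-a always,exit -F arch=$arch -S $wanted -k $key" >> "$file"
        return 0
    fi
    # union of the syscalls already in the rule and the requested ones, first-seen order
    merged=$( { printf '%s\n' "$existing" | awk '{ for (i = 2; i <= NF; i++) if ($(i-1) == "-S") print $i }' | tr ',' '\n'
                printf '%s\n' $syscalls; } | awk 'NF && !seen[$0]++' | tr '\n' ',' | sed 's/,$//')
    awk -v old="$existing" -v new="-a always,exit -F arch=$arch -S $merged -k $key" \
        '$0 == old { print new; next } { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# add_watch_rule FILE PATH PERMS KEY
add_watch_rule() {
    file=$1; path=$2; perms=$3; key=$4
    [ -f "$file" ] || : > "$file"
    path_re=$(printf '%s' "$path" | sed 's/[.]/\\./g')   # dots in PATH must match literally
    grep -qE "^-w $path_re -p $perms (-k |-F key=)$key\$" "$file" \
        || printf '%s\n' "-w $path -p $perms -k $key" >> "$file"
}

# build_demo_rules FILE: start from a constructed state in which an administrator
# already added a partial b64 rule, then apply the network-environment rules twice;
# the second pass must change nothing.
build_demo_rules() {
    out=$1
    printf '%s\n' '-a always,exit -F arch=b64 -S sethostname -k audit_rules_networkconfig_modification' > "$out"
    for pass in 1 2; do
        for a in b32 b64; do
            add_syscall_rule "$out" "$a" "sethostname setdomainname" audit_rules_networkconfig_modification
        done
        for p in /etc/issue /etc/issue.net /etc/hosts /etc/sysconfig/network; do
            add_watch_rule "$out" "$p" wa audit_rules_networkconfig_modification
        done
    done
}

# Stand-alone use: bash audit_rules_demo.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && build_demo_rules "$tmp" && cat "$tmp" && rm -f "$tmp"
fi
```

After writing a real file under /etc/audit/rules.d, load it with augenrules --load and confirm the merged rule with auditctl -l; the pre-existing single-syscall rule ends up extended to sethostname,setdomainname rather than duplicated.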
PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.5.5

Rationale: The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.

Identifiers: CCE-27168-4

Remediation Shell script:

    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_watch_rule "auditctl" "/etc/selinux/" "wa" "MAC-policy"
    fix_audit_watch_rule "augenrules" "/etc/selinux/" "wa" "MAC-policy"

PCI DSS requirement and testing-procedure headings (titles truncated in the source):
10.6 Review logs and security events for
10.6.1 Review the following at least
10.6.1.a Examine security policies and procedures to verify that
10.6.1.b Observe processes and interview personnel to verify
10.6.2 Review logs of all other system
10.6.2.a Examine security policies and procedures to verify that
10.6.2.b
10.6.3 Follow up exceptions and
10.6.3.a Examine security policies and procedures to verify that
10.6.3.b Observe processes and interview personnel to verify
10.7 Retain audit trail history for at least

Configure auditd Max Log File Size

Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting the correct value of for STOREMB:

    max_log_file = STOREMB

Set the value to 6 (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.

References: 5.2.1.1 1 11 12 13 14 15 16 19 3 4 5 6 7 8 5.4.1.1 APO11.04 APO12.06 BAI03.05 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 MEA02.01 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.16.1.4 A.16.1.5 A.16.1.7 AU-1(b) AU-11 IR-5 DE.AE-3 DE.AE-5 PR.PT-1 RS.AN-1 RS.AN-4 Req-10.7

Rationale: The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.
Identifiers: CCE-27319-3

Remediation Shell script:

    var_auditd_max_log_file=""
    AUDITCONFIG=/etc/audit/auditd.conf
    replace_or_append $AUDITCONFIG '^max_log_file' "$var_auditd_max_log_file" "CCE-27319-3"

Remediation Ansible snippet:

    - name: XCCDF Value var_auditd_max_log_file # promote to variable
      set_fact:
        var_auditd_max_log_file: !!str
      tags:
        - always

    - name: Configure auditd Max Log File Size
      lineinfile:
        dest: /etc/audit/auditd.conf
        regexp: '^\s*max_log_file\s*=\s*.*$'
        line: "max_log_file = {{ var_auditd_max_log_file }}"
        state: present
      #notify: reload auditd
      tags:
        - auditd_data_retention_max_log_file
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27319-3
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-11
        - NIST-800-53-IR-5
        - PCI-DSS-Req-10.7
        - CJIS-5.4.1.1
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure auditd space_left on Low Disk Space

The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting SIZE_in_MB appropriately:

    space_left = SIZE_in_MB

Set this value to the appropriate size in Megabytes to cause the system to notify the user of an issue.

References: 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 APO11.04 APO12.06 APO13.01 BAI03.05 BAI04.04 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 MEA02.01 CCI-001855 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 7.1 SR 7.2 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.16.1.4 A.16.1.5 A.16.1.7 A.17.2.1 AU-1(b) AU-4 AU-5(b) IR-5 DE.AE-3 DE.AE-5 PR.DS-4 PR.PT-1 RS.AN-1 RS.AN-4 Req-10.7 SRG-OS-000343-GPOS-00134 RHEL-07-030330 SV-86713r3_rule

Rationale: Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.
Identifiers: CCE-80537-4

Remediation Shell script:

    var_auditd_space_left=""
    grep -q "^space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \
      sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf || \
      echo "space_left = $var_auditd_space_left" >> /etc/audit/auditd.conf

Remediation Ansible snippet:

    - name: XCCDF Value var_auditd_space_left # promote to variable
      set_fact:
        var_auditd_space_left: !!str
      tags:
        - always

    - name: Configure auditd space_left on Low Disk Space
      lineinfile:
        dest: /etc/audit/auditd.conf
        line: "space_left = {{ var_auditd_space_left }}"
        regexp: '^\s*space_left\s*=\s*.*$'
        state: present
      #notify: reload auditd
      tags:
        - auditd_data_retention_space_left
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80537-4
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-4
        - NIST-800-53-AU-5(b)
        - NIST-800-53-IR-5
        - PCI-DSS-Req-10.7
        - DISA-STIG-RHEL-07-030330
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure auditd admin_space_left Action on Low Disk Space

The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:

    admin_space_left_action = ACTION

Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include suspend and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.
References: RHEL-07-030340 SV-86715r2_rule 5.2.1.2 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 5.4.1.1 APO11.04 APO12.06 APO13.01 BAI03.05 BAI04.04 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 MEA02.01 3.3.1 CCI-000140 CCI-001343 164.312(a)(2)(ii) 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 7.1 SR 7.2 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.16.1.4 A.16.1.5 A.16.1.7 A.17.2.1 AU-1(b) AU-4 AU-5(b) IR-5 DE.AE-3 DE.AE-5 PR.DS-4 PR.PT-1 RS.AN-1 RS.AN-4 Req-10.7

Rationale: Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.

Identifiers: CCE-27370-6

Remediation Shell script:

    var_auditd_admin_space_left_action=""
    AUDITCONFIG=/etc/audit/auditd.conf
    replace_or_append $AUDITCONFIG '^admin_space_left_action' "$var_auditd_admin_space_left_action" "CCE-27370-6"

Remediation Ansible snippet:

    - name: XCCDF Value var_auditd_admin_space_left_action # promote to variable
      set_fact:
        var_auditd_admin_space_left_action: !!str
      tags:
        - always

    - name: Configure auditd admin_space_left Action on Low Disk Space
      lineinfile:
        dest: /etc/audit/auditd.conf
        line: "admin_space_left_action = {{ var_auditd_admin_space_left_action }}"
        regexp: '^\s*admin_space_left_action\s*=\s*.*$'
        state: present
      #notify: reload auditd
      tags:
        - auditd_data_retention_admin_space_left_action
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27370-6
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-4
        - NIST-800-53-AU-5(b)
        - NIST-800-53-IR-5
        - NIST-800-171-3.3.1
        - PCI-DSS-Req-10.7
        - CJIS-5.4.1.1
        - DISA-STIG-RHEL-07-030340
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure auditd max_log_file_action Upon Reaching Maximum Log Size

The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by auditd, add or correct the line in /etc/audit/auditd.conf:

    max_log_file_action = ACTION

Possible values for ACTION are described in the auditd.conf man page. These include: syslog, suspend, rotate, keep_logs. Set the ACTION to rotate to ensure log rotation occurs. This is the default. The setting is case-insensitive.

References: 5.2.1.3 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 5.4.1.1 APO11.04 APO12.06 APO13.01 BAI03.05 BAI04.04 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 MEA02.01 164.312(a)(2)(ii) 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 7.1 SR 7.2 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.16.1.4 A.16.1.5 A.16.1.7 A.17.2.1 AU-1(b) AU-4 AU-11 IR-5 DE.AE-3 DE.AE-5 PR.DS-4 PR.PT-1 RS.AN-1 RS.AN-4 Req-10.7

Rationale: Automatically rotating logs (by setting this to rotate) minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, keep_logs can be employed.
Identifiers: CCE-27231-0

Remediation Shell script:

    var_auditd_max_log_file_action=""
    AUDITCONFIG=/etc/audit/auditd.conf
    replace_or_append $AUDITCONFIG '^max_log_file_action' "$var_auditd_max_log_file_action" "CCE-27231-0"

Remediation Ansible snippet:

    - name: XCCDF Value var_auditd_max_log_file_action # promote to variable
      set_fact:
        var_auditd_max_log_file_action: !!str
      tags:
        - always

    - name: Configure auditd max_log_file_action Upon Reaching Maximum Log Size
      lineinfile:
        dest: /etc/audit/auditd.conf
        line: "max_log_file_action = {{ var_auditd_max_log_file_action }}"
        regexp: '^\s*max_log_file_action\s*=\s*.*$'
        state: present
      #notify: reload auditd
      tags:
        - auditd_data_retention_max_log_file_action
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27231-0
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-4
        - NIST-800-53-AU-11
        - NIST-800-53-IR-5
        - PCI-DSS-Req-10.7
        - CJIS-5.4.1.1
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure auditd space_left Action on Low Disk Space

The auditd service can be configured to take an action when disk space starts to run low. Edit the file /etc/audit/auditd.conf. Modify the following line, substituting ACTION appropriately:

    space_left_action = ACTION

Possible values for ACTION are described in the auditd.conf man page. These include: syslog, email, exec, suspend, single, halt. Set this to email (instead of the default, which is suspend) as it is more likely to get prompt attention. Acceptable values also include suspend, single, and halt.
References: RHEL-07-030340 SV-86715r2_rule 5.2.1.2 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 5.4.1.1 APO11.04 APO12.06 APO13.01 BAI03.05 BAI04.04 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 MEA02.01 3.3.1 CCI-001855 164.312(a)(2)(ii) 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 7.1 SR 7.2 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.16.1.4 A.16.1.5 A.16.1.7 A.17.2.1 AU-1(b) AU-4 AU-5(1) AU-5(b) IR-5 DE.AE-3 DE.AE-5 PR.DS-4 PR.PT-1 RS.AN-1 RS.AN-4 Req-10.7 SRG-OS-000343-GPOS-00134

Rationale: Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.

Identifiers: CCE-27375-5

Remediation Shell script:

    var_auditd_space_left_action=""
    #
    # If space_left_action present in /etc/audit/auditd.conf, change value
    # to var_auditd_space_left_action, else
    # add "space_left_action = $var_auditd_space_left_action" to /etc/audit/auditd.conf
    #
    AUDITCONFIG=/etc/audit/auditd.conf
    replace_or_append $AUDITCONFIG '^space_left_action' "$var_auditd_space_left_action" "CCE-27375-5"

Remediation Ansible snippet:

    - name: XCCDF Value var_auditd_space_left_action # promote to variable
      set_fact:
        var_auditd_space_left_action: !!str
      tags:
        - always

    - name: Configure auditd space_left Action on Low Disk Space
      lineinfile:
        dest: /etc/audit/auditd.conf
        line: "space_left_action = {{ var_auditd_space_left_action }}"
        regexp: '^\s*space_left_action\s*=\s*.*$'
        state: present
      #notify: reload auditd
      tags:
        - auditd_data_retention_space_left_action
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27375-5
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-4
        - NIST-800-53-AU-5(1)
        - NIST-800-53-AU-5(b)
        - NIST-800-53-IR-5
        - NIST-800-171-3.3.1
        - PCI-DSS-Req-10.7
        - CJIS-5.4.1.1
        - DISA-STIG-RHEL-07-030340
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure auditd Number of Logs Retained

Determine how many log files auditd should retain when it rotates logs. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting NUMLOGS with the correct value of :

    num_logs = NUMLOGS

Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.

References: 1 11 12 13 14 15 16 19 3 4 5 6 7 8 5.4.1.1 APO11.04 APO12.06 BAI03.05 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 MEA02.01 3.3.1 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.16.1.4 A.16.1.5 A.16.1.7 AU-1(b) AU-11 IR-5 DE.AE-3 DE.AE-5 PR.PT-1 RS.AN-1 RS.AN-4 Req-10.7

Rationale: The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.

Identifiers: CCE-27348-2

Remediation Shell script:

    var_auditd_num_logs=""
    AUDITCONFIG=/etc/audit/auditd.conf
    replace_or_append $AUDITCONFIG '^num_logs' "$var_auditd_num_logs" "CCE-27348-2"

Remediation Ansible snippet:

    - name: XCCDF Value var_auditd_num_logs # promote to variable
      set_fact:
        var_auditd_num_logs: !!str
      tags:
        - always

    - name: Configure auditd Number of Logs Retained
      lineinfile:
        dest: /etc/audit/auditd.conf
        line: "num_logs = {{ var_auditd_num_logs }}"
        regexp: '^\s*num_logs\s*=\s*.*$'
        state: present
      #notify: reload auditd
      tags:
        - auditd_data_retention_num_logs
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27348-2
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-11
        - NIST-800-53-IR-5
        - NIST-800-171-3.3.1
        - PCI-DSS-Req-10.7
        - CJIS-5.4.1.1
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure Logrotate Runs Periodically

The logrotate utility allows for the automatic rotation of log files. The frequency of rotation is specified in /etc/logrotate.conf, which triggers a cron task.
To configure logrotate to run daily, add or correct the following line in /etc/logrotate.conf:

    # rotate log files frequency
    daily

References: 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 CCI-000366 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-9 PR.PT-1 Req-10.7

Rationale: Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.

Identifiers: CCE-80195-1

Remediation Shell script:

    LOGROTATE_CONF_FILE="/etc/logrotate.conf"
    CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"

    # daily rotation is configured
    grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE

    # remove any line configuring weekly, monthly or yearly rotation
    sed -i -r "/^(weekly|monthly|yearly)$/d" $LOGROTATE_CONF_FILE

    # configure cron.daily if not already
    if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
        echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
        echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
    fi

PCI DSS requirement and testing-procedure headings (titles truncated in the source):
10.7.a Examine security policies and procedures to verify that they

Configure auditd mail_acct Action on Low Disk Space

The auditd service can be configured to send email to a designated account in certain situations.
Add or correct the following line in /etc/audit/auditd.conf to ensure that administrators are notified via email for those situations:

    action_mail_acct = 

References: RHEL-07-030350 SV-86717r3_rule 5.2.1.2 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 5.4.1.1 APO11.04 APO12.06 APO13.01 BAI03.05 BAI04.04 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 MEA02.01 3.3.1 CCI-001855 164.312(a)(2)(ii) 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 7.1 SR 7.2 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.16.1.4 A.16.1.5 A.16.1.7 A.17.2.1 AU-1(b) AU-4 AU-5(1) AU-5(a) IR-5 DE.AE-3 DE.AE-5 PR.DS-4 PR.PT-1 RS.AN-1 RS.AN-4 Req-10.7.a SRG-OS-000343-GPOS-00134

Rationale: Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.

Identifiers: CCE-27394-6

Remediation Shell script:

    var_auditd_action_mail_acct=""
    AUDITCONFIG=/etc/audit/auditd.conf
    replace_or_append $AUDITCONFIG '^action_mail_acct' "$var_auditd_action_mail_acct" "CCE-27394-6"

Remediation Ansible snippet:

    - name: XCCDF Value var_auditd_action_mail_acct # promote to variable
      set_fact:
        var_auditd_action_mail_acct: !!str
      tags:
        - always

    - name: Configure auditd mail_acct Action on Low Disk Space
      lineinfile:
        dest: /etc/audit/auditd.conf
        line: "action_mail_acct = {{ var_auditd_action_mail_acct }}"
        # match an existing definition so it is replaced rather than duplicated, as the sibling tasks do
        regexp: '^\s*action_mail_acct\s*=\s*.*$'
        state: present
      #notify: reload auditd
      tags:
        - auditd_data_retention_action_mail_acct
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27394-6
        - NIST-800-53-AU-1(b)
        - NIST-800-53-AU-4
        - NIST-800-53-AU-5(1)
        - NIST-800-53-AU-5(a)
        - NIST-800-53-IR-5
        - NIST-800-171-3.3.1
        - PCI-DSS-Req-10.7.a
        - CJIS-5.4.1.1
        - DISA-STIG-RHEL-07-030350
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

PCI DSS requirement and testing-procedure headings (titles truncated in the source):
10.7.b Interview personnel and examine audit logs to verify that
10.7.c Interview personnel and observe processes to verify that at
10.8 Ensure that security
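The auditd.conf data-retention and low-disk-space settings covered by the rules above (max_log_file, num_logs, max_log_file_action, space_left, space_left_action, admin_space_left, admin_space_left_action, action_mail_acct), as one added read-only check. This is example code of its own, not SSG's remediation or its replace_or_append helper; it takes an auditd.conf path as its argument, applies the thresholds the rules above recommend, reports the approximate on-disk retention (max_log_file times num_logs), and flags the ordering constraint a practitioner trips over when editing these values by hand: auditd refuses to start unless space_left is larger than admin_space_left. The two configurations in write_weak_conf and write_hardened_conf are constructed for the demonstration, and "last definition wins" is this example's parsing choice.

```bash
#!/bin/bash
# Added example, not SSG code: a read-only check of auditd data-retention and
# low-disk-space settings against the guidance above. Usage:
#   bash auditd_retention_check.sh /etc/audit/auditd.conf
#   bash auditd_retention_check.sh --demo   (runs the two constructed configurations)

# conf_get FILE KEY: value of KEY in an auditd.conf-style "key = value" file
# (last definition wins in this example; whitespace around "=" is ignored).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# check_auditd_retention FILE: print one finding per line; exit status 1 if any
check_auditd_retention() {
    f=$1; rc=0
    max_log_file=$(conf_get "$f" max_log_file)
    num_logs=$(conf_get "$f" num_logs)
    max_action=$(conf_get "$f" max_log_file_action | tr 'A-Z' 'a-z')
    space_left=$(conf_get "$f" space_left)
    space_action=$(conf_get "$f" space_left_action | tr 'A-Z' 'a-z')
    admin_space_left=$(conf_get "$f" admin_space_left)
    admin_action=$(conf_get "$f" admin_space_left_action | tr 'A-Z' 'a-z')
    mail_acct=$(conf_get "$f" action_mail_acct)

    [ "${max_log_file:-0}" -ge 6 ] \
        || { echo "max_log_file=${max_log_file:-unset}: set to 6 (MB) or higher"; rc=1; }
    [ "${num_logs:-0}" -ge 2 ] \
        || { echo "num_logs=${num_logs:-unset}: values below 2 mean no log rotation"; rc=1; }
    case $max_action in
        rotate|keep_logs) ;;
        *) echo "max_log_file_action=${max_action:-unset}: use rotate (or keep_logs if nothing may be discarded)"; rc=1 ;;
    esac
    case $space_action in
        email|exec|syslog|suspend|single|halt) ;;
        *) echo "space_left_action=${space_action:-unset}: set to email, or another value that alerts an administrator"; rc=1 ;;
    esac
    case $admin_action in
        single|suspend|halt) ;;
        *) echo "admin_space_left_action=${admin_action:-unset}: set to single, suspend or halt"; rc=1 ;;
    esac
    [ -n "$mail_acct" ] \
        || { echo "action_mail_acct unset: email actions have no recipient"; rc=1; }
    if [ -n "$space_left" ] && [ -n "$admin_space_left" ]; then
        # auditd refuses to start unless space_left is larger than admin_space_left
        [ "$space_left" -gt "$admin_space_left" ] \
            || { echo "space_left=$space_left must be larger than admin_space_left=$admin_space_left"; rc=1; }
    else
        echo "space_left/admin_space_left: set both thresholds explicitly"; rc=1
    fi
    if [ -n "$max_log_file" ] && [ -n "$num_logs" ]; then
        echo "retention on disk: about $((max_log_file * num_logs)) MB (max_log_file * num_logs)"
    fi
    return $rc
}

# Constructed configurations for the demonstration, not a live /etc/audit/auditd.conf.
write_weak_conf() {
    cat > "$1" <<'EOF'
# constructed: values an unattended install might leave behind
max_log_file = 5
num_logs = 1
max_log_file_action = IGNORE
space_left = 50
space_left_action = ignore
admin_space_left = 75
admin_space_left_action = ignore
EOF
}

write_hardened_conf() {
    cat > "$1" <<'EOF'
# constructed: values matching the guidance above
max_log_file = 6
num_logs = 5
max_log_file_action = ROTATE
space_left = 100
space_left_action = email
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = single
EOF
}

if [ "${1:-}" = "--demo" ]; then
    for writer in write_weak_conf write_hardened_conf; do
        tmp=$(mktemp); "$writer" "$tmp"
        echo "== $writer"
        check_auditd_retention "$tmp" || echo "== findings above; fix before relying on audit retention"
        rm -f "$tmp"
    done
elif [ -n "${1:-}" ]; then
    check_auditd_retention "$1"
fi
```

The weak configuration produces seven findings plus the retention line; the hardened one produces only the retention line (30 MB) and a zero exit status. Run it after any of the remediations above and before restarting auditd, since a space_left that is not larger than admin_space_left is exactly the kind of edit that leaves the daemon refusing to start.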
policies and
11. Regularly test security systems and processes
11.1 Implement processes to test for the
11.1.1 Maintain an inventory of
11.1.2 Implement incident response
11.1.2.a
11.1.2.b Interview responsible personnel and/or inspect
11.1.a Examine policies and procedures to verify processes
11.1.b Verify that the methodology is adequate to detect and
11.1.c If wireless scanning is utilized, examine output from
11.1.d If automated monitoring is utilized (for example,
11.2 Run internal and external network
11.2.1 Perform quarterly internal
11.2.1.a Review the scan reports and verify that four
11.2.1.b Review the scan reports and verify that the scan
11.2.2 Perform quarterly external
11.2.2.c Review the scan reports to verify that the scans
11.2.3 Perform internal and external
11.2.3.a Inspect and correlate change control
11.2.3.b Review scan reports and verify that the scan
11.2.3.c Validate that the scan was performed by a qualified
11.3 Implement a methodology for
11.3.1 Perform
11.3.1.a Examine the scope of work and results from the
11.3.1.b Verify that the test was performed by a qualified
11.3.2 Perform
11.3.2.a Examine the scope of work and results from the
11.3.2.b Verify that the test was performed by a qualified
11.3.3 Exploitable vulnerabilities found
11.3.4 If segmentation is used to isolate
11.3.4.a Examine segmentation controls and review
11.3.4.b Examine the results from the most recent
11.4 Use intrusion-detection and/or

Install the Policy Auditor (PA) Module

Install the Policy Auditor (PA) Module. Due to McAfee being 3rd party software, automated remediation is not available for this configuration check.
References: 1 11 12 13 14 15 16 18 19 2 3 4 5 6 7 8 9 APO01.06 APO07.06 APO08.04 APO10.05 APO11.06 APO12.01 APO12.02 APO12.03 APO12.04 APO12.06 APO13.01 APO13.02 BAI08.02 BAI08.04 DSS01.03 DSS01.05 DSS02.04 DSS02.05 DSS02.07 DSS03.01 DSS03.04 DSS03.05 DSS04.05 DSS05.01 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.01 DSS06.02 MEA03.03 MEA03.04 CCI-000366 CCI-001263 4.2.3 4.2.3.12 4.2.3.7 4.2.3.9 4.3.3.4 4.3.4.5.2 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.3.4.5.9 4.4.3.2 4.4.3.3 4.4.3.4 SR 2.10 SR 2.11 SR 2.12 SR 2.4 SR 2.8 SR 2.9 SR 3.1 SR 3.3 SR 3.5 SR 3.8 SR 3.9 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.4.1 A.12.4.3 A.12.5.1 A.12.6.1 A.12.6.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.7 A.14.2.8 A.15.2.1 A.16.1.1 A.16.1.2 A.16.1.3 A.16.1.4 A.16.1.5 A.16.1.6 A.16.1.7 A.18.1.4 A.18.2.2 A.18.2.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 Clause 16.1.2 Clause 7.4 SC-7 SI-4(1).1 DE.AE-1 DE.AE-2 DE.AE-3 DE.AE-4 DE.CM-1 DE.CM-5 DE.CM-6 DE.CM-7 DE.DP-2 DE.DP-3 DE.DP-4 DE.DP-5 ID.RA-1 PR.AC-5 PR.DS-5 PR.IP-8 PR.PT-4 RS.AN-1 RS.CO-3 Req-11.4 STG-OS-000480-GPOS-00227

Rationale: Without a host-based intrusion detection tool, there is no system-level defense when an intruder gains access to a system or network. Additionally, a host-based intrusion prevention tool can provide methods to immediately lock out detected intrusion attempts.

Identifiers: CCE-80369-2

Install the Asset Configuration Compliance Module (ACCM)

Install the Asset Configuration Compliance Module (ACCM). Due to HBSS ACCM being 3rd party software, automated remediation is not available for this configuration check.
References: 1 11 12 13 14 15 16 18 19 2 3 4 5 6 7 8 9 APO01.06 APO07.06 APO08.04 APO10.05 APO11.06 APO12.01 APO12.02 APO12.03 APO12.04 APO12.06 APO13.01 APO13.02 BAI08.02 BAI08.04 DSS01.03 DSS01.05 DSS02.04 DSS02.05 DSS02.07 DSS03.01 DSS03.04 DSS03.05 DSS04.05 DSS05.01 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.01 DSS06.02 MEA03.03 MEA03.04 CCI-000366 CCI-001263 4.2.3 4.2.3.12 4.2.3.7 4.2.3.9 4.3.3.4 4.3.4.5.2 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.3.4.5.9 4.4.3.2 4.4.3.3 4.4.3.4 SR 2.10 SR 2.11 SR 2.12 SR 2.4 SR 2.8 SR 2.9 SR 3.1 SR 3.3 SR 3.5 SR 3.8 SR 3.9 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.4.1 A.12.4.3 A.12.5.1 A.12.6.1 A.12.6.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.7 A.14.2.8 A.15.2.1 A.16.1.1 A.16.1.2 A.16.1.3 A.16.1.4 A.16.1.5 A.16.1.6 A.16.1.7 A.18.1.4 A.18.2.2 A.18.2.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 Clause 16.1.2 Clause 7.4 SC-7 SI-4(1).1 DE.AE-1 DE.AE-2 DE.AE-3 DE.AE-4 DE.CM-1 DE.CM-5 DE.CM-6 DE.CM-7 DE.DP-2 DE.DP-3 DE.DP-4 DE.DP-5 ID.RA-1 PR.AC-5 PR.DS-5 PR.IP-8 PR.PT-4 RS.AN-1 RS.CO-3 Req-11.4 STG-OS-000480-GPOS-00227

Rationale: Without a host-based intrusion detection tool, there is no system-level defense when an intruder gains access to a system or network. Additionally, a host-based intrusion prevention tool can provide methods to immediately lock out detected intrusion attempts.

Identifiers: CCE-80126-6

Install the Host Intrusion Prevention System (HIPS) Module

Install the McAfee Host Intrusion Prevention System (HIPS) Module if it is absolutely necessary. If SELinux is enabled, do not install or enable this module. Installing and enabling this module conflicts with SELinux. Per DoD/DISA guidance, SELinux takes precedence over this module. Due to McAfee HIPS being 3rd party software, automated remediation is not available for this configuration check.
References: 1 11 12 13 14 15 16 18 19 2 3 4 5 6 7 8 9 APO01.06 APO07.06 APO08.04 APO10.05 APO11.06 APO12.01 APO12.02 APO12.03 APO12.04 APO12.06 APO13.01 APO13.02 BAI08.02 BAI08.04 DSS01.03 DSS01.05 DSS02.04 DSS02.05 DSS02.07 DSS03.01 DSS03.04 DSS03.05 DSS04.05 DSS05.01 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.01 DSS06.02 MEA03.03 MEA03.04 CCI-000366 CCI-001263 4.2.3 4.2.3.12 4.2.3.7 4.2.3.9 4.3.3.4 4.3.4.5.2 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.3.4.5.9 4.4.3.2 4.4.3.3 4.4.3.4 SR 2.10 SR 2.11 SR 2.12 SR 2.4 SR 2.8 SR 2.9 SR 3.1 SR 3.3 SR 3.5 SR 3.8 SR 3.9 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.4.1 A.12.4.3 A.12.5.1 A.12.6.1 A.12.6.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.7 A.14.2.8 A.15.2.1 A.16.1.1 A.16.1.2 A.16.1.3 A.16.1.4 A.16.1.5 A.16.1.6 A.16.1.7 A.18.1.4 A.18.2.2 A.18.2.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 Clause 16.1.2 Clause 7.4 SC-7 SI-4(1).1 DE.AE-1 DE.AE-2 DE.AE-3 DE.AE-4 DE.CM-1 DE.CM-5 DE.CM-6 DE.CM-7 DE.DP-2 DE.DP-3 DE.DP-4 DE.DP-5 ID.RA-1 PR.AC-5 PR.DS-5 PR.IP-8 PR.PT-4 RS.AN-1 RS.CO-3 Req-11.4 STG-OS-000480-GPOS-00227

Rationale: Without a host-based intrusion detection tool, there is no system-level defense when an intruder gains access to a system or network. Additionally, a host-based intrusion prevention tool can provide methods to immediately lock out detected intrusion attempts.

Identifiers: CCE-80368-4

Install Intrusion Detection Software

The base Red Hat Enterprise Linux 7 platform already includes a sophisticated auditing system that can detect intruder activity, as well as SELinux, which provides host-based intrusion prevention capabilities by confining privileged programs and user sessions which may become compromised. Note in DoD environments, supplemental intrusion detection tools, such as the McAfee Host-based Security System, are available to integrate with existing infrastructure.
When these supplemental tools interfere with proper functioning of SELinux, SELinux takes precedence.

References: 1 12 13 14 15 16 18 7 8 9 APO01.06 APO13.01 DSS01.03 DSS01.05 DSS03.05 DSS05.02 DSS05.04 DSS05.07 DSS06.02 CCI-001263 4.3.3.4 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.2 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 SC-7 DE.CM-1 PR.AC-5 PR.DS-5 PR.PT-4 Req-11.4

Rationale: Host-based intrusion detection tools provide a system-level defense when an intruder gains access to a system or network.

Identifiers: CCE-26818-5

PCI DSS requirement and testing-procedure headings (titles truncated in the source):
11.4.a Examine system configurations and network diagrams
11.4.b Examine system configurations and interview
11.4.c Examine IDS/IPS configurations and vendor
11.5 Deploy a change-detection

Verify and Correct File Permissions with RPM

The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions of system files and commands match vendor values. Check the file permissions with the following command:

    $ sudo rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }'

Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it:

    $ rpm -qf FILENAME

Next, run the following command to reset its permissions to the correct values:

    $ sudo rpm --setperms PACKAGENAME

Note: Due to a bug in the gdm package, the RPM verify command may continue to fail even after file permissions have been correctly set on /var/log/gdm. This is being tracked in Red Hat Bugzilla #1277603.
Identifiers and References: RHEL-07-010010 SV-86473r3_rule 1.2.6 6.1.3 6.1.4 6.1.5 6.1.6 6.1.7 6.1.8 6.1.9 6.2.3 1 11 12 13 14 15 16 18 3 5 6 9 5.10.4.1 APO01.06 APO11.04 BAI03.05 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.04 DSS05.07 DSS06.02 MEA02.01 3.3.8 3.4.1 CCI-001494 CCI-001496 164.308(a)(1)(ii)(D) 164.312(b) 164.312(c)(1) 164.312(c)(2) 164.312(e)(2)(i) 4.3.3.3.9 4.3.3.5.8 4.3.3.7.3 4.3.4.3.2 4.3.4.3.3 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 5.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.5.1 A.12.6.2 A.12.7.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 AU-9(1) AU-9(3) CM-6(d) CM-6(3) PR.AC-4 PR.DS-5 PR.IP-1 PR.PT-1 Req-11.5 SRG-OS-000257-GPOS-00098 SRG-OS-000278-GPOS-00108

Rationale: Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.
CCE Identifier: CCE-27209-6

Remediation Shell script:

    # Declare array to hold list of RPM packages we need to correct permissions for
    declare -a SETPERMS_RPM_LIST
    # Create a list of files on the system having permissions different from what
    # is expected by the RPM database
    FILES_WITH_INCORRECT_PERMS=($(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }'))
    # For each file path from that list:
    # * Determine the RPM package the file path is shipped by,
    # * Include it into SETPERMS_RPM_LIST array
    for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
    do
        RPM_PACKAGE=$(rpm -qf "$FILE_PATH")
        SETPERMS_RPM_LIST=("${SETPERMS_RPM_LIST[@]}" "$RPM_PACKAGE")
    done
    # Remove duplicate mention of same RPM in $SETPERMS_RPM_LIST (if any)
    SETPERMS_RPM_LIST=( $(echo "${SETPERMS_RPM_LIST[@]}" | tr ' ' '\n' | sort -u | tr '\n' ' ') )
    # For each of the RPM packages left in the list -- reset its permissions to the
    # correct values
    for RPM_PACKAGE in "${SETPERMS_RPM_LIST[@]}"
    do
        rpm --setperms "${RPM_PACKAGE}"
    done

Remediation Ansible snippet:

    - name: "Read list of files with incorrect permissions"
      shell: "rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)==\"M\") print $NF }'"
      args:
        warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect permissions using rpm module
      register: files_with_incorrect_permissions
      failed_when: False
      changed_when: False
      check_mode: no
      tags:
        - rpm_verify_permissions
        - high_severity
        - restrict_strategy
        - high_complexity
        - medium_disruption
        - CCE-27209-6
        - NIST-800-53-AC-6
        - NIST-800-53-AU-9(1)
        - NIST-800-53-AU-9(3)
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-171-3.3.8
        - NIST-800-171-3.4.1
        - PCI-DSS-Req-11.5
        - CJIS-5.10.4.1
        - DISA-STIG-RHEL-07-010010

    - name: "Correct file permissions with RPM"
      shell: "rpm --setperms $(rpm -qf '{{ item }}')"
      args:
        warn: False # Ignore ANSIBLE0006, we can't correct permissions using rpm module
      with_items: "{{ files_with_incorrect_permissions.stdout_lines }}"
      when: (files_with_incorrect_permissions.stdout_lines | length > 0) and True
      tags:
        - rpm_verify_permissions
        - high_severity
        - restrict_strategy
        - high_complexity
        - medium_disruption
        - CCE-27209-6
        - NIST-800-53-AC-6
        - NIST-800-53-AU-9(1)
        - NIST-800-53-AU-9(3)
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-171-3.3.8
        - NIST-800-171-3.4.1
        - PCI-DSS-Req-11.5
        - CJIS-5.10.4.1
        - DISA-STIG-RHEL-07-010010

Verify and Correct Ownership with RPM

The RPM package management system can check the file ownership of installed software packages, including many that are important to system security. Files whose owner or group differs from the vendor values can be found with the following command:

    rpm -Va | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }'

After locating a file with incorrect ownership, run the following command to determine which package owns it:

    $ rpm -qf FILENAME

Next, run the following command to reset its ownership to the correct values:

    $ sudo rpm --setugids PACKAGENAME

Note: Due to a bug in the gdm package, the RPM verify command may continue to fail even after file permissions have been correctly set on /var/log/gdm. This is being tracked in Red Hat Bugzilla #1277603.

Identifiers and References: 1.2.6 6.1.3 6.1.4 6.1.5 6.1.6 6.1.7 6.1.8 6.1.9 6.2.3 1 11 12 13 14 15 16 18 3 5 6 9 5.10.4.1 APO01.06 APO11.04 BAI03.05 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.04 DSS05.07 DSS06.02 MEA02.01 3.3.8 3.4.1 CCI-001494 CCI-001496 4.3.3.3.9 4.3.3.5.8 4.3.3.7.3 4.3.4.3.2 4.3.4.3.3 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 5.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.5.1 A.12.6.2 A.12.7.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 AU-9(1) AU-9(3) CM-6(d) CM-6(3) PR.AC-4 PR.DS-5 PR.IP-1 PR.PT-1 Req-11.5 SRG-OS-000257-GPOS-00098 SRG-OS-000278-GPOS-00108

Rationale: Ownership of binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have.
The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.

CCE Identifier: CCE-80545-7

Remediation Shell script:

    # Declare array to hold list of RPM packages we need to correct permissions for
    SETPERMS_RPM_LIST=()
    # Create a list of files on the system having permissions different from what
    # is expected by the RPM database
    FILES_WITH_INCORRECT_PERMS=($(rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }'))
    # For each file path from that list:
    # * Determine the RPM package the file path is shipped by,
    # * Include it into SETPERMS_RPM_LIST array
    for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
    do
        RPM_PACKAGE=$(rpm -qf "$FILE_PATH")
        SETPERMS_RPM_LIST+=("$RPM_PACKAGE")
    done
    # Remove duplicate mention of same RPM in $SETPERMS_RPM_LIST (if any)
    SETPERMS_RPM_LIST=( $(printf "%s\n" "${SETPERMS_RPM_LIST[@]}" | sort -u) )
    # For each of the RPM packages left in the list -- reset its permissions to the
    # correct values
    for RPM_PACKAGE in "${SETPERMS_RPM_LIST[@]}"
    do
        rpm --setugids "${RPM_PACKAGE}"
    done

Remediation Ansible snippet:

    - name: "Read list of files with incorrect ownership"
      shell: "rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)==\"U\" || substr($0,7,1)==\"G\") print $NF }'"
      args:
        warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect ownership using rpm module
      register: files_with_incorrect_ownership
      failed_when: False
      changed_when: False
      check_mode: no
      tags:
        - rpm_verify_ownership
        - high_severity
        - restrict_strategy
        - high_complexity
        - medium_disruption
        - CCE-80545-7
        - NIST-800-53-AC-6
        - NIST-800-53-AU-9(1)
        - NIST-800-53-AU-9(3)
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-171-3.3.8
        - NIST-800-171-3.4.1
        - PCI-DSS-Req-11.5
        - CJIS-5.10.4.1

    - name: Create list of uniq packages
      # join(' ') passes the paths to rpm as separate words; without it the list is
      # rendered as a Python list literal, which rpm -qf cannot resolve
      shell: "rpm -qf {{ files_with_incorrect_ownership.stdout_lines | join(' ') }} | sort | uniq"
      args:
        warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect ownership using rpm module
      register: uniq_list_of_packages
      when: (files_with_incorrect_ownership.stdout_lines | length > 0) and True
      tags:
        - rpm_verify_ownership
        - high_severity
        - restrict_strategy
        - high_complexity
        - medium_disruption
        - CCE-80545-7
        - NIST-800-53-AC-6
        - NIST-800-53-AU-9(1)
        - NIST-800-53-AU-9(3)
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-171-3.3.8
        - NIST-800-171-3.4.1
        - PCI-DSS-Req-11.5
        - CJIS-5.10.4.1

    - name: "Correct file ownership with RPM"
      shell: "rpm --quiet --setugids '{{ item }}'"
      args:
        warn: False # Ignore ANSIBLE0006, we can't correct ownership using rpm module
      with_items: "{{ uniq_list_of_packages.stdout_lines }}"
      when: (files_with_incorrect_ownership.stdout_lines | length > 0) and True
      tags:
        - rpm_verify_ownership
        - high_severity
        - restrict_strategy
        - high_complexity
        - medium_disruption
        - CCE-80545-7
        - NIST-800-53-AC-6
        - NIST-800-53-AU-9(1)
        - NIST-800-53-AU-9(3)
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-171-3.3.8
        - NIST-800-171-3.4.1
        - PCI-DSS-Req-11.5
        - CJIS-5.10.4.1

Verify File Hashes with RPM

Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package management system can check the hashes of installed software packages, including many that are important to system security. To verify that the cryptographic hashes of system files and commands match vendor values, run the following command to list which files on the system have hashes that differ from what is expected by the RPM database:

    $ rpm -Va | grep '^..5'

A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file was not expected to change, investigate the cause of the change using audit logs or other means. The package can then be reinstalled to restore the file.
Run the following command to determine which package owns the file:

    $ rpm -qf FILENAME

The package can be reinstalled from a yum repository using the command:

    $ sudo yum reinstall PACKAGENAME

Alternatively, the package can be reinstalled from trusted media using the command:

    $ sudo rpm -Uvh PACKAGENAME

Identifiers and References: RHEL-07-010020 SV-86479r3_rule 1.2.6 11 2 3 9 5.10.4.1 APO01.06 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS06.02 3.3.8 3.4.1 CCI-000663 164.308(a)(1)(ii)(D) 164.312(b) 164.312(c)(1) 164.312(c)(2) 164.312(e)(2)(i) 4.3.4.3.2 4.3.4.3.3 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 SR 7.6 A.11.2.4 A.12.1.2 A.12.2.1 A.12.5.1 A.12.6.2 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 CM-6(d) CM-6(3) SI-7(1) PR.DS-6 PR.DS-8 PR.IP-1 Req-11.5 SRG-OS-000480-GPOS-00227

Rationale: The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.

CCE Identifier: CCE-27157-7

Remediation Shell script:

    # Find which files have an incorrect hash, excluding /etc (it holds the system
    # configuration files, whose hashes are expected to change), and extract the file names
    files_with_incorrect_hash="$(rpm -Va | grep -E '^..5.* /(bin|sbin|lib|lib64|usr)/' | awk '{print $NF}' )"
    # Nothing to do when no file differs: rpm -qf and yum reinstall both fail on an empty list
    if [ -n "$files_with_incorrect_hash" ]; then
        # From the file names get the package names and change newlines to spaces,
        # because rpm writes each package on a new line
        packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
        yum reinstall -y $packages_to_reinstall
    fi

Remediation Ansible snippet:

    - name: "Set fact: Package manager reinstall command (dnf)"
      set_fact:
        package_manager_reinstall_cmd: dnf reinstall -y
      when: ansible_distribution == "Fedora" and True
      tags:
        - rpm_verify_hashes
        - high_severity
        - unknown_strategy
        - high_complexity
        - medium_disruption
        - CCE-27157-7
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-53-SI-7(1)
        - NIST-800-171-3.3.8
        - NIST-800-171-3.4.1
        - PCI-DSS-Req-11.5
        - CJIS-5.10.4.1
        - DISA-STIG-RHEL-07-010020

    - name: "Set fact: Package manager reinstall command (yum)"
      set_fact:
        package_manager_reinstall_cmd: yum reinstall -y
      when: (ansible_distribution == "RedHat" or ansible_distribution == "OracleLinux") and True
      tags:
        - rpm_verify_hashes
        - high_severity
        - unknown_strategy
        - high_complexity
        - medium_disruption
        - CCE-27157-7
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-53-SI-7(1)
        - NIST-800-171-3.3.8
        - NIST-800-171-3.4.1
        - PCI-DSS-Req-11.5
        - CJIS-5.10.4.1
        - DISA-STIG-RHEL-07-010020

    - name: "Read files with incorrect hash"
      shell: "rpm -Va | grep -E '^..5.* /(bin|sbin|lib|lib64|usr)/' | awk '{print $NF}'"
      args:
        warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect hash using rpm module
      register: files_with_incorrect_hash
      changed_when: False
      when: (package_manager_reinstall_cmd is defined) and True
      check_mode: no
      tags:
        - rpm_verify_hashes
        - high_severity
        - unknown_strategy
        - high_complexity
        - medium_disruption
        - CCE-27157-7
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-53-SI-7(1)
        - NIST-800-171-3.3.8
        - NIST-800-171-3.4.1
        - PCI-DSS-Req-11.5
        - CJIS-5.10.4.1
        - DISA-STIG-RHEL-07-010020

    - name: "Reinstall packages of files with incorrect hash"
      shell: "{{ package_manager_reinstall_cmd }} $(rpm -qf '{{ item }}')"
      args:
        warn: False # Ignore ANSIBLE0006, this task is flexible with regards to package manager
      with_items: "{{ files_with_incorrect_hash.stdout_lines }}"
      when: (package_manager_reinstall_cmd is defined and (files_with_incorrect_hash.stdout_lines | length > 0)) and True
      tags:
        - rpm_verify_hashes
        - high_severity
        - unknown_strategy
        - high_complexity
        - medium_disruption
        - CCE-27157-7
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-53-SI-7(1)
        - NIST-800-171-3.3.8
        - NIST-800-171-3.4.1
        - PCI-DSS-Req-11.5
        - CJIS-5.10.4.1
        - DISA-STIG-RHEL-07-010020

Install AIDE

The aide package can be installed with the following command:

    $ sudo yum install aide

Identifiers and References: 1.3.1 1 11 12 13 14 15 16 2 3 5 7 8 9 5.10.1.3 APO01.06 BAI01.06 BAI02.01 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS03.05 DSS04.07 DSS05.02 DSS05.03 DSS05.05 DSS05.07 DSS06.02 DSS06.06 4.3.4.3.2 4.3.4.3.3 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 SR 4.1 SR 6.2 SR 7.6 A.11.2.4 A.12.1.2 A.12.2.1 A.12.4.1 A.12.5.1 A.12.6.2 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.14.2.7 A.15.2.1 A.8.2.3 CM-3(d) CM-3(e) CM-6(d) CM-6(3) SC-28 SI-7 DE.CM-1 DE.CM-7 PR.DS-1 PR.DS-6 PR.DS-8 PR.IP-1 PR.IP-3 Req-11.5

Rationale: The AIDE package must be installed if it is to be available for integrity checking.
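The three RPM verification rules above each pull one column out of the `rpm -Va` attribute field with a separate awk invocation. The script below, an added example that is not part of the SCAP Security Guide, classifies the whole field in one pass, keeps configuration files apart from binaries, and prints the command each rule would run instead of executing it. The sample `rpm -Va` output is constructed, not captured from a real system.

```shell
#!/bin/bash
# Added example (not part of the SCAP Security Guide): one pass over the output
# of `rpm -Va` that separates the mismatch classes remediated by the three rules
# above (mode, ownership, digest) and treats configuration files differently
# from binaries.
#
# Layout of the 9-character attribute field printed by `rpm -V`:
#   position 1 S size, 2 M mode, 3 5 digest, 4 D device, 5 L link,
#   6 U user, 7 G group, 8 T mtime, 9 P capabilities
# "." means the attribute matched, a letter means it differs, "?" means it could
# not be checked. A "c" in the following column marks a configuration file,
# whose digest is allowed to change. As with the guide's own awk, paths that
# contain spaces are not handled.

# classify_rpm_verify: reads `rpm -Va` lines on stdin, writes "<class> <path>"
# where class is perm | owner | hash | config-hash | missing.
classify_rpm_verify() {
    awk '
        /^missing/      { print "missing " $NF; next }
        length($1) != 9 { next }
        {
            attrs = $1; path = $NF; config = ($2 == "c")
            if (substr(attrs, 2, 1) == "M") print "perm " path
            if (substr(attrs, 6, 1) == "U" || substr(attrs, 7, 1) == "G") print "owner " path
            if (substr(attrs, 3, 1) == "5") {
                cls = config ? "config-hash" : "hash"
                print cls " " path
            }
        }'
}

# paths_for_class <class>: unique paths of one class from classify output on stdin
paths_for_class() {
    awk -v want="$1" '$1 == want { print $2 }' | sort -u
}

# plan_remediation: map classified findings (stdin) to the command each rule
# would run, printed for review rather than executed.
plan_remediation() {
    awk '
        $1 == "perm"        { print "rpm --setperms \"$(rpm -qf " $2 ")\""; next }
        $1 == "owner"       { print "rpm --setugids \"$(rpm -qf " $2 ")\""; next }
        $1 == "hash"        { print "yum reinstall -y \"$(rpm -qf " $2 ")\""; next }
        $1 == "config-hash" { print "# review " $2 ": configuration file, a changed digest may be legitimate"; next }
        $1 == "missing"     { print "# reinstall the package owning missing file " $2; next }
    '
}

# Constructed sample of `rpm -Va` output (not captured from a real system).
SAMPLE_RPM_VA='S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/passwd
.....UG..    /var/log/gdm
..5......    /usr/bin/sudo
missing     /usr/lib64/libexample.so.1'

# summarize_sample: count findings per class in the sample, e.g.
# "perm=1 owner=1 hash=1 config-hash=1"
summarize_sample() {
    printf '%s\n' "$SAMPLE_RPM_VA" | classify_rpm_verify | awk '
        { n[$1]++ }
        END { printf "perm=%d owner=%d hash=%d config-hash=%d\n",
                     n["perm"], n["owner"], n["hash"], n["config-hash"] }'
}

summarize_sample
printf '%s\n' "$SAMPLE_RPM_VA" | classify_rpm_verify | plan_remediation
```

On a real host, replace the constructed sample with `rpm -Va | classify_rpm_verify` and review the plan before running any `--setperms`, `--setugids` or reinstall.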
CCE Identifier: CCE-27096-7

Remediation Shell script:

    package_install aide

Remediation Ansible snippet:

    - name: Ensure aide is installed
      package:
        name: aide
        state: present
      tags:
        - package_aide_installed
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-27096-7
        - NIST-800-53-CM-3(d)
        - NIST-800-53-CM-3(e)
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-53-SC-28
        - NIST-800-53-SI-7
        - PCI-DSS-Req-11.5
        - CJIS-5.10.1.3
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Remediation Puppet snippet:

    include install_aide
    class install_aide {
      package { 'aide':
        ensure => 'installed',
      }
    }

Remediation Anaconda snippet:

    package --add=aide

Configure Periodic Execution of AIDE

At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:

    05 4 * * * root /usr/sbin/aide --check

To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:

    05 4 * * 0 root /usr/sbin/aide --check

AIDE can be executed periodically through other means; this is merely one example. The use of cron's special time codes, such as @daily and @weekly, is acceptable.

Identifiers and References: RHEL-07-020030 SV-86597r2_rule 1.3.2 1 11 12 13 14 15 16 2 3 5 7 8 9 5.10.1.3 APO01.06 BAI01.06 BAI02.01 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS03.05 DSS04.07 DSS05.02 DSS05.03 DSS05.05 DSS05.07 DSS06.02 DSS06.06 CCI-001744 4.3.4.3.2 4.3.4.3.3 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 SR 4.1 SR 6.2 SR 7.6 A.11.2.4 A.12.1.2 A.12.2.1 A.12.4.1 A.12.5.1 A.12.6.2 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.14.2.7 A.15.2.1 A.8.2.3 CM-3(d) CM-3(e) CM-3(5) CM-6(d) CM-6(3) SC-28 SI-7 DE.CM-1 DE.CM-7 PR.DS-1 PR.DS-6 PR.DS-8 PR.IP-1 PR.IP-3 Req-11.5 SRG-OS-000363-GPOS-00150

Rationale: By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.
Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.

CCE Identifier: CCE-26952-2

Remediation Shell script:

    package_install aide
    if ! grep -q "/usr/sbin/aide --check" /etc/crontab ; then
        echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
    fi

Remediation Ansible snippet:

    - name: "Ensure AIDE is installed"
      package:
        name: "{{ item }}"
        state: present
      with_items:
        - aide
      tags:
        - aide_periodic_cron_checking
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-26952-2
        - NIST-800-53-CM-3(d)
        - NIST-800-53-CM-3(e)
        - NIST-800-53-CM-3(5)
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-53-SC-28
        - NIST-800-53-SI-7
        - PCI-DSS-Req-11.5
        - CJIS-5.10.1.3
        - DISA-STIG-RHEL-07-020030
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Configure Periodic Execution of AIDE"
      cron:
        name: "run AIDE check"
        minute: 05
        hour: 04
        weekday: 0
        user: root
        job: "/usr/sbin/aide --check"
      tags:
        - aide_periodic_cron_checking
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-26952-2
        - NIST-800-53-CM-3(d)
        - NIST-800-53-CM-3(e)
        - NIST-800-53-CM-3(5)
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-53-SC-28
        - NIST-800-53-SI-7
        - PCI-DSS-Req-11.5
        - CJIS-5.10.1.3
        - DISA-STIG-RHEL-07-020030
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Build and Test AIDE Database

Run the following command to generate a new database:

    $ sudo /usr/sbin/aide --init

By default, the database will be written to the file /var/lib/aide/aide.db.new.gz. Storing the database, the configuration file /etc/aide.conf, and the binary /usr/sbin/aide (or hashes of these files) in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows:

    $ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

To initiate a manual check, run the following command:

    $ sudo /usr/sbin/aide --check

If this check produces any unexpected output, investigate.

Identifiers and References: 1 11 12 13 14 15 16 2 3 5 7 8 9 5.10.1.3 APO01.06 BAI01.06 BAI02.01 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS03.05 DSS04.07 DSS05.02 DSS05.03 DSS05.05 DSS05.07 DSS06.02 DSS06.06 4.3.4.3.2 4.3.4.3.3 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 SR 4.1 SR 6.2 SR 7.6 A.11.2.4 A.12.1.2 A.12.2.1 A.12.4.1 A.12.5.1 A.12.6.2 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.14.2.7 A.15.2.1 A.8.2.3 CM-3(d) CM-3(e) CM-6(d) CM-6(3) SC-28 SI-7 DE.CM-1 DE.CM-7 PR.DS-1 PR.DS-6 PR.DS-8 PR.IP-1 PR.IP-3 Req-11.5

Rationale: For AIDE to be effective, an initial database of "known-good" information about files must be captured, and it should be possible to verify it against the installed files.
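The "secure location" advice in the rule above only pays off if something checks the stored copies before each run. The script below is an added example, not part of the SCAP Security Guide: it records SHA-256 hashes of the AIDE binary, configuration and database into a manifest meant for read-only media and refuses to run a check while any of them differs. It assumes GNU coreutils sha256sum and exercises the functions on constructed stand-in files rather than the real AIDE paths.

```shell
#!/bin/bash
# Added example (not part of the SCAP Security Guide). An attacker who can
# rewrite aide.db.gz, aide.conf or the aide binary can make a tampered file look
# "known-good", so the rule above suggests keeping those files (or their hashes)
# on read-only media. These functions record SHA-256 hashes into a manifest and
# refuse to run a check while any anchor differs from the manifest.
# Assumes GNU coreutils sha256sum; paths are parameters so the functions can be
# exercised on constructed files instead of the real AIDE installation.

# record_anchors <manifest> <file>...: write a sha256sum manifest for the files
# (the manifest is what would be copied to read-only media)
record_anchors() {
    local manifest=$1; shift
    sha256sum -- "$@" > "$manifest"
}

# verify_anchors <manifest>: 0 if every listed file still matches, non-zero otherwise
verify_anchors() {
    sha256sum --quiet -c -- "$1" >/dev/null 2>&1
}

# guarded_check <manifest> <command...>: run the AIDE check (or any command)
# only when the anchors verify; returns 2 and runs nothing otherwise.
guarded_check() {
    local manifest=$1; shift
    if ! verify_anchors "$manifest"; then
        echo "refusing to run: AIDE binary, config or database differs from the recorded hashes" >&2
        return 2
    fi
    "$@"
}

# demo: constructed stand-ins for /usr/sbin/aide, /etc/aide.conf and aide.db.gz;
# prints "before=<status> after=<status>" around a simulated modification.
demo() {
    local dir before after
    dir=$(mktemp -d)
    printf 'stand-in for the aide binary\n' > "$dir/aide"
    printf 'database_in=file:/var/lib/aide/aide.db.gz\n' > "$dir/aide.conf"
    printf 'stand-in for the AIDE database\n' > "$dir/aide.db.gz"
    record_anchors "$dir/anchors.sha256" "$dir/aide" "$dir/aide.conf" "$dir/aide.db.gz"
    # in production the command would be: /usr/sbin/aide --check
    if guarded_check "$dir/anchors.sha256" true; then before=0; else before=$?; fi
    printf 'tampered\n' >> "$dir/aide.conf"   # simulate an unexpected change
    if guarded_check "$dir/anchors.sha256" true; then after=0; else after=$?; fi
    rm -rf "$dir"
    echo "before=$before after=$after"
}

demo
```

For the real installation, run `record_anchors` once after staging the database, move the manifest off the host, and call `guarded_check <manifest> /usr/sbin/aide --check` from the cron entry instead of the bare `aide --check`.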
CCE Identifier: CCE-27220-3

Remediation Shell script:

    package_install aide
    /usr/sbin/aide --init
    /bin/cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Remediation Ansible snippet:

    - name: "Ensure AIDE is installed"
      package:
        name: "{{ item }}"
        state: present
      with_items:
        - aide
      tags:
        - aide_build_database
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27220-3
        - NIST-800-53-CM-3(d)
        - NIST-800-53-CM-3(e)
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-53-SC-28
        - NIST-800-53-SI-7
        - PCI-DSS-Req-11.5
        - CJIS-5.10.1.3
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Build and Test AIDE Database"
      command: /usr/sbin/aide --init
      changed_when: True
      tags:
        - aide_build_database
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27220-3
        - NIST-800-53-CM-3(d)
        - NIST-800-53-CM-3(e)
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-53-SC-28
        - NIST-800-53-SI-7
        - PCI-DSS-Req-11.5
        - CJIS-5.10.1.3
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    # mainly to allow ansible's check mode to work
    - name: "Check whether the stock AIDE Database exists"
      stat:
        path: /var/lib/aide/aide.db.new.gz
      register: aide_database_stat
      tags:
        - aide_build_database
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27220-3
        - NIST-800-53-CM-3(d)
        - NIST-800-53-CM-3(e)
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-53-SC-28
        - NIST-800-53-SI-7
        - PCI-DSS-Req-11.5
        - CJIS-5.10.1.3
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Stage AIDE Database"
      copy:
        src: /var/lib/aide/aide.db.new.gz
        dest: /var/lib/aide/aide.db.gz
        backup: yes
        remote_src: yes
      when: (aide_database_stat.stat.exists is defined and aide_database_stat.stat.exists) and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - aide_build_database
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27220-3
        - NIST-800-53-CM-3(d)
        - NIST-800-53-CM-3(e)
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-53-SC-28
        - NIST-800-53-SI-7
        - PCI-DSS-Req-11.5
        - CJIS-5.10.1.3

Disable Prelinking

The prelinking feature changes binaries in an attempt to decrease their startup time. In order to disable it, change or add the following line inside the file /etc/sysconfig/prelink:

    PRELINKING=no

Next, run the following command to return binaries to a normal, non-prelinked state:

    $ sudo /usr/sbin/prelink -ua

Identifiers and References: 1.5.4 11 13 14 2 3 9 5.10.1.3 APO01.06 BAI02.01 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS04.07 DSS05.03 DSS06.02 DSS06.06 3.13.11 4.3.4.3.2 4.3.4.3.3 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 SR 4.1 SR 7.6 A.11.2.4 A.12.1.2 A.12.2.1 A.12.5.1 A.12.6.2 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.8.2.3 CM-6(d) CM-6(3) SC-28 SI-7 PR.DS-1 PR.DS-6 PR.DS-8 PR.IP-1 Req-11.5

Rationale: Because the prelinking feature changes binaries, it can interfere with the operation of certain software and/or modes such as AIDE, FIPS, etc.
CCE Identifier: CCE-27078-5

Remediation Shell script:

    disable_prelink

Remediation Ansible snippet:

    - name: Does prelink file exist
      stat:
        path: /etc/sysconfig/prelink
      register: prelink_exists
      tags:
        - disable_prelink
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27078-5
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-53-SC-28
        - NIST-800-53-SI-7
        - NIST-800-171-3.13.11
        - PCI-DSS-Req-11.5
        - CJIS-5.10.1.3

    - name: disable prelinking
      lineinfile:
        path: /etc/sysconfig/prelink
        regexp: '^PRELINKING='
        line: 'PRELINKING=no'
      when: prelink_exists.stat.exists and True
      tags:
        - disable_prelink
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27078-5
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-6(3)
        - NIST-800-53-SC-28
        - NIST-800-53-SI-7
        - NIST-800-171-3.13.11
        - PCI-DSS-Req-11.5
        - CJIS-5.10.1.3

11.5.1 Implement a process to respond to
11.5.a Verify the use of a change-detection mechanism within
11.5.b Verify the mechanism is configured to alert personnel
11.6 Ensure that security policies and

Values

Group of values used in PCI-DSS profile

Maximum KeepAlive Requests for HTTPD
    The setting for MaxKeepAliveRequests in httpd.conf
    Values: 100000 10000 100 100 1000 500

HTTPD Log Level
    The setting for LogLevel in /etc/httpd/conf/httpd.conf
    Values: warn crit emerg error warn alert

Web Login Banner Verbiage
    Enter an appropriate login banner for your organization. Please note that new lines must be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\'.
    Values (the guide stores each as a regular expression in which any run of whitespace matches; shown here as plain text):

    1. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.

    2. -- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.

    3. You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: - The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - At any time, the USG may inspect and seize data stored on this IS. - Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. - Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

    4. Either the full text of value 3, or: I've read & consent to terms in IS user agreem't.

    5. I've read & consent to terms in IS user agreem't.

SSSD memcache_timeout option
    Value of the memcache_timeout option in the [nss] section of the SSSD configuration file /etc/sssd/sssd.conf.
    Values: 300 1800 300 86400 180 900 600

SSSD ssh_known_hosts_timeout option
    Value of the ssh_known_hosts_timeout option in the [ssh] section of the SSSD configuration file /etc/sssd/sssd.conf.
    Values: 300 1800 180 86400 180 900 600

SSSD LDAP Backend Client CA Certificate Location
    Path of a directory that contains Certificate Authority certificates.
    Values: /etc/openldap/cacerts

Maximum NTP or Chrony Poll
    The maximum NTP or Chrony poll interval number in seconds specified as a power of two.
10 10 17 Vendor Approved Time Servers The list of vendor-approved time servers 0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org 0.fedora.pool.ntp.org,1.fedora.pool.ntp.org,2.fedora.pool.ntp.org,3.fedora.pool.ntp.org 0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org SSH Server Listening Port Specify port the SSH server is listening. 22 SSH Approved MACs by FIPS Specify the FIPS approved MACs (message authentication code) algorithms that are used for data integrity protection by the SSH server. hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com SSH enabled firewalld zone Specify firewalld zone to enable SSH service. This value is used only for remediation purposes. block drop public work internal external home dmz public trusted SSH session Idle time Specify duration of allowed idle time. 7200 300 1800 300 3600 900 600 SSH Max authentication attempts Specify the maximum number of authentication attempts per connection. 4 10 3 4 5 SSH Max Keep Alive Count Specify the maximum number of idle message counts before session is terminated. 0 0 10 3 5 SSH is required to be installed Specify if the Policy requires SSH to be installed. Used by SSH Rules to determine if SSH should be uninstalled or configured. A value of 0 means that the policy doesn't care if OpenSSH server is installed or not. If it is installed, scanner will check for it's configuration, if it's not installed, the check will pass. A value of 1 indicates that OpenSSH server package is not required by the policy; A value of 2 indicates that OpenSSH server package is required by the policy. 0 2 1 Postfix Root Mail Alias Specify an email address (string) for a root mail alias. 
system.administrator@mail.mil Account for auditd to send email when actions occurs The setting for action_mail_acct in /etc/audit/auditd.conf admin root root Action for auditd to take when disk errors The setting for disk_error_action in /etc/audit/auditd.conf syslog single halt exec single email Action for auditd to take when log files reach their maximum size The setting for max_log_file_action in /etc/audit/auditd.conf rotate syslog keep_logs rotate suspend Size remaining in disk space before prompting space_left_action The setting for space_left (MB) in /etc/audit/auditd.conf 750 1000 100 100 500 250 Action for audispd to take when disk is full The setting for disk_full_action in /etc/audisp/audisp-remote.conf syslog single suspend halt exec single email Maximum audit log file size for auditd The setting for max_log_size in /etc/audit/auditd.conf 1 20 5 6 6 10 Remote server for audispd to send audit records The setting for remote_server in /etc/audisp/audisp-remote.conf myhost.mydomain.com Action for auditd to take when disk is full The setting for disk_full_action in /etc/audit/auditd.conf syslog single halt exec single email Action for auditd to take when disk space is low The setting for admin_space_left_action in /etc/audit/auditd.conf suspend halt exec single syslog single rotate email Action for auditd to take when disk space just starts to run low The setting for space_left_action in /etc/audit/auditd.conf suspend halt exec email syslog single rotate email Number of log files for auditd to retain The setting for num_logs in /etc/audit/auditd.conf 1 2 3 4 5 0 5 Auditd priority for flushing data to disk The setting for flush in /etc/audit/auditd.conf none incremental incremental_async data data sync Action for audispd to take when network fails The setting for network_failure_action in /etc/audisp/audisp-remote.conf syslog single suspend halt exec single email Remote Log Server Specify an URI or IP address of a remote host where the log messages will be 
sent and stored. logcollector group who owns log files Specify group owner of all logfiles specified in /etc/rsyslog.conf. root adm root User who owns log files Specify user owner of all logfiles specified in /etc/rsyslog.conf. root adm root net.ipv6.conf.all.accept_redirects Toggle ICMP Redirect Acceptance 0 0 1 net.ipv6.conf.all.accept_source_route Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirected. 0 0 1 net.ipv6.conf.default.accept_ra Accept default router advertisements by default? 0 0 1 net.ipv6.conf.default.accept_source_route Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirected. 0 0 1 net.ipv6.conf.default.accept_redirects Toggle ICMP Redirect Acceptance By Default 0 0 1 net.ipv6.conf.all.accept_ra Accept all router advertisements? 0 0 1 IPV6_AUTOCONF Toggle global IPv6 auto-configuration (only, if global forwarding is disabled) no no yes net.ipv6.conf.all.forwarding Toggle IPv6 Forwarding 0 0 1 net.ipv4.conf.default.accept_source_route Disable IP source routing? 0 0 1 net.ipv4.conf.default.log_martians Disable so you don't Log Spoofed Packets, Source Routed Packets, Redirect Packets 1 0 1 net.ipv4.conf.default.secure_redirects Enable to prevent hijacking of routing path by only allowing redirects from gateways known in routing table. Disable to refuse acceptance of secure ICMP redirected packages by default. 0 0 1 net.ipv4.icmp_ignore_bogus_error_responses Enable to prevent unnecessary logging 1 0 1 net.ipv4.conf.default.accept_redirects Disable ICMP Redirect Acceptance? 0 0 1 net.ipv4.conf.all.log_martians Disable so you don't Log Spoofed Packets, Source Routed Packets, Redirect Packets 1 0 1 net.ipv4.conf.all.secure_redirects Enable to prevent hijacking of routing path by only allowing redirects from gateways known in routing table. 
Disable to refuse acceptance of secure ICMP redirected packets on all interfaces. 0 0 1 net.ipv4.conf.default.rp_filter Enables source route verification 1 0 1 net.ipv4.tcp_syncookies Enable to turn on TCP SYN Cookie Protection 1 0 1 net.ipv4.icmp_echo_ignore_broadcasts Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast 1 0 1 net.ipv4.conf.all.accept_source_route Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirected. 0 0 1 net.ipv4.conf.all.accept_redirects Disable ICMP Redirect Acceptance 0 0 1 net.ipv4.conf.all.rp_filter Enable to enforce sanity checking, also called ingress filtering or egress filtering. The point is to drop a packet if the source and destination IP addresses in the IP header do not make sense when considered in light of the physical interface on which it arrived. 1 0 1 SELinux state enforcing - SELinux security policy is enforced. permissive - SELinux prints warnings instead of enforcing. disabled - SELinux is fully disabled. enforcing disabled enforcing permissive SELinux policy Type of policy in use. Possible values are: targeted - Only targeted network daemons are protected. strict - Full SELinux protection. mls - Multiple levels of security targeted mls targeted virt_rw_qemu_ga_data SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false mysql_connect_any SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false pcp_bind_all_unreserved_ports SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false cluster_can_network_connect SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. 
false true false git_cgi_enable_homedirs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false cobbler_can_network_connect SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false ftpd_use_fusefs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false antivirus_use_jit SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false mcelog_exec_scripts SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false httpd_can_connect_ldap SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false selinuxuser_udp_server SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false tftp_anon_write SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false httpd_setrlimit SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false sge_use_nfs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false polipo_session_users SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false xguest_connect_network SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. 
true true false ssh_chroot_rw_homedirs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false glance_use_fusefs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false gluster_export_all_ro SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false git_cgi_use_cifs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false dbadm_exec_content SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false named_tcp_bind_http_port SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false ftpd_connect_all_unreserved SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false virt_use_nfs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false nagios_run_pnp4nagios SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false postgresql_selinux_unconfined_dbadm SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false samba_enable_home_dirs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false fips_mode SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. 
true true false zabbix_can_network SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false unconfined_login SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false abrt_upload_watch_anon_write SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false virt_transition_userdomain SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false httpd_use_cifs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false ftpd_connect_db SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false gluster_export_all_rw SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false virt_sandbox_use_netlink SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false cron_can_relabel SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false httpd_use_gpg SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false gluster_anon_write SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false selinuxuser_execstack SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. 
false true false sanlock_use_fusefs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false logadm_exec_content SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false xguest_mount_media SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false virt_use_usb SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false gssd_read_tmp SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false fcron_crond SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false openvpn_enable_homedirs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false pppd_for_user SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false selinuxuser_ping SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false zoneminder_run_sudo SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false dbadm_manage_user_files SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false virt_sandbox_use_audit SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. 
true true false logging_syslogd_can_sendmail SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false unconfined_chrome_sandbox_transition SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false httpd_tmp_exec SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false polipo_use_cifs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false use_lpd_server SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false nfsd_anon_write SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false tmpreaper_use_nfs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false telepathy_tcp_connect_generic_network_ports SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false mozilla_plugin_can_network_connect SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false xdm_bind_vnc_tcp_port SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false icecast_use_any_tcp_ports SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false selinuxuser_share_music SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. 
off - SELinux boolean is disabled. false true false postfix_local_write_mail_spool SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false virt_sandbox_use_all_caps SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false cobbler_use_cifs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false antivirus_can_scan_system SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false mock_enable_homedirs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false logging_syslogd_run_nagios_plugins SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false cron_system_cronjob_use_shares SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false httpd_can_network_connect SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false httpd_can_connect_mythtv SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false samba_export_all_ro SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false xen_use_nfs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false httpd_can_network_connect_db SELinux Boolean default - Default SELinux boolean setting. 
on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false rsync_export_all_ro SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false httpd_can_check_spam SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false cvs_read_shadow SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false cups_execmem SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false secure_mode_policyload SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false httpd_ssi_exec SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false pppd_can_insmod SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false samba_domain_controller SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false dhcpc_exec_iptables SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false openvpn_run_unconfined SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false cobbler_use_nfs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false httpd_can_sendmail SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. 
off - SELinux boolean is disabled. false true false domain_fd_use SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false virt_sandbox_use_mknod SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false httpd_run_preupgrade SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false exim_can_connect_db SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false httpd_use_sasl SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false secure_mode SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false puppetagent_manage_all_files SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false rsync_full_access SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false httpd_verify_dns SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false httpd_enable_homedirs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false nagios_run_sudo SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false glance_use_execmem SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. 
false true false httpd_unified SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false nis_enabled SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false httpd_graceful_shutdown SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false staff_exec_content SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false mailman_use_fusefs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false git_system_use_cifs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false httpd_can_connect_ftp SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false httpd_dbus_avahi SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false named_write_master_zones SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false exim_read_user_files SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false nfs_export_all_ro SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false squid_use_tproxy SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. 
false true false xend_run_blktap SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false daemons_use_tcp_wrapper SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false httpd_enable_cgi SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false httpd_run_ipa SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false daemons_dump_core SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false glance_api_can_network SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false deny_ptrace SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false logwatch_can_network_connect_mail SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false authlogin_nsswitch_use_ldap SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false fenced_can_ssh SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false cdrecord_read_content SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false nfs_export_all_rw SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. 
true true false entropyd_use_audio SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false use_fusefs_home_dirs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false user_exec_content SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true true false polipo_connect_all_unreserved SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false telepathy_connect_all_ports SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false httpd_can_network_connect_cobbler SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false mozilla_plugin_use_spice SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false selinuxuser_execheap SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false mpd_use_nfs SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false httpd_mod_auth_ntlm_winbind SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false virt_use_comm SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false true false varnishd_connect_any SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. 
SELinux Boolean values, one per line (the three leading true/false values are reproduced as extracted, followed by the boolean name). Every entry is followed in the original by the same text: SELinux Boolean default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled.

false true false selinuxuser_execmod
true true false httpd_anon_write
false true false webadm_manage_user_files
false true false virt_read_qemu_ga_data
false true false openvpn_can_network_connect
true true false sanlock_use_samba
false true false exim_manage_user_files
false true false xdm_write_home
false true false selinuxuser_mysql_connect_enabled
false true false mount_anyfile
true true false git_system_enable_homedirs
false true false abrt_anon_write
false true false ftpd_use_nfs
false true false virt_sandbox_use_sys_admin
false true false prosody_bind_http_port
false true false ssh_keysign
false true false httpd_serve_cobbler_files
false true false samba_export_all_rw
false true false postgresql_can_rsync
false true false wine_mmap_zero_ignore
false true false kdumpgui_run_bootloader
false true false staff_use_svirt
false true false use_nfs_home_dirs
false true false httpd_can_connect_zabbix
false true false conman_can_network
false true false samba_share_fusefs
false true false irssi_use_full_network
false true false ftpd_anon_write
false true false httpd_builtin_scripting
true true false authlogin_yubikey
false true false virt_use_xserver
false true false unprivuser_use_svirt
false true false xserver_object_manager
false true false cobbler_anon_write
false true false tftp_home_dir
false true false auditadm_exec_content
true true false zebra_write_config
false true false tor_can_network_relay
false true false dbadm_read_user_files
false true false rsync_anon_write
false true false tor_bind_all_unreserved_ports
false true false haproxy_connect_any
false true false lsmd_plugin_connect_any
false true false squid_connect_any
true true false xend_run_qemu
true true false webadm_read_user_files
false true false spamassassin_can_network
false true false kerberos_enabled
true true false virt_use_execmem
false true false sge_domain_can_network_connect
false true false pcp_read_generic_logs
false true false use_ecryptfs_home_dirs
false true false httpd_mod_auth_pam
false true false selinuxuser_tcp_server
false true false sanlock_use_nfs
false true false mplayer_execstack
false true false selinuxuser_rw_noexattrfile
true true false racoon_read_shadow
false true false httpd_use_openstack
false true false xserver_execmem
false true false logrotate_use_nfs
false true false dhcpd_use_ldap
false true false httpd_use_nfs
false true false piranha_lvs_can_network_connect
false true false puppetmaster_use_db
false true false saslauthd_read_shadow
false true false zarafa_setrlimit
false true false ksmtuned_use_nfs
false true false ksmtuned_use_cifs
false true false xserver_clients_write_xshm
false true false polipo_session_bind_all_unreserved_ports
false true false samba_run_unconfined
false true false httpd_use_fusefs
false true false authlogin_radius
false true false xguest_use_bluetooth
true true false rsync_client
false true false collectd_tcp_network_connect
false true false xdm_sysadm_login
false true false daemons_use_tty
false true false xguest_exec_content
true true false gpg_web_anon_write
false true false daemons_enable_cluster_mode
false true false deny_execmem
false true false virt_use_sanlock
false true false use_samba_home_dirs
false true false mozilla_plugin_use_gps
false true false login_console_enabled
true true false condor_tcp_network_connect
false true false gitosis_can_sendmail
false true false logging_syslogd_use_tty
true true false httpd_execmem
false true false polyinstantiation_enabled
false true false mozilla_plugin_bind_unreserved_ports
false true false postgresql_selinux_transmit_client_label
false true false samba_share_nfs
false true false xdm_exec_bootloader
false true false ftpd_use_cifs
false true false httpd_enable_ftp_server
false true false httpd_dbus_sssd
false true false git_session_users
false true false httpd_can_network_memcache
false true false mpd_use_cifs
false true false awstats_purge_apache_log_files
false true false samba_create_home_dirs
false true false git_cgi_use_nfs
false true false git_system_use_nfs
false true false mcelog_server
false true false boinc_execmem
true true false ssh_sysadm_login
false true false httpd_sys_script_anon_write
false true false smartmon_3ware
false true false virt_use_samba
false true false postgresql_selinux_users_ddl
true true false irc_use_any_tcp_ports
false true false zoneminder_anon_write
false true false tmpreaper_use_samba
false true false openshift_use_nfs
false true false swift_can_network
false true false minidlna_read_generic_user_content
false true false global_ssp
false true false httpd_dontaudit_search_dirs
false true false git_session_bind_all_unreserved_ports
false true false domain_kernel_load_modules
false true false virt_use_rawip
false true false polipo_use_nfs
false true false httpd_read_user_content
false true false nscd_use_shm
true true false cluster_use_execmem
false true false mcelog_client
false true false samba_load_libgfapi
false true false mozilla_plugin_use_bluejeans
false true false ftpd_use_passive_mode
false true false httpd_manage_ipa
false true false secure_mode_insmod
false true false httpd_run_stickshift
false true false selinuxuser_use_ssh_chroot
false true false container_connect_any
false true false virt_use_fusefs
false true false secadm_exec_content
true true false httpd_tty_comm
false true false abrt_handle_event
false true false samba_portmapper
false true false neutron_can_network
false true false cluster_manage_all_files
false true false smbd_anon_write
false true false httpd_can_network_relay
false true false cron_userdomain_transition
true true false selinuxuser_postgresql_connect_enabled
false true false mmap_low_allowed
false true false guest_exec_content
true true false mozilla_read_content
false true false sysadm_exec_content
true true false ftpd_full_access
false true false privoxy_connect_any
true true false selinuxuser_direct_dri_enabled
true true false mcelog_foreground
false true false mpd_enable_homedirs
false true false spamd_enable_home_dirs
true true false unconfined_mozilla_plugin_transition
true true false fenced_can_network_connect

Password policy values (title, description, then the selectable values as extracted):

false true false maximum password age Maximum age of password in days This will only apply to newly created accounts 120 180 90 60 60
minimum password age Minimum age of password in days This will only apply to newly created accounts 1 2 5 7 7 0
minimum password length Minimum number of characters in password This will only check new passwords 15 6 8 10 12 14 15
warning days before password expires The number of days' warning given before a password expires. This will only apply to newly created accounts 7 0 14 7
number of days after a password expires until the account is permanently disabled The number of days to wait after a password expires, until the account will be permanently disabled. 35 0 35 40 180 90 60 30
OpenSC Smart Card Drivers Choose the Smart Card Driver in use by your organization. For DoD, choose the cac driver. If your driver is not listed and you don't want to use the default driver, use the other option and manually specify your driver.
flex cardos epass2003 PIV-II oberthur iasecc starcos gpk rutoken_ecp incrypto34 dnie rutoken jpki None belpic asepcos myeid MaskTech tcos itacns cyberflex entersafe acos5 npa isoApplet gemsafeV1 atrust-acos openpgp sc-hsm authentic coolkey akis gids default setcos westcos cac mcrd muscle

Account Inactivity Timeout (minutes) In an interactive shell, the value is interpreted as the number of seconds to wait for input after issuing the primary prompt. Bash terminates after waiting for that number of seconds if input does not arrive. 600 300 600 900 1800
Maximum concurrent login sessions Maximum number of concurrent sessions by a user 1 3 20 5 1 10 15
Maximum login attempts delay Maximum time in seconds between failed login attempts before re-prompting. 1 2 3 4 5 4
Sensible umask Enter default user umask 027 077 027 007 022
Login Banner Verbiage Enter an appropriate login banner for your organization. Please note that new lines must be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\'.
[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times.[\s\n]+This[\s\n]+is[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+and[\s\n]+related[\s\n]+equipment[\s\n]+are[\s\n]+intended[\s\n]+for[\s\n]+the[\s\n]+communication,[\s\n]+transmission,[\s\n]+processing,[\s\n]+and[\s\n]+storage[\s\n]+of[\s\n]+official[\s\n]+U.S.[\s\n]+Government[\s\n]+or[\s\n]+other[\s\n]+authorized[\s\n]+information[\s\n]+only.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times[\s\n]+to[\s\n]+ensure[\s\n]+proper[\s\n]+functioning[\s\n]+of[\s\n]+equipment[\s\n]+and[\s\n]+systems[\s\n]+including[\s\n]+security[\s\n]+devices[\s\n]+and[\s\n]+systems,[\s\n]+to[\s\n]+prevent[\s\n]+unauthorized[\s\n]+use[\s\n]+and[\s\n]+violations[\s\n]+of[\s\n]+statutes[\s\n]+and[\s\n]+security[\s\n]+regulations,[\s\n]+to[\s\n]+deter[\s\n]+criminal[\s\n]+activity,[\s\n]+and[\s\n]+for[\s\n]+other[\s\n]+similar[\s\n]+purposes.[\s\n]+Any[\s\n]+user[\s\n]+of[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+should[\s\n]+be[\s\n]+aware[\s\n]+that[\s\n]+any[\s\n]+information[\s\n]+placed[\s\n]+in[\s\n]+the[\s\n]+system[\s\n]+is[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+not[\s\n]+subject[\s\n]+to[\s\n]+any[\s\n]+expectation[\s\n]+of[\s\n]+privacy.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+violation[\s\n]+of[\s\n]+criminal[\s\n]+statutes,[\s\n]+this[\s\n]+evidence[\s\n]+and[\s\n]+any[\s\n]+other[\s\n]+related[\s\n]+information,[\s\n]+including[\s\n]+identification[\s\n]+information[\s\n]+about[\s\n]+the[\s\n]+user,[\s\n]+may[\s\n]+be[\s\n]+provided[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+reveals[\s\n]+violations[\s\n]+of[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+unauthorized[\s\n]+use,[\s\n]+employees[\s\n]+who[\s\n]+violate[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+make[\s\n]+unauthorized[\s\n]+use[\s\n]+of[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+appropriate[\s\n]+disciplinary[\s\n]+action.[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times.

--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials.
You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitorin
g[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details. ^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]
+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.|I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)

I(\\\')*(\')*ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreement.

remember
The last n passwords for each user are saved in /etc/security/opasswd in order to force password change history and keep the user from alternating between the same password too frequently.
Values: 0 4 5 24 5 10

lcredit: Minimum number of lower case in password. Values: -1 0 -2 -1
minclass: Minimum number of categories of characters that must exist in a password. Values: 3 1 2 3 4
maxrepeat: Maximum Number of Consecutive Repeating Characters in a Password. Values: 3 1 2 3
fail_interval: Interval for counting failed login attempts before account lockout. Values: 100000000 86400 900 900 3600 1800
ucredit: Minimum number of upper case in password. Values: -1 0 -2 -1
fail_deny: Number of failed login attempts before account lockout. Values: 3 10 3 5 6
difok: Minimum number of characters not present in old password. Values: 2 3 4 5 6 7 8 15 8
fail_unlock_time: Seconds before automatic unlocking or permanently locking after excessive failed logins. Values: 604800 86400 900 1800 never 3600 never 600
maxclassrepeat: Maximum Number of Consecutive Repeating Characters in a Password From the Same Character Class. Values: 4 1 2 3 4
ocredit: Minimum number of other (special characters) in password. Values: -1 0 -2 -1
dcredit: Minimum number of digits in password. Values: -1 0 -2 -1
retry: Number of retry attempts before erroring out. Values: 1 2 3 4 5 3
minlen: Minimum number of characters in password. Values: 6 7 8 10 12 14 15 15

Accounts

Authorized Local Users on the Operating System
List the user accounts that are authorized locally on the operating system. This list includes both users required by the operating system and users required by the installed applications. Depending on the operating system distribution, version, software groups and applications, the user list differs and can be customized with scap-workbench. An OVAL regular expression is used for the user list. The list starts with '^' and ends with '$' so that it matches exactly the username, not any string that includes the username. Users are separated with '|'. For example, if the three users bin, oracle and sapadm are allowed, the list is ^(bin|oracle|sapadm)$. The user root is the only user that is hard coded in OVAL and is always allowed on the operating system.
Values:
^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd)$
^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|[a-z][a-z0-9][a-z0-9]adm|ora[a-z][a-z0-9][a-z0-9]|sapadm|oracle)$

The system-provided crypto policies
Specify the crypto policy for the system. Values: DEFAULT FIPS FUTURE LEGACY NEXT

The age of McAfee definition file before requiring updating
Specify the amount of time (in seconds) before McAfee definition files need to be updated. Values: 2592000 2592000 604800 86400

Screensaver Inactivity timeout
Choose allowed duration (in seconds) of inactive graphical sessions. Values: 900 300 1800 900 600

Screensaver Lock Delay
Choose allowed duration (in seconds) after a screensaver becomes active before displaying an authentication prompt. Values: 0 5 0 10

Removable Partition
This value is used by the checks mount_option_nodev_removable_partitions, mount_option_nosuid_removable_partitions, and mount_option_noexec_removable_partitions to ensure that the correct mount options are set on partitions mounted from removable media such as CD-ROMs, USB keys, and floppy drives. This value should be modified to reflect any removable partitions that are required on the local system.
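The "Authorized Local Users" variable above relies on the '^' and '$' anchors to make the OVAL pattern match whole usernames. The following is an added example, not part of the SCAP Security Guide, that applies such an allow-list to a constructed /etc/passwd excerpt and shows what a list missing its closing '$' lets through. The allow-list regex and the passwd lines are constructed samples; re.search is used because an OVAL pattern match is not implicitly anchored.

```python
import re

# Constructed allow-list in the shape the guide's variable uses: wrapped in '^'
# and '$', alternatives separated by '|'. A short sample, not the guide's list.
AUTHORIZED_USERS_RE = r"^(root|bin|daemon|adm|sapadm|oracle|ora[a-z][a-z0-9][a-z0-9])$"

# Constructed /etc/passwd excerpt used as sample input.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
binbackup:x:1001:1001::/home/binbackup:/bin/bash
oraprd:x:1002:1002:Oracle PRD:/home/oraprd:/bin/bash
jsmith:x:1003:1003:J. Smith:/home/jsmith:/bin/bash
"""


def passwd_usernames(passwd_text):
    """Return login names from passwd(5)-formatted text, skipping blank and comment lines."""
    names = []
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names.append(line.split(":", 1)[0])
    return names


def anchors_ok(allow_re):
    """True when the list is wrapped in '^...$', the form the guide requires."""
    return allow_re.startswith("^") and allow_re.endswith("$")


def unauthorized_users(passwd_text, allow_re=AUTHORIZED_USERS_RE):
    """Return login names that the allow-list regex does not accept.

    re.search is used deliberately: an OVAL pattern match is not implicitly
    anchored, so only the '^' and '$' inside the value itself stop a partial
    match such as 'bin' at the start of 'binbackup'. root is always accepted,
    as in the guide's OVAL check.
    """
    pattern = re.compile(allow_re)
    return [name for name in passwd_usernames(passwd_text)
            if name != "root" and not pattern.search(name)]


if __name__ == "__main__":
    print("anchored list:", unauthorized_users(SAMPLE_PASSWD))
    # Dropping the closing '$' silently accepts 'binbackup' because 'bin' matches its prefix.
    print("missing '$':  ", unauthorized_users(SAMPLE_PASSWD, AUTHORIZED_USERS_RE.rstrip("$")))
```

With the anchored list, binbackup and jsmith are reported; with the '$' removed, binbackup is accepted, which is exactly the partial match the guide's wording warns about.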
Value: /dev/cdrom

daemon umask
Enter umask for daemons. Values: 022 027 022

Non PCI-DSS
Rules that are not part of PCI-DSS

Uninstall rsh Package

The rsh package contains the client commands for the rsh services.

References: 2.3.2 3.1.13 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) A.8.2.3 A.13.1.1 A.13.2.1 A.13.2.3 A.14.1.2 A.14.1.3

Rationale: These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh, rcp, and rlogin.

Identifier: CCE-27274-0

Remediation (bash):
    package_remove rsh

Remediation (Ansible):
    - name: Ensure rsh is removed
      package:
        name: rsh
        state: absent
      tags:
        - package_rsh_removed
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-27274-0
        - NIST-800-171-3.1.13

Remediation (Puppet):
    include remove_rsh
    class remove_rsh {
      package { 'rsh':
        ensure => 'purged',
      }
    }

Remediation (Anaconda):
    package --remove=rsh

Disable rlogin Service

The rlogin service, which is available with the rsh-server package and runs as a service through xinetd or separately as a systemd socket, should be disabled. If using xinetd, set disable to yes in /etc/xinetd.d/rlogin.
The rlogin socket can be disabled with the following command:
    $ sudo systemctl disable rlogin.socket

References: 2.2.17 1 11 12 14 15 16 3 5 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.06 DSS06.10 3.1.13 3.4.7 CCI-001436 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.18.1.4 A.6.2.1 A.6.2.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 AC-17(8) CM-7 IA-5(1)(c) PR.AC-1 PR.AC-3 PR.AC-6 PR.AC-7 PR.IP-1 PR.PT-3 PR.PT-4

Rationale: The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.

Identifier: CCE-27336-7

Remediation (bash):
    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'rlogin.service'
    "$SYSTEMCTL_EXEC" disable 'rlogin.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rlogin.socket\>' && "$SYSTEMCTL_EXEC" disable 'rlogin.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'rlogin.service' - name: Disable service rlogin service: name: rlogin enabled: "no" state: "stopped" register: service_result failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)" tags: - service_rlogin_disabled - high_severity - disable_strategy - low_complexity - low_disruption - CCE-27336-7 - NIST-800-53-AC-17(8) - NIST-800-53-CM-7 - NIST-800-53-IA-5(1)(c) - NIST-800-171-3.1.13 - NIST-800-171-3.4.7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Disable socket of service rlogin if applicable service: name: rlogin.socket enabled: "no" state: "stopped" register: socket_result failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)" tags: - service_rlogin_disabled - high_severity - disable_strategy - low_complexity - low_disruption - CCE-27336-7 - NIST-800-53-AC-17(8) - NIST-800-53-CM-7 - NIST-800-53-IA-5(1)(c) - NIST-800-171-3.1.13 - NIST-800-171-3.4.7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable rexec Service The rexec service, which is available with the rsh-server package and runs as a service through xinetd or separately as a systemd socket, should be disabled. If using xinetd, set disable to yes in /etc/xinetd.d/rexec. 
The rexec socket can be disabled with the following command:
    $ sudo systemctl disable rexec.socket

References: 2.2.17 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 3.1.13 3.4.7 CCI-000068 CCI-001436 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4

Rationale: The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.

Identifier: CCE-27408-4

Remediation (bash):
    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'rexec.service'
    "$SYSTEMCTL_EXEC" disable 'rexec.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rexec.socket\>' && "$SYSTEMCTL_EXEC" disable 'rexec.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'rexec.service' - name: Disable service rexec service: name: rexec enabled: "no" state: "stopped" register: service_result failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)" tags: - service_rexec_disabled - high_severity - disable_strategy - low_complexity - low_disruption - CCE-27408-4 - NIST-800-53-AC-17(8) - NIST-800-53-CM-7 - NIST-800-171-3.1.13 - NIST-800-171-3.4.7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Disable socket of service rexec if applicable service: name: rexec.socket enabled: "no" state: "stopped" register: socket_result failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)" tags: - service_rexec_disabled - high_severity - disable_strategy - low_complexity - low_disruption - CCE-27408-4 - NIST-800-53-AC-17(8) - NIST-800-53-CM-7 - NIST-800-171-3.1.13 - NIST-800-171-3.4.7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Remove Host-Based Authentication Files The shosts.equiv file list remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location: $ sudo rm /[path]/[to]/[file]/shosts.equiv CCI-000366 SRG-OS-000480-GPOS-00227 RHEL-07-040550 SV-86903r2_rule The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. 
Identifier: CCE-80513-5

Remediation (bash):
    # Identify local mounts
    MOUNT_LIST=$(df | grep "^/dev" | awk '{ print $6 }')
    # Find file on each listed mount point
    for cur_mount in ${MOUNT_LIST}
    do
      find ${cur_mount} -xdev -type f -name "shosts.equiv" -exec rm -f {} \;
    done

Disable rsh Service

The rsh service, which is available with the rsh-server package and runs as a service through xinetd or separately as a systemd socket, should be disabled. If using xinetd, set disable to yes in /etc/xinetd.d/rsh. The rsh socket can be disabled with the following command:
    $ sudo systemctl disable rsh.socket

References: 2.2.17 1 11 12 14 15 16 3 5 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.06 DSS06.10 3.1.13 3.4.7 CCI-000068 CCI-001436 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.18.1.4 A.6.2.1 A.6.2.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 AC-17(8) CM-7 IA-5(1)(c) PR.AC-1 PR.AC-3 PR.AC-6 PR.AC-7 PR.IP-1 PR.PT-3 PR.PT-4

Rationale: The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
Identifier: CCE-27337-5

Remediation (bash):
    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'rsh.service'
    "$SYSTEMCTL_EXEC" disable 'rsh.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rsh.socket\>' && "$SYSTEMCTL_EXEC" disable 'rsh.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'rsh.service'

Remediation (Ansible):
    - name: Disable service rsh
      service:
        name: rsh
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
        - service_rsh_disabled
        - high_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-27337-5
        - NIST-800-53-AC-17(8)
        - NIST-800-53-CM-7
        - NIST-800-53-IA-5(1)(c)
        - NIST-800-171-3.1.13
        - NIST-800-171-3.4.7
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service rsh if applicable
      service:
        name: rsh.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
        - service_rsh_disabled
        - high_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-27337-5
        - NIST-800-53-AC-17(8)
        - NIST-800-53-CM-7
        - NIST-800-53-IA-5(1)(c)
        - NIST-800-171-3.1.13
        - NIST-800-171-3.4.7
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Remove User Host-Based Authentication Files

The ~/.shosts files (in each user's home directory) list remote hosts and users that are trusted by the local system.
To remove these files, run the following command to delete them from any location:
    $ sudo rm ~/.shosts

References: CCI-000366 SRG-OS-000480-GPOS-00227 RHEL-07-040540 SV-86901r2_rule

Rationale: The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or the use of two-factor authentication.

Identifier: CCE-80514-3

Remediation (bash):
    # Identify local mounts
    MOUNT_LIST=$(df | grep "^/dev" | awk '{ print $6 }')
    # Find file on each listed mount point
    for cur_mount in ${MOUNT_LIST}
    do
      find ${cur_mount} -xdev -type f -name ".shosts" -exec rm -f {} \;
    done

Uninstall rsh-server Package

The rsh-server package can be removed with the following command:
    $ sudo yum erase rsh-server

References: RHEL-07-020000 SV-86591r2_rule 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 CCI-000381 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7(a) PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000095-GPOS-00049

Rationale: The rsh-server service provides an unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session, and has very weak authentication.
If a privileged user were to login using this service, the privileged user password could be compromised. The rsh-server package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation.

Identifier: CCE-27342-5

Remediation (bash):
    package_remove rsh-server

Remediation (Ansible):
    - name: Ensure rsh-server is removed
      package:
        name: rsh-server
        state: absent
      tags:
        - package_rsh-server_removed
        - high_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-27342-5
        - NIST-800-53-AC-17(8)
        - NIST-800-53-CM-7(a)
        - DISA-STIG-RHEL-07-020000

Remediation (Puppet):
    include remove_rsh-server
    class remove_rsh-server {
      package { 'rsh-server':
        ensure => 'purged',
      }
    }

Remediation (Anaconda):
    package --remove=rsh-server

Remove Rsh Trust Files

The files /etc/hosts.equiv and ~/.rhosts (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To remove these files, run the following command to delete them from any location:
    $ sudo rm /etc/hosts.equiv
    $ rm ~/.rhosts

References: 6.2.14 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 CCI-001436 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4

Rationale: Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.
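The four trust-file rules above (shosts.equiv, ~/.shosts, /etc/hosts.equiv and ~/.rhosts) all remove files by name; an auditor usually wants to see what those files contain first, because an entry of "+" trusts every host or every user. The following is an added example, not code from the SCAP Security Guide, that walks a tree without crossing filesystem boundaries (the same intent as the guide's find -xdev), lists the trust files, and counts wildcard entries. The directory tree and file contents are constructed in a temporary directory for the demonstration; the rhosts(5) "host [user]" line format with "+" as wildcard is assumed.

```python
import os
import stat
import tempfile

# File names covered by the rules above: rshd reads hosts.equiv and ~/.rhosts,
# sshd host-based authentication reads shosts.equiv and ~/.shosts.
TRUST_FILE_NAMES = {"hosts.equiv", "shosts.equiv", ".rhosts", ".shosts"}


def find_trust_files(root):
    """Return regular files named like a trust file under root, staying on root's filesystem."""
    root_dev = os.lstat(root).st_dev
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune symlinked directories and directories on other filesystems (like find -xdev).
        dirnames[:] = [d for d in dirnames
                       if not os.path.islink(os.path.join(dirpath, d))
                       and os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in filenames:
            if name in TRUST_FILE_NAMES:
                path = os.path.join(dirpath, name)
                if stat.S_ISREG(os.lstat(path).st_mode):
                    found.append(path)
    return sorted(found)


def trust_entries(text):
    """Parse rhosts(5)/hosts.equiv lines into (host, user) pairs; user is None when absent."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1] if len(parts) > 1 else None))
    return entries


def wildcard_entries(text):
    """Entries that trust any host ('+' host field) or any user on a host ('+' user field)."""
    return [(h, u) for h, u in trust_entries(text) if h == "+" or u == "+"]


def audit_tree(root):
    """Return (path, entry_count, wildcard_count) for every trust file under root."""
    report = []
    for path in find_trust_files(root):
        with open(path) as fh:
            text = fh.read()
        report.append((path, len(trust_entries(text)), len(wildcard_entries(text))))
    return report


def build_sample_tree():
    """Create a constructed sample tree (two home directories and an /etc) in a temp dir."""
    base = tempfile.mkdtemp(prefix="trustfiles-")
    os.makedirs(os.path.join(base, "home", "alice"))
    os.makedirs(os.path.join(base, "home", "bob"))
    os.makedirs(os.path.join(base, "etc"))
    with open(os.path.join(base, "home", "alice", ".rhosts"), "w") as fh:
        fh.write("+ +\n")  # trusts every user on every host
    with open(os.path.join(base, "home", "bob", ".shosts"), "w") as fh:
        fh.write("# legacy build host\nbuild01.example.test bob\n")
    with open(os.path.join(base, "etc", "hosts.equiv"), "w") as fh:
        fh.write("jump.example.test\n+\n")
    return base


if __name__ == "__main__":
    base = build_sample_tree()
    for path, entries, wild in audit_tree(base):
        print("%s: %d entries, %d wildcard" % (path[len(base):], entries, wild))
```

Running it against the sample tree reports alice's .rhosts and /etc/hosts.equiv as containing wildcard entries, the cases where the rationale's "unauthenticated access" is literal; on a real host, point audit_tree at each local mount point as the guide's bash remediation does.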
Identifier: CCE-27406-8

Remediation (bash):
    find /home -maxdepth 2 -type f -name .rhosts -exec rm -f '{}' \;
    if [ -f /etc/hosts.equiv ]; then
      /bin/rm -f /etc/hosts.equiv
    fi

Remediation (Ansible):
    # The snippet searches for hosts.equiv and .rhosts, the files this rule
    # describes; hidden: yes is required for the find module to report dotfiles.
    - block:
        - name: "Detect Rsh Trust Files on the System"
          find:
            paths: /
            recurse: yes
            hidden: yes
            patterns:
              - hosts.equiv
              - .rhosts
          check_mode: no
          register: rsh_trust_file_locations
        - name: "Remove Rsh Trust Files"
          file:
            path: "{{ item.path }}"
            state: absent
          with_items: "{{ rsh_trust_file_locations.files }}"
          when: rsh_trust_file_locations.matched > 0
      tags:
        - no_rsh_trust_files
        - high_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27406-8
        - NIST-800-53-AC-17(8)
        - NIST-800-53-CM-7

Remove telnet Clients

The telnet client allows users to start connections to other systems via the telnet protocol.

References: 2.3.4 3.1.13 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) A.8.2.3 A.13.1.1 A.13.2.1 A.13.2.3 A.14.1.2 A.14.1.3

Rationale: The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in Red Hat Enterprise Linux 7.

Identifier: CCE-27305-2

Remediation (bash):
    package_remove telnet

Remediation (Ansible):
    - name: Ensure telnet is removed
      package:
        name: telnet
        state: absent
      tags:
        - package_telnet_removed
        - low_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-27305-2
        - NIST-800-171-3.1.13

Remediation (Puppet):
    include remove_telnet
    class remove_telnet {
      package { 'telnet':
        ensure => 'purged',
      }
    }

Remediation (Anaconda):
    package --remove=telnet

Disable telnet Service

The telnet service configuration file /etc/xinetd.d/telnet is not created automatically. If it was created manually, check the /etc/xinetd.d/telnet file and ensure that disable = no is changed to read disable = yes as shown below:
    # description: The telnet server serves telnet sessions; it uses \
    #       unencrypted username/password pairs for authentication.
    service telnet
    {
            flags           = REUSE
            socket_type     = stream
            wait            = no
            user            = root
            server          = /usr/sbin/in.telnetd
            log_on_failure  += USERID
            disable         = yes
    }

If the /etc/xinetd.d/telnet file does not exist, make sure that the activation of the telnet service on system boot is disabled via the following command. The telnet socket can be disabled with the following command:
    $ sudo systemctl disable telnet.socket

References: 2.2.18 1 11 12 14 15 16 3 5 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.06 DSS06.10 3.1.13 3.4.7 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.18.1.4 A.6.2.1 A.6.2.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 AC-17(8) CM-7 IA-5(1)(c) PR.AC-1 PR.AC-3 PR.AC-6 PR.AC-7 PR.IP-1 PR.PT-3 PR.PT-4

Rationale: The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks.
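The rlogin, rexec, rsh and telnet rules above all say the same thing about xinetd: the service's stanza in /etc/xinetd.d must carry disable = yes. The following is an added example, not code from the SCAP Security Guide, that parses the xinetd.conf(5) stanza layout shown above, reports whether a named service is disabled, and rewrites a stanza to disable = yes. It treats a missing stanza or a missing disable attribute as enabled, which is the conservative reading for an audit; the sample file contents are constructed.

```python
import re

# Constructed /etc/xinetd.d/telnet contents in the layout shown above, with the
# weak setting (disable = no) that the rule says to change.
SAMPLE_XINETD_TELNET = """\
# default: on
# description: The telnet server serves telnet sessions; it uses \\
#       unencrypted username/password pairs for authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no
}
"""

_ATTR_RE = re.compile(r"^([A-Za-z_]+)\s*(\+=|-=|=)\s*(.*?)\s*$")


def parse_xinetd(text):
    """Parse xinetd stanzas into {service_name: {attribute: value}}.

    Comments are stripped, '+=' appends to an existing value and '-=' removes
    tokens from it, as in xinetd.conf(5).
    """
    services, current, attrs = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line == "{":
            continue
        m = re.match(r"^service\s+(\S+)\s*\{?$", line)
        if m:
            current, attrs = m.group(1), {}
            continue
        if line == "}":
            if current is not None:
                services[current] = attrs
            current, attrs = None, None
            continue
        m = _ATTR_RE.match(line)
        if m and attrs is not None:
            key, op, val = m.groups()
            if op == "+=" and key in attrs:
                attrs[key] = attrs[key] + " " + val
            elif op == "-=":
                drop = set(val.split())
                attrs[key] = " ".join(v for v in attrs.get(key, "").split() if v not in drop)
            else:
                attrs[key] = val
    return services


def xinetd_service_disabled(text, name):
    """True only when the named stanza exists and sets disable = yes (case-insensitive)."""
    stanza = parse_xinetd(text).get(name)
    if stanza is None:
        return False
    return stanza.get("disable", "no").lower() == "yes"


def set_disabled(text, name):
    """Return text with disable = yes in the named stanza; unchanged if the stanza is absent."""
    stanza_re = re.compile(r"(service\s+%s\s*\{)(.*?)(\n\})" % re.escape(name), re.S)
    m = stanza_re.search(text)
    if not m:
        return text
    body = m.group(2)
    if re.search(r"^\s*disable\s*=", body, re.M):
        body = re.sub(r"^(\s*disable\s*=\s*)\S+", r"\1yes", body, flags=re.M)
    else:
        body = body + "\n        disable         = yes"
    return text[:m.start()] + m.group(1) + body + m.group(3) + text[m.end():]


if __name__ == "__main__":
    print("telnet disabled before:", xinetd_service_disabled(SAMPLE_XINETD_TELNET, "telnet"))
    hardened = set_disabled(SAMPLE_XINETD_TELNET, "telnet")
    print("telnet disabled after: ", xinetd_service_disabled(hardened, "telnet"))
```

To audit a host, feed each file under /etc/xinetd.d to xinetd_service_disabled with the service name the rule names (rlogin, rexec, rsh, telnet); the systemd socket check in the bash remediation still applies separately, since a socket-activated service does not go through xinetd at all.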
Identifier: CCE-27401-9

Remediation (bash):
    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'telnet.service'
    "$SYSTEMCTL_EXEC" disable 'telnet.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^telnet.socket\>' && "$SYSTEMCTL_EXEC" disable 'telnet.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'telnet.service'

Remediation (Ansible):
    - name: Disable service telnet
      service:
        name: telnet
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
        - service_telnet_disabled
        - high_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-27401-9
        - NIST-800-53-AC-17(8)
        - NIST-800-53-CM-7
        - NIST-800-53-IA-5(1)(c)
        - NIST-800-171-3.1.13
        - NIST-800-171-3.4.7
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service telnet if applicable
      service:
        name: telnet.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
        - service_telnet_disabled
        - high_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-27401-9
        - NIST-800-53-AC-17(8)
        - NIST-800-53-CM-7
        - NIST-800-53-IA-5(1)(c)
        - NIST-800-171-3.1.13
        - NIST-800-171-3.4.7
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Uninstall telnet-server Package

The telnet-server package can be removed with the following command:
    $ sudo yum erase telnet-server

References: RHEL-07-021710 SV-86701r2_rule 2.1.1 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03
DSS05.05 DSS06.06 CCI-000381 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7(a) PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000095-GPOS-00049

Rationale: It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. The telnet service provides an unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using this service, the privileged user password could be compromised. Removing the telnet-server package decreases the risk of the telnet service's accidental (or intentional) activation.
Identifier: CCE-27165-0

Remediation (bash):
    package_remove telnet-server

Remediation (Ansible):
    - name: Ensure telnet-server is removed
      package:
        name: telnet-server
        state: absent
      tags:
        - package_telnet-server_removed
        - high_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-27165-0
        - NIST-800-53-AC-17(8)
        - NIST-800-53-CM-7(a)
        - DISA-STIG-RHEL-07-021710

Remediation (Puppet):
    include remove_telnet-server
    class remove_telnet-server {
      package { 'telnet-server':
        ensure => 'purged',
      }
    }

Remediation (Anaconda):
    package --remove=telnet-server

Remove NIS Client

The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client (ypbind) was used to bind a system to an NIS server and receive the distributed configuration files.

References: 2.3.1 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii)

Rationale: The NIS service is inherently an insecure system that has been vulnerable to DoS attacks and buffer overflows, and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed.

Identifier: CCE-27396-1

Remediation (bash):
    package_remove ypbind

Remediation (Ansible):
    - name: Ensure ypbind is removed
      package:
        name: ypbind
        state: absent
      tags:
        - package_ypbind_removed
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-27396-1

Remediation (Puppet):
    include remove_ypbind
    class remove_ypbind {
      package { 'ypbind':
        ensure => 'purged',
      }
    }

Remediation (Anaconda):
    package --remove=ypbind

Disable ypbind Service

The ypbind service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled.
The ypbind service can be disabled with the following command:
    $ sudo systemctl disable ypbind.service

References: 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 CCI-000305 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4

Rationale: Disabling the ypbind service ensures the system is not acting as a client in a NIS or NIS+ domain. This service should be disabled unless in use.

Identifier: CCE-27385-4

Remediation (bash):
    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'ypbind.service'
    "$SYSTEMCTL_EXEC" disable 'ypbind.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^ypbind.socket\>' && "$SYSTEMCTL_EXEC" disable 'ypbind.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'ypbind.service' - name: Disable service ypbind service: name: ypbind enabled: "no" state: "stopped" register: service_result failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)" tags: - service_ypbind_disabled - medium_severity - disable_strategy - low_complexity - low_disruption - CCE-27385-4 - NIST-800-53-AC-17(8) - NIST-800-53-CM-7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Disable socket of service ypbind if applicable service: name: ypbind.socket enabled: "no" state: "stopped" register: socket_result failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)" tags: - service_ypbind_disabled - medium_severity - disable_strategy - low_complexity - low_disruption - CCE-27385-4 - NIST-800-53-AC-17(8) - NIST-800-53-CM-7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Uninstall ypserv Package The ypserv package can be removed with the following command: $ sudo yum erase ypserv RHEL-07-020010 SV-86593r2_rule 2.2.16 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 CCI-000381 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 
A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7(a) PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000095-GPOS-00049 The NIS service provides an unencrypted authentication service which does not provide for the confidentiality and integrity of user passwords or the remote session. Removing the ypserv package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services. CCE-27399-5 package_remove ypserv - name: Ensure ypserv is removed package: name: ypserv state: absent tags: - package_ypserv_removed - high_severity - disable_strategy - low_complexity - low_disruption - CCE-27399-5 - NIST-800-53-AC-17(8) - NIST-800-53-CM-7(a) - DISA-STIG-RHEL-07-020010 include remove_ypserv class remove_ypserv { package { 'ypserv': ensure => 'purged', } } package --remove=ypserv Disable tftp Service The tftp service should be disabled. The tftp service can be disabled with the following command: $ sudo systemctl disable tftp.service 2.1.6 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 CCI-001436 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4 Disabling the tftp service ensures the system is not acting as a TFTP server, which does not provide encryption or authentication. 
Identifiers: CCE-80212-4

Remediation (shell script):

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'tftp.service'
    "$SYSTEMCTL_EXEC" disable 'tftp.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^tftp.socket\>' && "$SYSTEMCTL_EXEC" disable 'tftp.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'tftp.service'

Remediation (Ansible snippet):

    - name: Disable service tftp
      service:
        name: tftp
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
      - service_tftp_disabled
      - medium_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80212-4
      - NIST-800-53-AC-17(8)
      - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service tftp if applicable
      service:
        name: tftp.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
      - service_tftp_disabled
      - medium_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80212-4
      - NIST-800-53-AC-17(8)
      - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Remove tftp Daemon

Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files between systems. TFTP does not support authentication and can be easily hacked. The package tftp is a client program that allows for connections to a tftp server. It is recommended that TFTP be removed, unless there is a specific need for TFTP (such as a boot server). In that case, use extreme caution when configuring the services.

Identifiers: CCE-80443-5

Remediation (shell script):

    package_remove tftp

Remediation (Ansible snippet):

    - name: Ensure tftp is removed
      package:
        name: tftp
        state: absent
      tags:
      - package_tftp_removed
      - high_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80443-5

Remediation (Puppet snippet):

    include remove_tftp
    class remove_tftp {
      package { 'tftp':
        ensure => 'purged',
      }
    }

Remediation (Anaconda snippet):

    package --remove=tftp

Uninstall tftp-server Package

The tftp-server package can be removed with the following command:

    $ sudo yum erase tftp-server

References: RHEL-07-040700 SV-86925r2_rule 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 CCI-000318 CCI-000368 CCI-001812 CCI-001813 CCI-001814 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-6(c) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000480-GPOS-00227

Rationale: Removing the tftp-server package decreases the risk of the accidental (or intentional) activation of tftp services. If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the Information Systems Security Manager (ISSM), restricted to only authorized personnel, and have access control rules established.
Identifiers: CCE-80213-2

Remediation (shell script):

    package_remove tftp-server

Remediation (Ansible snippet):

    - name: Ensure tftp-server is removed
      package:
        name: tftp-server
        state: absent
      tags:
      - package_tftp-server_removed
      - high_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80213-2
      - NIST-800-53-AC-17(8)
      - NIST-800-53-CM-6(c)
      - NIST-800-53-CM-7
      - DISA-STIG-RHEL-07-040700

Remediation (Puppet snippet):

    include remove_tftp-server
    class remove_tftp-server {
      package { 'tftp-server':
        ensure => 'purged',
      }
    }

Remediation (Anaconda snippet):

    package --remove=tftp-server

Ensure tftp Daemon Uses Secure Mode

If running the tftp service is necessary, it should be configured to change its root directory at startup. To do so, ensure /etc/xinetd.d/tftp includes -s as a command line argument, as shown in the following example (which is also the default):

    server_args = -s /var/lib/tftpboot

References: RHEL-07-040720 SV-86929r3_rule 11 12 13 14 15 16 18 3 5 8 9 APO01.06 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.06 CCI-000366 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.6.2.1 A.6.2.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 AC-17(8) CM-7 PR.AC-3 PR.AC-4 PR.DS-5 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000480-GPOS-00227

Rationale: Using the -s option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally-specified directory reduces the risk of sharing files which should remain private.
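The -s requirement above can be verified on a copy of /etc/xinetd.d/tftp before a change is rolled out. The following is an added example and not part of the SCAP Security Guide or its checks: the function names (xinetd_server_args, tftp_chroot_dir, xinetd_service_disabled, tftp_audit) are this example's own, and both sample files are constructed here; the compliant one reuses the server_args value recommended above.

```shell
#!/bin/sh
# Added example, not from the SCAP Security Guide: verify that an xinetd tftp
# definition runs in.tftpd in secure mode (-s <directory>). The sample files
# below are constructed for this example; nothing here reads the live system.

# Print the effective server_args value of an xinetd service file. xinetd uses
# the last assignment it sees, so "tail -n 1" mirrors that; empty if unset.
xinetd_server_args() {
    sed -n 's/^[[:space:]]*server_args[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Print the directory passed to -s (or --secure). Returns 1 when the daemon
# would not be confined: no -s at all, or -s followed by another option or
# by nothing.
tftp_chroot_dir() {
    local args
    args=$(xinetd_server_args "$1")
    # Word-splitting of the argument string is intended here.
    set -- $args
    while [ $# -gt 0 ]; do
        case "$1" in
            -s|--secure)
                if [ $# -ge 2 ] && [ "${2#-}" = "$2" ]; then
                    echo "$2"
                    return 0
                fi
                return 1
                ;;
        esac
        shift
    done
    return 1
}

# True (0) when the entry is switched off with "disable = yes". A disabled
# tftp entry is the preferred state; secure mode only matters when it is on.
xinetd_service_disabled() {
    local value
    value=$(sed -n 's/^[[:space:]]*disable[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    [ "$value" = yes ]
}

# Constructed sample of an enabled tftp entry that uses the recommended
# server_args (the stock RHEL 7 file ships with disable = yes).
write_secure_tftp_conf() {
    cat > "$1" <<'EOF'
service tftp
{
        socket_type     = dgram
        protocol        = udp
        wait            = yes
        user            = root
        server          = /usr/sbin/in.tftpd
        server_args     = -s /var/lib/tftpboot
        disable         = no
        per_source      = 11
        cps             = 100 2
        flags           = IPv4
}
EOF
}

# Constructed sample of a non-compliant entry: enabled, and the directory is
# given without -s, so in.tftpd is not confined to it.
write_insecure_tftp_conf() {
    cat > "$1" <<'EOF'
service tftp
{
        socket_type     = dgram
        protocol        = udp
        wait            = yes
        user            = root
        server          = /usr/sbin/in.tftpd
        server_args     = /var/lib/tftpboot
        disable         = no
}
EOF
}

# Audit one file: prints a verdict, returns 0 only when the entry is either
# disabled or confined with -s.
tftp_audit() {
    local conf="$1" dir
    if xinetd_service_disabled "$conf"; then
        echo "$conf: tftp entry disabled in xinetd"
        return 0
    fi
    if dir=$(tftp_chroot_dir "$conf"); then
        echo "$conf: secure mode, serving only from $dir"
        return 0
    fi
    echo "$conf: NOT in secure mode (server_args='$(xinetd_server_args "$conf")')"
    return 1
}

sample_ok=$(mktemp); sample_bad=$(mktemp)
write_secure_tftp_conf "$sample_ok"; write_insecure_tftp_conf "$sample_bad"
tftp_audit "$sample_ok"            # secure mode, serving only from /var/lib/tftpboot
tftp_audit "$sample_bad" || true   # NOT in secure mode
rm -f "$sample_ok" "$sample_bad"
```

The check deliberately rejects "-s" followed by another option, since in.tftpd would then treat that option, not a directory, as the argument; a disabled entry passes because the daemon is never started by xinetd in that state.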
Identifiers: CCE-80214-0

Install tcp_wrappers Package

When network services are using the xinetd service, the tcp_wrappers package should be installed. The tcp_wrappers package can be installed with the following command:

    $ sudo yum install tcp_wrappers

References: 3.4.1 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 CCI-000366 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-6(b) PR.IP-1 SRG-OS-000480-GPOS-00227

Rationale: Access control methods provide the ability to enhance system security posture by restricting services to known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols.

Identifiers: CCE-27361-5

Remediation (shell script):

    package_install tcp_wrappers

Remediation (Ansible snippet):

    - name: Ensure tcp_wrappers is installed
      package:
        name: tcp_wrappers
        state: present
      tags:
      - package_tcp_wrappers_installed
      - medium_severity
      - enable_strategy
      - low_complexity
      - low_disruption
      - CCE-27361-5
      - NIST-800-53-CM-6(b)
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Remediation (Puppet snippet):

    include install_tcp_wrappers
    class install_tcp_wrappers {
      package { 'tcp_wrappers':
        ensure => 'installed',
      }
    }

Remediation (Anaconda snippet):

    package --add=tcp_wrappers

Disable xinetd Service

The xinetd service can be disabled with the following command:

    $ sudo systemctl disable xinetd.service

References: 2.1.7 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 3.4.7 CCI-000305 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4

Rationale: The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself.

Identifiers: CCE-27443-1

Remediation (shell script):

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'xinetd.service'
    "$SYSTEMCTL_EXEC" disable 'xinetd.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^xinetd.socket\>' && "$SYSTEMCTL_EXEC" disable 'xinetd.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'xinetd.service'

Remediation (Ansible snippet):

    - name: Disable service xinetd
      service:
        name: xinetd
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
      - service_xinetd_disabled
      - medium_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-27443-1
      - NIST-800-53-AC-17(8)
      - NIST-800-53-CM-7
      - NIST-800-171-3.4.7
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service xinetd if applicable
      service:
        name: xinetd.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
      - service_xinetd_disabled
      - medium_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-27443-1
      - NIST-800-53-AC-17(8)
      - NIST-800-53-CM-7
      - NIST-800-171-3.4.7
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Uninstall xinetd Package

The xinetd package can be removed with the following command:

    $ sudo yum erase xinetd

References: 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 CCI-000305 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4

Rationale: Removing the xinetd package decreases the risk of the xinetd service's accidental (or intentional) activation.

Identifiers: CCE-27354-0

Remediation (shell script):

    package_remove xinetd

Remediation (Ansible snippet):

    - name: Ensure xinetd is removed
      package:
        name: xinetd
        state: absent
      tags:
      - package_xinetd_removed
      - medium_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-27354-0
      - NIST-800-53-AC-17(8)
      - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Remediation (Puppet snippet):

    include remove_xinetd
    class remove_xinetd {
      package { 'xinetd':
        ensure => 'purged',
      }
    }

Remediation (Anaconda snippet):

    package --remove=xinetd

Uninstall talk Package

The talk package contains the client program for the Internet talk protocol, which allows the user to chat with other users on different systems. Talk is a communication program which copies lines from one terminal to the terminal of another user.
The talk package can be removed with the following command:

    $ sudo yum erase talk

References: 2.3.3 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii)

Rationale: The talk software presents a security risk as it uses unencrypted protocols for communications. Removing the talk package decreases the risk of the accidental (or intentional) activation of the talk client program.

Identifiers: CCE-27432-4

Remediation (shell script):

    package_remove talk

Remediation (Ansible snippet):

    - name: Ensure talk is removed
      package:
        name: talk
        state: absent
      tags:
      - package_talk_removed
      - medium_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-27432-4

Remediation (Puppet snippet):

    include remove_talk
    class remove_talk {
      package { 'talk':
        ensure => 'purged',
      }
    }

Remediation (Anaconda snippet):

    package --remove=talk

Uninstall talk-server Package

The talk-server package can be removed with the following command:

    $ sudo yum erase talk-server

References: 2.2.21 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii)

Rationale: The talk software presents a security risk as it uses unencrypted protocols for communications. Removing the talk-server package decreases the risk of the accidental (or intentional) activation of talk services.

Identifiers: CCE-27210-4

Remediation (shell script):

    package_remove talk-server

Remediation (Ansible snippet):

    - name: Ensure talk-server is removed
      package:
        name: talk-server
        state: absent
      tags:
      - package_talk-server_removed
      - medium_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-27210-4

Remediation (Puppet snippet):

    include remove_talk-server
    class remove_talk-server {
      package { 'talk-server':
        ensure => 'purged',
      }
    }

Remediation (Anaconda snippet):

    package --remove=talk-server

Disable unauthenticated repositories in APT configuration

Unauthenticated repositories should not be used for updates.

References: NT28(R15)

Rationale: Repositories host all packages that will be installed on the system during an update. If a repository is not authenticated, the associated packages cannot be trusted and should not be installed locally.

Ensure that official distribution repositories are used

Check that official Debian repositories, including the security repository, are configured in apt.

References: NT28(R15)

Rationale: The Debian distribution delivers DSA (Debian Security Announce) notices through the official Debian security repository to correct vulnerabilities affecting Debian packages. Using the official repositories is the best way to ensure that Debian updates are applied promptly.

Restrict Access to Anonymous Users if Possible

Is there a mission-critical reason for users to transfer files to/from their own accounts using FTP, rather than using a secure protocol like SCP/SFTP? If not, edit the vsftpd configuration file. Add or correct the following configuration option:

    local_enable=NO

If non-anonymous FTP logins are necessary, follow the guidance in the remainder of this section to secure these logins as much as possible.

References: 11 12 14 15 16 18 3 5 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.03 DSS06.06 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 CM-7 AC-3 PR.AC-4 PR.AC-6 PR.IP-1 PR.PT-3

Rationale: The use of non-anonymous FTP logins is strongly discouraged. Since SSH clients and servers are widely available, and since SSH provides support for a transfer mode which resembles FTP in user interface, there is no good reason to allow password-based FTP access.

Identifiers: CCE-80249-6

Limit Users Allowed FTP Access if Necessary

If there is a mission-critical reason for users to access their accounts via the insecure FTP protocol, limit the set of users who are allowed this access. Edit the vsftpd configuration file.
Add or correct the following configuration options:

    userlist_enable=YES
    userlist_file=/etc/vsftp.ftpusers
    userlist_deny=NO

Edit the file /etc/vsftp.ftpusers. For each user USERNAME who should be allowed to access the system via FTP, add a line containing that user's name:

    USERNAME

If anonymous access is also required, add the anonymous usernames to /etc/vsftp.ftpusers as well:

    anonymous
    ftp

Rationale: Historically, the file /etc/ftpusers contained a list of users who were not allowed to access the system via FTP. It was used to prevent system users such as the root user from logging in via the insecure FTP protocol. However, when the configuration option userlist_deny=NO is set, vsftpd interprets ftpusers as the set of users who are allowed to login via FTP. Since it should be possible for most users to access their accounts via secure protocols, it is recommended that this setting be used, so that non-anonymous FTP access can be limited to legacy users who have been explicitly identified.

Configure Firewalls to Protect the FTP Server

By default, firewalld blocks access to the ports used by the FTP server. To configure firewalld to allow access, run the following command(s):

    firewall-cmd --permanent --add-service=ftp

Rationale: These settings configure the firewall to allow connections to an FTP server. The command above allows initial connections to the FTP server port. FTP is an older protocol which is not very compatible with firewalls. During the initial FTP dialogue, the client and server negotiate an arbitrary port to be used for data transfer. The ip_conntrack_ftp module is used by iptables to listen to that dialogue and allow connections to the data ports which FTP negotiates. This allows an FTP server to operate on a system which is running a firewall.

Create Warning Banners for All FTP Users

Edit the vsftpd configuration file, which resides at /etc/vsftpd/vsftpd.conf by default. Add or correct the following configuration options:

    banner_file=/etc/issue

References: CCI-000048

Rationale: This setting will cause the system greeting banner to be used for FTP connections as well.

Identifiers: CCE-80248-8

Disable FTP Uploads if Possible

Is there a mission-critical reason for users to upload files via FTP? If not, edit the vsftpd configuration file to add or correct the following configuration options:

    write_enable=NO

If FTP uploads are necessary, follow the guidance in the remainder of this section to secure these transactions as much as possible.

Rationale: Anonymous FTP can be a convenient way to make files available for universal download. However, it is less common to have a need to allow unauthenticated users to place files on the FTP server. If this must be done, it is necessary to ensure that files cannot be uploaded and downloaded from the same directory.

Identifiers: CCE-80250-4

Place the FTP Home Directory on its Own Partition

By default, the anonymous FTP root is the home directory of the FTP user account. The df command can be used to verify that this directory is on its own partition.

Rationale: If there is a mission-critical reason for anonymous users to upload files, precautions must be taken to prevent these users from filling a disk used by other services.

Identifiers: CCE-80251-2

Enable Logging of All FTP Transactions

Add or correct the following configuration options within the vsftpd configuration file, located at /etc/vsftpd/vsftpd.conf:

    xferlog_enable=YES
    xferlog_std_format=NO
    log_ftp_protocol=YES

If verbose logging to vsftpd.log is done, sparse logging of downloads to /var/log/xferlog will not also occur. However, the information about what files were downloaded is included in the information logged to vsftpd.log.

Rationale: To trace malicious activity facilitated by the FTP service, it must be configured to ensure that all commands sent to the FTP server are logged using the verbose vsftpd log format. The default vsftpd log file is /var/log/vsftpd.log.
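The vsftpd settings recommended in the rules above (local_enable, the userlist options, banner_file, write_enable and the three logging options) can be audited together on a copy of vsftpd.conf. The following is an added example and not part of the SCAP Security Guide or its OVAL checks: the function names vsftpd_get, vsftpd_check and vsftpd_audit are this example's own, and both sample configurations are constructed here, using only the option values given above.

```shell
#!/bin/sh
# Added example, not from the SCAP Security Guide: audit a vsftpd.conf against
# the option values recommended in the FTP rules above. Both sample
# configurations are constructed for this example; nothing here touches
# /etc/vsftpd.

# Print the effective value of a vsftpd option. vsftpd honours the last
# assignment of an option, so "tail -n 1" mirrors that; prints nothing when the
# option is absent or only present in a comment.
vsftpd_get() {
    local conf="$1" key="$2"
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$conf" | tail -n 1
}

# Compare one option with its required value. Returns 0 on match, 1 otherwise.
vsftpd_check() {
    local conf="$1" key="$2" want="$3" got
    got=$(vsftpd_get "$conf" "$key")
    if [ "$got" = "$want" ]; then
        echo "PASS ${key}=${want}"
        return 0
    fi
    echo "FAIL ${key}: expected '${want}', found '${got:-<unset>}'"
    return 1
}

# Run every check from this section. The return code is the number of
# non-compliant options, so 0 means the file satisfies all of them.
vsftpd_audit() {
    local conf="$1" pair failures=0
    for pair in \
        local_enable=NO \
        userlist_enable=YES \
        userlist_deny=NO \
        banner_file=/etc/issue \
        write_enable=NO \
        xferlog_enable=YES \
        xferlog_std_format=NO \
        log_ftp_protocol=YES
    do
        vsftpd_check "$conf" "${pair%%=*}" "${pair#*=}" || failures=$((failures + 1))
    done
    echo "${failures} non-compliant option(s) in ${conf}"
    return "$failures"
}

# Constructed "before" configuration: local logins and uploads allowed, the
# banner commented out, standard xferlog format, protocol logging unset.
write_weak_conf() {
    cat > "$1" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
#banner_file=/etc/issue
xferlog_enable=YES
xferlog_std_format=YES
userlist_enable=YES
userlist_file=/etc/vsftp.ftpusers
userlist_deny=NO
EOF
}

# Constructed "after" configuration with every option set as recommended.
write_hardened_conf() {
    cat > "$1" <<'EOF'
anonymous_enable=NO
local_enable=NO
userlist_enable=YES
userlist_file=/etc/vsftp.ftpusers
userlist_deny=NO
banner_file=/etc/issue
write_enable=NO
xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES
EOF
}

weak=$(mktemp); hardened=$(mktemp)
write_weak_conf "$weak"; write_hardened_conf "$hardened"
vsftpd_audit "$weak" || true    # 5 non-compliant option(s)
vsftpd_audit "$hardened"        # 0 non-compliant option(s)
rm -f "$weak" "$hardened"
```

Because the return code of vsftpd_audit is the count of failing options, the function can gate a deployment step directly; the commented-out banner_file line in the weak sample shows why the lookup must ignore comments rather than match the option name anywhere in the file.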
Identifiers: CCE-80247-0

Install vsftpd Package

If this system must operate as an FTP server, install the vsftpd package via the standard channels. The vsftpd package can be installed with the following command:

    $ sudo yum install vsftpd

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: After Red Hat Enterprise Linux 2.1, Red Hat switched from distributing wu-ftpd with Red Hat Enterprise Linux to distributing vsftpd. For security and for consistency with future Red Hat releases, the use of vsftpd is recommended.

Identifiers: CCE-80246-2

Remediation (shell script):

    package_install vsftpd

Remediation (Ansible snippet):

    - name: Ensure vsftpd is installed
      package:
        name: vsftpd
        state: present
      tags:
      - package_vsftpd_installed
      - unknown_severity
      - enable_strategy
      - low_complexity
      - low_disruption
      - CCE-80246-2
      - NIST-800-53-CM-7

Remediation (Puppet snippet):

    include install_vsftpd
    class install_vsftpd {
      package { 'vsftpd':
        ensure => 'installed',
      }
    }

Remediation (Anaconda snippet):

    package --add=vsftpd

Disable vsftpd Service

The vsftpd service can be disabled with the following command:

    $ sudo systemctl disable vsftpd.service

References: 2.2.9 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 CCI-001436 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: Running FTP server software provides a network-based avenue of attack, and should be disabled if not needed. Furthermore, the FTP protocol is unencrypted and creates a risk of compromising sensitive information.

Identifiers: CCE-80244-7

Remediation (shell script):

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'vsftpd.service'
    "$SYSTEMCTL_EXEC" disable 'vsftpd.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^vsftpd.socket\>' && "$SYSTEMCTL_EXEC" disable 'vsftpd.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'vsftpd.service'

Remediation (Ansible snippet):

    - name: Disable service vsftpd
      service:
        name: vsftpd
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
      - service_vsftpd_disabled
      - unknown_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80244-7
      - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service vsftpd if applicable
      service:
        name: vsftpd.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
      - service_vsftpd_disabled
      - unknown_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80244-7
      - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Uninstall vsftpd Package

The vsftpd package can be removed with the following command:

    $ sudo yum erase vsftpd

References: RHEL-07-040690 SV-86923r3_rule 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 CCI-000366 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-6(b) CM-7 PR.IP-1 PR.PT-3 SRG-OS-000480-GPOS-00227

Rationale: Removing the vsftpd package decreases the risk of its accidental activation.

Identifiers: CCE-80245-4

Remediation (shell script):

    package_remove vsftpd

Remediation (Ansible snippet):

    - name: Ensure vsftpd is removed
      package:
        name: vsftpd
        state: absent
      tags:
      - package_vsftpd_removed
      - high_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80245-4
      - NIST-800-53-CM-6(b)
      - NIST-800-53-CM-7
      - DISA-STIG-RHEL-07-040690

Remediation (Puppet snippet):

    include remove_vsftpd
    class remove_vsftpd {
      package { 'vsftpd':
        ensure => 'purged',
      }
    }

Remediation (Anaconda snippet):

    package --remove=vsftpd

Configure SNMP Service to Use Only SNMPv3 or Newer

Edit /etc/snmp/snmpd.conf, removing any references to rocommunity, rwcommunity, or com2sec. Upon doing that, restart the SNMP service:

    $ sudo service snmpd restart

Rationale: Earlier versions of SNMP are considered insecure, as they potentially allow unauthorized access to detailed system management information.

Identifiers: CCE-80276-9

Ensure Default SNMP Password Is Not Used

Edit /etc/snmp/snmpd.conf, and remove or change the default community strings of public and private.
Once the default community strings have been changed, restart the SNMP service:

    $ sudo service snmpd restart

References: RHEL-07-040800 SV-86937r2_rule 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-000366 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5.1(ii) PR.AC-1 PR.AC-6 PR.AC-7 SRG-OS-000480-GPOS-00227

Rationale: Whether active or not, default simple network management protocol (SNMP) community strings must be changed to maintain security. If the service is running with the default authenticators, then anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system and network(s).

Identifiers: CCE-27386-2

Remediation (shell script):

    if grep -s "public\|private" /etc/snmp/snmpd.conf | grep -qv "^#"; then
      sed -i "/^\s*#/b;/public\|private/ s/^/#/" /etc/snmp/snmpd.conf
    fi

Uninstall net-snmp Package

The net-snmp package provides the snmpd service. The net-snmp package can be removed with the following command:

    $ sudo yum erase net-snmp

Rationale: If there is no need to run SNMP server software, removing the package provides a safeguard against its activation.

Identifiers: CCE-80275-1

Remediation (shell script):

    package_remove net-snmp

Remediation (Ansible snippet):

    - name: Ensure net-snmp is removed
      package:
        name: net-snmp
        state: absent
      tags:
      - package_net-snmp_removed
      - unknown_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80275-1

Remediation (Puppet snippet):

    include remove_net-snmp
    class remove_net-snmp {
      package { 'net-snmp':
        ensure => 'purged',
      }
    }

Remediation (Anaconda snippet):

    package --remove=net-snmp

Disable snmpd Service

The snmpd service can be disabled with the following command:

    $ sudo systemctl disable snmpd.service

References: 2.2.14 SRG-OS-000480-VMM-002000

Rationale: Running SNMP software provides a network-based avenue of attack, and should be disabled if not needed.
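Both SNMP configuration rules above (SNMPv3 only, and no default community strings) can be checked on a copy of snmpd.conf before the daemon is restarted. The following is an added example and not the guide's own check or remediation: the function names are this example's own and the two sample files are constructed here. It also reproduces the guide's word match so the two can be compared; the word match flags any non-comment line containing "public" or "private", while the directive-anchored match only reports community-string fields.

```shell
#!/bin/sh
# Added example, not from the SCAP Security Guide: audit an snmpd.conf-style
# file for the two SNMP rules above (SNMPv3 only; no default community
# strings). The sample files are constructed for this example and nothing
# here touches /etc/snmp.

# Count active SNMPv1/v2c access directives (rocommunity, rwcommunity, com2sec
# and their IPv6 variants). Anchoring at the line start skips commented-out
# examples. "|| true" keeps grep's exit status of 1 on zero matches from
# being treated as a failure; the count is still printed.
snmp_legacy_directives() {
    grep -cE '^[[:space:]]*(rocommunity6?|rwcommunity6?|com2sec6?)[[:space:]]' "$1" || true
}

# Count directives whose community string is still "public" or "private".
# For (ro|rw)community the community is the first field; for com2sec it is
# the third (after the security name and the source).
snmp_default_communities() {
    grep -cE '^[[:space:]]*((ro|rw)community6?[[:space:]]+|com2sec6?[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+[[:space:]]+)(public|private)([[:space:]]|$)' "$1" || true
}

# The guide's remediation tests for the two words anywhere on a non-comment
# line; this reproduces that test so it can be compared on the same input.
naive_default_hits() {
    grep -sE 'public|private' "$1" | grep -vc '^#' || true
}

# Verdict for one file: prints a summary, returns 0 only when no v1/v2c
# directive and no default community string is active.
snmp_audit() {
    local conf="$1" legacy defaults
    legacy=$(snmp_legacy_directives "$conf")
    defaults=$(snmp_default_communities "$conf")
    echo "$conf: $legacy v1/v2c directive(s), $defaults default community string(s)"
    [ "$legacy" -eq 0 ] && [ "$defaults" -eq 0 ]
}

# Constructed sample in the style of a stock net-snmp configuration.
write_legacy_snmpd_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real deployment
com2sec notConfigUser  default       public
rocommunity  public  127.0.0.1
rwcommunity  private
#rocommunity public   (commented-out example, not active)
sysLocation  Server room
EOF
}

# Constructed SNMPv3-only sample: access is granted with rouser and requires
# authentication and privacy; the SNMPv3 user itself is created out of band.
write_v3_snmpd_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real deployment
rouser  monitor  priv
sysLocation  public lab, rack 3
EOF
}

f_legacy=$(mktemp); f_v3=$(mktemp)
write_legacy_snmpd_conf "$f_legacy"; write_v3_snmpd_conf "$f_v3"
snmp_audit "$f_legacy" || true   # 3 v1/v2c directive(s), 3 default community string(s)
snmp_audit "$f_v3"               # 0 v1/v2c directive(s), 0 default community string(s)
echo "word-match hits on the v3 file: $(naive_default_hits "$f_v3")"   # 1 (the sysLocation line)
rm -f "$f_legacy" "$f_v3"
```

The sysLocation line in the SNMPv3 sample is the kind of false positive the word match produces: the guide's sed would comment it out even though it carries no community string, which is harmless but obscures the real finding.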
Identifiers: CCE-80274-4

Remediation (shell script):

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'snmpd.service'
    "$SYSTEMCTL_EXEC" disable 'snmpd.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^snmpd.socket\>' && "$SYSTEMCTL_EXEC" disable 'snmpd.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'snmpd.service'

Remediation (Ansible snippet):

    - name: Disable service snmpd
      service:
        name: snmpd
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
      - service_snmpd_disabled
      - unknown_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80274-4
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service snmpd if applicable
      service:
        name: snmpd.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
      - service_snmpd_disabled
      - unknown_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80274-4
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Verify Group Who Owns /etc/cron.allow file

If /etc/cron.allow exists, it must be group-owned by root. To properly set the group owner of /etc/cron.allow, run the command:

    $ sudo chgrp root /etc/cron.allow

References: RHEL-07-021120 SV-86679r2_rule 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 CCI-000366 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 SRG-OS-000480-GPOS-00227

Rationale: If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.

Identifiers: CCE-80379-1

Remediation (shell script):

    chgrp 0 /etc/cron.allow

Remediation (Ansible snippet):

    - name: Test for existence /etc/cron.allow
      stat:
        path: /etc/cron.allow
      register: file_exists
      tags:
      - file_groupowner_cron_allow
      - medium_severity
      - configure_strategy
      - low_complexity
      - low_disruption
      - CCE-80379-1
      - NIST-800-53-AC-6
      - DISA-STIG-RHEL-07-021120
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Ensure group owner 0 on /etc/cron.allow
      file:
        path: /etc/cron.allow
        group: 0
      when: file_exists.stat.exists and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
      - file_groupowner_cron_allow
      - medium_severity
      - configure_strategy
      - low_complexity
      - low_disruption
      - CCE-80379-1
      - NIST-800-53-AC-6
      - DISA-STIG-RHEL-07-021120

Verify User Who Owns /etc/cron.allow file

If /etc/cron.allow exists, it must be owned by root. To properly set the owner of /etc/cron.allow, run the command:

    $ sudo chown root /etc/cron.allow

References: RHEL-07-021110 SV-86677r3_rule 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 CCI-000366 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 SRG-OS-000480-GPOS-00227

Rationale: If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.

Identifiers: CCE-80378-3

Remediation (shell script):

    chown 0 /etc/cron.allow

Remediation (Ansible snippet):

    - name: Test for existence /etc/cron.allow
      stat:
        path: /etc/cron.allow
      register: file_exists
      tags:
      - file_owner_cron_allow
      - medium_severity
      - configure_strategy
      - low_complexity
      - low_disruption
      - CCE-80378-3
      - NIST-800-53-AC-6
      - DISA-STIG-RHEL-07-021110
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Ensure owner 0 on /etc/cron.allow
      file:
        path: /etc/cron.allow
        owner: 0
      when: file_exists.stat.exists and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
      - file_owner_cron_allow
      - medium_severity
      - configure_strategy
      - low_complexity
      - low_disruption
      - CCE-80378-3
      - NIST-800-53-AC-6
      - DISA-STIG-RHEL-07-021110

Disable anacron Service

The cronie-anacron package, which provides anacron functionality, is installed by default.
The cronie-anacron package can be removed with the following command:
$ sudo yum erase cronie-anacron
References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3
Rationale: The anacron service provides cron functionality for systems such as laptops and workstations that may be shut down during the normal times that cron jobs are scheduled to run. On systems which do not require this additional functionality, anacron could needlessly increase the possible attack surface for an intruder.
Identifiers: CCE-80344-5

Enable cron Service
The crond service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity.
The crond service can be enabled with the following command:
$ sudo systemctl enable crond.service
References: 5.1.1 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3
Rationale: Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.
Identifiers: CCE-27323-5
Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'crond.service'
"$SYSTEMCTL_EXEC" enable 'crond.service'
Remediation Ansible snippet:
- name: Enable service crond
  service:
    name: crond
    enabled: "yes"
    state: "started"
  tags:
    - service_crond_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-27323-5
    - NIST-800-53-CM-7
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable At Service (atd)
The at and batch commands can be used to schedule tasks that are meant to be executed only once. This allows delayed execution in a manner similar to cron, except that it is not recurring. The daemon atd keeps track of tasks scheduled via at and batch, and executes them at the specified time.
The atd service can be disabled with the following command:
$ sudo systemctl disable atd.service
References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 CCI-000381 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3
Rationale: The atd service could be used by an unsophisticated insider to carry out activities outside of a normal login session, which could complicate accountability. Furthermore, the need to schedule tasks with at or batch is not common.
Identifiers: CCE-80345-2
Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'atd.service'
"$SYSTEMCTL_EXEC" disable 'atd.service'
# Disable socket activation if we have a unit file for it
"$SYSTEMCTL_EXEC" list-unit-files | grep -q '^atd.socket\>' && "$SYSTEMCTL_EXEC" disable 'atd.socket'
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'atd.service'
Remediation Ansible snippet:
- name: Disable service atd
  service:
    name: atd
    enabled: "no"
    state: "stopped"
  register: service_result
  failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
  tags:
    - service_atd_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80345-2
    - NIST-800-53-CM-7
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Disable socket of service atd if applicable
  service:
    name: atd.socket
    enabled: "no"
    state: "stopped"
  register: socket_result
  failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
  tags:
    - service_atd_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80345-2
    - NIST-800-53-CM-7
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Install the cron service
The Cron service should be installed.
References: NT28(R50) 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3
Rationale: The cron service allows periodic job execution, needed for almost all administrative tasks and services (software update, log rotating, etc.). Access to the cron service should be restricted to administrative accounts only.

Enable cron Service
The crond service is used to execute commands at preconfigured times.
It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The cron service can be enabled with the following command:
$ sudo systemctl enable cron.service
References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3
Rationale: Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.

Disable X Windows Startup By Setting Default Target
Systems that do not require a graphical user interface should only boot by default into multi-user.target mode. This prevents accidental booting of the system into a graphical.target mode. Setting the system's default target to multi-user.target will prevent automatic startup of the X server. To do so, run:
$ systemctl set-default multi-user.target
You should see the following output:
rm '/etc/systemd/system/default.target'
ln -s '/usr/lib/systemd/system/multi-user.target' '/etc/systemd/system/default.target'
References: 12 15 8 APO13.01 DSS01.04 DSS05.02 DSS05.03 CCI-000366 4.3.3.6.6 SR 1.13 SR 2.6 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.13.1.1 A.13.2.1 A.14.1.3 A.6.2.1 A.6.2.2 AC-17(8).1(ii) PR.AC-3 PR.PT-4 SRG-OS-000480-GPOS-00227
Rationale: Services that are not required for system and application processes must not be active to decrease the attack surface of the system. X windows has a long history of security vulnerabilities and should not be used unless approved and documented.
Identifiers: CCE-27285-6

Remove the X Windows Package Group
By removing the xorg-x11-server-common package, the system no longer has X Windows installed. If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the system from being accidentally or maliciously booted into a graphical.target mode. To do so, run the following commands:
$ sudo yum groupremove "X Window System"
$ sudo yum remove xorg-x11-server-common
References: RHEL-07-040730 SV-86931r4_rule 2.2.2 12 15 8 APO13.01 DSS01.04 DSS05.02 DSS05.03 CCI-000366 4.3.3.6.6 SR 1.13 SR 2.6 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.13.1.1 A.13.2.1 A.14.1.3 A.6.2.1 A.6.2.2 AC-17(8).1(ii) PR.AC-3 PR.PT-4 SRG-OS-000480-GPOS-00227
Rationale: Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security vulnerabilities and should not be installed unless approved and documented.
Identifiers: CCE-27218-7
Remediation Shell script:
package_remove xorg-x11-server-common
Remediation Ansible snippet:
- name: Ensure xorg-x11-server-common is removed
  package:
    name: xorg-x11-server-common
    state: absent
  tags:
    - package_xorg-x11-server-common_removed
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-27218-7
    - NIST-800-53-AC-17(8).1(ii)
    - DISA-STIG-RHEL-07-040730
Remediation Puppet snippet:
include remove_xorg-x11-server-common
class remove_xorg-x11-server-common {
  package { 'xorg-x11-server-common':
    ensure => 'purged',
  }
}
Remediation Anaconda snippet:
package --remove=xorg-x11-server-common

Uninstall quagga Package
The quagga package can be removed with the following command:
$ sudo yum erase quagga
References: 12 15 8 APO13.01 DSS05.02 CCI-000366 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.13.1.1 A.13.2.1 A.14.1.3 SC-32 PR.PT-4 SRG-OS-000480-GPOS-00227
Rationale: Routing software is typically used on routers to exchange network topology information with other routers. If routing software is used when not required, system network information may be unnecessarily transmitted across the network.
If there is no need to make the router software available, removing it provides a safeguard against its activation.
Identifiers: CCE-27594-1
Remediation Shell script:
package_remove quagga
Remediation Ansible snippet:
- name: Ensure quagga is removed
  package:
    name: quagga
    state: absent
  tags:
    - package_quagga_removed
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-27594-1
    - NIST-800-53-SC-32
Remediation Puppet snippet:
include remove_quagga
class remove_quagga {
  package { 'quagga':
    ensure => 'purged',
  }
}
Remediation Anaconda snippet:
package --remove=quagga

Disable Quagga Service
The zebra service can be disabled with the following command:
$ sudo systemctl disable zebra.service
References: 12 15 8 APO13.01 DSS05.02 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.13.1.1 A.13.2.1 A.14.1.3 SC-32 PR.PT-4 SRG-OS-000480-GPOS-00227
Rationale: Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If routing daemons are used when not required, system network information may be unnecessarily transmitted across the network.
Identifiers: CCE-27191-6
Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'zebra.service'
"$SYSTEMCTL_EXEC" disable 'zebra.service'
# Disable socket activation if we have a unit file for it
"$SYSTEMCTL_EXEC" list-unit-files | grep -q '^zebra.socket\>' && "$SYSTEMCTL_EXEC" disable 'zebra.socket'
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'zebra.service'
Remediation Ansible snippet:
- name: Disable service zebra
  service:
    name: zebra
    enabled: "no"
    state: "stopped"
  register: service_result
  failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
  tags:
    - service_zebra_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-27191-6
    - NIST-800-53-SC-32
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Disable socket of service zebra if applicable
  service:
    name: zebra.socket
    enabled: "no"
    state: "stopped"
  register: socket_result
  failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
  tags:
    - service_zebra_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-27191-6
    - NIST-800-53-SC-32
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Zone Transfers from the Nameserver
Is it necessary for a secondary nameserver to receive zone data via zone transfer from the primary server? If not, follow the instructions in this section. If so, see the next section for instructions on protecting zone transfers. Add or correct the following directive within /etc/named.conf:
options {
  allow-transfer { none; };
  ...
}
Rationale: If both the primary and secondary nameserver are under your control, or if you have only one nameserver, it may be possible to use an external configuration management mechanism to distribute zone updates. In that case, it is not necessary to allow zone transfers within BIND itself, so they should be disabled to avoid the potential for abuse.
Identifiers: CCE-80327-0

Disable Dynamic Updates
Is there a mission-critical reason to enable the risky dynamic update functionality? If not, edit /etc/named.conf.
For each zone specification, correct the following directive if necessary:
zone "example.com" IN {
  allow-update { none; };
  ...
};
Rationale: Dynamic updates allow remote servers to add, delete, or modify any entries in your zone file. Therefore, they should be considered highly risky, and disabled unless there is a very good reason for their use. If dynamic updates must be allowed, IP-based ACLs are insufficient protection, since they are easily spoofed. Instead, use TSIG keys (see the previous section for an example), and consider using the update-policy directive to restrict changes to only the precise type of change needed.
Identifiers: CCE-80329-6

Authenticate Zone Transfers
If it is necessary for a secondary nameserver to receive zone data via zone transfer from the primary server, follow the instructions here. Use dnssec-keygen to create a symmetric key file in the current directory:
$ cd /tmp
$ sudo dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dns.example.com
Kdns.example.com.+aaa+iiiii
This output is the name of a file containing the new key. Read the file to find the base64-encoded key string:
$ sudo cat Kdns.example.com.+NNN+MMMMM.key
dns.example.com IN KEY 512 3 157 base64-key-string
Add the directives to /etc/named.conf on the primary server:
key zone-transfer-key {
  algorithm hmac-md5;
  secret "base64-key-string";
};
zone "example.com" IN {
  type master;
  allow-transfer { key zone-transfer-key; };
  ...
};
Add the directives below to /etc/named.conf on the secondary nameserver:
key zone-transfer-key {
  algorithm hmac-md5;
  secret "base64-key-string";
};
server IP-OF-MASTER {
  keys { zone-transfer-key; };
};
zone "example.com" IN {
  type slave;
  masters { IP-OF-MASTER; };
  ...
};
The purpose of the dnssec-keygen command is to create the shared secret string base64-key-string.
Once this secret has been obtained and inserted into named.conf on the primary and secondary servers, the key files Kdns.example.com.+NNN+MMMMM.key and Kdns.example.com.+NNN+MMMMM.private are no longer needed, and may safely be deleted.
References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3
Rationale: The BIND transaction signature (TSIG) functionality allows primary and secondary nameservers to use a shared secret to verify authorization to perform zone transfers. This method is more secure than using IP-based limiting to restrict nameserver access, since IP addresses can be easily spoofed. However, if you cannot configure TSIG between your servers because, for instance, the secondary nameserver is not under your control and its administrators are unwilling to configure TSIG, you can configure an allow-transfer directive with numerical IP addresses or ACLs as a last resort.
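The three BIND rules above (global allow-transfer { none; }, allow-update { none; } per zone, and TSIG-keyed transfers) can be checked together by reading named.conf. The following Python script is an added example, not SCAP Security Guide content: the brace-tracking parser, the function names and the sample configuration are this example's own. The sample is constructed and contains one hardened zone, one permissive zone and one zone that inherits the global setting.

```python
"""Audit a BIND named.conf for the zone-transfer, dynamic-update and TSIG
settings covered by the three BIND rules above.  Added example; parser,
function names and sample configuration are this example's own, not SSG code."""
import re

# Constructed sample: one hardened zone, one permissive zone, one that
# inherits the global allow-transfer setting.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    allow-transfer { none; };
};

key zone-transfer-key {
    algorithm hmac-md5;
    secret "base64-key-string";
};

zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-transfer { key zone-transfer-key; };
    allow-update { none; };
};

zone "insecure.example" IN {
    type master;
    file "insecure.zone";
    allow-transfer { any; };            // anyone may copy the zone
    allow-update { 192.0.2.0/24; };     // IP ACL, trivially spoofed
};

zone "inherit.example" IN {
    type master;
    file "inherit.zone";
};
"""

# Top-level 'options {', 'zone "name" ... {' and 'key name {' headers.
_HEADER = re.compile(
    r'^\s*(?:(?P<options>options)|zone\s+"(?P<zone>[^"]+)"|key\s+"?(?P<key>[^\s"{]+)"?)[^{;]*\{',
    re.M,
)


def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def _blocks(text):
    """Yield (kind, name, body) for each top-level block, tracking brace depth."""
    pos = 0
    while True:
        m = _HEADER.search(text, pos)
        if not m:
            return
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        body = text[m.end():i - 1]
        if m.group("options"):
            yield "options", None, body
        elif m.group("zone") is not None:
            yield "zone", m.group("zone"), body
        else:
            yield "key", m.group("key"), body
        pos = i


def _acl(body, directive):
    """Return a directive's address-match list as a list of tokens, or None if absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(directive), body)
    if not m:
        return None
    return [t.strip() for t in m.group(1).split(";") if t.strip()]


def audit_named_conf(text):
    """Return a list of (where, message) findings; an empty list is compliant."""
    findings = []
    global_transfer, zones, keys = None, [], {}
    for kind, name, body in _blocks(_strip_comments(text)):
        if kind == "options":
            global_transfer = _acl(body, "allow-transfer")
        elif kind == "zone":
            zones.append((name, body))
        else:
            m = re.search(r"\balgorithm\s+([\w-]+)", body)
            keys[name] = m.group(1).lower() if m else "unknown"
    if global_transfer != ["none"]:
        findings.append(("options", "allow-transfer { none; } is not set globally"))
    for name, body in zones:
        transfer = _acl(body, "allow-transfer")
        if transfer is None:            # zone inherits the global setting
            transfer = global_transfer
        if transfer is None or "any" in transfer:
            findings.append((name, "zone transfers allowed to any host"))
        elif transfer != ["none"] and not any(t.startswith("key ") for t in transfer):
            findings.append((name, "zone transfers restricted by IP only; use a TSIG key"))
        update = _acl(body, "allow-update")
        if update and update != ["none"]:
            if any(t.startswith("key ") for t in update):
                findings.append((name, "dynamic updates enabled under TSIG; confirm update-policy limits them"))
            else:
                findings.append((name, "dynamic updates allowed by IP ACL, which is easily spoofed"))
    for name, alg in keys.items():
        if alg == "hmac-md5":
            findings.append(("key " + name, "TSIG key uses hmac-md5; BIND also supports hmac-sha256"))
    return findings


if __name__ == "__main__":
    for where, message in audit_named_conf(SAMPLE_NAMED_CONF):
        print("%s: %s" % (where, message))
```

A zone with no allow-transfer of its own inherits the options block, which is why the script resolves the global value first; with no options block at all it reports the zone as open, matching the rule's assumption that transfers must be denied explicitly. The last check is a caveat beyond the page text: the guide's dnssec-keygen invocation uses HMAC-MD5, and BIND accepts hmac-sha256 for TSIG keys as well.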
Identifiers: CCE-80328-8

Disable named Service
The named service can be disabled with the following command:
$ sudo systemctl disable named.service
References: 2.2.8 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 CCI-000366 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3
Rationale: All network services involve some risk of compromise due to implementation flaws and should be disabled if possible.
Identifiers: CCE-80325-4
Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'named.service'
"$SYSTEMCTL_EXEC" disable 'named.service'
# Disable socket activation if we have a unit file for it
"$SYSTEMCTL_EXEC" list-unit-files | grep -q '^named.socket\>' && "$SYSTEMCTL_EXEC" disable 'named.socket'
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'named.service'
Remediation Ansible snippet:
- name: Disable service named
  service:
    name: named
    enabled: "no"
    state: "stopped"
  register: service_result
  failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
  tags:
    - service_named_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80325-4
    - NIST-800-53-CM-7
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Disable socket of service named if applicable
  service:
    name: named.socket
    enabled: "no"
    state: "stopped"
  register: socket_result
  failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
  tags:
    - service_named_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80325-4
    - NIST-800-53-CM-7
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Uninstall bind Package
The named service is provided by the bind package. The bind package can be removed with the following command:
$ sudo yum erase bind
References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 CCI-000366 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3
Rationale: If there is no need to make DNS server software available, removing it provides a safeguard against its activation.
Identifiers: CCE-80326-2
Remediation Shell script:
package_remove bind
Remediation Ansible snippet:
- name: Ensure bind is removed
  package:
    name: bind
    state: absent
  tags:
    - package_bind_removed
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80326-2
    - NIST-800-53-CM-7
Remediation Puppet snippet:
include remove_bind
class remove_bind {
  package { 'bind':
    ensure => 'purged',
  }
}
Remediation Anaconda snippet:
package --remove=bind

Uninstall openldap-servers Package
The openldap-servers package should be removed if not in use. Is this system the OpenLDAP server? If not, remove the package. The openldap-servers package can be removed with the following command:
$ sudo yum erase openldap-servers
The openldap-servers RPM is not installed by default on a Red Hat Enterprise Linux 7 system. It is needed only by the OpenLDAP server, not by the clients which use LDAP for authentication. If the system is not intended for use as an LDAP Server it should be removed.
References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 CCI-000366 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3
Rationale: Unnecessary packages should not be installed to decrease the attack surface of the system. While this software is clearly essential on an LDAP server, it is not necessary on typical desktop or workstation systems.
Identifiers: CCE-80293-4
Remediation Shell script:
package_remove openldap-servers
Remediation Ansible snippet:
- name: Ensure openldap-servers is removed
  package:
    name: openldap-servers
    state: absent
  tags:
    - package_openldap-servers_removed
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80293-4
    - NIST-800-53-CM-7
Remediation Puppet snippet:
include remove_openldap-servers
class remove_openldap-servers {
  package { 'openldap-servers':
    ensure => 'purged',
  }
}
Remediation Anaconda snippet:
package --remove=openldap-servers

Enable the LDAP Client For Use in Authconfig
To determine if LDAP is being used for authentication, use the following command:
$ sudo grep -i useldapauth /etc/sysconfig/authconfig
If USELDAPAUTH=yes, then LDAP is being used. If not, set USELDAPAUTH to yes.
References: 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 CCI-001453 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(2) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000250-GPOS-00093
Rationale: Without cryptographic integrity protections, information can be altered by unauthorized users without detection. The ssl directive specifies whether to use TLS or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL.
Identifiers: CCE-80448-4

Configure Certificate Directives for LDAP Use of TLS
Ensure a copy of a trusted CA certificate has been placed in the file /etc/pki/tls/CA/cacert.pem. Configure LDAP to enforce TLS use and to trust certificates signed by that CA.
First, edit the file /etc/nslcd.conf, and add or correct either of the following lines:
tls_cacertdir /etc/pki/tls/CA
or
tls_cacertfile /etc/pki/tls/CA/cacert.pem
Then review the LDAP server and ensure TLS has been configured.
References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 CCI-000776 CCI-000778 CCI-001453 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3
Rationale: The tls_cacertdir or tls_cacertfile directives are required when tls_checkpeer is configured (which is the default for openldap versions 2.1 and up). These directives define the path to the trust certificates signed by the site CA.
Identifiers: CCE-80292-6

Configure LDAP Client to Use TLS For All Transactions
This check verifies that Red Hat Enterprise Linux 7 implements cryptography to protect the integrity of remote LDAP authentication sessions. To determine if LDAP is being used for authentication, use the following command:
$ sudo grep -i useldapauth /etc/sysconfig/authconfig
If USELDAPAUTH=yes, then LDAP is being used.
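The manual grep checks in these LDAP client rules (USELDAPAUTH in /etc/sysconfig/authconfig, ssl start_tls and a tls_cacertdir or tls_cacertfile entry in /etc/nslcd.conf) can be combined into one audit. The Python below is an added example, not SCAP Security Guide code; the two small parsers, the function names and the sample files are this example's own, and the sample files are constructed. It defaults ssl to "no" when the directive is absent, as the rationale above states.

```python
"""Check the LDAP client settings from the rules above: USELDAPAUTH in
/etc/sysconfig/authconfig, and 'ssl start_tls' plus a CA trust anchor in
/etc/nslcd.conf.  Added example with constructed sample files; the parsers
and function names are this example's own, not SSG code."""
import os
import re

SAMPLE_AUTHCONFIG = """# constructed /etc/sysconfig/authconfig excerpt
USELDAP=yes
USELDAPAUTH=yes
USESSSD=no
"""

SAMPLE_NSLCD_WEAK = """# constructed /etc/nslcd.conf: plaintext LDAP, no CA trust anchor
uid nslcd
gid ldap
uri ldap://ldap.example.com/
base dc=example,dc=com
ssl no
"""

SAMPLE_NSLCD_FIXED = """# constructed /etc/nslcd.conf after remediation
uid nslcd
gid ldap
uri ldap://ldap.example.com/
base dc=example,dc=com
ssl start_tls
tls_cacertfile /etc/pki/tls/CA/cacert.pem
"""


def parse_shell_vars(text):
    """KEY=VALUE lines (authconfig style); a later line overrides an earlier one."""
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z_][A-Za-z0-9_]*)=(.*)$", line)
        if m:
            values[m.group(1)] = m.group(2).strip().strip("\"'")
    return values


def parse_nslcd(text):
    """'option value' lines (nslcd.conf style); option names are case-insensitive."""
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            values[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return values


def audit_ldap_client(authconfig_text, nslcd_text):
    """Return a list of findings; an empty list means the rules are satisfied."""
    findings = []
    auth = parse_shell_vars(authconfig_text)
    if auth.get("USELDAPAUTH", "no").lower() != "yes":
        findings.append("authconfig: USELDAPAUTH is not 'yes'; LDAP authentication is not enabled")
        return findings   # the TLS settings below only matter once LDAP auth is on
    nslcd = parse_nslcd(nslcd_text)
    ssl = nslcd.get("ssl", "no").lower()   # absent directive defaults to no
    if ssl != "start_tls":
        findings.append("nslcd.conf: ssl is '%s', expected 'start_tls'" % ssl)
    if "tls_cacertdir" not in nslcd and "tls_cacertfile" not in nslcd:
        findings.append("nslcd.conf: no tls_cacertdir or tls_cacertfile; the server certificate cannot be validated")
    return findings


def audit_ldap_client_files(authconfig="/etc/sysconfig/authconfig", nslcd="/etc/nslcd.conf"):
    """Run the audit against the real files; a missing file is treated as empty."""
    def read(path):
        if not os.path.exists(path):
            return ""
        with open(path) as fh:
            return fh.read()
    return audit_ldap_client(read(authconfig), read(nslcd))


if __name__ == "__main__":
    print(audit_ldap_client(SAMPLE_AUTHCONFIG, SAMPLE_NSLCD_WEAK))
    print(audit_ldap_client(SAMPLE_AUTHCONFIG, SAMPLE_NSLCD_FIXED))
```

Running audit_ldap_client_files() on a host reports the same findings for the live files; the early return keeps the TLS findings from firing on systems that do not authenticate against LDAP at all.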
To check if LDAP is configured to use TLS, use the following command:
$ sudo grep -i ssl /etc/pam_ldap.conf
References: 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 CCI-001453 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(2) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000250-GPOS-00093
Rationale: Without cryptographic integrity protections, information can be altered by unauthorized users without detection. The ssl directive specifies whether to use TLS or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL.
Identifiers: CCE-80291-8
Remediation Shell script:
# Use LDAP for authentication
replace_or_append '/etc/sysconfig/authconfig' 'USELDAPAUTH' 'yes' 'CCE-80291-8' '%s=%s'
# Configure client to use TLS for all authentications
replace_or_append '/etc/nslcd.conf' 'ssl' 'start_tls' 'CCE-80291-8' '%s %s'

Disable DHCP Client in ifcfg
For each interface on the system (e.g. eth0), edit /etc/sysconfig/network-scripts/ifcfg-interface and make the following changes:
Correct the BOOTPROTO line to read:
BOOTPROTO=none
Add or correct the following lines, substituting the appropriate values based on your site's addressing scheme:
NETMASK=255.255.255.0
IPADDR=192.168.1.2
GATEWAY=192.168.1.1
References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 CCI-000366 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3
Rationale: DHCP relies on trusting the local network. If the local network is not trusted, then it should not be used. However, the automatic configuration provided by DHCP is commonly used and the alternative, manual configuration, presents an unacceptable burden in many circumstances.
Identifiers: CCE-80337-9

Configure Logging
Ensure that the following line exists in /etc/rsyslog.conf:
daemon.* /var/log/daemon.log
Configure logwatch or other log monitoring tools to summarize error conditions reported by the dhcpd process.
References: 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 AU-12 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.PT-1
Rationale: By default, dhcpd logs notices to the daemon facility. Sending all daemon messages to a dedicated log file is part of the syslog configuration outlined in the Logging and Auditing section.
Identifiers: CCE-80336-1

Deny BOOTP Queries
Unless your network needs to support older BOOTP clients, disable support for the bootp protocol by adding or correcting the global option:
deny bootp;
References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3
Rationale: The bootp option tells dhcpd to respond to BOOTP queries. If support for this simpler protocol is not needed, it should be disabled to remove attack vectors against the DHCP server.
Identifiers: CCE-80334-6

Do Not Use Dynamic DNS
To prevent the DHCP server from receiving DNS information from clients, edit /etc/dhcp/dhcpd.conf, and add or correct the following global option:
ddns-update-style none;
The ddns-update-style option controls only whether the DHCP server will attempt to act as a Dynamic DNS client. As long as the DNS server itself is correctly configured to reject DDNS attempts, an incorrect ddns-update-style setting on the client is harmless (but should be fixed as a best practice).
References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3
Rationale: The Dynamic DNS protocol is used to remotely update the data served by a DNS server. DHCP servers can use Dynamic DNS to publish information about their clients. This setup carries security risks, and its use is not recommended. If Dynamic DNS must be used despite the risks it poses, it is critical that Dynamic DNS transactions be protected using TSIG or some other cryptographic authentication mechanism. See dhcpd.conf(5) for more information about protecting the DHCP server from passing along malicious DNS data from its clients.
Identifiers: CCE-80332-0

Minimize Served Information
Edit /etc/dhcp/dhcpd.conf. Examine each address range section within the file, and ensure that the following options are not defined unless there is an operational need to provide this information via DHCP:
option domain-name
option domain-name-servers
option nis-domain
option nis-servers
option ntp-servers
option routers
option time-offset
By default, the Red Hat Enterprise Linux client installation uses DHCP to request much of the above information from the DHCP server. In particular, domain-name, domain-name-servers, and routers are configured via DHCP. These settings are typically necessary for proper network functionality, but are also usually static across systems at a given site.
References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3
Rationale: Because the configuration information provided by the DHCP server could be maliciously provided to clients by a rogue DHCP server, the amount of information provided via DHCP should be minimized. Remove these definitions from the DHCP server configuration to ensure that legitimate clients do not unnecessarily rely on DHCP for this information.

Deny Decline Messages
Edit /etc/dhcp/dhcpd.conf and add or correct the following global option to prevent the DHCP server from responding to DHCPDECLINE messages, if possible:
deny declines;
References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3
Rationale: The DHCPDECLINE message can be sent by a DHCP client to indicate that it does not consider the lease offered by the server to be valid. By issuing many DHCPDECLINE messages, a malicious client can exhaust the DHCP server's pool of IP addresses, causing the DHCP server to forget old address allocations.
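The dhcpd hardening rules above (deny bootp, ddns-update-style none, minimal served options, deny declines) plus the rsyslog daemon-facility line from the Configure Logging rule can be checked from the configuration files alone. The Python below is an added example, not SCAP Security Guide code: the statement scanner, SERVED_OPTIONS list, function names and sample configuration are this example's own, and the sample dhcpd.conf is constructed so that it trips every check. It goes slightly beyond the rule text by reporting the enclosing subnet for each served option, since the rule asks for each address range section to be examined.

```python
"""Audit /etc/dhcp/dhcpd.conf for the dhcpd hardening rules above (deny bootp,
ddns-update-style none, minimal served options, deny declines) and check that
rsyslog routes the daemon facility to its own file.  Added example with a
constructed sample configuration; the functions are this example's own, not SSG code."""
import re

SAMPLE_DHCPD_CONF = """# constructed /etc/dhcp/dhcpd.conf: every check below fires
ddns-update-style interim;
option domain-name "example.com";
option domain-name-servers 192.0.2.53;
default-lease-time 600;

subnet 192.0.2.0 netmask 255.255.255.0 {
    range 192.0.2.100 192.0.2.200;
    option routers 192.0.2.1;
    option ntp-servers 192.0.2.123;
}
"""

# Options the "Minimize Served Information" rule says to drop unless needed.
SERVED_OPTIONS = ("domain-name", "domain-name-servers", "nis-domain",
                  "nis-servers", "ntp-servers", "routers", "time-offset")


def _statements(text):
    """Yield (scope, statement) pairs; scope is 'global' or the enclosing block header."""
    text = re.sub(r"#[^\n]*", "", text)
    stack, buf = [], ""
    for ch in text:
        if ch == "{":
            stack.append(" ".join(buf.split()))   # e.g. 'subnet ... netmask ...'
            buf = ""
        elif ch == "}":
            stack.pop()
            buf = ""
        elif ch == ";":
            stmt = " ".join(buf.split())
            if stmt:
                yield (stack[-1] if stack else "global"), stmt
            buf = ""
        else:
            buf += ch


def audit_dhcpd_conf(text):
    """Return (scope, message) findings; an empty list means the rules are met."""
    findings = []
    stmts = list(_statements(text))
    global_stmts = [s for scope, s in stmts if scope == "global"]
    if "deny bootp" not in global_stmts:
        findings.append(("global", "'deny bootp;' is missing; dhcpd will answer BOOTP queries"))
    ddns = [s for s in global_stmts if s.startswith("ddns-update-style")]
    if not ddns:
        findings.append(("global", "ddns-update-style is not set; add 'ddns-update-style none;'"))
    elif ddns[-1] != "ddns-update-style none":
        findings.append(("global", "'%s;' lets dhcpd push Dynamic DNS updates" % ddns[-1]))
    if "deny declines" not in global_stmts:
        findings.append(("global", "'deny declines;' is missing; DHCPDECLINE floods can exhaust the pool"))
    for scope, stmt in stmts:
        m = re.match(r"option\s+([\w-]+)", stmt)
        if m and m.group(1) in SERVED_OPTIONS:
            findings.append((scope, "serves 'option %s'; remove unless operationally required" % m.group(1)))
    return findings


def rsyslog_logs_daemon_facility(text):
    """True if rsyslog.conf has a 'daemon.*' selector with a target such as /var/log/daemon.log."""
    return any(re.match(r"daemon\.\*\s+\S+", line.strip()) for line in text.splitlines())


if __name__ == "__main__":
    for scope, message in audit_dhcpd_conf(SAMPLE_DHCPD_CONF):
        print("%s: %s" % (scope, message))
    print(rsyslog_logs_daemon_facility("daemon.* /var/log/daemon.log\n"))
```

The scanner treats anything before a { as the block header, so findings inside a subnet are labelled with that subnet line; a served option declared at top level is reported as global, which the rule's wording does not cover but which a reviewer would still want to see.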
Identifier: CCE-80333-8

Rule: Uninstall DHCP Server Package
Description: If the system does not need to act as a DHCP server, the dhcp package can be uninstalled. The dhcp package can be removed with the following command:
  $ sudo yum erase dhcp
References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 CCI-000366 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3
Rationale: Removing the DHCP server ensures that it cannot be easily or accidentally reactivated and disrupt network operation.
Identifier: CCE-80331-2
Remediation (shell, via the guide's package_remove helper):
  package_remove dhcp
Remediation (Ansible):
```yaml
- name: Ensure dhcp is removed
  package:
    name: dhcp
    state: absent
  tags:
    - package_dhcp_removed
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80331-2
    - NIST-800-53-CM-7
```
Remediation (Puppet):
```puppet
include remove_dhcp
class remove_dhcp {
  package { 'dhcp':
    ensure => 'purged',
  }
}
```
Remediation (Anaconda):
  package --remove=dhcp

Rule: Disable DHCP Service
Description: The dhcpd service should be disabled on any system that does not need to act as a DHCP server.
The dhcpd service can be disabled with the following command:
  $ sudo systemctl disable dhcpd.service
References: 2.2.5 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 CCI-000366 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3
Rationale: Unmanaged or unintentionally activated DHCP servers may provide faulty information to clients, interfering with the operation of a legitimate site DHCP server if there is one.
Identifier: CCE-80330-4
Remediation (shell):
```bash
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'dhcpd.service'
"$SYSTEMCTL_EXEC" disable 'dhcpd.service'
# Disable socket activation if we have a unit file for it
"$SYSTEMCTL_EXEC" list-unit-files | grep -q '^dhcpd.socket\>' && "$SYSTEMCTL_EXEC" disable 'dhcpd.socket'
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'dhcpd.service'
```
Remediation (Ansible):
```yaml
- name: Disable service dhcpd
  service:
    name: dhcpd
    enabled: "no"
    state: "stopped"
  register: service_result
  failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
  tags:
    - service_dhcpd_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80330-4
    - NIST-800-53-CM-7
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Disable socket of service dhcpd if applicable
  service:
    name: dhcpd.socket
    enabled: "no"
    state: "stopped"
  register: socket_result
  failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
  tags:
    - service_dhcpd_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80330-4
    - NIST-800-53-CM-7
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Rule: Minimize the DHCP-Configured Options
Description: Create the file /etc/dhcp/dhclient.conf, and add an appropriate setting for each of the ten configuration settings which can be obtained via DHCP. For each setting, do one of the following:
  - If the setting should not be configured remotely by the DHCP server, select an appropriate static value, and add the line:
      supersede setting value;
  - If the setting should be configured remotely by the DHCP server, add the lines:
      request setting;
      require setting;
For example, suppose the DHCP server should provide only the IP address itself and the subnet mask.
Then the entire file should look like:
```text
supersede domain-name "example.com";
supersede domain-name-servers 192.168.1.2;
supersede nis-domain "";
supersede nis-servers "";
supersede ntp-servers 192.168.1.3;
supersede routers 192.168.1.1;
supersede time-offset -18000;
request subnet-mask;
require subnet-mask;
```
In this example, the options nis-servers and nis-domain are set to empty strings, on the assumption that the deprecated NIS protocol is not in use. It is necessary to supersede settings for unused services so that they cannot be set by a hostile DHCP server. If an option is set to an empty string, dhclient will typically not attempt to configure the service. The ntp-servers option takes IP addresses (see dhcp-options(5)), so it is superseded with an address rather than a host name. Note that this example leaves two of the ten default options, broadcast-address and host-name, uncovered; add supersede lines for them as well if every option is to be pinned.
Rationale: By default, the DHCP client program, dhclient, requests and applies ten configuration options (in addition to the IP address) from the DHCP server: subnet-mask, broadcast-address, time-offset, routers, domain-name, domain-name-servers, host-name, nis-domain, nis-servers, and ntp-servers. Many of the options requested and applied by dhclient may be the same for every system on a network. It is recommended that almost all configuration options be assigned statically, and only options which must vary on a host-by-host basis be assigned via DHCP. This limits the damage which can be done by a rogue DHCP server. If appropriate for your site, it is also possible to supersede the host-name directive in /etc/dhcp/dhclient.conf, establishing a static hostname for the system. However, dhclient does not use the host name option provided by the DHCP server (instead using the value provided by a reverse DNS lookup).

Rule: Disable Samba
Description: The smb service can be disabled with the following command:
  $ sudo systemctl disable smb.service
References: 2.2.12 CCI-001436
Rationale: Running a Samba server provides a network-based avenue of attack, and should be disabled if not needed.
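The dhclient.conf rule is a coverage check: each of the ten default options must be either superseded or both requested and required. The following is an added example, not part of the SCAP Security Guide: a reader for the supersede/request/require statements and an audit that reports every default option a rogue server could still influence. The sample files are constructed for the example (the first is the rule's own example, which pins eight of the ten options).

```python
# The ten options dhclient requests and applies by default, as listed in the
# rule's rationale.
DEFAULT_REQUESTED = [
    "subnet-mask", "broadcast-address", "time-offset", "routers",
    "domain-name", "domain-name-servers", "host-name", "nis-domain",
    "nis-servers", "ntp-servers",
]


def parse_dhclient_conf(text):
    """Map option name -> set of verbs ('supersede', 'request', 'require').

    'supersede NAME VALUE;' names one option; 'request' and 'require' take a
    comma-separated list. Comments are dropped; quoted values containing ';'
    are not handled.
    """
    seen = {}
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    for stmt in body.split(";"):
        words = stmt.split()
        if len(words) < 2 or words[0] not in ("supersede", "request", "require"):
            continue
        if words[0] == "supersede":
            names = [words[1]]
        else:
            names = [n.strip() for n in " ".join(words[1:]).split(",")]
        for name in names:
            seen.setdefault(name, set()).add(words[0])
    return seen


def audit_dhclient_conf(text, server_supplied=("subnet-mask",)):
    """List the default options a rogue DHCP server could still influence.

    server_supplied: options the site intentionally takes from DHCP; these
    must be both requested and required. Every other default option must be
    superseded with a static value.
    """
    seen = parse_dhclient_conf(text)
    problems = []
    for opt in DEFAULT_REQUESTED:
        verbs = seen.get(opt, set())
        if opt in server_supplied:
            if not {"request", "require"} <= verbs:
                problems.append(opt + ": must be both requested and required")
        elif "supersede" not in verbs:
            problems.append(opt + ": not superseded, a DHCP-supplied value would be applied")
    return problems


# Constructed sample: the example file from this rule.
PAGE_EXAMPLE = """
supersede domain-name "example.com";
supersede domain-name-servers 192.168.1.2;
supersede nis-domain "";
supersede nis-servers "";
supersede ntp-servers 192.168.1.3;
supersede routers 192.168.1.1;
supersede time-offset -18000;
request subnet-mask;
require subnet-mask;
"""

# Constructed sample: the same file with the two remaining defaults pinned.
COMPLETE_EXAMPLE = PAGE_EXAMPLE + """
supersede broadcast-address 192.168.1.255;
supersede host-name "";
"""

if __name__ == "__main__":
    for problem in audit_dhclient_conf(PAGE_EXAMPLE):
        print(problem)
```

Pass server_supplied=("subnet-mask", "routers") for a site that legitimately varies the default gateway per host; the audit then demands request and require lines for routers instead of a supersede line.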
Identifier: CCE-80277-7
Remediation (shell):
```bash
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'smb.service'
"$SYSTEMCTL_EXEC" disable 'smb.service'
# Disable socket activation if we have a unit file for it
"$SYSTEMCTL_EXEC" list-unit-files | grep -q '^smb.socket\>' && "$SYSTEMCTL_EXEC" disable 'smb.socket'
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'smb.service'
```
Remediation (Ansible):
```yaml
- name: Disable service smb
  service:
    name: smb
    enabled: "no"
    state: "stopped"
  register: service_result
  failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
  tags:
    - service_smb_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80277-7
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Disable socket of service smb if applicable
  service:
    name: smb.socket
    enabled: "no"
    state: "stopped"
  register: socket_result
  failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
  tags:
    - service_smb_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80277-7
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Rule: Uninstall Samba Package
Description: The samba package can be removed with the following command:
  $ sudo yum erase samba
Rationale: If there is no need to make the Samba software available, removing it provides a safeguard against its activation.
Identifier: CCE-80278-5
Remediation (shell, via the guide's package_remove helper):
  package_remove samba
Remediation (Ansible):
```yaml
- name: Ensure samba is removed
  package:
    name: samba
    state: absent
  tags:
    - package_samba_removed
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80278-5
```
Remediation (Puppet):
```puppet
include remove_samba
class remove_samba {
  package { 'samba':
    ensure => 'purged',
  }
}
```
Remediation (Anaconda):
  package --remove=samba

Rule: Install the Samba Common Package
Description: The samba-common package should be installed. The samba-common package can be installed with the following command:
  $ sudo yum install samba-common
Rationale: If the samba-common package is not installed, samba cannot be configured.
Identifier: CCE-80360-1
Remediation (shell, via the guide's package_install helper):
  package_install samba-common
Remediation (Ansible):
```yaml
- name: Ensure samba-common is installed
  package:
    name: samba-common
    state: present
  tags:
    - package_samba-common_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80360-1
```
Remediation (Puppet):
```puppet
include install_samba-common
class install_samba-common {
  package { 'samba-common':
    ensure => 'installed',
  }
}
```
Remediation (Anaconda):
  package --add=samba-common

Rule: Disable Root Access to SMB Shares
Description: Administrators should not use administrator accounts to access Samba file and printer shares. Disable the root user and the wheel administrator group:
```ini
[share]
   invalid users = root @wheel
```
If administrator accounts cannot be disabled, ensure that local system passwords and Samba service passwords do not match. Typically, administrator access is required when Samba must create user and system accounts and shares. Domain member servers and standalone servers may not need administrator access at all. If that is the case, add the invalid users parameter to [global] instead.
Identifier: CCE-80279-3

Rule: Require Client SMB Packet Signing, if using smbclient
Description: To require samba clients running smbclient to use packet signing, add the following to the [global] section of the Samba configuration file, /etc/samba/smb.conf:
  client signing = mandatory
Rationale: Requiring samba clients such as smbclient to use packet signing ensures they can only communicate with servers that support packet signing.
Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.
Identifier: CCE-80280-1
Remediation (shell):
```bash
######################################################################
#By Luke "Brisk-OH" Brisk
#luke.brisk@boeing.com or luke.brisk@gmail.com
######################################################################
# Count only active (uncommented) 'client signing' lines, so that a
# commented-out example does not suppress the insertion below.
CLIENTSIGNING=$( grep -Eic '^[[:blank:]]*client[[:blank:]]+signing[[:blank:]]*=' /etc/samba/smb.conf )
if [ "$CLIENTSIGNING" -eq 0 ]; then
    # Add to global section
    sed -i 's/\[global\]/\[global\]\n\n\tclient signing = mandatory/g' /etc/samba/smb.conf
else
    # Rewrite whatever value is currently set (no, auto, disabled, ...),
    # not only "no", so a weak non-"no" setting is corrected as well.
    sed -i 's/^[[:blank:]]*client[[:blank:]]\{1,\}signing[[:blank:]]*=.*/\tclient signing = mandatory/' /etc/samba/smb.conf
fi
```
Remediation (Ansible):
```yaml
- name: Check if /etc/samba/smb.conf exists
  stat:
    path: /etc/samba/smb.conf
  register: st_smb
  tags:
    - require_smb_client_signing
    - unknown_severity
    - configure_strategy
    - low_complexity
    - medium_disruption
    - CCE-80280-1

- name: Require Client SMB Packet Signing, if using smbclient
  lineinfile:
    dest: /etc/samba/smb.conf
    # Replace an existing 'client signing' line rather than adding a second one
    regexp: '^\s*client\s+signing\s*='
    line: client signing = mandatory
    state: present
    # Quoted: an unquoted [global] would be parsed by YAML as a list
    insertafter: '^\[global\]'
  when: st_smb.stat.exists
  tags:
    - require_smb_client_signing
    - unknown_severity
    - configure_strategy
    - low_complexity
    - medium_disruption
    - CCE-80280-1
```

Rule: Require Client SMB Packet Signing, if using mount.cifs
Description: Require packet signing of clients who mount Samba shares using the mount.cifs program (e.g., those who specify shares in /etc/fstab). To do so, ensure signing options (either sec=krb5i or sec=ntlmv2i) are used. See the mount.cifs(8) man page for more information.
Rationale: A Samba client should only communicate with servers who can support SMB packet signing. Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.
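The three Samba client rules above (invalid users for root and @wheel, client signing = mandatory, and a signing sec= mode on cifs mounts) can be verified from smb.conf and fstab without touching the server. The following is an added example, not part of the SCAP Security Guide: a minimal smb.conf reader plus one check per rule, run over constructed sample files. It accepts only the value and the two sec= modes named by the rules.

```python
import re


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {parameter: value}}.

    Section and parameter names are lower-cased with whitespace folded, so
    'Client Signing' and 'client signing' compare equal, as in Samba itself.
    Lines starting with '#' or ';' are comments.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = " ".join(m.group(1).lower().split())
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, val = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = val.strip()
    return sections


def client_signing_required(text):
    """True when [global] forces smbclient to sign (client signing = mandatory)."""
    value = parse_smb_conf(text).get("global", {}).get("client signing", "")
    return value.lower() == "mandatory"


def admin_access_disabled(text, share):
    """True when the share, or [global], lists both root and @wheel in invalid users."""
    conf = parse_smb_conf(text)
    names = set()
    for section in ("global", share):
        names |= set(conf.get(section, {}).get("invalid users", "").split())
    return {"root", "@wheel"} <= names


def cifs_mounts_without_signing(fstab_text):
    """Sources of cifs fstab entries whose sec= mode is not krb5i or ntlmv2i."""
    weak = []
    for raw in fstab_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4 or fields[2] != "cifs":
            continue
        # "a=b,c" -> {"a": "b", "c": ""}
        opts = dict(o.partition("=")[::2] for o in fields[3].split(","))
        if opts.get("sec") not in ("krb5i", "ntlmv2i"):
            weak.append(fields[0])
    return weak


# Constructed samples.
WEAK_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   client signing = auto
[share]
   path = /srv/share
"""

HARDENED_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   client signing = mandatory
[share]
   path = /srv/share
   invalid users = root @wheel
"""

FSTAB = """
//fs.example.com/data  /mnt/data  cifs  credentials=/etc/cifs.cred,sec=krb5i   0 0
//fs.example.com/pub   /mnt/pub   cifs  credentials=/etc/cifs.cred,sec=ntlmv2  0 0
//fs.example.com/old   /mnt/old   cifs  credentials=/etc/cifs.cred             0 0
"""

if __name__ == "__main__":
    print("client signing mandatory:", client_signing_required(WEAK_SMB_CONF))
    print("unsigned cifs mounts:", cifs_mounts_without_signing(FSTAB))
```

The third fstab entry has no sec= at all and is reported too: mount.cifs then negotiates a mode on its own, which is exactly what the rule wants to avoid.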
Identifier: CCE-80281-9

Rule: Disable httpd Service
Description: The httpd service can be disabled with the following command:
  $ sudo systemctl disable httpd.service
References: 2.2.10 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3
Rationale: Running web server software provides a network-based avenue of attack, and should be disabled if not needed.
Identifier: CCE-80300-7
Remediation (shell):
```bash
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'httpd.service'
"$SYSTEMCTL_EXEC" disable 'httpd.service'
# Disable socket activation if we have a unit file for it
"$SYSTEMCTL_EXEC" list-unit-files | grep -q '^httpd.socket\>' && "$SYSTEMCTL_EXEC" disable 'httpd.socket'
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'httpd.service'
```
Remediation (Ansible):
```yaml
- name: Disable service httpd
  service:
    name: httpd
    enabled: "no"
    state: "stopped"
  register: service_result
  failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
  tags:
    - service_httpd_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80300-7
    - NIST-800-53-CM-7
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Disable socket of service httpd if applicable
  service:
    name: httpd.socket
    enabled: "no"
    state: "stopped"
  register: socket_result
  failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
  tags:
    - service_httpd_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80300-7
    - NIST-800-53-CM-7
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Rule: Uninstall httpd Package
Description: The httpd package can be removed with the following command:
  $ sudo yum erase httpd
References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3
Rationale: If there is no need to make the web server software available, removing it provides a safeguard against its activation.
Identifier: CCE-80301-5
Remediation (shell, via the guide's package_remove helper):
  package_remove httpd
Remediation (Ansible):
```yaml
- name: Ensure httpd is removed
  package:
    name: httpd
    state: absent
  tags:
    - package_httpd_removed
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80301-5
    - NIST-800-53-CM-7
```
Remediation (Puppet):
```puppet
include remove_httpd
class remove_httpd {
  package { 'httpd':
    ensure => 'purged',
  }
}
```
Remediation (Anaconda):
  package --remove=httpd

Rule: Set httpd ServerTokens Directive to Prod
Description: ServerTokens Prod restricts information in page headers, returning only the word "Apache." Add or correct the following directive in /etc/httpd/conf/httpd.conf:
  ServerTokens Prod
References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3
Rationale: Information disclosed to clients about the configuration of the web server and system could be used to plan an attack on the given system. This information disclosure should be restricted to a minimum.
Identifier: CCE-80302-3

Rule: Set httpd ServerSignature Directive to Off
Description: ServerSignature Off restricts httpd from displaying the server version number on error pages.
Add or correct the following directive in /etc/httpd/conf/httpd.conf:
  ServerSignature Off
References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3
Rationale: Information disclosed to clients about the configuration of the web server and system could be used to plan an attack on the given system. This information disclosure should be restricted to a minimum.
Identifier: CCE-80303-1

Rule: HTTPD Log Files Must Be Owned By Root
Description: All httpd logs must be owned by the root user and group. By default, the path for httpd logs is /var/log/httpd/. To properly set the owner and group of /var/log/httpd, run the command:
  $ sudo chown root:root /var/log/httpd
To properly set the owner and group of /var/log/httpd/*, run the command:
  $ sudo chown root:root /var/log/httpd/*
(chown root alone changes only the owning user; the group must be given explicitly for the rule's "user and group" requirement.)
References: RHEL-07-WG255
Rationale: A major tool in exploring the web site use, attempted use, unusual conditions, and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and the web administrator with valuable information. Because of the information that is captured in the logs, it is critical that only authorized individuals have access to the logs.
Identifier: CCE-80562-2

Rule: Set Permissions on the /var/log/httpd/ Directory
Description: Ensure that the permissions on the web server log directory are set to 700:
  $ sudo chmod 700 /var/log/httpd/
This is its default setting.
References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3
Rationale: A major tool in exploring the web site use, attempted use, unusual conditions, and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and the web manager with valuable information. To ensure the integrity of the log files and protect the SA and the web manager from a conflict of interest related to the maintenance of these files, only the members of the Auditors group will be granted permissions to move, copy, and delete these files in the course of their duties related to the archiving of these files.
Identifier: CCE-80322-1

Rule: Set Permissions on All Configuration Files Inside /etc/httpd/conf.modules.d/
Description: To properly set the permissions of /etc/httpd/conf.modules.d/*, run the command:
  $ sudo chmod 0640 /etc/httpd/conf.modules.d/*
References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3
Rationale: Access to the web server's configuration files may allow an unauthorized user or attacker to access information about the web server or to alter the server's configuration files.
Identifier: CCE-80382-5

Rule: Set Permissions on the /etc/httpd/conf/ Directory
Description: To properly set the permissions of /etc/httpd/conf, run the command:
  $ sudo chmod 0750 /etc/httpd/conf
Rationale: Access to the web server's configuration files may allow an unauthorized user or attacker to access information about the web server or alter the server's configuration files.
Identifier: CCE-80323-9

Rule: Set Permissions on All Configuration Files Inside /etc/httpd/conf.d/
Description: To properly set the permissions of /etc/httpd/conf.d/*, run the command:
  $ sudo chmod 0640 /etc/httpd/conf.d/*
References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3
Rationale: Access to the web server's configuration files may allow an unauthorized user or attacker to access information about the web server or to alter the server's configuration files.
Identifier: CCE-80381-7
Remediation (shell):
  find /etc/httpd/conf.d -regex '^/etc/httpd/conf.d/.*$' -exec chmod 0640 {} \;
Remediation (Ansible):
```yaml
- name: Find /etc/httpd/conf.d file(s)
  find:
    paths: "/etc/httpd/conf.d"
    patterns: "^.*$"
    use_regex: yes
  register: files_found
  tags:
    - file_permissions_httpd_server_conf_d_files
    - unknown_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-80381-7
    - NIST-800-53-CM-7

- name: Set permissions for /etc/httpd/conf.d file(s)
  file:
    path: "{{ item.path }}"
    mode: 0640
  with_items:
    - "{{ files_found.files }}"
  tags:
    - file_permissions_httpd_server_conf_d_files
    - unknown_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-80381-7
    - NIST-800-53-CM-7
```

Rule: Set Permissions on All Configuration Files Inside /etc/httpd/conf/
Description: To properly set the permissions of /etc/httpd/conf/*, run the command:
  $ sudo chmod 0640 /etc/httpd/conf/*
References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3
Rationale: Access to the web server's configuration files may allow an unauthorized user or attacker to access information about the web server or to alter the server's configuration files.
Identifier: CCE-80324-7
Remediation (shell):
  find /etc/httpd/conf -regex '^/etc/httpd/conf/.*$' -exec chmod 0640 {} \;
Remediation (Ansible):
```yaml
- name: Find /etc/httpd/conf file(s)
  find:
    paths: "/etc/httpd/conf"
    patterns: "^.*$"
    use_regex: yes
  register: files_found
  tags:
    - file_permissions_httpd_server_conf_files
    - unknown_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-80324-7
    - NIST-800-53-CM-7

- name: Set permissions for /etc/httpd/conf file(s)
  file:
    path: "{{ item.path }}"
    mode: 0640
  with_items:
    - "{{ files_found.files }}"
  tags:
    - file_permissions_httpd_server_conf_files
    - unknown_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-80324-7
    - NIST-800-53-CM-7
```

Rule: Ensure Remote Administrative Access Is Encrypted
Description: Ensure that the SSH server service is enabled. The sshd service can be enabled with the following command:
  $ sudo systemctl enable sshd.service
References: RHEL-07-WG230
Rationale: Logging into a web server remotely using an unencrypted protocol or service when performing updates and maintenance is a major risk. Data, such as user account credentials, is transmitted in plaintext and can easily be compromised. When performing remote administrative tasks, a protocol or service that encrypts the communication channel must be used. An alternative to remote administration of the web server is to perform web server administration locally at the console. Local administration at the console implies physical access to the server.
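The httpd permission rules above (0750 on /etc/httpd/conf, 0640 on the files in conf, conf.d and conf.modules.d, 0700 on /var/log/httpd) are stated as one chmod each. The following is an added example, not part of the SCAP Security Guide: a policy table expressing those maxima, an audit that reports any entry carrying a bit the policy does not allow, and a remediation that masks the bits off. It takes a root directory so it can run against a staging copy; build_demo_tree() creates a constructed tree in a temporary directory for demonstration.

```python
import os
import stat
import tempfile

# Maximum permission bits from the httpd file-permission rules above. A
# trailing "/*" means "every entry directly inside that directory".
HTTPD_POLICY = {
    "/etc/httpd/conf": 0o750,
    "/etc/httpd/conf/*": 0o640,
    "/etc/httpd/conf.d/*": 0o640,
    "/etc/httpd/conf.modules.d/*": 0o640,
    "/var/log/httpd": 0o700,
}


def too_permissive(path, max_mode):
    """True if path carries any permission bit outside max_mode."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    return bool(mode & ~max_mode)


def audit_permissions(root="/", policy=HTTPD_POLICY):
    """Return sorted (path relative to root, actual mode, allowed mode) triples."""
    findings = []
    for pattern, max_mode in policy.items():
        if pattern.endswith("/*"):
            directory = os.path.join(root, pattern[1:-2])
            if not os.path.isdir(directory):
                continue
            targets = [os.path.join(directory, n) for n in os.listdir(directory)]
        else:
            target = os.path.join(root, pattern[1:])
            targets = [target] if os.path.exists(target) else []
        for path in targets:
            if too_permissive(path, max_mode):
                actual = stat.S_IMODE(os.lstat(path).st_mode)
                findings.append((os.path.relpath(path, root), actual, max_mode))
    return sorted(findings)


def fix_permissions(root="/", policy=HTTPD_POLICY):
    """chmod each finding down to the allowed bits; returns what was changed."""
    changed = audit_permissions(root, policy)
    for rel, actual, allowed in changed:
        os.chmod(os.path.join(root, rel), actual & allowed)
    return changed


def build_demo_tree():
    """Constructed sample tree: two entries are looser than the policy allows."""
    root = tempfile.mkdtemp()
    dirs = {
        "etc/httpd/conf": 0o750,
        "etc/httpd/conf.d": 0o755,
        "etc/httpd/conf.modules.d": 0o755,
        "var/log/httpd": 0o755,                 # too loose: rule wants 0700
    }
    for rel, mode in dirs.items():
        os.makedirs(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), mode)  # explicit: makedirs honours umask
    files = {
        "etc/httpd/conf/httpd.conf": 0o640,
        "etc/httpd/conf.d/ssl.conf": 0o644,     # too loose: world-readable
        "etc/httpd/conf.modules.d/00-base.conf": 0o640,
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for rel, actual, allowed in audit_permissions(demo):
        print("%s is %04o, allowed %04o" % (rel, actual, allowed))
```

Masking with actual & allowed, rather than assigning the allowed mode outright, never adds bits: a file already at 0600 stays at 0600 instead of being widened to 0640.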
Rule: Scan All Uploaded Content for Malicious Software
Description: Install anti-virus software on the system and set it to automatically scan new files that are introduced to the web server.
References: RHEL-07-WG237
Rationale: Remote web authors should not be able to upload files to the Document Root directory structure without virus checking and checking for malicious or mobile code. A remote web user, whose agency has a Memorandum of Agreement (MOA) with the hosting agency and has submitted a DoD form 2875 (System Authorization Access Request (SAAR)) or an equivalent document, will be allowed to post files to a temporary location on the server. All posted files to this temporary location will be scanned for viruses and content checked for malicious or mobile code. Only files free of viruses and malicious or mobile code will be posted to the appropriate DocumentRoot directory.
Identifier: CCE-80561-4

Rule: Configure firewall to Allow Access to the Web Server
Description: By default, firewalld blocks access to the ports used by the web server. To configure firewalld to allow access, run the following command(s):
  firewall-cmd --permanent --add-service=http
  firewall-cmd --permanent --add-service=https
Rules added with --permanent are written to the saved configuration only; run firewall-cmd --reload afterwards (or repeat the commands without --permanent) so they also apply to the running firewall.
References: RHEL-07-WG610
Rationale: Failure to comply with DoD ports, protocols, and services (PPS) requirements can result in compromise of enclave boundary protections and/or functionality of the AIS.

Rule: Install mod_security
Description: Install the security module. The mod_security package can be installed with the following command:
  $ sudo yum install mod_security
Rationale: mod_security provides an additional level of protection for the web server by enabling the administrator to implement content access policies and filters at the application layer.
Identifier: CCE-80321-3

Rule: Enable Transport Layer Security (TLS) Encryption
Description: Disable the old SSL and TLS versions and enable the latest TLS encryption by setting the following in /etc/httpd/conf.d/ssl.conf (the configuration file the mod_ssl package installs on Red Hat Enterprise Linux 7; /etc/httpd/conf.modules.d/00-ssl.conf only loads the module):
  SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
Make sure to also set SSLEngine to on in /etc/httpd/conf.d/ssl.conf, like the following:
  SSLEngine on
References: RHEL-07-WG340
Rationale: Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A web server must use a FIPS 140-2 approved TLS version, and all non-FIPS-approved SSL versions must be disabled.
Identifier: CCE-80557-2

Rule: Require Client Certificates
Description: SSLVerifyClient should be set and configured to require by setting the following in /etc/httpd/conf/httpd.conf:
  SSLVerifyClient require
References: RHEL-07-WG140
Rationale: Web sites requiring authentication within the DoD must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity must use the identity provided by certificate-based authentication to support access control decisions.
Identifier: CCE-80558-0

Rule: Configure A Valid Server Certificate
Description: Configure the web site to use a valid organizationally defined certificate. For DoD, this is a DoD server certificate issued by the DoD CA.
References: RHEL-07-WG350
Rationale: This check verifies that DoD is a hosted web site's CA. The certificate is actually a DoD-issued server certificate used by the organization being reviewed. This is used to verify the authenticity of the web site to the user. If the certificate is not for the server (Certificate belongs to), if the certificate is not issued by DoD (Certificate was issued by), or if the current date is not included in the valid date range (Certificate is valid from), then there is no assurance that the use of the certificate is valid. The entire purpose of using a certificate is, therefore, compromised.
Identifier: CCE-80559-8

Rule: Install mod_ssl
Description: Install the mod_ssl module. The mod_ssl package can be installed with the following command:
  $ sudo yum install mod_ssl
Rationale: mod_ssl provides encryption capabilities for the httpd Web server. Unencrypted content is transmitted in plain text which could be passively monitored and accessed by unauthorized parties.
Identifier: CCE-80320-5

Rule: Restrict Web Directory
Description: The default configuration for the web (/var/www/html) directory allows directory indexing (Indexes) and the following of symbolic links (FollowSymLinks). Neither of these is recommended. The /var/www/html directory hierarchy should not be viewable via the web, and symlinks should only be followed if the owner of the symlink also owns the linked file. Ensure that this policy is adhered to by altering the related section of the configuration:
```apache
<Directory "/var/www/html">
    # ...
    Options SymLinksIfOwnerMatch
    # ...
</Directory>
```
Rationale: Access to the web server's directory hierarchy could allow access to unauthorized files by web clients. Following symbolic links could also allow such access.
Identifier: CCE-80317-1

Rule: Restrict Other Critical Directories
Description: All accessible web directories should be configured with similarly restrictive settings. The Options directive should be limited to necessary functionality and the AllowOverride directive should be used only if needed. The Order and Deny access control tags should be used to deny access by default, allowing access only where necessary.
Rationale: Directories accessible from a web client should be configured with the least amount of access possible in order to avoid unauthorized access to restricted content or server information.
Identifier: CCE-80318-9

Rule: Restrict Root Directory
Description: The httpd root directory should always have the most restrictive configuration enabled.
```apache
<Directory / >
    Options None
    AllowOverride None
    Order allow,deny
</Directory>
```
Order allow,deny with no Allow directive denies every request. On httpd 2.4, the version shipped with Red Hat Enterprise Linux 7, Order/Allow/Deny are provided by mod_access_compat; the native 2.4 form of the same rule is Require all denied.
Rationale: The Web Server's root directory content should be protected from unauthorized access by web clients.
Identifier: CCE-80316-3

Rule: Ignore HTTPD .htaccess Files
Description: Set AllowOverride to None for each instance of <Directory>.
References: RHEL-07-WG400
Rationale: CGI scripts represent one of the most common and exploitable means of compromising a web server. By definition, CGI programs are executable by the operating system of the host server. While access control is provided via the web service, the execution of CGI programs is not otherwise limited unless the SA or Web Manager takes specific measures. CGI programs can access and alter data files, launch other programs and use the network. CGI programs can be written in any available programming language. C, PERL, PHP, Javascript, VBScript and shell (sh, ksh, bash) are popular choices.
Identifier: CCE-80554-9

Rule: Disable Anonymous FTP Access
Description: If any directories that contain dynamic scripts can be accessed via FTP by any group or user that does not require access, remove permissions to such directories that allow anonymous access. Also, ensure that any such access employs an encrypted connection.
References: RHEL-07-WG430
Rationale: The directories containing the CGI scripts, such as PERL, must not be accessible to anonymous users via FTP. This applies to all directories that contain scripts that can dynamically produce web pages in an interactive manner (i.e., scripts based upon user-provided input). Such scripts contain information that could be used to compromise a web service, access system resources, or deface a web site.
Identifier: CCE-80553-1

Rule: Remove Write Permissions From Filesystem Paths And Server Scripts
Description: Configure permissions for each instance of Alias, ScriptAlias, and ScriptAliasMatch that exists:
  $ sudo find DIR -type d -exec chmod 755 {} \;
  $ sudo find DIR -type f -exec chmod 555 {} \;
Where DIR matches the paths from Alias, ScriptAlias, and ScriptAliasMatch.
References: RHEL-07-WG290
Rationale: Excessive permissions for the anonymous web user account are one of the most common faults contributing to the compromise of a web server. If this user is able to upload and execute files on the web server, the organization or owner of the server will no longer have control of the asset.
Identifier: CCE-80556-4

Rule: Limit Available Methods
Description: Web server methods are defined in section 9 of RFC 2616 (http://www.ietf.org/rfc/rfc2616.txt). If a web server does not require the implementation of all available methods, they should be disabled. Note: GET and POST are the most common methods. A majority of the others are limited to the WebDAV protocol.
```apache
<Directory /var/www/html>
    # ...
    # Only allow specific methods (this directive is case-sensitive!)
    <LimitExcept GET POST>
        Order allow,deny
    </LimitExcept>
    # ...
</Directory>
```
As with the root directory above, Order allow,deny inside LimitExcept relies on mod_access_compat on httpd 2.4; Require all denied is the native form. Two caveats from the httpd documentation: listing GET also permits HEAD, and TRACE cannot be restricted this way at all; it is controlled by the TraceEnable directive.
Rationale: Minimizing the number of available methods to the web client reduces risk by limiting the capabilities allowed by the web server.
Identifier: CCE-80319-7

Rule: Web Content Directories Must Not Be Shared Anonymously
Description: Web content directories should not be shared anonymously over remote filesystems such as nfs and smb. Remove the shares from the applicable directories.
References: RHEL-07-WG210
Rationale: Sharing web content is a security risk when a web server is involved. Users accessing the share anonymously could gain privileged access to the content of such directories. Network sharable directories expose those directories and their contents to unnecessary access. Any unnecessary exposure increases the risk that someone could exploit that access and either compromise the web content or cause web server performance problems.
Identifier: CCE-80555-6

Rule: Disable LDAP Support
Description: The ldap module provides HTTP authentication via an LDAP directory. If its functionality is unnecessary, comment out the related modules:
  #LoadModule ldap_module modules/mod_ldap.so
  #LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
If LDAP is to be used, SSL encryption should be used as well.
Rationale: Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.
Identifiers: CCE-80306-4

Disable CGI Support
The cgi module lets the web server execute external programs through the Common Gateway Interface (CGI). If this functionality is unnecessary, comment out the module:

#LoadModule cgi_module modules/mod_cgi.so

If the web server requires the use of CGI, leave mod_cgi enabled.
Rationale: Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.
Identifiers: CCE-80315-5

Disable URL Correction on Misspelled Entries
The speling module attempts to find a matching document by allowing one misspelling in an otherwise failed request. If this functionality is unnecessary, comment out the module:

#LoadModule speling_module modules/mod_speling.so

This functionality weakens server security by making site enumeration easier.
Rationale: Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.
Identifiers: CCE-80312-2

Disable Server Activity Status
The status module provides real-time access to statistics on the internal operation of the web server. This may constitute an unnecessary information leak and should be disabled unless necessary. To do so, comment out the related module:

#LoadModule status_module modules/mod_status.so

If there is a critical need for this module, ensure that access to the status page is restricted to a limited set of hosts in the status handler configuration.
Rationale: Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.
Identifiers: CCE-80310-6

Disable HTTP Digest Authentication
The auth_digest module provides HTTP Digest authentication, which transmits an MD5 digest of the credentials instead of the cleartext password; it does not encrypt the session.
If this functionality is unnecessary, comment out the related module:

#LoadModule auth_digest_module modules/mod_auth_digest.so

Rationale: Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.
Identifiers: CCE-80304-9

Disable MIME Magic
The mime_magic module provides a second layer of MIME type detection, by inspecting file contents, that in most configurations is extraneous. If its functionality is unnecessary, comment out the related module:

#LoadModule mime_magic_module modules/mod_mime_magic.so

Rationale: Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.
Identifiers: CCE-80308-0

Disable Web Server Configuration Display
The info module creates a web page showing the configuration of the web server. This is an unnecessary information leak and should be disabled. If its functionality is unnecessary, comment out the module:

#LoadModule info_module modules/mod_info.so

If there is a critical need for this module, use a Location directive with an access control list to restrict access to the information.
Rationale: Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.
Identifiers: CCE-80311-4

Disable Server Side Includes
Server Side Includes (SSI) provide a method of dynamically generating web pages by inserting server-side directives into HTML. The technology is dated and introduces significant security concerns. If this functionality is unnecessary, comment out the related module:

#LoadModule include_module modules/mod_include.so

If there is a critical need for Server Side Includes, enable them with the option IncludesNOEXEC to prevent arbitrary command execution. Additionally, user-supplied data should be encoded to prevent cross-site scripting vulnerabilities.
Rationale: Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.
Identifiers: CCE-80307-2

Disable HTTP mod_rewrite
The mod_rewrite module is very powerful and can protect against certain classes of web attacks. However, it is also very complex and has a significant history of vulnerabilities itself. If its functionality is unnecessary, comment out the related module:

#LoadModule rewrite_module modules/mod_rewrite.so

Rationale: Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.
Identifiers: CCE-80305-6

Disable Cache Support
The cache module allows httpd to cache data, optimizing access to frequently requested content. However, it introduces potential security flaws, such as the possibility of circumventing Allow and Deny directives. If this functionality is unnecessary, comment out the module:

#LoadModule cache_module modules/mod_cache.so

If caching is required, it should not be enabled for any access-restricted content.
Rationale: Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.
Identifiers: CCE-80314-8

Disable WebDAV (Distributed Authoring and Versioning)
WebDAV is an extension of the HTTP protocol that provides distributed and collaborative access to web content. If its functionality is unnecessary, comment out the related modules:

#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so

If there is a critical need for WebDAV, extra care should be taken in its configuration. Since DAV access allows remote clients to create, modify and delete server files, any location on the server that is DAV-enabled must be protected by access controls.
Rationale: Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.
Identifiers: CCE-80309-8

Disable Proxy Support
The proxy module provides proxying support, allowing httpd to forward requests and serve as a gateway for other servers. If its functionality is unnecessary, comment out the module:

#LoadModule proxy_module modules/mod_proxy.so

If proxy support is needed, load mod_proxy and the appropriate proxy protocol handler module (one of mod_proxy_http, mod_proxy_ftp, or mod_proxy_connect). Additionally, make certain that the server is otherwise secured before enabling proxying, and keep forward proxying disabled (ProxyRequests Off) unless it is explicitly required, as open proxy servers are a security risk. mod_proxy_balancer enables load balancing, but its balancer-manager interface requires mod_status.
Rationale: Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.
Identifiers: CCE-80313-0

Enable log_config_module For HTTPD Logging
The log_config_module should exist and be configured in /etc/httpd/conf/httpd.conf by adding the following module to configure logging:

LoadModule log_config_module modules/mod_log_config.so

References: RHEL-07-WG240
Rationale: The access and error logs are the major tool for exploring web site use, attempted use, unusual conditions, and problems. In the event of a security incident, these logs can provide the SA and the web manager with valuable information. Without these log files, SAs and web managers are seriously hindered in their efforts to respond appropriately to suspicious or criminal actions targeted at the web site.
Identifiers: CCE-80552-3

Configure HTTP PERL Scripts To Use TAINT Option
If the mod_perl module is installed, enable Perl taint checking. To do so, add or uncomment the following in /etc/httpd/conf.d/perl.conf (the mod_perl configuration that /etc/httpd/conf/httpd.conf includes):

PerlSwitches -T

References: RHEL-07-WG460
Rationale: Perl (Practical Extraction and Report Language) is an interpreted language optimized for scanning arbitrary text files, extracting information from them, and printing reports based on that information.
The language is often used in shell scripting and is intended to be a practical, easy to use, and efficient means of generating interactive web pages for the user. Unfortunately, many widely available freeware Perl programs (scripts) are extremely insecure; they are most readily exploited by a malicious user substituting input to a Perl script during a POST or GET operation. Consequently, Perl's developers created a mechanism named taint mode that protects the system from malicious input sent from outside the program. Tainted data cannot be used in operations that affect something outside the program, such as eval(), system(), exec(), pipes, or popen(); the script exits with a warning message instead.
Identifiers: CCE-80560-6

Ensure Web Content Located on Separate partition
The DocumentRoot directory is used for storing web content and data. Ensure that the DocumentRoot directory exists on a separate logical volume at installation time, or migrate it using LVM.
References: RHEL-07-WG205
Rationale: Application partitioning enables an additional security measure by serving user traffic under one security context while managing system and application files under another. Web content is accessible to the anonymous web user; for such an account to have access to system files of any type is a major, and avoidable, security risk. Failure to partition the system files from the web site documents increases the risk of attack via directory traversal, and can impede web site availability through drive space exhaustion.

Disable Web Content Symbolic Links
For each <Directory> instance, remove the following:

FollowSymLinks

If symbolic links must be allowed, the following can be used instead for each <Directory> instance, so that a link is only followed when the link and its target have the same owner:

Options SymLinksIfOwnerMatch

References: RHEL-07-WG360
Rationale: A symbolic link allows a file or a directory to be referenced using a symbolic name, raising a potential hazard if the link points to a sensitive area.
When web scripts are executed and symbolic links are allowed, the web user could be allowed to access locations on the web server that are outside the web document root or home directory.

Remove .java And .jpp Files
.java and .jpp files should not exist on the web server and should be removed.
References: RHEL-07-WG490
Rationale: From the source code in a .java or .jpp file, the Java compiler produces a binary file with the extension .class. The .java or .jpp file would therefore reveal sensitive information regarding an application's logic and its permissions to resources on the server. By contrast, the .class file, because it is intended to be machine independent, contains bytecode. Bytecode is run by the Java Virtual Machine (JVM), or the Java Runtime Environment (JRE), via a browser configured to permit Java code.

Each Web Content Directory Must Contain An index.html File
Every configured DocumentRoot should contain an index.html file. Add an index.html file to every configured DocumentRoot.
References: RHEL-07-WG170
Rationale: The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor in accomplishing this. Also, enumeration techniques, such as URL parameter manipulation, rely upon being able to obtain information about the web server's directory structure by locating directories with default pages. This practice helps ensure that the anonymous web user does not obtain a directory listing or an error message that reveals the server type and version.

The robots.txt Files Must Not Exist
Remove any robots.txt files that may exist with any web content. Other methods must be employed if there is information on the web site that needs protection from search engines and public view. Inspect all instances of DocumentRoot and Alias and remove any robots.txt file:
$ sudo rm -f path/to/robots.txt

References: RHEL-07-WG310
Rationale: Search engines are constantly at work on the Internet. They are augmented by agents, often referred to as spiders or bots, which capture and catalog web site content; the search engines then make that content available to any public web user. To request that a well-behaved search engine not crawl and catalog a site, the web site may contain a file called robots.txt. This file lists the directories and files that the web server SA does not want crawled or cataloged, but it can also be used by an attacker, or by a poorly coded search engine, as a directory and file index to the site. That information reduces an attacker's time spent searching and traversing the web site to find files that might be relevant. If information on the web site needs to be protected from search engines and public view, other methods must be used.

Configure A Banner Page For Each Website
Configure a login banner for each website when authentication is required for user access.
References: RHEL-07-WG265
Rationale: A consent banner makes prospective entrants aware that the website they are about to enter is a DoD web site and that their activity is subject to monitoring. The document DoDI 8500.01 establishes the policy on the use of DoD information systems. It requires the use of a standard Notice and Consent Banner and standard text to be included in user agreements. The requirement for the banner applies to websites with security and access controls; these are restricted and not publicly accessible. If the website does not require authentication/authorization for use, then the banner does not need to be present. A manual check of the document root directory for a banner page file (such as banner.html), or navigation to the website with a browser, can be used to confirm the information provided when interviewing the web staff.
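The httpd rules above each give their check as a single grep or find. The following bash script, added here as an example and not part of the SCAP Security Guide or its remediations, combines them into one read-only audit of a configuration file and a document root: active LoadModule lines for the modules the rules say to disable, AllowOverride values other than None, Options lines that enable FollowSymLinks, directories without an index.html, robots.txt and .java/.jpp files, and group- or world-writable paths. It also flags editor backup copies (*~, *.bak) and .sh/.csh scripts, which later rules on this page prohibit. The module deny-list is an assumption drawn from the rules above, and the httpd.conf and document root it builds under a temporary directory are constructed for the demonstration, not taken from any real server.

```shell
#!/usr/bin/env bash
# Added example (not SCAP Security Guide code): read-only audit of an httpd
# configuration and a document root against the rules described above.
# The module deny-list and the sample data built below are assumptions.

# Modules the guide says to leave disabled unless there is a documented need.
RISKY_MODULES="ldap authnz_ldap cgi speling status auth_digest mime_magic info include rewrite cache dav dav_fs proxy"

# Print active (uncommented) LoadModule lines for risky modules. Accepts one or
# more files; on RHEL 7 also pass /etc/httpd/conf.modules.d/*.conf.
loaded_risky_modules() {
    local m
    for m in $RISKY_MODULES; do
        grep -hE "^[[:space:]]*LoadModule[[:space:]]+${m}_module[[:space:]]" "$@" |
            sed -E 's/^[[:space:]]+//'
    done
    return 0
}

# Print AllowOverride directives whose value is anything other than None.
permissive_overrides() {
    grep -hiE '^[[:space:]]*AllowOverride[[:space:]]+' "$@" |
        grep -viE 'AllowOverride[[:space:]]+None([[:space:]]|$)' |
        sed -E 's/^[[:space:]]+//'
    return 0
}

# Print Options lines that turn FollowSymLinks on. "-FollowSymLinks" and the
# safer SymLinksIfOwnerMatch are not reported.
followsymlinks_enabled() {
    grep -hE '^[[:space:]]*Options[[:space:]]' "$@" |
        grep -E '(^|[[:space:]]|\+)FollowSymLinks([[:space:]]|$)' |
        sed -E 's/^[[:space:]]+//'
    return 0
}

# Print document-root findings: directories without index.html, robots.txt,
# Java sources, editor backup copies, shell scripts, group/world-writable paths.
audit_docroot() {
    local root="$1" d
    find "$root" -type d | sort | while IFS= read -r d; do
        [ -e "$d/index.html" ] || echo "no-index: $d"
    done
    find "$root" -type f \( -name robots.txt -o -name '*.java' -o -name '*.jpp' \
        -o -name '*~' -o -name '*.bak' -o -name '*.sh' -o -name '*.csh' \) |
        sort | sed 's/^/sensitive: /'
    find "$root" -perm /022 | sort | sed 's/^/writable: /'
    return 0
}

# Constructed sample data (not taken from any real server).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HTTPD_CONF="$WORK/httpd.conf"
DOCROOT="$WORK/html"
cat > "$HTTPD_CONF" <<'EOF'
ServerRoot "/etc/httpd"
LoadModule log_config_module modules/mod_log_config.so
LoadModule status_module modules/mod_status.so
#LoadModule info_module modules/mod_info.so
LoadModule dav_module modules/mod_dav.so
  LoadModule cgi_module modules/mod_cgi.so
<Directory />
    Options None
    AllowOverride None
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
<Directory "/var/www/cgi-bin">
    Options SymLinksIfOwnerMatch
    AllowOverride None
</Directory>
EOF
mkdir -p "$DOCROOT/app" "$DOCROOT/uploads"
for f in index.html robots.txt app/index.html app/Login.java app/config.php~ \
         uploads/report.bak uploads/cleanup.sh; do : > "$DOCROOT/$f"; done
find "$DOCROOT" -type d -exec chmod 755 {} \;
find "$DOCROOT" -type f -exec chmod 644 {} \;
chmod 666 "$DOCROOT/uploads/report.bak"   # one deliberately over-permissive file

# Stand-alone run: print every finding with a category prefix.
loaded_risky_modules "$HTTPD_CONF"   | sed 's/^/risky-module: /'
permissive_overrides "$HTTPD_CONF"   | sed 's/^/allowoverride: /'
followsymlinks_enabled "$HTTPD_CONF" | sed 's/^/followsymlinks: /'
audit_docroot "$DOCROOT"
```

The config checks are static: they read the files you pass and do not know which of them httpd actually includes, so on a live RHEL 7 host pass /etc/httpd/conf/httpd.conf together with /etc/httpd/conf.modules.d/*.conf and /etc/httpd/conf.d/*.conf, and compare against httpd -M for the modules really loaded. The document-root checks report paths only; remediation (removing files, chmod 755/555 as in the rules above) is left to the operator.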
Encrypt All File Uploads
Use only secure, encrypted logons and connections for uploading files to the web site.
References: RHEL-07-WG235
Rationale: Logging in to a web server via an unencrypted protocol or service to upload documents to the web site exposes both the credentials and the data being transmitted. An encrypted protocol or service must be used for remote access to web administration tasks.

Enable HTTPD Error Logging
ErrorLog should be enabled and set to the following in /etc/httpd/conf/httpd.conf:

ErrorLog "logs/error_log"

References: RHEL-07-WA00605
Rationale: The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as "not found" or "unauthorized" errors that may be evidence of attack attempts. Failure to enable error logging can significantly reduce the ability of Web Administrators to detect or remediate problems.
Identifiers: CCE-81130-7

A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ extension
To minimize exposure of private assets to unnecessary risk from attackers, public web servers must be isolated from internal systems. Logically relocate public web servers so that they are isolated from internal systems. In addition, ensure the public web server does not have trusted connections with assets outside the confines of the demilitarized zone (DMZ) other than application and/or database servers that are part of the same system as the web server.
References: RHEL-07-WA060
Rationale: Public web servers are by nature more vulnerable to attack from public sources, such as the public Internet. Once compromised, a public server might be used as a base for further attack on private resources unless additional layers of protection are implemented. Public web servers must be located in a DoD DMZ Extension, if hosted on the NIPRNet, with carefully controlled access.
Failure to isolate resources in this way increases the risk that private assets are exposed to attacks from public sources. An improperly located public web server is a potential threat to the entire network.

A private web server must be located on a separate controlled access subnet
Private web servers, which host sites that serve controlled-access data, must be protected from outside threats in addition to insider threats. Isolate the private web server from the public DMZ and separate it from the internal general population LAN.
References: RHEL-07-WA070
Rationale: Insider threats may be accidental or intentional but, in either case, can cause a disruption in service of the web server. To protect the private web server from these threats, it must be located on a separate controlled-access subnet and must not be part of the public DMZ that houses the public web servers. It also cannot be located inside the enclave as part of the local general population LAN.

Configure The Number of Allowed Simultaneous Requests
The MaxKeepAliveRequests directive should be set and configured to or greater by setting the following in /etc/httpd/conf/httpd.conf:

MaxKeepAliveRequests

References: RHEL-07-WG110
Rationale: Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web site, facilitating a denial of service attack. Mitigating this kind of attack includes limiting the number of concurrent HTTP/HTTPS requests per IP address and may include, where feasible, limiting the parameter values associated with keepalive (i.e., the parameters that limit how long a connection may stay open and how many requests it may carry). Note that MaxKeepAliveRequests caps the number of requests served over one persistent connection; it does not by itself limit the number of concurrent connections.
Identifiers: CCE-80551-5

Public web server resources must not be shared with private assets
It is important to segregate public web server resources from private resources located behind the DoD DMZ in order to protect private assets.
References: RHEL-07-WG040
Rationale: When folders, drives, or other resources are directly shared between the public web server and private servers, the intent of data and resource segregation is defeated. In addition to the requirements of the DoD Internet-NIPRNet DMZ STIG, which isolates inbound traffic from the external network to the internal network, resources such as printers, files, and folders/directories must not be shared between public web servers and assets located within the internal network.

The web server password(s) must be entrusted to the SA or Web Manager
Normally, a service account is established for the web server, because a privileged account is not desirable and the server is designed to run for long uninterrupted periods of time. The SA or Web Manager will need password access to the web server to restart the service in the event of an emergency, as the web server is not to restart automatically after an unscheduled interruption.
References: RHEL-07-WG050
Rationale: If the password is not entrusted to an SA or web manager, the ability to ensure the availability of the web server is compromised.

Configure Error Log Format
LogFormat should be enabled and set to the following in /etc/httpd/conf/httpd.conf:

LogFormat "a %A %h %H %l %m %s %t %u %U \"%{Referer}i\" \"%{User-Agent}i\"" combined

References: RHEL-07-WA00612
Rationale: The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as "not found" or "unauthorized" errors that may be evidence of attack attempts. Failure to enable error logging can significantly reduce the ability of Web Administrators to detect or remediate problems. The LogFormat directive defines the format and information to be included in the access log entries.
Identifiers: CCE-80548-1

Backup interactive scripts on the production web server are prohibited
Copies of backup files will not execute on the server, but they can be read by the anonymous user if special precautions are not taken.
References: RHEL-07-WG420
Rationale: Such backup copies contain the same sensitive information as the actual scripts being executed and, as such, are useful to malicious users. Techniques and tools exist that search web servers for such files and exploit the information contained in them. Backup copies of files are automatically created by some text editors, such as Emacs and Vim, which may write a backup file with a ~ appended to the name of the original file; the EditPlus editor creates a .bak file. Of course, this would imply the presence and use of development tools on the web server, which is a finding under WG130. Having backup scripts on the web server provides one more opportunity for malicious persons to view these scripts and use the information found in them.

MIME types for csh or sh shell programs must be disabled
Users must not be allowed to access the shell programs. In practice this means the server's MIME configuration (mime.types and any AddType or AddHandler directives) must have no mapping for .sh or .csh files.
References: RHEL-07-WG370
Rationale: Shell programs might execute shell escapes and could then perform unauthorized activities that could damage the security posture of the web server. A shell is a program that serves as the basic interface between the user and the operating system. In this regard, there are shells that are security risks in the context of a web server and shells that are unauthorized.

Enable HTTPD System Logging
CustomLog should be enabled and set to the following in /etc/httpd/conf/httpd.conf:

CustomLog "logs/access_log" combined

References: RHEL-07-WA00615
Rationale: The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as "not found" or "unauthorized" errors that may be evidence of attack attempts.
Failure to enable error logging can significantly reduce the ability of Web Administrators to detect or remediate problems. The CustomLog directive specifies the log file, syslog facility, or piped logging utility.
Identifiers: CCE-80549-9

Enable HTTPD LogLevel
LogLevel should be enabled and set to . Add or edit the following in /etc/httpd/conf/httpd.conf:

LogLevel

References: RHEL-07-WA00620
Rationale: The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as "not found" or "unauthorized" errors that may be evidence of attack attempts. Failure to enable error logging can significantly reduce the ability of Web Administrators to detect or remediate problems. While the ErrorLog directive configures the error log file name, the LogLevel directive configures the severity threshold for the error log. The log level values are the standard syslog levels: emerg, alert, crit, error, warn, notice, info and debug.
Identifiers: CCE-80550-7

Installation of a compiler on production web server is prohibited
The presence of a compiler on a production server facilitates a malicious user's task of creating custom versions of programs and installing Trojan horses or viruses.
References: RHEL-07-WG080
Rationale: An attacker's code could be uploaded and compiled on the server under attack.

Configure SSSD LDAP Backend Client CA Certificate Location
Configure SSSD to implement cryptography to protect the integrity of LDAP remote access sessions by setting the ldap_tls_cacertdir option in /etc/sssd/sssd.conf to the directory holding the X.509 CA certificates used for peer authentication:

ldap_tls_cacertdir = /path/to/tls/cacert

References: CCI-001453 SRG-OS-000250-GPOS-00093 RHEL-07-040190 SV-86853r3_rule
Rationale: Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography, enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.
Identifiers: CCE-80515-0

Remediation shell script:

var_sssd_ldap_tls_ca_dir=""

SSSD_CONF="/etc/sssd/sssd.conf"
LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_tls_cacertdir'
DOMAIN_REGEX="[[:space:]]*\[domain\/[^]]*]"

# Try to find [domain/..] and ldap_tls_cacertdir in sssd.conf; if found, set it to the CA directory.
# If the key is missing, add it under the existing domain section; if no [domain/..] section
# exists, add a default domain that carries the key.
if grep -qzosP "$LDAP_REGEX" "$SSSD_CONF"; then
    sed -i "s~ldap_tls_cacertdir.*~ldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir~" "$SSSD_CONF"
elif grep -qs "$DOMAIN_REGEX" "$SSSD_CONF"; then
    sed -i "/$DOMAIN_REGEX/a ldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir" "$SSSD_CONF"
else
    mkdir -p /etc/sssd
    touch "$SSSD_CONF"
    echo -e "[domain/default]\nldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir" >> "$SSSD_CONF"
fi

Remediation Ansible snippet:

- name: XCCDF Value var_sssd_ldap_tls_ca_dir # promote to variable
  set_fact:
    var_sssd_ldap_tls_ca_dir: !!str
  tags:
    - always

- name: "Test for domain group"
  shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
  register: test_grep_domain
  ignore_errors: yes
  tags:
    - sssd_ldap_configure_tls_ca_dir
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80515-0
    - DISA-STIG-RHEL-07-040190
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: "Add default domain group and set CA directory (if no domain there)"
  ini_file:
    path: /etc/sssd/sssd.conf
    section: "{{ item.section }}"
    option: "{{ item.option }}"
    value: "{{ item.value }}"
    create: yes
    mode: 0600
  with_items:
    - { section: sssd, option: domains, value: default }
    - { section: domain/default, option: id_provider, value: files }
    - { section: domain/default, option: ldap_tls_cacertdir, value: "{{ var_sssd_ldap_tls_ca_dir }}" }
  when: test_grep_domain.stdout == "" and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - sssd_ldap_configure_tls_ca_dir
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80515-0
    - DISA-STIG-RHEL-07-040190

- name: "Configure LDAP path to CA directory"
  ini_file:
    path: /etc/sssd/sssd.conf
    # the grep output is the matched "[domain/...]" header; strip the brackets to get the section name
    section: "{{ test_grep_domain.stdout | trim | regex_replace('\\[(.*)\\]','\\1') }}"
    option: ldap_tls_cacertdir
    value: "{{ var_sssd_ldap_tls_ca_dir }}"
    create: yes
    mode: 0600
  # runs only when an existing domain section was found; the task above covers the no-domain case
  when: test_grep_domain.stdout != "" and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - sssd_ldap_configure_tls_ca_dir
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80515-0
    - DISA-STIG-RHEL-07-040190

Configure SSSD LDAP Backend to Use TLS For All Transactions
This check verifies that Red Hat Enterprise Linux 7 implements cryptography to protect the integrity of remote LDAP authentication sessions. To determine if LDAP is being used for authentication, use the following command:

$ sudo grep -i useldapauth /etc/sysconfig/authconfig

If USELDAPAUTH=yes, then LDAP is being used.
To check if LDAP is configured to use TLS, use the following command:

$ sudo grep -i ldap_id_use_start_tls /etc/sssd/sssd.conf

References: RHEL-07-040180 SV-86851r3_rule 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 CCI-001453 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(2) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000250-GPOS-00093
Rationale: Without cryptographic integrity protections, information can be altered by unauthorized users without detection. The ldap_id_use_start_tls option specifies whether SSSD upgrades the LDAP connection to TLS with STARTTLS; if not specified, it defaults to false. It should be set to True (STARTTLS on the standard LDAP port) rather than relying on LDAP over SSL (ldaps://). Note that SSSD already refuses to send authentication credentials over an unencrypted connection unless ldap_auth_disable_tls_never_use_in_production is set; ldap_id_use_start_tls extends that protection to identity lookups.
Identifiers: CCE-80546-5

Remediation shell script:

AUTHCONFIG="/etc/sysconfig/authconfig"
USELDAPAUTH_REGEX="^USELDAPAUTH="
SSSD_CONF="/etc/sssd/sssd.conf"
LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_id_use_start_tls'
DOMAIN_REGEX="[[:space:]]*\[domain\/[^]]*]"

# Try to find USELDAPAUTH in authconfig. If it is there, set it to 'yes'; otherwise append USELDAPAUTH=yes.
if grep -qs "$USELDAPAUTH_REGEX" "$AUTHCONFIG"; then
    sed -i 's/^USELDAPAUTH=.*/USELDAPAUTH=yes/g' "$AUTHCONFIG"
else
    echo "USELDAPAUTH=yes" >> "$AUTHCONFIG"
fi

# Try to find [domain/..] and ldap_id_use_start_tls in sssd.conf; if found, set it to True.
# If ldap_id_use_start_tls is missing, add it under the existing domain section.
# If no [domain/..] section exists, add a default domain that carries the option.
if grep -qzosP "$LDAP_REGEX" "$SSSD_CONF"; then
    sed -i 's/ldap_id_use_start_tls.*/ldap_id_use_start_tls = True/' "$SSSD_CONF"
elif grep -qs "$DOMAIN_REGEX" "$SSSD_CONF"; then
    sed -i "/$DOMAIN_REGEX/a ldap_id_use_start_tls = True" "$SSSD_CONF"
else
    mkdir -p /etc/sssd
    touch "$SSSD_CONF"
    echo -e "[domain/default]\nldap_id_use_start_tls = True" >> "$SSSD_CONF"
fi

Remediation Ansible snippet:

- name: "Set LDAP to be used for authentication"
  lineinfile:
    path: /etc/sysconfig/authconfig
    regexp: '^USELDAPAUTH='
    line: 'USELDAPAUTH=yes'
    create: yes
  tags:
    - sssd_ldap_start_tls
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80546-5
    - NIST-800-53-AC-17(2)
    - NIST-800-53-CM-7
    - DISA-STIG-RHEL-07-040180
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: "Test for domain group"
  shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
  register: test_grep_domain
  ignore_errors: yes
  tags:
    - sssd_ldap_start_tls
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80546-5
    - NIST-800-53-AC-17(2)
    - NIST-800-53-CM-7
    - DISA-STIG-RHEL-07-040180
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: "Add default domain group and use STARTTLS (if no domain there)"
  ini_file:
    path: /etc/sssd/sssd.conf
    section: "{{ item.section }}"
    option: "{{ item.option }}"
    value: "{{ item.value }}"
    create: yes
    mode: 0600
  with_items:
    - { section: sssd, option: domains, value: default }
    - { section: domain/default, option: id_provider, value: files }
    - { section: domain/default, option: ldap_id_use_start_tls, value: true }
  when: test_grep_domain.stdout == "" and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - sssd_ldap_start_tls
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80546-5
    - NIST-800-53-AC-17(2)
    - NIST-800-53-CM-7
    - DISA-STIG-RHEL-07-040180

- name: "Configure LDAP to use STARTTLS"
  ini_file:
    path: /etc/sssd/sssd.conf
    # the grep output is the matched "[domain/...]" header; strip the brackets to get the section name
    section: "{{ test_grep_domain.stdout | trim | regex_replace('\\[(.*)\\]','\\1') }}"
    option: ldap_id_use_start_tls
    value: true
    create: yes
    mode: 0600
  # runs only when an existing domain section was found; the task above covers the no-domain case
  when: test_grep_domain.stdout != "" and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - sssd_ldap_start_tls
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80546-5
    - NIST-800-53-AC-17(2)
    - NIST-800-53-CM-7
    - DISA-STIG-RHEL-07-040180

Configure SSSD LDAP Backend Client CA Certificate
Configure SSSD to implement cryptography to protect the integrity of LDAP remote access sessions by setting the ldap_tls_cacert option in /etc/sssd/sssd.conf to the path of the X.509 CA certificate used for peer authentication:

ldap_tls_cacert = /path/to/tls/ca.cert

References: CCI-001453 SRG-OS-000250-GPOS-00093 RHEL-07-040200 SV-86855r3_rule
Rationale: Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography, enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.
Identifiers: CCE-80516-8

Configure SSSD's Memory Cache to Expire
SSSD's memory cache should be configured to expire records after seconds. To configure this, set memcache_timeout to under the [nss] section in /etc/sssd/sssd.conf.
For example:

[nss]
memcache_timeout =

References: 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-002007 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(10) IA-5(13) PR.AC-1 PR.AC-6 PR.AC-7 FIA_AFL.1 SRG-OS-000383-GPOS-00166
Rationale: If cached authentication information is out of date, the validity of the authentication information may be questionable.
Identifiers: CCE-80364-3

Remediation shell script:

var_sssd_memcache_timeout=""

SSSD_CONF="/etc/sssd/sssd.conf"
MEMCACHE_TIMEOUT_REGEX="[[:space:]]*\[nss]([^\n\[]*\n+)+?[[:space:]]*memcache_timeout"
NSS_REGEX="[[:space:]]*\[nss]"

# Try to find [nss] and memcache_timeout in sssd.conf; if found, set it to var_sssd_memcache_timeout.
# If the key is missing, add it under [nss]; if [nss] does not exist, add the section with the key.
if grep -qzosP "$MEMCACHE_TIMEOUT_REGEX" "$SSSD_CONF"; then
    sed -i "s/memcache_timeout.*/memcache_timeout = $var_sssd_memcache_timeout/" "$SSSD_CONF"
elif grep -qs "$NSS_REGEX" "$SSSD_CONF"; then
    sed -i "/$NSS_REGEX/a memcache_timeout = $var_sssd_memcache_timeout" "$SSSD_CONF"
else
    mkdir -p /etc/sssd
    touch "$SSSD_CONF"
    echo -e "[nss]\nmemcache_timeout = $var_sssd_memcache_timeout" >> "$SSSD_CONF"
fi

Remediation Ansible snippet:

- name: XCCDF Value var_sssd_memcache_timeout # promote to variable
  set_fact:
    var_sssd_memcache_timeout: !!str
  tags:
    - always

- name: "Test for domain group"
  shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
  register: test_grep_domain
  ignore_errors: yes
  changed_when: False
  tags:
    - sssd_memcache_timeout
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80364-3
    - NIST-800-53-IA-5(10)
    - NIST-800-53-IA-5(13)
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: "Add default domain group (if no domain there)"
  ini_file:
    path: /etc/sssd/sssd.conf
    section: "{{ item.section }}"
    option: "{{ item.option }}"
    value: "{{ item.value }}"
    create: yes
    mode: 0600
  with_items:
    - { section: sssd, option: domains, value: default }
    - { section: domain/default, option: id_provider, value: files }
  when: test_grep_domain.stdout == "" and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - sssd_memcache_timeout
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80364-3
    - NIST-800-53-IA-5(10)
    - NIST-800-53-IA-5(13)

- name: "Configure SSSD's Memory Cache to Expire"
  ini_file:
    path: /etc/sssd/sssd.conf
    section: nss
    option: memcache_timeout
    value: "{{ var_sssd_memcache_timeout }}"
    create: yes
    mode: 0600
  tags:
    - sssd_memcache_timeout
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80364-3
    - NIST-800-53-IA-5(10)
    - NIST-800-53-IA-5(13)
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure PAM in SSSD Services
SSSD should be configured to run its PAM responder. To do so, add pam to services under the [sssd] section in /etc/sssd/sssd.conf.
For example:

    [sssd]
    services = sudo, autofs, pam

References: RHEL-07-041002 SV-87051r4_rule 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-001948 CCI-001953 CCI-001954 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-2(11) PR.AC-1 PR.AC-6 PR.AC-7 SRG-OS-000375-GPOS-00160 SRG-OS-000375-GPOS-00161 SRG-OS-000375-GPOS-00162 SRG-OS-000107-VMM-000530

Rationale: Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.

Identifiers: CCE-80437-7

Remediation (shell):

    SSSD_SERVICES_PAM_REGEX="^[[:space:]]*\[sssd]([^\n]*\n+)+?[[:space:]]*services.*pam.*$"
    SSSD_SERVICES_REGEX="^[[:space:]]*\[sssd]([^\n]*\n+)+?[[:space:]]*services.*$"
    SSSD_PAM_SERVICES=$'[sssd]\nservices = pam'
    SSSD_CONF="/etc/sssd/sssd.conf"
    # If there is a services line with pam: nothing to do.
    # If there is a services line without pam: append pam to it.
    # Otherwise: add an [sssd] section with a services line containing pam.
    # Written as if/elif/else on purpose: the one-liner "A || B && C || D" runs
    # the append (C) even when A succeeds, because "||" and "&&" have equal
    # precedence and group left to right, so pam was added a second time.
    if grep -q "$SSSD_SERVICES_PAM_REGEX" "$SSSD_CONF"; then
        :
    elif grep -q "$SSSD_SERVICES_REGEX" "$SSSD_CONF"; then
        sed -i "s/$SSSD_SERVICES_REGEX/&, pam/" "$SSSD_CONF"
    else
        echo "$SSSD_PAM_SERVICES" >> "$SSSD_CONF"
    fi

Enable Smartcards in SSSD

SSSD should be configured to authenticate access to the system using smart cards. To enable smart cards in SSSD, set pam_cert_auth to true under the [pam] section in /etc/sssd/sssd.conf. For example:

    [pam]
    pam_cert_auth = true

References: CCI-001954 SRG-OS-000375-GPOS-00160 SRG-OS-000107-VMM-000530

Rationale: Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.

Identifiers: CCE-80570-5

Remediation (shell):

    SSSD_CONF="/etc/sssd/sssd.conf"
    SSSD_OPT="pam_cert_auth"
    SSSD_OPT_VAL=true
    PAM_REGEX="[[:space:]]*\[pam]"
    PAM_OPT_REGEX="${PAM_REGEX}([^\n\[]*\n+)+?[[:space:]]*${SSSD_OPT}"
    if grep -qzosP "$PAM_OPT_REGEX" "$SSSD_CONF"; then
        sed -i "s/${SSSD_OPT}[^(\n)]*/${SSSD_OPT} = ${SSSD_OPT_VAL}/" "$SSSD_CONF"
    elif grep -qs "$PAM_REGEX" "$SSSD_CONF"; then
        sed -i "/$PAM_REGEX/a ${SSSD_OPT} = ${SSSD_OPT_VAL}" "$SSSD_CONF"
    else
        mkdir -p /etc/sssd
        touch "$SSSD_CONF"
        echo -e "[pam]\n${SSSD_OPT} = ${SSSD_OPT_VAL}" >> "$SSSD_CONF"
    fi

Remediation (Ansible):

    - name: "Test for domain group"
      shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
      register: test_grep_domain
      ignore_errors: yes
      changed_when: False
      tags: [sssd_enable_smartcards, medium_severity, configure_strategy, low_complexity, medium_disruption, CCE-80570-5]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Add default domain group (if no domain there)"
      ini_file:
        path: /etc/sssd/sssd.conf
        section: "{{ item.section }}"
        option: "{{ item.option }}"
        value: "{{ item.value }}"
        create: yes
        mode: 0600
      with_items:
        - { section: sssd, option: domains, value: default }
        - { section: domain/default, option: id_provider, value: files }
      when: test_grep_domain.stdout == "" and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [sssd_enable_smartcards, medium_severity, configure_strategy, low_complexity, medium_disruption, CCE-80570-5]

    - name: "Enable Smartcards in SSSD"
      ini_file:
        dest: /etc/sssd/sssd.conf
        section: pam
        option: pam_cert_auth
        value: true
        create: yes
        mode: 0600
      tags:
        - sssd_enable_smartcards
        - medium_severity
        - configure_strategy
        - low_complexity
        - medium_disruption
        - CCE-80570-5
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure SSSD to Expire Offline Credentials

SSSD should be configured to expire offline credentials after 1 day. To configure SSSD to expire offline credentials, set offline_credentials_expiration to 1 under the [pam] section in /etc/sssd/sssd.conf. For example:

    [pam]
    offline_credentials_expiration = 1

References: 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-002007 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(13) PR.AC-1 PR.AC-6 PR.AC-7 FIA_AFL.1 SRG-OS-000383-GPOS-00166

Rationale: If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

Identifiers: CCE-80365-0

Remediation (shell):

    SSSD_CONF="/etc/sssd/sssd.conf"
    SSSD_OPT="offline_credentials_expiration"
    SSSD_OPT_VAL=1
    PAM_REGEX="[[:space:]]*\[pam]"
    PAM_OPT_REGEX="${PAM_REGEX}([^\n\[]*\n+)+?[[:space:]]*${SSSD_OPT}"
    # Try to find [pam] and offline_credentials_expiration in sssd.conf: if it exists
    # set it to 1, if it doesn't exist add it, and if the [pam] section doesn't exist
    # add the section and the configuration option.
    if grep -qzosP "$PAM_OPT_REGEX" "$SSSD_CONF"; then
        sed -i "s/${SSSD_OPT}[^(\n)]*/${SSSD_OPT} = ${SSSD_OPT_VAL}/" "$SSSD_CONF"
    elif grep -qs "$PAM_REGEX" "$SSSD_CONF"; then
        sed -i "/$PAM_REGEX/a ${SSSD_OPT} = ${SSSD_OPT_VAL}" "$SSSD_CONF"
    else
        mkdir -p /etc/sssd
        touch "$SSSD_CONF"
        echo -e "[pam]\n${SSSD_OPT} = ${SSSD_OPT_VAL}" >> "$SSSD_CONF"
    fi

Remediation (Ansible):

    - name: "Test for domain group"
      shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
      register: test_grep_domain
      ignore_errors: yes
      changed_when: False
      tags: [sssd_offline_cred_expiration, medium_severity, configure_strategy, low_complexity, medium_disruption, CCE-80365-0, NIST-800-53-IA-5(13)]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Add default domain group (if no domain there)"
      ini_file:
        path: /etc/sssd/sssd.conf
        section: "{{ item.section }}"
        option: "{{ item.option }}"
        value: "{{ item.value }}"
        create: yes
        mode: 0600
      with_items:
        - { section: sssd, option: domains, value: default }
        - { section: domain/default, option: id_provider, value: files }
      when: test_grep_domain.stdout == "" and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [sssd_offline_cred_expiration, medium_severity, configure_strategy, low_complexity, medium_disruption, CCE-80365-0, NIST-800-53-IA-5(13)]

    - name: "Configure SSSD to Expire Offline Credentials"
      ini_file:
        dest: /etc/sssd/sssd.conf
        section: pam
        option: offline_credentials_expiration
        value: 1
        create: yes
        mode: 0600
      tags: [sssd_offline_cred_expiration, medium_severity, configure_strategy, low_complexity, medium_disruption, CCE-80365-0, NIST-800-53-IA-5(13)]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Install the SSSD Package

The sssd package should be installed.
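The sssd.conf rules on this page (memcache_timeout, the pam service, pam_cert_auth, offline_credentials_expiration, and the ssh_known_hosts_timeout rule further down) all edit one INI-style file with multi-line regexes and sed, and the one-liner for the services list could append pam a second time. The following is an added example, not SCAP Security Guide code: a small editor that applies all five settings idempotently, keeps a new option inside its own section instead of after the next header, treats services as a list, and writes the file with mode 0600 like the Ansible tasks do. The SAMPLE configuration and the value 86400 (for the two timeouts the page leaves to XCCDF variables) are constructed for the example.

```python
"""Idempotent edits to /etc/sssd/sssd.conf for the SSSD rules on this page.

Added example, not SCAP Security Guide code. SAMPLE and the numeric values
in RULES are constructed; the page leaves those timeouts as XCCDF variables.
"""
import os
import re

_SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_OPTION = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=")


def _sections(lines):
    """Yield (name, header_index, end_index) per [section]; end is exclusive."""
    name = start = None
    for i, line in enumerate(lines):
        m = _SECTION.match(line)
        if m:
            if name is not None:
                yield name, start, i
            name, start = m.group(1), i
    if name is not None:
        yield name, start, len(lines)


def get_option(text, section, option):
    """Value of option under [section], or None if it is not set."""
    lines = text.splitlines()
    for name, start, end in _sections(lines):
        if name == section:
            for line in lines[start + 1:end]:
                m = _OPTION.match(line)
                if m and m.group(1) == option:
                    return line.split("=", 1)[1].strip()
    return None


def ensure_option(text, section, option, value):
    """Return text with 'option = value' present exactly once under [section]."""
    lines = text.splitlines()
    wanted = f"{option} = {value}"
    for name, start, end in _sections(lines):
        if name != section:
            continue
        hits = [i for i in range(start + 1, end)
                if (m := _OPTION.match(lines[i])) and m.group(1) == option]
        if hits:
            lines[hits[0]] = wanted                 # rewrite the first in place
            for i in reversed(hits[1:]):            # and drop any duplicates
                del lines[i]
        else:
            at = end                                # append inside the section,
            while at > start + 1 and not lines[at - 1].strip():
                at -= 1                             # before its trailing blank lines
            lines.insert(at, wanted)
        return "\n".join(lines) + "\n"
    if lines and lines[-1].strip():
        lines.append("")                            # blank line before a new section
    lines += [f"[{section}]", wanted]
    return "\n".join(lines) + "\n"


def ensure_service(text, service):
    """Add service to the comma-separated [sssd] services list if it is missing."""
    current = get_option(text, "sssd", "services") or ""
    names = [s.strip() for s in current.split(",") if s.strip()]
    if service in names:
        return text                                 # already there: no-op
    return ensure_option(text, "sssd", "services", ", ".join(names + [service]))


def harden(text, rules):
    """Apply (section, option, value) rules; 'services' rows are list appends."""
    for section, option, value in rules:
        if (section, option) == ("sssd", "services"):
            text = ensure_service(text, value)
        else:
            text = ensure_option(text, section, option, value)
    return text


def harden_file(path, rules):
    """Rewrite path in place with mode 0600, as the page's ini_file tasks do."""
    text = open(path).read() if os.path.exists(path) else ""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(harden(text, rules))
    os.chmod(path, 0o600)


# Constructed sample configuration, not taken from a real host.
SAMPLE = """[sssd]
config_file_version = 2
services = nss, sudo
domains = example.com

[domain/example.com]
id_provider = ldap
"""

# The five sssd.conf settings from this page's rules (86400 chosen for the example).
RULES = [
    ("nss", "memcache_timeout", "86400"),
    ("sssd", "services", "pam"),
    ("pam", "pam_cert_auth", "true"),
    ("pam", "offline_credentials_expiration", "1"),
    ("ssh", "ssh_known_hosts_timeout", "86400"),
]

if __name__ == "__main__":
    print(harden(SAMPLE, RULES), end="")
```

Running harden(SAMPLE, RULES) twice yields the same text, so it is safe to re-run from a scheduler or a playbook, and ensure_service("pam") on an already-hardened file changes nothing, which is exactly the case the shell one-liner got wrong.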
The sssd package can be installed with the following command:

    $ sudo yum install sssd

References: 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(10) PR.AC-1 PR.AC-6 PR.AC-7

Identifiers: CCE-80362-7

Remediation (shell):

    package_install sssd

Remediation (Ansible):

    - name: Ensure sssd is installed
      package:
        name: sssd
        state: present
      tags: [package_sssd_installed, medium_severity, enable_strategy, low_complexity, low_disruption, CCE-80362-7, NIST-800-53-IA-5(10)]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Remediation (Puppet):

    include install_sssd
    class install_sssd {
      package { 'sssd':
        ensure => 'installed',
      }
    }

Remediation (Anaconda):

    package --add=sssd

Configure SSSD to Expire SSH Known Hosts

SSSD should be configured to expire keys from known SSH hosts after a configured number of seconds. To configure this, set ssh_known_hosts_timeout to the chosen number of seconds under the [ssh] section in /etc/sssd/sssd.conf. For example:

    [ssh]
    ssh_known_hosts_timeout =

References: 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-002007 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(13) PR.AC-1 PR.AC-6 PR.AC-7 SRG-OS-000383-GPOS-00166

Rationale: If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

Identifiers: CCE-80366-8

Remediation (shell):

    var_sssd_ssh_known_hosts_timeout=""
    SSSD_CONF="/etc/sssd/sssd.conf"
    SSH_KNOWN_HOSTS_TIMEOUT_REGEX="[[:space:]]*\[ssh]([^\n\[]*\n+)+?[[:space:]]*ssh_known_hosts_timeout"
    SSH_REGEX="[[:space:]]*\[ssh]"
    # Try to find [ssh] and ssh_known_hosts_timeout in sssd.conf: if the option exists,
    # set it to var_sssd_ssh_known_hosts_timeout; if it is missing, add it; if [ssh]
    # itself is missing, add the section together with the option.
    if grep -qzosP "$SSH_KNOWN_HOSTS_TIMEOUT_REGEX" "$SSSD_CONF"; then
        sed -i "s/ssh_known_hosts_timeout[^(\n)]*/ssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout/" "$SSSD_CONF"
    elif grep -qs "$SSH_REGEX" "$SSSD_CONF"; then
        sed -i "/$SSH_REGEX/a ssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout" "$SSSD_CONF"
    else
        mkdir -p /etc/sssd
        touch "$SSSD_CONF"
        echo -e "[ssh]\nssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout" >> "$SSSD_CONF"
    fi

Remediation (Ansible):

    - name: XCCDF Value var_sssd_ssh_known_hosts_timeout # promote to variable
      set_fact:
        var_sssd_ssh_known_hosts_timeout: !!str
      tags:
        - always

    - name: "Test for domain group"
      shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
      register: test_grep_domain
      ignore_errors: yes
      changed_when: False
      tags: [sssd_ssh_known_hosts_timeout, medium_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80366-8, NIST-800-53-IA-5(13)]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Add default domain group (if no domain there)"
      ini_file:
        path: /etc/sssd/sssd.conf
        section: "{{ item.section }}"
        option: "{{ item.option }}"
        value: "{{ item.value }}"
        create: yes
        mode: 0600
      with_items:
        - { section: sssd, option: domains, value: default }
        - { section: domain/default, option: id_provider, value: files }
      when: test_grep_domain.stdout == "" and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [sssd_ssh_known_hosts_timeout, medium_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80366-8, NIST-800-53-IA-5(13)]

    - name: "Configure SSSD to Expire SSH Known Hosts"
      ini_file:
        dest: /etc/sssd/sssd.conf
        section: ssh
        option: ssh_known_hosts_timeout
        value: "{{ var_sssd_ssh_known_hosts_timeout }}"
        create: yes
        mode: 0600
      tags: [sssd_ssh_known_hosts_timeout, medium_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80366-8, NIST-800-53-IA-5(13)]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the SSSD Service

The SSSD service should be enabled. The sssd service can be enabled with the following command:

    $ sudo systemctl enable sssd.service

References: 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(10) PR.AC-1 PR.AC-6 PR.AC-7

Identifiers: CCE-80363-5

Remediation (shell):

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" start 'sssd.service'
    "$SYSTEMCTL_EXEC" enable 'sssd.service'

Remediation (Ansible):

    - name: Enable service sssd
      service:
        name: sssd
        enabled: "yes"
        state: "started"
      tags: [service_sssd_enabled, medium_severity, enable_strategy, low_complexity, low_disruption, CCE-80363-5, NIST-800-53-IA-5(10)]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure Time Service Maxpoll Interval

The maxpoll value should be configured in /etc/ntp.conf or /etc/chrony.conf so that the time servers are polled continuously.
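For the maxpoll rule, the shell remediation that follows greps "server" lines and feeds each one back into sed as a pattern, which skips chrony "pool" and "peer" sources and is only safe for lines free of sed metacharacters. As an added example (not SCAP Security Guide code), here is an editor that rewrites or appends maxpoll on every server, pool and peer line while preserving trailing comments, plus the audit half a checker needs. SAMPLE_CHRONY and the value 10 are constructed for the example; the page leaves the number to an XCCDF variable.

```python
"""Set maxpoll on every time-source line of an ntpd or chrony configuration.

Added example, not SCAP Security Guide code. SAMPLE_CHRONY is constructed.
"""
import re

# Directives that accept maxpoll in both ntp.conf and chrony.conf.
SOURCE_DIRECTIVES = ("server", "pool", "peer")
_MAXPOLL = re.compile(r"\bmaxpoll\s+-?\d+")


def _is_source(line):
    words = line.split()
    return bool(words) and words[0] in SOURCE_DIRECTIVES


def set_maxpoll(text, maxpoll):
    """Return text with 'maxpoll <maxpoll>' on every server/pool/peer line.

    An existing value is replaced; a missing one is appended before any trailing
    '#' comment. Comments, blank lines and other directives are left untouched.
    """
    maxpoll = int(maxpoll)  # anything that is not an integer raises ValueError
    out = []
    for line in text.splitlines():
        if _is_source(line):
            code, sep, comment = line.partition("#")
            if _MAXPOLL.search(code):
                code = _MAXPOLL.sub(f"maxpoll {maxpoll}", code, count=1)
            else:
                code = code.rstrip() + f" maxpoll {maxpoll}" + (" " if sep else "")
            line = code + sep + comment
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def sources_missing_maxpoll(text, maxpoll):
    """Audit: source lines whose maxpoll is absent or differs from maxpoll."""
    maxpoll = int(maxpoll)
    bad = []
    for line in text.splitlines():
        if not _is_source(line):
            continue
        m = _MAXPOLL.search(line.partition("#")[0])
        if m is None or int(m.group().split()[1]) != maxpoll:
            bad.append(line.strip())
    return bad


# Constructed sample: a pool line (skipped by a grep for "^server"), a server
# line with an existing maxpoll and a trailing comment, and a bare server line.
SAMPLE_CHRONY = """# Constructed sample chrony.conf
pool 2.rhel.pool.ntp.org iburst
server time.example.com iburst maxpoll 17 # internal source
server 10.0.0.5 iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
"""

if __name__ == "__main__":
    print(set_maxpoll(SAMPLE_CHRONY, 10), end="")
```

Which file to edit is still the page's decision (ntp.conf when ntpd is running, otherwise chrony.conf); the editor itself is the same for both because both daemons spell the option identically.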
To configure maxpoll in /etc/ntp.conf or /etc/chrony.conf, add the following to each server entry:

    maxpoll

References: RHEL-07-040500 SV-86893r4_rule 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 CCI-001891 CCI-002046 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-8(1)(a) PR.PT-1 SRG-OS-000355-GPOS-00143 SRG-OS-000356-GPOS-00144

Rationale: Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.

Identifiers: CCE-80439-3

Remediation (shell):

    var_time_service_set_maxpoll=""
    config_file="/etc/ntp.conf"
    /usr/sbin/pidof ntpd || config_file="/etc/chrony.conf"
    # Set existing maxpoll values to var_time_service_set_maxpoll
    sed -i "s/^\(server.*maxpoll\) [0-9][0-9]*\(.*\)$/\1 $var_time_service_set_maxpoll \2/" "$config_file"
    # Add maxpoll to server entries without maxpoll. A single sed address is used
    # rather than feeding each raw server line back into sed as a pattern, which
    # broke on lines containing "/" or regex metacharacters.
    sed -i '/^server/{/maxpoll/! s/$/ maxpoll '"$var_time_service_set_maxpoll"'/}' "$config_file"

Uninstall Automatic Bug Reporting Tool (abrt)

The Automatic Bug Reporting Tool (abrt) collects and reports crash data when an application crash is detected. Using a variety of plugins, abrt can email crash reports to system administrators, log crash reports to files, or forward crash reports to a centralized issue tracking system such as RHTSupport. The abrt package can be removed with the following command:

    $ sudo yum erase abrt

Rationale: Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the system, as well as sensitive information from within a process's address space or registers.

Remediation (shell):

    package_remove abrt

Remediation (Ansible):

    - name: Ensure abrt is removed
      package:
        name: abrt
        state: absent
      tags: [package_abrt_removed, medium_severity, disable_strategy, low_complexity, low_disruption]

Remediation (Puppet):

    include remove_abrt
    class remove_abrt {
      package { 'abrt':
        ensure => 'purged',
      }
    }

Remediation (Anaconda):

    package --remove=abrt

Disable Control Group Rules Engine (cgred)

The cgred service moves tasks into control groups according to parameters set in the /etc/cgrules.conf configuration file. The cgred service can be disabled with the following command:

    $ sudo systemctl disable cgred.service

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: Unless control groups are used to manage system resources, running the cgred service is not necessary.

Identifiers: CCE-80255-3

Remediation (shell):

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'cgred.service'
    "$SYSTEMCTL_EXEC" disable 'cgred.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^cgred.socket\>' && "$SYSTEMCTL_EXEC" disable 'cgred.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'cgred.service'

Remediation (Ansible):

    - name: Disable service cgred
      service:
        name: cgred
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags: [service_cgred_disabled, unknown_severity, disable_strategy, low_complexity, low_disruption, CCE-80255-3, NIST-800-53-CM-7]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service cgred if applicable
      service:
        name: cgred.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags: [service_cgred_disabled, unknown_severity, disable_strategy, low_complexity, low_disruption, CCE-80255-3, NIST-800-53-CM-7]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable D-Bus IPC Service (messagebus)

D-Bus provides an IPC mechanism used by a growing list of programs, such as those used for Gnome, Bluetooth, and Avahi. Due to these dependencies, disabling D-Bus may not be practical for many systems. The messagebus service can be disabled with the following command:

    $ sudo systemctl disable messagebus.service

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: If no services which require D-Bus are needed, then it can be disabled. As a broker for IPC between processes of different privilege levels, it could be a target for attack. However, disabling D-Bus is likely to be impractical for any system which needs to provide a graphical login session.

Identifiers: CCE-80260-3

Remediation (shell):

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'messagebus.service'
    "$SYSTEMCTL_EXEC" disable 'messagebus.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^messagebus.socket\>' && "$SYSTEMCTL_EXEC" disable 'messagebus.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'messagebus.service'

Remediation (Ansible):

    - name: Disable service messagebus
      service:
        name: messagebus
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags: [service_messagebus_disabled, unknown_severity, disable_strategy, low_complexity, low_disruption, CCE-80260-3, NIST-800-53-CM-7]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service messagebus if applicable
      service:
        name: messagebus.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags: [service_messagebus_disabled, unknown_severity, disable_strategy, low_complexity, low_disruption, CCE-80260-3, NIST-800-53-CM-7]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Advanced Configuration and Power Interface (acpid)

The Advanced Configuration and Power Interface Daemon (acpid) dispatches ACPI events (such as power/reset button depressed) to userspace programs.
The acpid service can be disabled with the following command:

    $ sudo systemctl disable acpid.service

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: ACPI support is highly desirable for systems in some network roles, such as laptops or desktops. For other systems, such as servers, it may permit accidental or trivially achievable denial of service situations and disabling it is appropriate.

Identifiers: CCE-80252-0

Remediation (shell):

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'acpid.service'
    "$SYSTEMCTL_EXEC" disable 'acpid.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^acpid.socket\>' && "$SYSTEMCTL_EXEC" disable 'acpid.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'acpid.service'

Remediation (Ansible):

    - name: Disable service acpid
      service:
        name: acpid
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags: [service_acpid_disabled, unknown_severity, disable_strategy, low_complexity, low_disruption, CCE-80252-0, NIST-800-53-CM-7]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service acpid if applicable
      service:
        name: acpid.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags: [service_acpid_disabled, unknown_severity, disable_strategy, low_complexity, low_disruption, CCE-80252-0, NIST-800-53-CM-7]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Network Router Discovery Daemon (rdisc)

The rdisc service implements the client side of the ICMP Internet Router Discovery Protocol (IRDP), which allows discovery of routers on the local subnet. If a router is discovered then the local routing table is updated with a corresponding default route. By default this daemon is disabled.
The rdisc service can be disabled with the following command:

    $ sudo systemctl disable rdisc.service

References: 1 11 12 13 14 15 16 18 3 4 6 8 9 APO01.06 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS01.05 DSS03.01 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.06 CCI-000382 4.2.3.4 4.3.3.4 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 4.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.11.2.6 A.12.1.1 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.6.2.1 A.6.2.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-17(8) AC-4 CM-7 DE.AE-1 ID.AM-3 PR.AC-3 PR.AC-5 PR.DS-5 PR.IP-1 PR.PT-3 PR.PT-4

Rationale: General-purpose systems typically have their network and routing information configured statically by a system administrator. Workstations or some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information.

Identifiers: CCE-80268-6

Remediation (shell):

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'rdisc.service'
    "$SYSTEMCTL_EXEC" disable 'rdisc.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rdisc.socket\>' && "$SYSTEMCTL_EXEC" disable 'rdisc.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'rdisc.service'

Remediation (Ansible):

    - name: Disable service rdisc
      service:
        name: rdisc
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags: [service_rdisc_disabled, medium_severity, disable_strategy, low_complexity, low_disruption, CCE-80268-6, NIST-800-53-AC-17(8), NIST-800-53-AC-4, NIST-800-53-CM-7]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service rdisc if applicable
      service:
        name: rdisc.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags: [service_rdisc_disabled, medium_severity, disable_strategy, low_complexity, low_disruption, CCE-80268-6, NIST-800-53-AC-17(8), NIST-800-53-AC-4, NIST-800-53-CM-7]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Network Console (netconsole)

The netconsole service is responsible for loading the netconsole kernel module, which logs kernel printk messages over UDP to a syslog server. This allows debugging of problems where disk logging fails and serial consoles are impractical.
The netconsole service can be disabled with the following command:

    $ sudo systemctl disable netconsole.service

References: 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 CCI-000381 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4

Rationale: The netconsole service is not necessary unless there is a need to debug kernel panics, which is not common.

Identifiers: CCE-80261-1

Remediation (shell):

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'netconsole.service'
    "$SYSTEMCTL_EXEC" disable 'netconsole.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^netconsole.socket\>' && "$SYSTEMCTL_EXEC" disable 'netconsole.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'netconsole.service'

Remediation (Ansible):

    - name: Disable service netconsole
      service:
        name: netconsole
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags: [service_netconsole_disabled, unknown_severity, disable_strategy, low_complexity, low_disruption, CCE-80261-1, NIST-800-53-AC-17(8), NIST-800-53-CM-7]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service netconsole if applicable
      service:
        name: netconsole.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags: [service_netconsole_disabled, unknown_severity, disable_strategy, low_complexity, low_disruption, CCE-80261-1, NIST-800-53-AC-17(8), NIST-800-53-CM-7]
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Certmonger Service (certmonger)

Certmonger is a D-Bus based service that attempts to simplify interaction with certifying authorities on networks which use public-key infrastructure. It is often combined with Red Hat's IPA (Identity Policy Audit) security information management solution to aid in the management of certificates.
The certmonger service can be disabled with the following command: $ sudo systemctl disable certmonger.service 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 The services provided by certmonger may be essential for systems fulfilling some roles a PKI infrastructure, but its functionality is not necessary for many other use cases. CCE-80253-8 SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" stop 'certmonger.service' "$SYSTEMCTL_EXEC" disable 'certmonger.service' # Disable socket activation if we have a unit file for it "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^certmonger.socket\>' && "$SYSTEMCTL_EXEC" disable 'certmonger.socket' # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. 
    "$SYSTEMCTL_EXEC" reset-failed 'certmonger.service'

Remediation Ansible snippet:

    - name: Disable service certmonger
      service:
        name: certmonger
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
      - service_certmonger_disabled
      - unknown_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80253-8
      - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service certmonger if applicable
      service:
        name: certmonger.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
      - service_certmonger_disabled
      - unknown_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80253-8
      - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Quota Netlink (quota_nld)

Description: The quota_nld service provides notifications to users of disk space quota violations. It listens to the kernel via a netlink socket for disk quota violations and notifies the appropriate user of the violation using D-Bus or by sending a message to the terminal that the user has last accessed.
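The disable-service rules in this section (netconsole and certmonger above, quota_nld and the others that follow) all stop the unit, disable it, disable any matching .socket unit and reset a 'failed' state. The audit helper below is an added example, not SCAP Security Guide code: it applies those same criteria to the output of `systemctl show` so a host can be checked before and after remediation, and it runs offline on the constructed sample output embedded at the end of the file. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added audit helper (not SCAP Security Guide code). It judges a service the
# way the "Disable <service>" rules in this section expect: the .service unit
# and its .socket unit must both be disabled and 'inactive' (a 'failed' unit is
# not running, but the remediation scripts reset it because the check expects
# 'inactive'). Input is the Key=Value output of `systemctl show`, so the logic
# also runs offline on the constructed samples at the end of the file.

# prop <Key> <show-output>: value of one Key=Value line, empty if absent.
prop() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1
}

# judge_unit <unit> <show-output>
# Prints "<unit>: pass ..." or "<unit>: FAIL (...)"; returns 0 on pass, 1 on fail.
judge_unit() {
    unit="$1"
    show="$2"
    if [ -z "$show" ]; then
        echo "$unit: FAIL (no data from systemctl)"
        return 1
    fi
    load=$(prop LoadState "$show")
    ufs=$(prop UnitFileState "$show")
    active=$(prop ActiveState "$show")

    # No unit file at all: nothing can start it. The Ansible snippets above
    # treat "Could not find the requested service" the same way.
    if [ "$load" = "not-found" ]; then
        echo "$unit: pass (unit not installed)"
        return 0
    fi
    # `systemctl disable` must have removed the boot-time links.
    case "$ufs" in
        enabled|enabled-runtime|linked|linked-runtime|alias)
            echo "$unit: FAIL (UnitFileState=$ufs)"
            return 1 ;;
    esac
    # Only 'inactive' satisfies the rule; 'active', 'activating' and
    # 'failed' do not (the scripts above run reset-failed for the last one).
    if [ "$active" = "inactive" ]; then
        echo "$unit: pass"
        return 0
    fi
    echo "$unit: FAIL (ActiveState=$active)"
    return 1
}

# judge_service <name> <service-show> <socket-show>
# A service is disabled only if neither <name>.service nor <name>.socket
# (socket activation) can bring it back.
judge_service() {
    svc_rc=0
    judge_unit "$1.service" "$2" || svc_rc=1
    judge_unit "$1.socket" "$3" || svc_rc=1
    return $svc_rc
}

# audit_live <name>...: query the local systemd for each service named.
# Example: audit_live netconsole certmonger quota_nld rhnsd mdmonitor
audit_live() {
    live_rc=0
    for name in "$@"; do
        s=$(systemctl show -p LoadState,UnitFileState,ActiveState "$name.service" 2>/dev/null)
        k=$(systemctl show -p LoadState,UnitFileState,ActiveState "$name.socket" 2>/dev/null)
        judge_service "$name" "$s" "$k" || live_rc=1
    done
    return $live_rc
}

# Constructed sample `systemctl show` outputs (not captured from a real host).
SAMPLE_NOT_INSTALLED='LoadState=not-found
ActiveState=inactive'
SAMPLE_DISABLED_OK='LoadState=loaded
UnitFileState=disabled
ActiveState=inactive'
SAMPLE_DISABLED_BUT_FAILED='LoadState=loaded
UnitFileState=disabled
ActiveState=failed'
SAMPLE_SOCKET_STILL_ENABLED='LoadState=loaded
UnitFileState=enabled
ActiveState=active'

# Stand-alone demo: the second and third cases are exactly what the
# reset-failed and socket-disable steps of the shell remediation exist to fix.
judge_service certmonger "$SAMPLE_DISABLED_OK" "$SAMPLE_NOT_INSTALLED" || :
judge_service netconsole "$SAMPLE_DISABLED_BUT_FAILED" "$SAMPLE_NOT_INSTALLED" || :
judge_service qpidd "$SAMPLE_DISABLED_OK" "$SAMPLE_SOCKET_STILL_ENABLED" || :
```

On a live host, `audit_live` followed by the service names of this section gives the per-unit verdicts; a non-zero exit means at least one unit still needs the corresponding remediation.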
The quota_nld service can be disabled with the following command:

    $ sudo systemctl disable quota_nld.service

References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3

Rationale: If disk quotas are enforced on the local system, then the quota_nld service likely provides useful functionality and should remain enabled. However, if disk quotas are not used or user notification of disk quota violation is not desired, then there is no need to run this service.

Identifiers: CCE-80267-8

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'quota_nld.service'
    "$SYSTEMCTL_EXEC" disable 'quota_nld.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^quota_nld.socket\>' && "$SYSTEMCTL_EXEC" disable 'quota_nld.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'quota_nld.service'

Remediation Ansible snippet:

    - name: Disable service quota_nld
      service:
        name: quota_nld
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
      - service_quota_nld_disabled
      - unknown_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80267-8
      - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service quota_nld if applicable
      service:
        name: quota_nld.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
      - service_quota_nld_disabled
      - unknown_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80267-8
      - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable Process Accounting (psacct)

Description: The process accounting service, psacct, works with programs including acct and ac to allow system administrators to view user activity, such as commands issued by users of the system.
The psacct service can be enabled with the following command:

    $ sudo systemctl enable psacct.service

References: 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.06, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.15.2.2, A.9.1.2, AU-12, CM-7, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.IP-1, PR.PT-1, PR.PT-3

Rationale: The psacct service can provide administrators a convenient view into some user activities. However, it should be noted that the auditing system and its audit records provide more authoritative and comprehensive records.

Identifiers: CCE-80265-2

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" start 'psacct.service'
    "$SYSTEMCTL_EXEC" enable 'psacct.service'

Remediation Ansible snippet:

    - name: Enable service psacct
      service:
        name: psacct
        enabled: "yes"
        state: "started"
      tags:
      - service_psacct_enabled
      - unknown_severity
      - enable_strategy
      - low_complexity
      - low_disruption
      - CCE-80265-2
      - NIST-800-53-AU-12
      - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Red Hat Network Service (rhnsd)

Description: The Red Hat Network service automatically queries Red Hat Network servers to determine whether there are any actions that should be executed, such as package updates.
This only occurs if the system was registered to an RHN server or satellite and managed as such.

The rhnsd service can be disabled with the following command:

    $ sudo systemctl disable rhnsd.service

References: 1.2.5, 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000382, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-17(8), CM-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4

Rationale: Although systems management and patching are extremely important to system security, management by a system outside the enterprise enclave is not desirable for some environments. However, if the system is being managed by RHN or RHN Satellite Server, the rhnsd daemon can remain on.

Identifiers: CCE-80269-4

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'rhnsd.service'
    "$SYSTEMCTL_EXEC" disable 'rhnsd.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rhnsd.socket\>' && "$SYSTEMCTL_EXEC" disable 'rhnsd.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'rhnsd.service'

Remediation Ansible snippet:

    - name: Disable service rhnsd
      service:
        name: rhnsd
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
      - service_rhnsd_disabled
      - unknown_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80269-4
      - NIST-800-53-AC-17(8)
      - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service rhnsd if applicable
      service:
        name: rhnsd.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
      - service_rhnsd_disabled
      - unknown_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80269-4
      - NIST-800-53-AC-17(8)
      - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Install the psacct package

Description: The process accounting service, psacct, works with programs including acct and ac to allow system administrators to view user activity, such as commands issued by users of the system.
The psacct package can be installed with the following command:

    $ sudo yum install psacct

References: 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.06, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.15.2.2, A.9.1.2, AU-12, CM-7, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.IP-1, PR.PT-1, PR.PT-3

Rationale: The psacct service can provide administrators a convenient view into some user activities. However, it should be noted that the auditing system and its audit records provide more authoritative and comprehensive records.

Remediation Shell script:

    package_install psacct

Remediation Ansible snippet:

    - name: Ensure psacct is installed
      package:
        name: psacct
        state: present
      tags:
      - package_psacct_installed
      - unknown_severity
      - enable_strategy
      - low_complexity
      - low_disruption
      - NIST-800-53-AU-12
      - NIST-800-53-CM-7

Remediation Puppet snippet:

    include install_psacct
    class install_psacct {
      package { 'psacct':
        ensure => 'installed',
      }
    }

Remediation Anaconda snippet:

    package --add=psacct

Disable Software RAID Monitor (mdmonitor)

Description: The mdmonitor service is used for monitoring a software RAID array; hardware RAID setups do not use this service.
The mdmonitor service can be disabled with the following command:

    $ sudo systemctl disable mdmonitor.service

References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3

Rationale: If software RAID monitoring is not required, there is no need to run this service.

Identifiers: CCE-80259-5

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'mdmonitor.service'
    "$SYSTEMCTL_EXEC" disable 'mdmonitor.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^mdmonitor.socket\>' && "$SYSTEMCTL_EXEC" disable 'mdmonitor.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'mdmonitor.service'

Remediation Ansible snippet:

    - name: Disable service mdmonitor
      service:
        name: mdmonitor
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
      - service_mdmonitor_disabled
      - unknown_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80259-5
      - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service mdmonitor if applicable
      service:
        name: mdmonitor.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
      - service_mdmonitor_disabled
      - unknown_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80259-5
      - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable IRQ Balance (irqbalance)

Description: The irqbalance service optimizes the balance between power savings and performance through distribution of hardware interrupts across multiple processors.
The irqbalance service can be enabled with the following command:

    $ sudo systemctl enable irqbalance.service

References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3

Rationale: In an environment with multiple processors (now common), the irqbalance service provides potential speedups for handling interrupt requests.

Identifiers: CCE-80257-9

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" start 'irqbalance.service'
    "$SYSTEMCTL_EXEC" enable 'irqbalance.service'

Remediation Ansible snippet:

    - name: Enable service irqbalance
      service:
        name: irqbalance
        enabled: "yes"
        state: "started"
      tags:
      - service_irqbalance_enabled
      - unknown_severity
      - enable_strategy
      - low_complexity
      - low_disruption
      - CCE-80257-9
      - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Odd Job Daemon (oddjobd)

Description: The oddjobd service exists to provide an interface and access control mechanism through which specified privileged tasks can run tasks for unprivileged client applications. Communication with oddjobd takes place through the system message bus.
The oddjobd service can be disabled with the following command:

    $ sudo systemctl disable oddjobd.service

References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3

Rationale: The oddjobd service may provide necessary functionality in some environments, and can be disabled if it is not needed. Execution of tasks by privileged programs, on behalf of unprivileged ones, has traditionally been a source of privilege escalation security issues.

Identifiers: CCE-80263-7

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'oddjobd.service'
    "$SYSTEMCTL_EXEC" disable 'oddjobd.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^oddjobd.socket\>' && "$SYSTEMCTL_EXEC" disable 'oddjobd.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'oddjobd.service'

Remediation Ansible snippet:

    - name: Disable service oddjobd
      service:
        name: oddjobd
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
      - service_oddjobd_disabled
      - medium_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80263-7
      - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service oddjobd if applicable
      service:
        name: oddjobd.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
      - service_oddjobd_disabled
      - medium_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80263-7
      - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable SMART Disk Monitoring Service (smartd)

Description: SMART (Self-Monitoring, Analysis, and Reporting Technology) is a feature of hard drives that allows them to detect symptoms of disk failure and relay an appropriate warning.
The smartd service can be disabled with the following command:

    $ sudo systemctl disable smartd.service

References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3

Rationale: SMART can help protect against denial of service due to failing hardware. Nevertheless, if it is not needed or the system's drives are not SMART-capable (such as solid state drives), it can be disabled.

Identifiers: CCE-80272-8

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'smartd.service'
    "$SYSTEMCTL_EXEC" disable 'smartd.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^smartd.socket\>' && "$SYSTEMCTL_EXEC" disable 'smartd.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'smartd.service'

Remediation Ansible snippet:

    - name: Disable service smartd
      service:
        name: smartd
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
      - service_smartd_disabled
      - unknown_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80272-8
      - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service smartd if applicable
      service:
        name: smartd.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
      - service_smartd_disabled
      - unknown_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80272-8
      - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Apache Qpid (qpidd)

Description: The qpidd service provides high speed, secure, guaranteed delivery services. It is an implementation of the Advanced Message Queuing Protocol. By default the qpidd service will bind to port 5672 and listen for connection attempts.
The qpidd service can be disabled with the following command:

    $ sudo systemctl disable qpidd.service

References: 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000382, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-17(8), CM-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4

Rationale: The qpidd service is automatically installed when the "base" package selection is selected during installation. The qpidd service listens for network connections, which increases the attack surface of the system. If the system is not intended to receive AMQP traffic, then the qpidd service is not needed and should be disabled or removed.

Identifiers: CCE-80266-0

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'qpidd.service'
    "$SYSTEMCTL_EXEC" disable 'qpidd.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^qpidd.socket\>' && "$SYSTEMCTL_EXEC" disable 'qpidd.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'qpidd.service'

Remediation Ansible snippet:

    - name: Disable service qpidd
      service:
        name: qpidd
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
      - service_qpidd_disabled
      - medium_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80266-0
      - NIST-800-53-AC-17(8)
      - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service qpidd if applicable
      service:
        name: qpidd.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
      - service_qpidd_disabled
      - medium_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80266-0
      - NIST-800-53-AC-17(8)
      - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Automatic Bug Reporting Tool (abrtd)

Description: The Automatic Bug Reporting Tool (abrtd) daemon collects and reports crash data when an application crash is detected. Using a variety of plugins, abrtd can email crash reports to system administrators, log crash reports to files, or forward crash reports to a centralized issue tracking system such as RHTSupport.
The abrtd service can be disabled with the following command:

    $ sudo systemctl disable abrtd.service

References: 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-17(8), CM-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4

Rationale: Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the system, as well as sensitive information from within a process's address space or registers.

Identifiers: CCE-26872-2

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'abrtd.service'
    "$SYSTEMCTL_EXEC" disable 'abrtd.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^abrtd.socket\>' && "$SYSTEMCTL_EXEC" disable 'abrtd.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'abrtd.service'

Remediation Ansible snippet:

    - name: Disable service abrtd
      service:
        name: abrtd
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
      - service_abrtd_disabled
      - medium_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-26872-2
      - NIST-800-53-AC-17(8)
      - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service abrtd if applicable
      service:
        name: abrtd.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
      - service_abrtd_disabled
      - medium_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-26872-2
      - NIST-800-53-AC-17(8)
      - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable CPU Speed (cpupower)

Description: The cpupower service can adjust the clock speed of supported CPUs based upon the current processing load, thereby conserving power and reducing heat.
The cpupower service can be disabled with the following command:

    $ sudo systemctl disable cpupower.service

References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3

Rationale: The cpupower service is only necessary if adjusting the CPU clock speed provides benefit. Traditionally this has included laptops (to enhance battery life), but may also apply to server or desktop environments where conserving power is highly desirable or necessary.

Identifiers: CCE-80256-1

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'cpupower.service'
    "$SYSTEMCTL_EXEC" disable 'cpupower.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^cpupower.socket\>' && "$SYSTEMCTL_EXEC" disable 'cpupower.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'cpupower.service'

Remediation Ansible snippet:

    - name: Disable service cpupower
      service:
        name: cpupower
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
      - service_cpupower_disabled
      - unknown_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80256-1
      - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service cpupower if applicable
      service:
        name: cpupower.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
      - service_cpupower_disabled
      - unknown_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80256-1
      - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Cyrus SASL Authentication Daemon (saslauthd)

Description: The saslauthd service handles plaintext authentication requests on behalf of the SASL library. The service isolates all code requiring superuser privileges for SASL authentication into a single process, and can also be used to provide proxy authentication services to clients that do not understand SASL based authentication.
The saslauthd service can be disabled with the following command:

    $ sudo systemctl disable saslauthd.service

References: 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-17(8), CM-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4

Rationale: The saslauthd service provides essential functionality for performing authentication in some directory environments, such as those which use Kerberos and LDAP. For others, however, in which only local files may be consulted, it is not necessary and should be disabled.

Identifiers: CCE-80271-0

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'saslauthd.service'
    "$SYSTEMCTL_EXEC" disable 'saslauthd.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^saslauthd.socket\>' && "$SYSTEMCTL_EXEC" disable 'saslauthd.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'saslauthd.service'

Remediation Ansible snippet:

    - name: Disable service saslauthd
      service:
        name: saslauthd
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
      - service_saslauthd_disabled
      - unknown_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80271-0
      - NIST-800-53-AC-17(8)
      - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service saslauthd if applicable
      service:
        name: saslauthd.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
      - service_saslauthd_disabled
      - unknown_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80271-0
      - NIST-800-53-AC-17(8)
      - NIST-800-53-CM-7
      when: # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Control Group Config (cgconfig)

Description: Control groups allow an administrator to allocate system resources (such as CPU, memory, network bandwidth, etc.) among a defined group (or groups) of processes executing on a system. The cgconfig daemon starts at boot and establishes the predefined control groups.
The cgconfig service can be disabled with the following command:

    $ sudo systemctl disable cgconfig.service

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: Unless control groups are used to manage system resources, running the cgconfig service is not necessary.

Identifiers: CCE-80254-6

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'cgconfig.service'
    "$SYSTEMCTL_EXEC" disable 'cgconfig.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^cgconfig.socket\>' && "$SYSTEMCTL_EXEC" disable 'cgconfig.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'cgconfig.service'

Remediation Ansible snippet:

    - name: Disable service cgconfig
      service:
        name: cgconfig
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
        - service_cgconfig_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80254-6
        - NIST-800-53-CM-7
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service cgconfig if applicable
      service:
        name: cgconfig.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
        - service_cgconfig_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80254-6
        - NIST-800-53-CM-7
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable ntpdate Service (ntpdate)

The ntpdate service sets the local hardware clock by polling NTP servers when the system boots. It synchronizes to the NTP servers listed in /etc/ntp/step-tickers or /etc/ntp.conf and then sets the local hardware clock to the newly synchronized system time.
The ntpdate service can be disabled with the following command:

    $ sudo systemctl disable ntpdate.service

References: 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 CCI-000382 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4

Rationale: The ntpdate service may only be suitable for systems which are rebooted frequently enough that clock drift does not cause problems between reboots. In any event, the functionality of the ntpdate service is now available in the ntpd program and should be considered deprecated.

Identifiers: CCE-80262-9

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'ntpdate.service'
    "$SYSTEMCTL_EXEC" disable 'ntpdate.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^ntpdate.socket\>' && "$SYSTEMCTL_EXEC" disable 'ntpdate.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'ntpdate.service'

Remediation Ansible snippet:

    - name: Disable service ntpdate
      service:
        name: ntpdate
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
        - service_ntpdate_disabled
        - medium_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80262-9
        - NIST-800-53-AC-17(8)
        - NIST-800-53-CM-7
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service ntpdate if applicable
      service:
        name: ntpdate.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
        - service_ntpdate_disabled
        - medium_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80262-9
        - NIST-800-53-AC-17(8)
        - NIST-800-53-CM-7
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable KDump Kernel Crash Analyzer (kdump)

The kdump service provides a kernel crash dump analyzer. It uses the kexec system call to boot a secondary kernel ("capture" kernel) following a system crash, which can load information from the crashed kernel for analysis.
The kdump service can be disabled with the following command:

    $ sudo systemctl disable kdump.service

References: RHEL-07-021300 SV-86681r2_rule 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 CCI-000366 164.308(a)(1)(ii)(D) 164.308(a)(3) 164.308(a)(4) 164.310(b) 164.310(c) 164.312(a) 164.312(e) 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7 CM-6(b) PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000480-GPOS-00227

Rationale: Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service.

Identifiers: CCE-80258-7

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'kdump.service'
    "$SYSTEMCTL_EXEC" disable 'kdump.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^kdump.socket\>' && "$SYSTEMCTL_EXEC" disable 'kdump.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'kdump.service'

Remediation Ansible snippet:

    - name: Disable service kdump
      service:
        name: kdump
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
        - service_kdump_disabled
        - medium_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80258-7
        - NIST-800-53-AC-17(8)
        - NIST-800-53-CM-7
        - NIST-800-53-CM-6(b)
        - DISA-STIG-RHEL-07-021300
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service kdump if applicable
      service:
        name: kdump.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
        - service_kdump_disabled
        - medium_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80258-7
        - NIST-800-53-AC-17(8)
        - NIST-800-53-CM-7
        - NIST-800-53-CM-6(b)
        - DISA-STIG-RHEL-07-021300
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Remediation Anaconda snippet:

    kdump --disable

Disable Red Hat Subscription Manager Daemon (rhsmcertd)

The Red Hat Subscription Manager (rhsmcertd) periodically checks for changes in the entitlement certificates for a registered system and updates it accordingly.
The rhsmcertd service can be disabled with the following command:

    $ sudo systemctl disable rhsmcertd.service

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: The rhsmcertd service can provide administrators with some additional control over which of their systems are entitled to particular subscriptions. However, for systems that are managed locally or which are not expected to require remote changes to their subscription status, it is unnecessary and can be disabled.

Identifiers: CCE-80270-2

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'rhsmcertd.service'
    "$SYSTEMCTL_EXEC" disable 'rhsmcertd.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rhsmcertd.socket\>' && "$SYSTEMCTL_EXEC" disable 'rhsmcertd.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'rhsmcertd.service'

Remediation Ansible snippet:

    - name: Disable service rhsmcertd
      service:
        name: rhsmcertd
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
        - service_rhsmcertd_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80270-2
        - NIST-800-53-CM-7
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service rhsmcertd if applicable
      service:
        name: rhsmcertd.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
        - service_rhsmcertd_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80270-2
        - NIST-800-53-CM-7
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Portreserve (portreserve)

The portreserve service is a TCP port reservation utility that can be used to prevent portmap from binding to well known TCP ports that are required for other services.
The portreserve service can be disabled with the following command:

    $ sudo systemctl disable portreserve.service

References: 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4

Rationale: The portreserve service provides helpful functionality by preventing conflicting usage of ports in the reserved port range, but it can be disabled if not needed.

Identifiers: CCE-80264-5

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'portreserve.service'
    "$SYSTEMCTL_EXEC" disable 'portreserve.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^portreserve.socket\>' && "$SYSTEMCTL_EXEC" disable 'portreserve.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'portreserve.service'

Remediation Ansible snippet:

    - name: Disable service portreserve
      service:
        name: portreserve
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
        - service_portreserve_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80264-5
        - NIST-800-53-AC-17(8)
        - NIST-800-53-CM-7
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service portreserve if applicable
      service:
        name: portreserve.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
        - service_portreserve_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80264-5
        - NIST-800-53-AC-17(8)
        - NIST-800-53-CM-7
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable System Statistics Reset Service (sysstat)

The sysstat service resets various I/O and CPU performance statistics to zero in order to begin counting from a fresh state at boot time.
The sysstat service can be disabled with the following command:

    $ sudo systemctl disable sysstat.service

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: By default the sysstat service merely runs a program at boot to reset the statistics, which can be retrieved using programs such as sar and sadc. These may provide useful insight into system operation, but unless used this service can be disabled.

Identifiers: CCE-80273-6

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'sysstat.service'
    "$SYSTEMCTL_EXEC" disable 'sysstat.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^sysstat.socket\>' && "$SYSTEMCTL_EXEC" disable 'sysstat.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'sysstat.service'

Remediation Ansible snippet:

    - name: Disable service sysstat
      service:
        name: sysstat
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
        - service_sysstat_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80273-6
        - NIST-800-53-CM-7
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service sysstat if applicable
      service:
        name: sysstat.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
        - service_sysstat_disabled
        - unknown_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80273-6
        - NIST-800-53-CM-7
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable Use of Strict Mode Checking

SSH's StrictModes option checks file and ownership permissions in the user's home directory .ssh folder before accepting login. If world-writable permissions are found, logon is rejected.
To enable StrictModes in SSH, add or correct the following line in the /etc/ssh/sshd_config file:

    StrictModes yes

References: RHEL-07-040450 SV-86887r3_rule 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.1.12 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 AC-17(b) PR.AC-4 PR.DS-5 SRG-OS-000480-GPOS-00227 SRG-OS-000480-VMM-002000

Rationale: If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.

Identifiers: CCE-80222-3

Remediation Shell script:

    replace_or_append '/etc/ssh/sshd_config' '^StrictModes' 'yes' 'CCE-80222-3' '%s %s'

Remediation Ansible snippet:

    - name: "Enable Use of Strict Mode Checking"
      lineinfile:
        create: yes
        dest: /etc/ssh/sshd_config
        regexp: (?i)^#?strictmodes
        line: StrictModes yes
        validate: /usr/sbin/sshd -t -f %s
      #notify: restart sshd
      tags:
        - sshd_enable_strictmodes
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80222-3
        - NIST-800-53-AC-6
        - NIST-800-53-AC-17(b)
        - NIST-800-171-3.1.12
        - DISA-STIG-RHEL-07-040450
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable SSH Support for User Known Hosts

SSH can allow system users to use host-based authentication to connect to systems if a cache of the remote systems' public keys is available. This should be disabled.

To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:

    IgnoreUserKnownHosts yes

References: RHEL-07-040380 SV-86873r3_rule 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 3.1.12 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 AC-17(b) CM-6(a) PR.IP-1 FIA_AFL.1 SRG-OS-000480-GPOS-00227

Rationale: Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.

Identifiers: CCE-80372-6

Remediation Shell script:

    replace_or_append '/etc/ssh/sshd_config' '^IgnoreUserKnownHosts' 'yes' 'CCE-80372-6' '%s %s'

Remediation Ansible snippet:

    - name: "Disable SSH Support for User Known Hosts"
      lineinfile:
        create: yes
        dest: /etc/ssh/sshd_config
        regexp: ^IgnoreUserKnownHosts
        line: IgnoreUserKnownHosts yes
        insertbefore: ^Match
        firstmatch: yes
        validate: /usr/sbin/sshd -t -f %s
      #notify: restart sshd
      tags:
        - sshd_disable_user_known_hosts
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80372-6
        - NIST-800-53-AC-17(b)
        - NIST-800-53-CM-6(a)
        - NIST-800-171-3.1.12
        - DISA-STIG-RHEL-07-040380
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable SSH Access via Empty Passwords

To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config:

    PermitEmptyPasswords no

Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.
References: RHEL-07-010300 SV-86563r3_rule 5.2.9 11 12 13 14 15 16 18 3 5 9 5.5.6 APO01.06 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.03 DSS06.06 3.1.1 3.1.5 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 5.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-3 AC-6 AC-17(b) CM-6(b) PR.AC-4 PR.AC-6 PR.DS-5 PR.IP-1 PR.PT-3 FIA_AFL.1 SRG-OS-000480-GPOS-00229 SRG-OS-000480-VMM-002000

Rationale: Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.

Identifiers: CCE-27471-2

Remediation Shell script:

    replace_or_append '/etc/ssh/sshd_config' '^PermitEmptyPasswords' 'no' 'CCE-27471-2' '%s %s'

Remediation Ansible snippet:

    - name: Disable SSH Access via Empty Passwords
      lineinfile:
        create: yes
        dest: /etc/ssh/sshd_config
        regexp: ^PermitEmptyPasswords
        line: PermitEmptyPasswords no
        validate: /usr/sbin/sshd -t -f %s
      tags:
        - sshd_disable_empty_passwords
        - high_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27471-2
        - NIST-800-53-AC-3
        - NIST-800-53-AC-6
        - NIST-800-53-AC-17(b)
        - NIST-800-53-CM-6(b)
        - NIST-800-171-3.1.1
        - NIST-800-171-3.1.5
        - CJIS-5.5.6
        - DISA-STIG-RHEL-07-010300
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Set SSH Client Alive Max Count

To ensure the SSH idle timeout occurs precisely when the ClientAliveInterval is set, edit /etc/ssh/sshd_config as follows:

    ClientAliveCountMax

References: RHEL-07-040340 SV-86865r4_rule 5.2.12 1 12 13 14 15 16 18 3 5 7 8 5.5.6 APO13.01 BAI03.01 BAI03.02 BAI03.03 DSS01.03 DSS03.05 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.1.11 CCI-001133 CCI-002361 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 6.2 A.12.4.1 A.12.4.3 A.14.1.1 A.14.2.1 A.14.2.5 A.18.1.4 A.6.1.2 A.6.1.5 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(5) SA-8 AC-12 AC-17(b) DE.CM-1 DE.CM-3 PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7 PR.IP-2 SRG-OS-000163-GPOS-00072 SRG-OS-000279-GPOS-00109A SRG-OS-000480-VMM-002000

Rationale: This ensures a user login will be terminated as soon as the ClientAliveInterval is reached.
Identifiers: CCE-27082-7

Remediation Shell script:

    var_sshd_set_keepalive=""
    replace_or_append '/etc/ssh/sshd_config' '^ClientAliveCountMax' "$var_sshd_set_keepalive" 'CCE-27082-7' '%s %s'

Remediation Ansible snippet:

    - name: XCCDF Value var_sshd_set_keepalive # promote to variable
      set_fact:
        var_sshd_set_keepalive: !!str
      tags:
        - always

    - name: Set SSH Client Alive Count
      lineinfile:
        create: yes
        dest: /etc/ssh/sshd_config
        regexp: ^ClientAliveCountMax
        line: 'ClientAliveCountMax {{ var_sshd_set_keepalive }}'
        validate: /usr/sbin/sshd -t -f %s
      #notify: restart sshd
      tags:
        - sshd_set_keepalive
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27082-7
        - NIST-800-53-AC-2(5)
        - NIST-800-53-SA-8
        - NIST-800-53-AC-12
        - NIST-800-53-AC-17(b)
        - NIST-800-171-3.1.11
        - CJIS-5.5.6
        - DISA-STIG-RHEL-07-040340
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Limit Users' SSH Access

By default, the SSH configuration allows any user with an account to access the system. In order to specify the users that are allowed to login via SSH and deny all other users, add or correct the following line in the /etc/ssh/sshd_config file:

    DenyUsers USER1 USER2

Where USER1 and USER2 are valid user names.

References: 11 12 14 15 16 18 3 5 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.03 DSS06.06 3.1.12 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-3 PR.AC-4 PR.AC-6 PR.PT-3

Rationale: Specifying which accounts are allowed SSH access into the system reduces the possibility of unauthorized access to the system.
Identifiers: CCE-80219-9

Enable SSH Warning Banner

To enable the warning banner and ensure it is consistent across the system, add or correct the following line in /etc/ssh/sshd_config:

    Banner /etc/issue

Another section contains information on how to create an appropriate system-wide warning banner.

References: RHEL-07-040170 SV-86849r4_rule 5.2.16 1 12 15 16 5.5.6 DSS05.04 DSS05.10 DSS06.10 3.1.9 CCI-000048 CCI-000050 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-8(a) AC-8(b) AC-8(c)(1) AC-8(c)(2) AC-8(c)(3) AC-17(b) PR.AC-7 FMT_MOF_EXT.1 SRG-OS-000023-GPOS-00006 SRG-OS-000024-GPOS-00007 SRG-OS-000228-GPOS-00088 SRG-OS-000023-VMM-000060

Rationale: The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.

Identifiers: CCE-27314-4

Remediation Shell script:

    grep -q ^Banner /etc/ssh/sshd_config && \
      sed -i "s/Banner.*/Banner \/etc\/issue/g" /etc/ssh/sshd_config
    if ! [ $? -eq 0 ]; then
        echo "Banner /etc/issue" >> /etc/ssh/sshd_config
    fi

Remediation Ansible snippet:

    - name: Enable SSH Warning Banner
      lineinfile:
        create: yes
        dest: /etc/ssh/sshd_config
        regexp: ^Banner
        line: Banner /etc/issue
        validate: /usr/sbin/sshd -t -f %s
      tags:
        - sshd_enable_warning_banner
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27314-4
        - NIST-800-53-AC-8(a)
        - NIST-800-53-AC-8(b)
        - NIST-800-53-AC-8(c)(1)
        - NIST-800-53-AC-8(c)(2)
        - NIST-800-53-AC-8(c)(3)
        - NIST-800-53-AC-17(b)
        - NIST-800-171-3.1.9
        - CJIS-5.5.6
        - DISA-STIG-RHEL-07-040170
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Use Only FIPS 140-2 Validated MACs

Limit the MACs to those hash algorithms which are FIPS-approved. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved MACs:

    MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1

The man page sshd_config(5) contains a list of supported MACs. Only the following message authentication codes are FIPS 140-2 certified on Red Hat Enterprise Linux 7:

- hmac-sha1
- hmac-sha2-256
- hmac-sha2-512
- hmac-sha1-etm@openssh.com
- hmac-sha2-256-etm@openssh.com
- hmac-sha2-512-etm@openssh.com

Any combination of the above MACs will pass this check.
Official FIPS 140-2 paperwork for Red Hat Enterprise Linux 7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf

References: RHEL-07-040400 SV-86877r3_rule 5.2.12 1 12 13 15 16 5 8 APO01.06 APO13.01 DSS01.04 DSS05.02 DSS05.03 DSS05.04 DSS05.07 DSS06.02 DSS06.03 3.1.13 3.13.11 3.13.8 CCI-001453 164.308(b)(1) 164.308(b)(2) 164.312(e)(1) 164.312(e)(2)(i) 164.312(e)(2)(ii) 164.314(b)(2)(i) 4.3.3.5.1 4.3.3.6.6 SR 1.1 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.6 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.11.2.6 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.6.2.1 A.6.2.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-17(b) AC-17(2) IA-7 SC-13 PR.AC-1 PR.AC-3 PR.DS-5 PR.PT-4 SRG-OS-000250-GPOS-00093 SRG-OS-000480-VMM-002000

Rationale: DoD Information Systems are required to use FIPS-approved cryptographic hash functions. The only SSHv2 hash algorithm family meeting this requirement is SHA2.

Identifiers: CCE-27455-5

Remediation Shell script:

    sshd_approved_macs=""
    replace_or_append '/etc/ssh/sshd_config' '^MACs' "$sshd_approved_macs" 'CCE-27455-5' '%s %s'

Remediation Ansible snippet:

    - name: XCCDF Value sshd_approved_macs # promote to variable
      set_fact:
        sshd_approved_macs: !!str
      tags:
        - always

    - name: "Use Only Approved MACs"
      lineinfile:
        create: yes
        dest: /etc/ssh/sshd_config
        regexp: ^MACs
        line: "MACs {{ sshd_approved_macs }}"
        validate: /usr/sbin/sshd -t -f %s
      #notify: restart sshd
      tags:
        - sshd_use_approved_macs
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27455-5
        - NIST-800-53-AC-17(b)
        - NIST-800-53-AC-17(2)
        - NIST-800-53-IA-7
        - NIST-800-53-SC-13
        - NIST-800-171-3.1.13
        - NIST-800-171-3.13.11
        - NIST-800-171-3.13.8
        - DISA-STIG-RHEL-07-040400
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Do Not Allow SSH Environment Options

To ensure users are not able to override environment options to the SSH daemon, add or correct the following line in /etc/ssh/sshd_config:

    PermitUserEnvironment no

References: RHEL-07-010460 SV-86581r3_rule 5.2.10 11 3 9 5.5.6 BAI10.01 BAI10.02 BAI10.03 BAI10.05 3.1.12 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 AC-17(b) CM-6(b) PR.IP-1 SRG-OS-000480-GPOS-00229 SRG-OS-000480-VMM-002000

Rationale: SSH environment options potentially allow users to bypass access restrictions in some configurations.
Identifiers: CCE-27363-1

Remediation Shell script:

    replace_or_append '/etc/ssh/sshd_config' '^PermitUserEnvironment' 'no' 'CCE-27363-1' '%s %s'

Remediation Ansible snippet:

    - name: Do Not Allow SSH Environment Options
      lineinfile:
        create: yes
        dest: /etc/ssh/sshd_config
        regexp: ^PermitUserEnvironment
        line: PermitUserEnvironment no
        validate: /usr/sbin/sshd -t -f %s
      tags:
        - sshd_do_not_permit_user_env
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27363-1
        - NIST-800-53-AC-17(b)
        - NIST-800-53-CM-6(b)
        - NIST-800-171-3.1.12
        - CJIS-5.5.6
        - DISA-STIG-RHEL-07-010460
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Kerberos Authentication

Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like Kerberos. To disable Kerberos authentication, add or correct the following line in the /etc/ssh/sshd_config file:

    KerberosAuthentication no

References: RHEL-07-040440 SV-86885r3_rule 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 3.1.12 CCI-000368 CCI-000318 CCI-001812 CCI-001813 CCI-001814 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-6(c) PR.IP-1 FIA_AFL.1 SRG-OS-000364-GPOS-00151 SRG-OS-000480-VMM-002000

Rationale: Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementations may be subject to exploitation.
CCE-80221-5 replace_or_append '/etc/ssh/sshd_config' '^KerberosAuthentication' 'no' 'CCE-80221-5' '%s %s' - name: "Disable Kerberos Authentication" lineinfile: create: yes dest: /etc/ssh/sshd_config regexp: (?i)^#?kerberosauthentication line: KerberosAuthentication no validate: /usr/sbin/sshd -t -f %s #notify: restart sshd tags: - sshd_disable_kerb_auth - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80221-5 - NIST-800-53-CM-6(c) - NIST-800-171-3.1.12 - DISA-STIG-RHEL-07-040440 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Allow Only SSH Protocol 2 Only SSH protocol version 2 connections should be permitted. The default setting in /etc/ssh/sshd_config is correct, and can be verified by ensuring that the following line appears: Protocol 2 As of openssh-server version 7.4 and above, the only protocol supported is version 2, and line Protocol 2 in /etc/ssh/sshd_config is not necessary. RHEL-07-040390 SV-86875r4_rule 5.2.2 1 12 15 16 5 8 5.5.6 APO13.01 DSS01.04 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.1.13 3.5.4 CCI-000197 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.6 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.13.1.1 A.13.2.1 A.14.1.3 A.18.1.4 A.6.2.1 A.6.2.2 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 AC-17(b) AC-17(8).1(ii) IA-5(1)(c) PR.AC-1 PR.AC-3 PR.AC-6 PR.AC-7 PR.PT-4 SRG-OS-000074-GPOS-00042 SRG-OS-000480-GPOS-00227 SRG-OS-000033-VMM-000140 SSH protocol version 1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. 
Exploits of the SSH daemon could provide immediate root access to the system. CCE-27320-1 replace_or_append '/etc/ssh/sshd_config' '^Protocol' '2' 'CCE-27320-1' '%s %s' - name: "Allow Only SSH Protocol 2" lineinfile: dest: /etc/ssh/sshd_config regexp: "^Protocol [0-9]" line: "Protocol 2" validate: /usr/sbin/sshd -t -f %s #notify: :reload ssh tags: - sshd_allow_only_protocol2 - high_severity - restrict_strategy - low_complexity - low_disruption - CCE-27320-1 - NIST-800-53-AC-17(b) - NIST-800-53-AC-17(8).1(ii) - NIST-800-53-IA-5(1)(c) - NIST-800-171-3.1.13 - NIST-800-171-3.5.4 - CJIS-5.5.6 - DISA-STIG-RHEL-07-040390 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable SSH Support for .rhosts Files SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via .rhosts files. To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config: IgnoreRhosts yes RHEL-07-040350 SV-86867r3_rule 5.2.6 11 12 14 15 16 18 3 5 9 5.5.6 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.03 DSS06.06 3.1.12 CCI-000366 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-3 AC-17(b) CM-6(a) PR.AC-4 PR.AC-6 PR.IP-1 PR.PT-3 FIA_AFL.1 SRG-OS-000480-GPOS-00227 SRG-OS-000107-VMM-000530 SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. 
CCE-27377-1 replace_or_append '/etc/ssh/sshd_config' '^IgnoreRhosts' 'yes' 'CCE-27377-1' '%s %s' - name: Disable SSH Support for .rhosts Files lineinfile: create: yes dest: /etc/ssh/sshd_config regexp: ^IgnoreRhosts line: IgnoreRhosts yes validate: /usr/sbin/sshd -t -f %s tags: - sshd_disable_rhosts - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27377-1 - NIST-800-53-AC-3 - NIST-800-53-AC-17(b) - NIST-800-53-CM-6(a) - NIST-800-171-3.1.12 - CJIS-5.5.6 - DISA-STIG-RHEL-07-040350 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable SSH Support for Rhosts RSA Authentication SSH can allow authentication through the obsolete rsh command through the use of the authenticating user's SSH keys. This should be disabled. To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config: RhostsRSAAuthentication no As of openssh-server version 7.4 and above, the RhostsRSAAuthentication option has been deprecated, and the line RhostsRSAAuthentication no in /etc/ssh/sshd_config is not necessary. RHEL-07-040330 SV-86863r4_rule 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 3.1.12 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-6(a) AC-17(b) PR.IP-1 FIA_AFL.1 SRG-OS-000480-GPOS-00227 Configuring this setting for the SSH daemon provides additional assurance that remove login via SSH will require a password, even in the event of misconfiguration elsewhere. 
Identifiers: CCE-80373-4

Remediation Shell script:
```bash
replace_or_append '/etc/ssh/sshd_config' '^RhostsRSAAuthentication' 'no' 'CCE-80373-4' '%s %s'
```

Remediation Ansible snippet:
```yaml
- name: Disable SSH Support for Rhosts RSA Authentication
  lineinfile:
    create: yes
    dest: /etc/ssh/sshd_config
    regexp: ^RhostsRSAAuthentication
    line: RhostsRSAAuthentication no
    validate: /usr/sbin/sshd -t -f %s
  tags:
    - sshd_disable_rhosts_rsa
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80373-4
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-17(b)
    - NIST-800-171-3.1.12
    - DISA-STIG-RHEL-07-040330
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Rule: Set LogLevel to INFO

Description: The INFO parameter specifies that login and logout activity will be logged. To specify the log level in SSH, add or correct the following line in the /etc/ssh/sshd_config file:
```
LogLevel INFO
```

Identifiers and References: CCE-80645-5; 5.2.3 AC-17(b)

Rationale: SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications, since it provides so much data that it is difficult to identify important security information. The INFO level is the basic level that only records login activity of SSH users. In many situations, such as incident response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field.

Rule: Enable Encrypted X11 Forwarding

Description: By default, remote X11 connections are not encrypted when initiated by users. SSH has the capability to encrypt remote X11 connections when SSH's X11Forwarding option is enabled. To enable X11 Forwarding, add or correct the following line in /etc/ssh/sshd_config:
```
X11Forwarding yes
```

Identifiers and References: CCE-80226-4; RHEL-07-040710 SV-86927r4_rule 5.2.4 1 11 12 13 15 16 18 20 3 4 6 9 BAI03.08 BAI07.04 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS03.01 3.1.13 CCI-000366 4.3.4.3.2 4.3.4.3.3 4.4.3.3 SR 7.6 A.12.1.1 A.12.1.2 A.12.1.4 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-2(1)(b) DE.AE-1 PR.DS-7 PR.IP-1 SRG-OS-000480-GPOS-00227

Rationale: Open X displays allow an attacker to capture keystrokes and to execute commands remotely.

Remediation Ansible snippet:
```yaml
- name: Enable Encrypted X11 Forwarding
  lineinfile:
    create: yes
    dest: /etc/ssh/sshd_config
    regexp: ^X11Forwarding
    line: X11Forwarding yes
    validate: /usr/sbin/sshd -t -f %s
  tags:
    - sshd_enable_x11_forwarding
    - high_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80226-4
    - NIST-800-53-CM-2(1)(b)
    - NIST-800-171-3.1.13
    - DISA-STIG-RHEL-07-040710
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Rule: Use Only FIPS 140-2 Validated Ciphers

Description: Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved ciphers:
```
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
```
The man page sshd_config(5) contains a list of supported ciphers. The following ciphers are FIPS 140-2 certified on Red Hat Enterprise Linux 7:
- aes128-ctr
- aes192-ctr
- aes256-ctr
- aes128-cbc
- aes192-cbc
- aes256-cbc
- 3des-cbc
- rijndael-cbc@lysator.liu.se

Any combination of the above ciphers will pass this check. Official FIPS 140-2 paperwork for Red Hat Enterprise Linux 7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf

Identifiers and References: CCE-27295-5; RHEL-07-040110 SV-86845r3_rule 5.2.10 1 11 12 14 15 16 18 3 5 6 8 9 5.5.6 APO11.04 APO13.01 BAI03.05 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.06 DSS06.10 MEA02.01 3.1.13 3.13.11 3.13.8 CCI-000068 CCI-000366 CCI-000803 164.308(b)(1) 164.308(b)(2) 164.312(e)(1) 164.312(e)(2)(i) 164.312(e)(2)(ii) 164.314(b)(2)(i) 4.3.3.2.2 4.3.3.3.9 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.5.1 A.12.6.2 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.18.1.4 A.6.1.2 A.6.2.1 A.6.2.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-3 AC-17(b) AC-17(2) AU-10(5) CM-6(b) IA-5(1)(c) IA-7 SI-7 PR.AC-1 PR.AC-3 PR.AC-4 PR.AC-6 PR.AC-7 PR.IP-1 PR.PT-1 PR.PT-3 PR.PT-4 SRG-OS-000033-GPOS-00014 SRG-OS-000120-GPOS-00061 SRG-OS-000125-GPOS-00065 SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173 SRG-OS-000033-VMM-000140 SRG-OS-000478-VMM-001980

Rationale: Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and system data may be compromised. Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets industry and government requirements. For government systems, this allows Security Levels 1, 2, 3, or 4 for use on Red Hat Enterprise Linux 7.

Remediation Shell script:
```bash
replace_or_append '/etc/ssh/sshd_config' '^Ciphers' 'aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc' 'CCE-27295-5' '%s %s'
```

Remediation Ansible snippet:
```yaml
- name: Use Only Approved Ciphers
  lineinfile:
    create: yes
    dest: /etc/ssh/sshd_config
    regexp: ^Ciphers
    line: Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
    validate: /usr/sbin/sshd -t -f %s
  #notify: restart sshd
  tags:
    - sshd_use_approved_ciphers
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27295-5
    - NIST-800-53-AC-3
    - NIST-800-53-AC-17(b)
    - NIST-800-53-AC-17(2)
    - NIST-800-53-AU-10(5)
    - NIST-800-53-CM-6(b)
    - NIST-800-53-IA-5(1)(c)
    - NIST-800-53-IA-7
    - NIST-800-53-SI-7
    - NIST-800-171-3.1.13
    - NIST-800-171-3.13.11
    - NIST-800-171-3.13.8
    - CJIS-5.5.6
    - DISA-STIG-RHEL-07-040110
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Rule: Disable Host-Based Authentication

Description: SSH's cryptographic host-based authentication is more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization.
To disable host-based authentication, add or correct the following line in /etc/ssh/sshd_config:
```
HostbasedAuthentication no
```

Identifiers and References: CCE-27413-4; RHEL-07-010470 SV-86583r3_rule 5.2.7 11 12 14 15 16 18 3 5 9 5.5.6 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.03 DSS06.06 3.1.12 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-3 AC-17 CM-6(b) PR.AC-4 PR.AC-6 PR.IP-1 PR.PT-3 FIA_AFL.1 SRG-OS-000480-GPOS-00229 SRG-OS-000480-VMM-002000

Rationale: SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.

Remediation Shell script:
```bash
grep -q ^HostbasedAuthentication /etc/ssh/sshd_config && \
  sed -i "s/HostbasedAuthentication.*/HostbasedAuthentication no/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
    echo "HostbasedAuthentication no" >> /etc/ssh/sshd_config
fi
```

Remediation Ansible snippet:
```yaml
- name: Disable Host-Based Authentication
  lineinfile:
    create: yes
    dest: /etc/ssh/sshd_config
    regexp: ^HostbasedAuthentication
    line: HostbasedAuthentication no
  tags:
    - disable_host_auth
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27413-4
    - NIST-800-53-AC-3
    - NIST-800-53-AC-17
    - NIST-800-53-CM-6(b)
    - NIST-800-171-3.1.12
    - CJIS-5.5.6
    - DISA-STIG-RHEL-07-010470
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Rule: Enable SSH Server firewalld Firewall Exception

Description: By default, inbound connections to SSH's port are allowed. If the SSH server is being used but denied by the firewall, this exception should be added to the firewall configuration. To configure firewalld to allow access, run the following command(s):
```
firewall-cmd --permanent --add-service=ssh
```

Identifiers and References: CCE-80361-9; 3.1.12 AC-17(a)

Rationale: If inbound SSH connections are expected, adding a firewall rule exception will allow remote access through the SSH port.

Remediation Ansible snippet:
```yaml
- name: Ensure firewalld is installed
  package:
    name: "{{ item }}"
    state: present
  with_items:
    - firewalld
  tags:
    - firewalld_sshd_port_enabled
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-80361-9
    - NIST-800-53-AC-17(a)
    - NIST-800-171-3.1.12
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: XCCDF Value sshd_listening_port # promote to variable
  set_fact:
    sshd_listening_port: !!str
  tags:
    - always

- name: Enable SSHD in firewalld (custom port)
  firewalld:
    port: "{{ sshd_listening_port }}/tcp"
    permanent: yes
    state: enabled
  when: sshd_listening_port != 22 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - firewalld_sshd_port_enabled
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-80361-9
    - NIST-800-53-AC-17(a)
    - NIST-800-171-3.1.12

- name: Enable SSHD in firewalld (default port)
  firewalld:
    service: ssh
    permanent: yes
    state: enabled
  when: sshd_listening_port == 22 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - firewalld_sshd_port_enabled
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-80361-9
    - NIST-800-53-AC-17(a)
    - NIST-800-171-3.1.12
```

Rule: Set SSH authentication attempt limit

Description: The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. To set MaxAuthTries, edit /etc/ssh/sshd_config as follows:
```
MaxAuthTries tries
```

Identifiers and References: 5.2.5

Rationale: Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks against the SSH server.

Rule: Use Only Strong MACs

Description: Limit the MACs to strong hash algorithms. The following line in /etc/ssh/sshd_config demonstrates use of those MACs:
```
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
```

Rationale: MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information.

Rule: Enable Use of Privilege Separation

Description: When enabled, SSH will create an unprivileged child process that has the privilege of the authenticated user. To enable privilege separation in SSH, add or correct the following line in the /etc/ssh/sshd_config file:
```
UsePrivilegeSeparation sandbox
```

Identifiers and References: RHEL-07-040460 SV-86889r3_rule 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.1.12 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 AC-17(b) PR.AC-4 PR.DS-5 SRG-OS-000480-GPOS-00227

Rationale: SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which decreases the impact of software vulnerabilities in the unprivileged section.
Identifiers: CCE-80223-1

Remediation Shell script:
```bash
replace_or_append '/etc/ssh/sshd_config' '^UsePrivilegeSeparation' 'sandbox' 'CCE-80223-1' '%s %s'
```

Remediation Ansible snippet:
```yaml
- name: "Enable use of Privilege Separation"
  lineinfile:
    create: yes
    dest: /etc/ssh/sshd_config
    regexp: (?i)^#?useprivilegeseparation
    line: UsePrivilegeSeparation sandbox
    validate: /usr/sbin/sshd -t -f %s
  #notify: restart sshd
  tags:
    - sshd_use_priv_separation
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80223-1
    - NIST-800-53-AC-6
    - NIST-800-53-AC-17(b)
    - NIST-800-171-3.1.12
    - DISA-STIG-RHEL-07-040460
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Rule: Enable SSH Print Last Log

Description: When enabled, SSH will display the date and time of the last successful account logon. To enable LastLog in SSH, add or correct the following line in the /etc/ssh/sshd_config file:
```
PrintLastLog yes
```

Identifiers and References: CCE-80225-6; RHEL-07-040360 SV-86869r3_rule 1 12 15 16 DSS05.04 DSS05.10 DSS06.10 CCI-000366 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-9 AC-17(b) PR.AC-7 SRG-OS-000480-GPOS-00227

Rationale: Providing users feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.

Remediation Shell script:
```bash
replace_or_append '/etc/ssh/sshd_config' '^PrintLastLog' 'yes' 'CCE-80225-6' '%s %s'
```

Remediation Ansible snippet:
```yaml
- name: Print last log
  lineinfile:
    create: yes
    dest: /etc/ssh/sshd_config
    regexp: ^PrintLastLog
    line: PrintLastLog yes
    validate: /usr/sbin/sshd -t -f %s
  #notify: restart sshd
  tags:
    - sshd_print_last_log
    - medium_severity
    - CCE-80225-6
    - NIST-800-53-AC-9
    - NIST-800-53-AC-17(b)
    - DISA-STIG-RHEL-07-040360
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Rule: Use Only Strong Ciphers

Description: Limit the ciphers to strong algorithms. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in /etc/ssh/sshd_config demonstrates use of those ciphers:
```
Ciphers aes128-ctr,aes192-ctr,aes256-ctr chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
```
The man page sshd_config(5) contains a list of supported ciphers.

Rationale: Based on research conducted at various institutions, it was determined that the symmetric portion of the SSH Transport Protocol (as described in RFC 4253) has security weaknesses that allowed recovery of up to 32 bits of plaintext from a block of ciphertext that was encrypted with the Cipher Block Chaining (CBC) method. From that research, new Counter mode algorithms (as described in RFC 4344) were designed that are not vulnerable to these types of attacks, and these algorithms are now recommended for standard use.

Rule: Disable GSSAPI Authentication

Description: Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like GSSAPI. To disable GSSAPI authentication, add or correct the following line in the /etc/ssh/sshd_config file:
```
GSSAPIAuthentication no
```

Identifiers and References: CCE-80220-7; RHEL-07-040430 SV-86883r3_rule 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 3.1.12 CCI-000368 CCI-000318 CCI-001812 CCI-001813 CCI-001814 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 AC-17(b) CM-6(c) PR.IP-1 FIA_AFL.1 SRG-OS-000364-GPOS-00151 SRG-OS-000480-VMM-002000

Rationale: GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system.

Remediation Shell script:
```bash
replace_or_append '/etc/ssh/sshd_config' '^GSSAPIAuthentication' 'no' 'CCE-80220-7' '%s %s'
```

Remediation Ansible snippet:
```yaml
- name: "Disable GSSAPI Authentication"
  lineinfile:
    create: yes
    dest: /etc/ssh/sshd_config
    regexp: (?i)^#?gssapiauthentication
    line: GSSAPIAuthentication no
    validate: /usr/sbin/sshd -t -f %s
  #notify: sshd -t -f %s
  tags:
    - sshd_disable_gssapi_auth
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80220-7
    - NIST-800-53-AC-17(b)
    - NIST-800-53-CM-6(c)
    - NIST-800-171-3.1.12
    - DISA-STIG-RHEL-07-040430
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Rule: Disable Compression Or Set Compression to delayed

Description: Compression is useful for slow network connections over long distances but can cause performance issues on local LANs. If use of compression is required, it should be enabled only after a user has authenticated; otherwise, it should be disabled. To disable compression or delay compression until after a user has successfully authenticated, add or correct the following line in the /etc/ssh/sshd_config file:
```
Compression no
```
or
```
Compression delayed
```

Identifiers and References: RHEL-07-040470 SV-86891r3_rule 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 3.1.12 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-6(b) PR.IP-1 SRG-OS-000480-GPOS-00227 SRG-OS-000480-VMM-002000

Rationale: If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.
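An added Python audit (example code, not part of SSG or its OVAL checks) that applies the sshd_config rules above to a constructed configuration: it reads the global section the way sshd does (first occurrence of a keyword wins, and nothing after the first Match line counts), compares each directive with the values this section requires, and treats the FIPS 140-2 cipher list and the Strong Ciphers list as alternative cipher policies. The sample configuration and the `parse_global`/`audit` names are assumptions; Protocol and RhostsRSAAuthentication are left out because the page notes they are unnecessary on openssh-server 7.4 and later.

```python
import re

# Cipher and MAC lists exactly as given in this section's rules.
FIPS_CIPHERS = {
    "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-cbc", "aes192-cbc",
    "aes256-cbc", "3des-cbc", "rijndael-cbc@lysator.liu.se",
}
STRONG_CIPHERS = {
    "chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
    "aes128-gcm@openssh.com", "aes256-ctr", "aes128-ctr",
}
STRONG_MACS = {
    "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
    "umac-128-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256",
    "hmac-ripemd160",
}
# Single-valued directives required by this section, keyed in lower case
# (sshd keywords are case-insensitive); values are the accepted settings.
EXPECTED = {
    "permituserenvironment": {"no"},
    "kerberosauthentication": {"no"},
    "gssapiauthentication": {"no"},
    "ignorerhosts": {"yes"},
    "hostbasedauthentication": {"no"},
    "permitrootlogin": {"no"},
    "compression": {"no", "delayed"},
    "printlastlog": {"yes"},
    "useprivilegeseparation": {"sandbox"},
    "x11forwarding": {"yes"},
    "loglevel": {"info"},
}

# "Keyword value" or "Keyword=value", with surrounding whitespace ignored.
LINE_RE = re.compile(r"^\s*([A-Za-z0-9]+)\s*=?\s*(.*?)\s*$")


def parse_global(text):
    """Return the global section of an sshd_config as {keyword: value}.

    sshd applies the first occurrence of each keyword, and everything after
    the first Match line is conditional, so parsing stops there.
    """
    settings = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank line or comment
        m = LINE_RE.match(raw)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break                         # conditional section begins
        settings.setdefault(key, value)   # first occurrence wins
    return settings


def audit(text, cipher_policy=FIPS_CIPHERS):
    """Return {keyword: problem} for each directive that fails this section."""
    cfg = parse_global(text)
    problems = {}
    for key, allowed in EXPECTED.items():
        value = cfg.get(key)
        if value is None:
            problems[key] = "not set explicitly (sshd default applies)"
        elif value.lower() not in allowed:
            problems[key] = "%r not in %s" % (value, sorted(allowed))
    for key, approved in (("ciphers", cipher_policy), ("macs", STRONG_MACS)):
        value = cfg.get(key)
        if value is None:
            problems[key] = "not set explicitly (sshd default list applies)"
            continue
        # Any combination of approved algorithms passes; one stray entry fails.
        rejected = [a for a in value.split(",") if a.strip() not in approved]
        if rejected:
            problems[key] = "unapproved algorithm(s): " + ",".join(rejected)
    return problems


# Constructed sample configuration, not taken from any real host.
SAMPLE_CONFIG = """\
# sshd_config excerpt (constructed)
Protocol 2
LogLevel INFO
PermitRootLogin yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitUserEnvironment no
KerberosAuthentication no
GSSAPIAuthentication yes
X11Forwarding yes
PrintLastLog yes
UsePrivilegeSeparation sandbox
Compression delayed
Ciphers aes256-ctr,aes128-ctr,arcfour
MACs hmac-sha2-512,hmac-md5-96
Match User deploy
    PermitRootLogin no
"""

if __name__ == "__main__":
    for key, problem in sorted(audit(SAMPLE_CONFIG).items()):
        print("FAIL %-24s %s" % (key, problem))
```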
Identifiers: CCE-80224-9

Remediation Shell script:
```bash
replace_or_append '/etc/ssh/sshd_config' '^Compression' 'no' 'CCE-80224-9' '%s %s'
```

Remediation Ansible snippet:
```yaml
- name: "Disable Compression or Set Compression to delayed"
  lineinfile:
    create: yes
    dest: /etc/ssh/sshd_config
    regexp: (?i)^#?compression
    line: Compression delayed
    validate: /usr/sbin/sshd -t -f %s
  #notify: restart sshd
  tags:
    - sshd_disable_compression
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80224-9
    - NIST-800-53-CM-6(b)
    - NIST-800-171-3.1.12
    - DISA-STIG-RHEL-07-040470
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Rule: Disable SSH Root Login

Description: The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in /etc/ssh/sshd_config:
```
PermitRootLogin no
```

Identifiers and References: CCE-27445-6; RHEL-07-040370 SV-86871r3_rule 5.2.8 1 11 12 13 14 15 16 18 3 5 5.5.6 APO01.06 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.02 DSS06.03 DSS06.06 DSS06.10 3.1.1 3.1.5 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.18.1.4 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-3 AC-6(2) AC-17(b) IA-2 IA-2(5) PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7 PR.DS-5 PR.PT-3 FIA_AFL.1 SRG-OS-000480-GPOS-00227 SRG-OS-000480-VMM-002000

Rationale: Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password.

Remediation Shell script:
```bash
SSHD_CONFIG='/etc/ssh/sshd_config'

# Obtain line number of first uncommented case-insensitive occurrence of Match
# block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG
FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)

# Obtain line number of first uncommented case-insensitive occurrence of
# PermitRootLogin directive (possibly prefixed with whitespace) present in
# $SSHD_CONFIG
FIRST_PERMIT_ROOT_LOGIN=$(sed -n '/^[[:space:]]*PermitRootLogin[^\n]*/I{=;q}' $SSHD_CONFIG)

# Case: Match block directive not present in $SSHD_CONFIG
if [ -z "$FIRST_MATCH_BLOCK" ]
then
    # Case: PermitRootLogin directive not present in $SSHD_CONFIG yet
    if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ]
    then
        # Append 'PermitRootLogin no' at the end of $SSHD_CONFIG
        echo -e "\nPermitRootLogin no" >> $SSHD_CONFIG
    # Case: PermitRootLogin directive present in $SSHD_CONFIG already
    else
        # Replace first uncommented case-insensitive occurrence
        # of PermitRootLogin directive
        sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG
    fi
# Case: Match block directive present in $SSHD_CONFIG
else
    # Case: PermitRootLogin directive not present in $SSHD_CONFIG yet
    if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ]
    then
        # Prepend 'PermitRootLogin no' before first uncommented
        # case-insensitive occurrence of Match block directive
        sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitRootLogin no\n\1/I" $SSHD_CONFIG
    # Case: PermitRootLogin directive present in $SSHD_CONFIG and placed
    # before first Match block directive
    elif [ "$FIRST_PERMIT_ROOT_LOGIN" -lt "$FIRST_MATCH_BLOCK" ]
    then
        # Replace first uncommented case-insensitive occurrence
        # of PermitRootLogin directive
        sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG
    # Case: PermitRootLogin directive present in $SSHD_CONFIG and placed
    # after first Match block directive
    else
        # Prepend 'PermitRootLogin no' before first uncommented
        # case-insensitive occurrence of Match block directive
        sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitRootLogin no\n\1/I" $SSHD_CONFIG
    fi
fi
```

Remediation Ansible snippet:
```yaml
- name: "Disable SSH Root Login"
  lineinfile:
    create: yes
    dest: "/etc/ssh/sshd_config"
    regexp: "^PermitRootLogin"
    line: "PermitRootLogin no"
    insertafter: '(?i)^#?authentication'
    validate: /usr/sbin/sshd -t -f %s
  #notify: restart sshd
  tags:
    - sshd_disable_root_login
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27445-6
    - NIST-800-53-AC-3
    - NIST-800-53-AC-6(2)
    - NIST-800-53-AC-17(b)
    - NIST-800-53-IA-2
    - NIST-800-53-IA-2(5)
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.5
    - CJIS-5.5.6
    - DISA-STIG-RHEL-07-040370
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Rule: Disable SSH Server If Possible (Unusual)

Description: The SSH server service, sshd, is commonly needed. However, if it can be disabled, do so. The sshd service can be disabled with the following command:
```
$ sudo systemctl disable sshd.service
```

Identifiers and References: CCE-80217-3

Rationale: This is unusual, as SSH is a common method for encrypted and authenticated remote access.

Remediation Shell script:
```bash
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'sshd.service'
"$SYSTEMCTL_EXEC" disable 'sshd.service'
# Disable socket activation if we have a unit file for it
"$SYSTEMCTL_EXEC" list-unit-files | grep -q '^sshd.socket\>' && "$SYSTEMCTL_EXEC" disable 'sshd.socket'
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'sshd.service'
```

Remediation Ansible snippet:
```yaml
- name: Disable service sshd
  service:
    name: sshd
    enabled: "no"
    state: "stopped"
  register: service_result
  failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
  tags:
    - service_sshd_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80217-3
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Disable socket of service sshd if applicable
  service:
    name: sshd.socket
    enabled: "no"
    state: "stopped"
  register: socket_result
  failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
  tags:
    - service_sshd_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80217-3
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Rule: Install the OpenSSH Server Package

Description: The openssh-server package should be installed. The openssh-server package can be installed with the following command:
```
$ sudo yum install openssh-server
```

Identifiers and References: RHEL-07-040300 SV-86857r3_rule 13 14 APO01.06 DSS05.02 DSS05.04 DSS05.07 DSS06.02 DSS06.06 CCI-002418 CCI-002420 CCI-002421 CCI-002422 SR 3.1 SR 3.8 SR 4.1 SR 4.2 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 SC-8 PR.DS-2 PR.DS-5 SRG-OS-000423-GPOS-00187 SRG-OS-000423-GPOS-00188 SRG-OS-000423-GPOS-00189 SRG-OS000423-GPOS-00190

Rationale: Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.
Identifiers: CCE-80215-7

Remediation Shell script:
```bash
package_install openssh-server
```

Remediation Ansible snippet:
```yaml
- name: Ensure openssh-server is installed
  package:
    name: openssh-server
    state: present
  tags:
    - package_openssh-server_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80215-7
    - NIST-800-53-SC-8
    - DISA-STIG-RHEL-07-040300
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Remediation Puppet snippet:
```puppet
include install_openssh-server
class install_openssh-server {
  package { 'openssh-server':
    ensure => 'installed',
  }
}
```

Remediation Anaconda snippet:
```
package --add=openssh-server
```

Rule: Remove SSH Server firewalld Firewall exception (Unusual)

Description: By default, inbound connections to SSH's port are allowed. If the SSH server is not being used, this exception should be removed from the firewall configuration. To configure firewalld to prevent access, run the following command(s):
```
firewall-cmd --permanent --remove-service=ssh
```

Identifiers and References: CCE-80218-1; 3.1.12

Rationale: If inbound SSH connections are not expected, disallowing access to the SSH port will avoid possible exploitation of the port by an attacker.

Rule: Enable the OpenSSH Service

Description: The SSH server service, sshd, is commonly needed. The sshd service can be enabled with the following command:
```
$ sudo systemctl enable sshd.service
```

Identifiers and References: CCE-80216-5; RHEL-07-040310 SV-86859r3_rule 13 14 APO01.06 DSS05.02 DSS05.04 DSS05.07 DSS06.02 DSS06.06 3.1.13 3.5.4 3.13.8 CCI-002418 CCI-002420 CCI-002421 CCI-002422 SR 3.1 SR 3.8 SR 4.1 SR 4.2 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 SC-8 PR.DS-2 PR.DS-5 SRG-OS-000423-GPOS-00187 SRG-OS-000423-GPOS-00188 SRG-OS-000423-GPOS-00189 SRG-OS000423-GPOS-00190

Rationale: Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This checklist item applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, etc.). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.

Remediation Shell script:
```bash
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'sshd.service'
"$SYSTEMCTL_EXEC" enable 'sshd.service'
```

Remediation Ansible snippet:
```yaml
- name: Enable service sshd
  service:
    name: sshd
    enabled: "yes"
    state: "started"
  tags:
    - service_sshd_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80216-5
    - NIST-800-53-SC-8
    - NIST-800-171-3.1.13
    - NIST-800-171-3.5.4
    - NIST-800-171-3.13.8
    - DISA-STIG-RHEL-07-040310
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Rule: Verify Permissions on SSH Server Public *.pub Key Files

Description: To properly set the permissions of /etc/ssh/*.pub, run the command:
```
$ sudo chmod 0644 /etc/ssh/*.pub
```

Identifiers and References: CCE-27311-0; RHEL-07-040410 SV-86879r2_rule 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.1.13 3.13.10 CCI-000366 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 SRG-OS-000480-GPOS-00227

Rationale: If a public host key file is modified by an unauthorized user, the SSH service may be compromised.

Remediation Shell script:
```bash
find /etc/ssh -regex '^/etc/ssh/.*.pub$' -exec chmod 0644 {} \;
```

Remediation Ansible snippet:
```yaml
- name: Find /etc/ssh file(s)
  find:
    paths: "/etc/ssh"
    patterns: "^.*.pub$"
    use_regex: yes
  register: files_found
  tags:
    - file_permissions_sshd_pub_key
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-27311-0
    - NIST-800-53-AC-6
    - NIST-800-171-3.1.13
    - NIST-800-171-3.13.10
    - DISA-STIG-RHEL-07-040410
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set permissions for /etc/ssh file(s)
  file:
    path: "{{ item.path }}"
    mode: 0644
  with_items:
    - "{{ files_found.files }}"
  tags:
    - file_permissions_sshd_pub_key
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-27311-0
    - NIST-800-53-AC-6
    - NIST-800-171-3.1.13
    - NIST-800-171-3.13.10
    - DISA-STIG-RHEL-07-040410
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Remediation Puppet snippet:
```puppet
include ssh_public_key_perms
class ssh_public_key_perms {
  exec { 'sshd_pub_key':
    command => "chmod 0644 /etc/ssh/*.pub",
    path    => '/bin:/usr/bin'
  }
}
```

Rule: Verify Permissions on SSH Server Private *_key Key Files

Description: To properly set the permissions of /etc/ssh/*_key, run the command:
```
$ sudo chmod 0640 /etc/ssh/*_key
```

Identifiers and References: RHEL-07-040420 SV-86881r3_rule 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.1.13 3.13.10 CCI-000366 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 AC-17 PR.AC-4 PR.DS-5 SRG-OS-000480-GPOS-00227

Rationale: If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
CCE-27485-2 find /etc/ssh -regex '^/etc/ssh/.*_key$' -exec chmod 0640 {} \; - name: Find /etc/ssh file(s) find: paths: "/etc/ssh" patterns: "^.*_key$" use_regex: yes register: files_found tags: - file_permissions_sshd_private_key - medium_severity - configure_strategy - low_complexity - low_disruption - CCE-27485-2 - NIST-800-53-AC-6 - NIST-800-53-AC-17 - NIST-800-171-3.1.13 - NIST-800-171-3.13.10 - DISA-STIG-RHEL-07-040420 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set permissions for /etc/ssh file(s) file: path: "{{ item.path }}" mode: 0640 with_items: - "{{ files_found.files }}" tags: - file_permissions_sshd_private_key - medium_severity - configure_strategy - low_complexity - low_disruption - CCE-27485-2 - NIST-800-53-AC-6 - NIST-800-53-AC-17 - NIST-800-171-3.1.13 - NIST-800-171-3.13.10 - DISA-STIG-RHEL-07-040420 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") include ssh_private_key_perms class ssh_private_key_perms { exec { 'sshd_priv_key': command => "chmod 0640 /etc/ssh/*_key", path => '/bin:/usr/bin' } } Remove SSH Server iptables Firewall exception (Unusual) By default, inbound connections to SSH's port are allowed. If the SSH server is not being used, this exception should be removed from the firewall configuration. Edit the files /etc/sysconfig/iptables and /etc/sysconfig/ip6tables (if IPv6 is in use). In each file, locate and delete the line: -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT This is unusual, as SSH is a common method for encrypted and authenticated remote access. If inbound SSH connections are not expected, disallowing access to the SSH port will avoid possible exploitation of the port by an attacker. 
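The two host key rules above give only the chmod remediation. The script below is an added example, not part of the SCAP Security Guide, that audits the same files the way a check reasons about them: a file is flagged only when it carries a permission bit beyond the target (0644 for *.pub, 0640 for *_key), so a private key at 0600 passes, and the chmod is applied only to files that need it, which makes reruns silent. It assumes GNU find (for -perm /MODE and -printf); the directory in the demo is populated with constructed sample files, not a real /etc/ssh.

```shell
#!/bin/bash
# Added example (not SCAP Security Guide code): audit and repair SSH host key
# file modes. Assumes GNU find. A file is reported only if it has a permission
# bit BEYOND the target; narrower modes such as 0600 are accepted.
#
# 0644 (rw-r--r--) leaves 07133 forbidden: setuid/setgid/sticky, u+x, g+w, g+x, o+w, o+x.
# 0640 (rw-r-----) additionally forbids o+r: 07137.
PUB_FORBIDDEN=7133
KEY_FORBIDDEN=7137

# audit_ssh_key_perms [DIR]: print "MODE PATH (want <= TARGET)" for every
# offending host key file in DIR (default /etc/ssh); return 1 if any, else 0.
audit_ssh_key_perms() {
    sshdir="${1:-/etc/ssh}"
    offenders=$(
        find "$sshdir" -maxdepth 1 -type f -name '*.pub' -perm "/$PUB_FORBIDDEN" \
            -printf '%m %p (want <= 0644)\n'
        find "$sshdir" -maxdepth 1 -type f -name '*_key' -perm "/$KEY_FORBIDDEN" \
            -printf '%m %p (want <= 0640)\n'
    )
    [ -z "$offenders" ] && return 0
    printf '%s\n' "$offenders"
    return 1
}

# fix_ssh_key_perms [DIR]: the guide's chmod remediation, applied only to the
# files the audit would flag; prints exactly the files it changed.
fix_ssh_key_perms() {
    sshdir="${1:-/etc/ssh}"
    find "$sshdir" -maxdepth 1 -type f -name '*.pub' -perm "/$PUB_FORBIDDEN" \
        -exec chmod 0644 {} \; -print
    find "$sshdir" -maxdepth 1 -type f -name '*_key' -perm "/$KEY_FORBIDDEN" \
        -exec chmod 0640 {} \; -print
}

# Demo on a constructed directory (sample files, not a real /etc/ssh).
demo_dir=$(mktemp -d)
touch "$demo_dir/ssh_host_rsa_key" "$demo_dir/ssh_host_rsa_key.pub" "$demo_dir/ssh_host_ed25519_key"
chmod 0644 "$demo_dir/ssh_host_rsa_key"       # world-readable private key: flagged
chmod 0755 "$demo_dir/ssh_host_rsa_key.pub"   # executable public key: flagged
chmod 0600 "$demo_dir/ssh_host_ed25519_key"   # narrower than 0640: accepted
echo "before:"; audit_ssh_key_perms "$demo_dir"
echo "fixing:"; fix_ssh_key_perms "$demo_dir"
echo "after:";  audit_ssh_key_perms "$demo_dir" && echo "all host key modes within target"
rm -rf "$demo_dir"
```

Run it as root against the real directory with audit_ssh_key_perms /etc/ssh; the exit status makes it usable directly from a compliance job.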
Configure System to Forward All Mail For The Root Account
Set up an alias for root that forwards to a monitored email address (the address goes after the colon). Note that with plain sudo echo ... >> /etc/aliases the redirection is performed by the unprivileged shell, so write the line through tee instead:
    $ echo "root: " | sudo tee -a /etc/aliases
    $ sudo newaliases
A number of system services utilize email messages sent to the root user to notify system administrators of active or impending issues. These messages must be forwarded to at least one monitored email address.

Disable Postfix Network Listening
Edit the file /etc/postfix/main.cf to ensure that only the following inet_interfaces line appears:
    inet_interfaces = localhost
2.2.15 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 CCI-000382 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3
This ensures Postfix accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack.
CCE-80289-2

Prevent Unrestricted Mail Relaying
Modify the /etc/postfix/main.cf file to restrict client connections to the local network with the following command:
    $ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'
CCI-000366 SRG-OS-000480-GPOS-00227 RHEL-07-040680 SV-86921r3_rule
If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.
CCE-80512-7

if ! grep -q ^smtpd_client_restrictions /etc/postfix/main.cf; then
    echo "smtpd_client_restrictions = permit_mynetworks,reject" >> /etc/postfix/main.cf
else
    sed -i "s/^smtpd_client_restrictions.*/smtpd_client_restrictions = permit_mynetworks,reject/g" /etc/postfix/main.cf
fi

Configure SMTP Greeting Banner
Edit /etc/postfix/main.cf, and add or correct the following line, substituting some other wording for the banner information if you prefer:
    smtpd_banner = $myhostname ESMTP
1 14 15 16 3 5 6 7 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AC-22 AU-13 DE.CM-3 PR.PT-1
The default greeting banner discloses that the listening mail process is Postfix. When remote mail senders connect to the MTA on port 25, they are greeted by an initial banner as part of the SMTP dialogue. This banner is necessary, but it frequently gives away too much information, including the MTA software which is in use, and sometimes also its version number. Remote mail senders do not need this information in order to send mail, so the banner should be changed to reveal only the hostname (which is already known and may be useful) and the word ESMTP, to indicate that the modern SMTP protocol variant is supported.
CCE-80290-0

Uninstall Sendmail Package
Sendmail is not the default mail transfer agent and is not installed by default.
The sendmail package can be removed with the following command: $ sudo yum erase sendmail 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead. CCE-80288-4 package_remove sendmail - name: Ensure sendmail is removed package: name: sendmail state: absent tags: - package_sendmail_removed - medium_severity - disable_strategy - low_complexity - low_disruption - CCE-80288-4 - NIST-800-53-CM-7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") include remove_sendmail class remove_sendmail { package { 'sendmail': ensure => 'purged', } } package --remove=sendmail Enable Postfix Service The Postfix mail transfer agent is used for local mail delivery within the system. The default configuration only listens for connections to the default SMTP port (port 25) on the loopback interface (127.0.0.1). It is recommended to leave this service enabled for local mail delivery. The postfix service can be enabled with the following command: $ sudo systemctl enable postfix.service Local mail delivery is essential to some system maintenance and notification tasks. 
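The Postfix rules above (inet_interfaces, smtpd_client_restrictions, smtpd_banner) can be verified and applied without a running mail system by parsing and editing main.cf directly. The script below is an added example, not SCAP Security Guide code. It assumes Postfix's main.cf semantics: lines whose first non-blank character is # are comments, a line that starts with whitespace continues the previous parameter, and when a parameter is defined more than once the last definition wins. That last rule is why postfix_set removes every earlier definition instead of appending one line, which is also what the guide's grep/sed remediation achieves; a stale duplicate further down would otherwise silently override the hardened value. The main.cf in the demo is constructed sample content.

```shell
#!/bin/bash
# Added example (not SCAP Security Guide code): read, check and set main.cf
# parameters offline. Assumed semantics: '#'-led lines are comments,
# whitespace-led lines continue the previous parameter, last definition wins.

# postfix_get FILE PARAM: print the effective value of PARAM (empty if unset).
postfix_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                               # comment
        /^[ \t]/   { if (inkey) val = val " " $0; next }   # continuation of the matched parameter
        {
            inkey = 0
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
            if (name == key) { val = substr($0, eq + 1); inkey = 1 }   # a later definition overrides
        }
        END {
            gsub(/^[ \t]+|[ \t]+$/, "", val); gsub(/[ \t]+/, " ", val)
            print val
        }' "$1"
}

# postfix_set FILE PARAM VALUE: drop every existing definition of PARAM
# (with its continuation lines) and append exactly one new definition.
postfix_set() {
    tmp=$(mktemp)
    awk -v key="$2" '
        /^[ \t]*#/ { print; next }
        /^[ \t]/   { if (!skip) print; next }             # keep continuation unless its head was dropped
        {
            skip = 0
            eq = index($0, "=")
            if (eq > 0) {
                name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
                if (name == key) { skip = 1; next }
            }
            print
        }' "$1" > "$tmp" && printf '%s = %s\n' "$2" "$3" >> "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# postfix_check FILE: verify the three settings; print each deviation, return 1 on any.
postfix_check() {
    rc=0
    v=$(postfix_get "$1" inet_interfaces)
    [ "$v" = "localhost" ] || { echo "inet_interfaces = '$v' (want localhost)"; rc=1; }
    v=$(postfix_get "$1" smtpd_client_restrictions)
    [ "$v" = "permit_mynetworks,reject" ] || { echo "smtpd_client_restrictions = '$v' (want permit_mynetworks,reject)"; rc=1; }
    v=$(postfix_get "$1" smtpd_banner)
    [ "$v" = '$myhostname ESMTP' ] || { echo "smtpd_banner = '$v' (want \$myhostname ESMTP)"; rc=1; }
    return $rc
}

# Demo on a constructed main.cf (sample content, not a real /etc/postfix/main.cf).
demo_cf=$(mktemp)
cat > "$demo_cf" <<'EOF'
# constructed sample
inet_interfaces = all
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_client_restrictions = permit_mynetworks,reject
smtpd_client_restrictions = permit
EOF
echo "before:"; postfix_check "$demo_cf"
postfix_set "$demo_cf" inet_interfaces localhost
postfix_set "$demo_cf" smtpd_client_restrictions permit_mynetworks,reject
postfix_set "$demo_cf" smtpd_banner '$myhostname ESMTP'
echo "after:"; postfix_check "$demo_cf" && echo "main.cf settings compliant"
rm -f "$demo_cf"
```

On a live system, postconf -n shows the values Postfix actually uses and is the authoritative check; the offline parser is for images, backups and configuration repositories. Postfix also accepts inet_interfaces = loopback-only (every loopback address, IPv4 and IPv6); the guide's text, and therefore postfix_check, requires the literal localhost.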
CCE-80287-6
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'postfix.service'
"$SYSTEMCTL_EXEC" enable 'postfix.service'

- name: Enable service postfix
  service:
    name: postfix
    enabled: "yes"
    state: "started"
  tags:
    - service_postfix_enabled
    - unknown_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80287-6
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure Dovecot to Use the SSL Key file
This option tells Dovecot where to find the mail server's SSL key. Edit /etc/dovecot/conf.d/10-ssl.conf and add or correct the following line (note: the path below is the default path set by the Dovecot installation; if you are using a different path, ensure you reference the appropriate file). The leading < tells Dovecot to read the value from the named file rather than treating the path itself as the value:
    ssl_key = </etc/pki/dovecot/private/dovecot.pem
SSL certificates are used by the client to authenticate the identity of the server, as well as to encrypt credentials and message traffic. Not using SSL to encrypt mail server traffic could allow unauthorized access to credentials and mail messages since they are sent in plain text over the network.
CCE-80298-3

Disable Plaintext Authentication
To prevent Dovecot from attempting plaintext authentication of clients, edit /etc/dovecot/conf.d/10-auth.conf and add or correct the following line:
    disable_plaintext_auth = yes
With this setting Dovecot still accepts plaintext mechanisms such as PLAIN and LOGIN on connections it considers secure, that is, over TLS or from localhost; what it refuses is sending a password in the clear across the network.
Using plain text authentication to the mail server could allow an attacker access to credentials by monitoring network traffic.
CCE-80299-1

Enable the SSL flag in /etc/dovecot.conf
To allow clients to make encrypted connections, the ssl flag in Dovecot's configuration file needs to be set to yes. Edit /etc/dovecot/conf.d/10-ssl.conf and add or correct the following line:
    ssl = yes
ssl = yes offers TLS but still accepts unencrypted connections; ssl = required refuses any connection that is not encrypted, which is the stricter choice where every client supports TLS.
SSL encrypts network traffic between the Dovecot server and its clients, protecting user credentials and mail as it is downloaded; clients may also use the server's SSL certificate to authenticate the server, preventing another system from impersonating it.
CCE-80296-7

Configure Dovecot to Use the SSL Certificate file
This option tells Dovecot where to find the mail server's SSL certificate. Edit /etc/dovecot/conf.d/10-ssl.conf and add or correct the following line (note: the path below is the default path set by the Dovecot installation; if you are using a different path, ensure you reference the appropriate file):
    ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
SSL certificates are used by the client to authenticate the identity of the server, as well as to encrypt credentials and message traffic. Not using SSL to encrypt mail server traffic could allow unauthorized access to credentials and mail messages since they are sent in plain text over the network.
CCE-80297-5

Disable Dovecot Service
The dovecot service can be disabled with the following command:
    $ sudo systemctl disable dovecot.service
2.2.11
Running an IMAP or POP3 server provides a network-based avenue of attack, and should be disabled if not needed.
CCE-80294-2
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'dovecot.service'
"$SYSTEMCTL_EXEC" disable 'dovecot.service'
# Disable socket activation if we have a unit file for it
"$SYSTEMCTL_EXEC" list-unit-files | grep -q '^dovecot.socket\>' && "$SYSTEMCTL_EXEC" disable 'dovecot.socket'
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'dovecot.service' - name: Disable service dovecot service: name: dovecot enabled: "no" state: "stopped" register: service_result failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)" tags: - service_dovecot_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - CCE-80294-2 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Disable socket of service dovecot if applicable service: name: dovecot.socket enabled: "no" state: "stopped" register: socket_result failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)" tags: - service_dovecot_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - CCE-80294-2 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Uninstall dovecot Package The dovecot package can be removed with the following command: $ sudo yum erase dovecot If there is no need to make the Dovecot software available, removing it provides a safeguard against its activation. CCE-80295-9 package_remove dovecot - name: Ensure dovecot is removed package: name: dovecot state: absent tags: - package_dovecot_removed - unknown_severity - disable_strategy - low_complexity - low_disruption - CCE-80295-9 include remove_dovecot class remove_dovecot { package { 'dovecot': ensure => 'purged', } } package --remove=dovecot Uninstall the nis package The support for Yellowpages should not be installed unless it is required. NIS is the historical SUN service for central account management, more and more replaced by LDAP. NIS does not support efficiently security constraints, ACL, etc. and should not be used. Uninstall the inet-based telnet server The inet-based telnet daemon should be uninstalled. 
NT007(R03) 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4
telnet allows clear-text communications and does not protect any data transmitted between client and server. Any confidential data can be eavesdropped, and no integrity checking is performed.

Uninstall the ntpdate package
ntpdate is a historical NTP synchronization client for Unix systems. It should be uninstalled.
ntpdate is an old NTP client that does not meet current security requirements. It should be replaced by a modern NTP client such as ntpd, which can use the cryptographic authentication mechanisms built into NTP.
package_remove ntpdate

- name: Ensure ntpdate is removed
  package:
    name: ntpdate
    state: absent
  tags:
    - package_ntpdate_removed
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption

include remove_ntpdate
class remove_ntpdate {
  package { 'ntpdate':
    ensure => 'purged',
  }
}

package --remove=ntpdate

Uninstall the ssl compliant telnet server
The telnet daemon, even with SSL support, should be uninstalled.
NT007(R02) 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4
telnet, even with SSL support, should not be installed. When a remote shell is required, an up-to-date SSH daemon can be used instead.

Uninstall the telnet server
The telnet daemon should be uninstalled.
NT007(R03) 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4
telnet allows clear-text communications and does not protect any data transmitted between client and server. Any confidential data can be eavesdropped, and no integrity checking is performed.
Use Root-Squashing on All Exports
If a filesystem is exported using root squashing, requests from root on the client are considered to be unprivileged (mapped to a user such as nobody). This provides some mild protection against remote abuse of an NFS server. Root squashing is enabled by default, and should not be disabled. Ensure that no line in /etc/exports contains the option no_root_squash.
If the NFS server allows root access to local file systems from remote hosts, this access could be used to compromise the system.
CCE-80241-3

Ensure All-Squashing Disabled On All Exports
The all_squash option maps all uids and gids to an anonymous user. This should be disabled by removing any instances of the all_squash option from the file /etc/exports.
The all_squash option maps all client requests to a single anonymous uid/gid on the NFS server, negating the ability to track file access by user ID.

Use Kerberos Security on All Exports
Using Kerberos on all exported mounts prevents a malicious client or user from impersonating a system user. To cryptographically authenticate users to the NFS server, add sec=krb5:krb5i:krb5p to each export in /etc/exports. Listing the three flavours lets the client pick any of them: krb5 authenticates only, krb5i adds integrity protection of each request, krb5p additionally encrypts the traffic.
1 12 14 15 16 18 3 5 DSS05.04 DSS05.10 DSS06.10 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.3 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.6.1.2 A.9.1.2 A.9.2.1 A.9.2.3 A.9.2.4 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-14(1) PR.AC-4 PR.AC-7 SRG-OS-000480-GPOS-00227
When an NFS server is configured to use AUTH_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The AUTH_GSS method of authentication uses Kerberos credentials held on the server and client systems (rather than a UID/GID asserted by the client) to more securely authenticate the remote mount request.
CCE-27464-7 Ensure Insecure File Locking is Not Allowed By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients send credentials with file lock requests, however, there are a few clients that do not send credentials when requesting a file-lock, allowing the client to only be able to lock world-readable files. To get around this, the insecure_locks option can be used so these clients can access the desired export. This poses a security risk by potentially allowing the client access to data for which it does not have authorization. Remove any instances of the insecure_locks option from the file /etc/exports. CCI-000764 Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user. CCE-80243-9 Restrict NFS Clients to Privileged Ports By default, the server NFS implementation requires that all client requests be made from ports less than 1024. If your organization has control over systems connected to its network, and if NFS requests are prohibited at the border firewall, this offers some protection against malicious requests from unprivileged users. Therefore, the default should not be changed. To ensure that the default has not been changed, ensure no line in /etc/exports contains the option insecure. 
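The exports rules above (no no_root_squash, no all_squash, sec=krb5:krb5i:krb5p on every export, no insecure_locks, no insecure) are all conditions on the option list of each client entry in /etc/exports. The script below is an added example, not SCAP Security Guide code, that audits a file in exports(5) format for all five in one pass. It assumes the standard syntax (# comments, backslash line continuation, a client without a parenthesised option list getting the defaults root_squash, secure and sec=sys) and additionally flags the classic "client (options)" mistake, where the space detaches the options so that they apply to every host. The exports file in the demo is constructed sample content.

```shell
#!/bin/bash
# Added example (not SCAP Security Guide code): audit an exports(5)-format
# file for every option the rules above forbid or require.
# Assumed format:  /path  client1(opt,opt)  client2(opt)   # comment
# '#' starts a comment, a trailing backslash continues the line, and a client
# written without a parenthesised list gets the defaults (root_squash, secure,
# sec=sys). Prints one finding per line as "PATH CLIENT: reason" and returns 1
# if there was at least one finding, 0 if the file is clean.
audit_exports() {
    # join backslash-continued lines, strip comments, then parse with awk
    sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$1" | sed -e 's/#.*//' | awk '
    function hit(client, why) { print path " " client ": " why; found = 1 }
    NF == 0 { next }
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            f = $i
            if (substr(f, 1, 1) == "(") {
                # "client (opts)": the options now belong to the wildcard client "*"
                # and the named client silently gets the defaults
                hit(f, "options separated from client by a space; they apply to every host (*)")
                continue
            }
            client = f; opts = ""
            p = index(f, "(")
            if (p > 0) {
                client = substr(f, 1, p - 1)
                opts = substr(f, p + 1); sub(/[)]$/, "", opts)
            }
            n = split(opts, o, ",")
            krb = 0
            for (j = 1; j <= n; j++) {
                if (o[j] == "no_root_squash") hit(client, "no_root_squash (client root is root on the server)")
                if (o[j] == "all_squash")     hit(client, "all_squash (per-user accountability lost)")
                if (o[j] == "insecure_locks" || o[j] == "no_auth_nlm") hit(client, "insecure_locks (unauthenticated lock requests)")
                if (o[j] == "insecure")       hit(client, "insecure (unprivileged client source ports allowed)")
                if (o[j] ~ /^sec=/) {
                    # every listed flavour must be a Kerberos one; sys or none anywhere is a finding
                    krb = 1
                    m = split(substr(o[j], 5), fl, ":")
                    for (k = 1; k <= m; k++) if (fl[k] !~ /^krb5/) krb = 0
                }
            }
            if (!krb) hit(client, "no Kerberos sec= flavour (AUTH_SYS: UID/GID asserted by the client)")
        }
    }
    END { exit found ? 1 : 0 }'
}

# Demo on a constructed exports file (sample content, not a real /etc/exports).
demo_exports=$(mktemp)
cat > "$demo_exports" <<'EOF'
# constructed sample
/srv/good  10.0.0.0/24(rw,sync,sec=krb5:krb5i:krb5p)
/srv/bad   10.0.0.0/24(rw,no_root_squash,insecure) \
           *.example.com(ro,all_squash)
/srv/oops  10.0.0.5 (rw)
EOF
audit_exports "$demo_exports" && echo "no findings"
rm -f "$demo_exports"
```

The file on disk is only half the picture: exportfs -v shows the options the running server has actually applied, including defaults the file leaves implicit, and is the right place to confirm a fix after exportfs -ra.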
11 12 14 15 16 18 3 5 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.03 DSS06.06 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-3 PR.AC-4 PR.AC-6 PR.PT-3
Allowing client requests to be made from ports higher than 1024 could allow an unprivileged user to initiate an NFS connection. If the unprivileged user account has been compromised, an attacker could gain access to data on the NFS server.
CCE-80242-1

Disable Secure RPC Client Service (rpcgssd)
The rpcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcgssd service is the client-side of RPCSEC GSS. If the system does not require secure RPC then this service should be disabled. A system that mounts NFS exports with sec=krb5, as the mount rules below require, does need rpcgssd, so disable it only where no Kerberos-secured RPC is in use. The rpcgssd service can be disabled with the following command:
    $ sudo systemctl disable rpcgssd.service
CCE-80229-8
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'rpcgssd.service'
"$SYSTEMCTL_EXEC" disable 'rpcgssd.service'
# Disable socket activation if we have a unit file for it
"$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rpcgssd.socket\>' && "$SYSTEMCTL_EXEC" disable 'rpcgssd.socket'
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'rpcgssd.service' - name: Disable service rpcgssd service: name: rpcgssd enabled: "no" state: "stopped" register: service_result failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)" tags: - service_rpcgssd_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - CCE-80229-8 - name: Disable socket of service rpcgssd if applicable service: name: rpcgssd.socket enabled: "no" state: "stopped" register: socket_result failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)" tags: - service_rpcgssd_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - CCE-80229-8 Disable RPC ID Mapping Service (rpcidmapd) The rpcidmapd service is used to map user names and groups to UID and GID numbers on NFSv4 mounts. If NFS is not in use on the local system then this service should be disabled. The rpcidmapd service can be disabled with the following command: $ sudo systemctl disable rpcidmapd.service CCE-80231-4 SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" stop 'rpcidmapd.service' "$SYSTEMCTL_EXEC" disable 'rpcidmapd.service' # Disable socket activation if we have a unit file for it "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rpcidmapd.socket\>' && "$SYSTEMCTL_EXEC" disable 'rpcidmapd.socket' # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. 
"$SYSTEMCTL_EXEC" reset-failed 'rpcidmapd.service' - name: Disable service rpcidmapd service: name: rpcidmapd enabled: "no" state: "stopped" register: service_result failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)" tags: - service_rpcidmapd_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - CCE-80231-4 - name: Disable socket of service rpcidmapd if applicable service: name: rpcidmapd.socket enabled: "no" state: "stopped" register: socket_result failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)" tags: - service_rpcidmapd_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - CCE-80231-4 Disable Network File System Lock Service (nfslock) The Network File System Lock (nfslock) service starts the required remote procedure call (RPC) processes which allow clients to lock files on the server. If the local system is not configured to mount NFS filesystems then this service should be disabled. The nfslock service can be disabled with the following command: $ sudo systemctl disable nfslock.service CCE-80228-0 SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" stop 'nfslock.service' "$SYSTEMCTL_EXEC" disable 'nfslock.service' # Disable socket activation if we have a unit file for it "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^nfslock.socket\>' && "$SYSTEMCTL_EXEC" disable 'nfslock.socket' # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. 
"$SYSTEMCTL_EXEC" reset-failed 'nfslock.service' - name: Disable service nfslock service: name: nfslock enabled: "no" state: "stopped" register: service_result failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)" tags: - service_nfslock_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - CCE-80228-0 - name: Disable socket of service nfslock if applicable service: name: nfslock.socket enabled: "no" state: "stopped" register: socket_result failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)" tags: - service_nfslock_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - CCE-80228-0 Disable rpcbind Service The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The rpcbind service redirects the client to the proper port number so it can communicate with the requested service. If the system does not require RPC (such as for NFS servers) then this service should be disabled. The rpcbind service can be disabled with the following command: $ sudo systemctl disable rpcbind.service 2.2.7 CCE-80230-6 SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" stop 'rpcbind.service' "$SYSTEMCTL_EXEC" disable 'rpcbind.service' # Disable socket activation if we have a unit file for it "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rpcbind.socket\>' && "$SYSTEMCTL_EXEC" disable 'rpcbind.socket' # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. 
"$SYSTEMCTL_EXEC" reset-failed 'rpcbind.service' - name: Disable service rpcbind service: name: rpcbind enabled: "no" state: "stopped" register: service_result failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)" tags: - service_rpcbind_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - CCE-80230-6 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Disable socket of service rpcbind if applicable service: name: rpcbind.socket enabled: "no" state: "stopped" register: socket_result failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)" tags: - service_rpcbind_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - CCE-80230-6 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable Network File Systems (netfs) The netfs script manages the boot-time mounting of several types of networked filesystems, of which NFS and Samba are the most common. If these filesystem types are not in use, the script can be disabled, protecting the system somewhat against accidental or malicious changes to /etc/fstab and against flaws in the netfs script itself. The netfs service can be disabled with the following command: $ sudo systemctl disable netfs.service Configure lockd to use static UDP port Configure the lockd daemon to use a static UDP port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file /etc/sysconfig/nfs. Add or correct the following line: LOCKD_UDPPORT=lockd-port Where lockd-port is a port which is not used by any other service on your network. Restricting services to always use a given port enables firewalling to be done more effectively. 
CCE-80233-0

Configure lockd to use static TCP port
Configure the lockd daemon to use a static TCP port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file /etc/sysconfig/nfs. Add or correct the following line:
    LOCKD_TCPPORT=lockd-port
Where lockd-port is a port which is not used by any other service on your network.
Restricting services to always use a given port enables firewalling to be done more effectively.
CCE-80232-2

Configure statd to use static port
Configure the statd daemon to use a static port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file /etc/sysconfig/nfs. Add or correct the following line:
    STATD_PORT=statd-port
Where statd-port is a port which is not used by any other service on your network.
Restricting services to always use a given port enables firewalling to be done more effectively.
CCE-80234-8

Configure mountd to use static port
Configure the mountd daemon to use a static port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file /etc/sysconfig/nfs. Add or correct the following line:
    MOUNTD_PORT=mountd-port
Where mountd-port is a port which is not used by any other service on your network.
Restricting services to always use a given port enables firewalling to be done more effectively.
CCE-80235-5

Mount Remote Filesystems with noexec
Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.
RHEL-07-021021 SV-87813r2_rule 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 CCI-000366 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 SRG-OS-000480-GPOS-00227
The noexec mount option causes the system not to execute binary files.
This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. CCE-80436-9 include_mount_options_functions ensure_mount_option_for_vfstype "nfs[4]?" "noexec" - name: "Get nfs and nfs4 mount points, that don't have noexec" shell: grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | grep -v "noexec" | awk '{print $2}' register: points_register check_mode: no changed_when: False tags: - mount_option_noexec_remote_filesystems - medium_severity - configure_strategy - low_complexity - medium_disruption - CCE-80436-9 - NIST-800-53-AC-6 - DISA-STIG-RHEL-07-021021 - name: "Add noexec to mount points" shell: awk '$2=="{{ item }}"{$4=$4",noexec"}1' /etc/fstab > fstab.tmp && mv fstab.tmp /etc/fstab with_items: - "{{ points_register.stdout_lines }}" when: (points_register.stdout | length > 0) and True tags: - mount_option_noexec_remote_filesystems - medium_severity - configure_strategy - low_complexity - medium_disruption - CCE-80436-9 - NIST-800-53-AC-6 - DISA-STIG-RHEL-07-021021 Mount Remote Filesystems with Kerberos Security Add the sec=krb5:krb5i:krb5p option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts. RHEL-07-040750 SV-86935r4_rule 1 12 14 15 16 18 3 5 DSS05.04 DSS05.10 DSS06.10 CCI-000366 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.3 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.6.1.2 A.9.1.2 A.9.2.1 A.9.2.3 A.9.2.4 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-14(1) PR.AC-4 PR.AC-7 SRG-OS-000480-GPOS-00227 When an NFS server is configured to use AUTH_SYS a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. 
The RPCSEC_GSS (AUTH_GSS) method with the krb5 security flavors instead authenticates the remote mount request with Kerberos credentials held on the server and client (host keytabs and user tickets), so the server no longer trusts a client-asserted UID and GID; krb5i additionally protects the integrity of each request and krb5p also encrypts the traffic.
CCE-27458-9
include_mount_options_functions
ensure_mount_option_for_vfstype "nfs[4]?" "sec=krb5:krb5i:krb5p"

- name: "Get nfs and nfs4 mount points, that don't have Kerberos security option"
  shell: grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | grep -v "sec=krb5:krb5i:krb5p" | awk '{print $2}'
  register: points_register
  check_mode: no
  changed_when: False
  tags:
    - mount_option_krb_sec_remote_filesystems
    - medium_severity
    - configure_strategy
    - low_complexity
    - medium_disruption
    - CCE-27458-9
    - NIST-800-53-AC-14(1)
    - DISA-STIG-RHEL-07-040750

- name: "Add Kerberos security to mount points"
  shell: awk '$2=="{{ item }}"{$4=$4",sec=krb5:krb5i:krb5p"}1' /etc/fstab > fstab.tmp && mv fstab.tmp /etc/fstab
  with_items:
    - "{{ points_register.stdout_lines }}"
  when: (points_register.stdout | length > 0) and True
  tags:
    - mount_option_krb_sec_remote_filesystems
    - medium_severity
    - configure_strategy
    - low_complexity
    - medium_disruption
    - CCE-27458-9
    - NIST-800-53-AC-14(1)
    - DISA-STIG-RHEL-07-040750

Mount Remote Filesystems with nosuid
Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.
RHEL-07-021020 SV-86669r2_rule 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 CCI-000366 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 SRG-OS-000480-GPOS-00227
NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem.
CCE-80240-5
include_mount_options_functions
ensure_mount_option_for_vfstype "nfs[4]?"
"nosuid" - name: "Get nfs and nfs4 mount points, that don't have nosuid" shell: grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | grep -v "nosuid" | awk '{print $2}' register: points_register check_mode: no changed_when: False tags: - mount_option_nosuid_remote_filesystems - medium_severity - configure_strategy - low_complexity - medium_disruption - CCE-80240-5 - NIST-800-53-AC-6 - DISA-STIG-RHEL-07-021020 - name: "Add nosuid to mount points" shell: awk '$2=="{{ item }}"{$4=$4",nosuid"}1' /etc/fstab > fstab.tmp && mv fstab.tmp /etc/fstab with_items: - "{{ points_register.stdout_lines }}" when: (points_register.stdout | length > 0) and True tags: - mount_option_nosuid_remote_filesystems - medium_severity - configure_strategy - low_complexity - medium_disruption - CCE-80240-5 - NIST-800-53-AC-6 - DISA-STIG-RHEL-07-021020 Mount Remote Filesystems with nodev Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts. 11 13 14 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS05.06 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.11.2.9 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.8.2.1 A.8.2.2 A.8.2.3 A.8.3.1 A.8.3.3 A.9.1.2 CM-7 MP-2 PR.IP-1 PR.PT-2 PR.PT-3 Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users. CCE-80239-7 include_mount_options_functions ensure_mount_option_for_vfstype "nfs[4]?" 
"nodev" - name: "Get nfs and nfs4 mount points, that don't have nodev" shell: grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | grep -v "nodev" | awk '{print $2}' register: points_register check_mode: no changed_when: False tags: - mount_option_nodev_remote_filesystems - medium_severity - configure_strategy - low_complexity - medium_disruption - CCE-80239-7 - NIST-800-53-CM-7 - NIST-800-53-MP-2 - name: "Add nodev to mount points" shell: awk '$2=="{{ item }}"{$4=$4",nodev"}1' /etc/fstab > fstab.tmp && mv fstab.tmp /etc/fstab with_items: - "{{ points_register.stdout_lines }}" when: (points_register.stdout | length > 0) and True tags: - mount_option_nodev_remote_filesystems - medium_severity - configure_strategy - low_complexity - medium_disruption - CCE-80239-7 - NIST-800-53-CM-7 - NIST-800-53-MP-2 Specify UID and GID for Anonymous NFS Connections To specify the UID and GID for remote root users, edit the /etc/exports file and add the following for each export: anonuid=value greater than UID_MAX from /etc/login.defs anongid=value greater than GID_MAX from /etc/login.defs Note that a value of "-1" is technically acceptable as this will randomize the anonuid and anongid values on a Red Hat Enterprise Linux 6 based NFS server. While acceptable from a security perspective, a value of -1 may cause interoperability issues, particularly with Red Hat Enterprise Linux 7 client systems. Alternatively, functionally equivalent values of 60001, 65534, 65535 may be used. Specifying the anonymous UID and GID ensures that the remote root user is mapped to a local account which has no permissions on the system. CCE-80236-3 Disable Network File System (nfs) The Network File System (NFS) service allows remote hosts to mount and interact with shared filesystems on the local system. If the local system is not designated as a NFS server then this service should be disabled. 
The nfs service can be disabled with the following command: $ sudo systemctl disable nfs.service 2.2.7 11 12 14 15 16 18 3 5 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.03 DSS06.06 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-3 PR.AC-4 PR.AC-6 PR.PT-3 Unnecessary services should be disabled to decrease the attack surface of the system. CCE-80237-1 SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" stop 'nfs.service' "$SYSTEMCTL_EXEC" disable 'nfs.service' # Disable socket activation if we have a unit file for it "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^nfs.socket\>' && "$SYSTEMCTL_EXEC" disable 'nfs.socket' # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. 
"$SYSTEMCTL_EXEC" reset-failed 'nfs.service' - name: Disable service nfs service: name: nfs enabled: "no" state: "stopped" register: service_result failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)" tags: - service_nfs_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - CCE-80237-1 - NIST-800-53-AC-3 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Disable socket of service nfs if applicable service: name: nfs.socket enabled: "no" state: "stopped" register: socket_result failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)" tags: - service_nfs_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - CCE-80237-1 - NIST-800-53-AC-3 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable Secure RPC Server Service (rpcsvcgssd) The rpcsvcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcsvcgssd service is the server-side of RPCSEC GSS. If the system does not require secure RPC then this service should be disabled. The rpcsvcgssd service can be disabled with the following command: $ sudo systemctl disable rpcsvcgssd.service Unnecessary services should be disabled to decrease the attack surface of the system. CCE-80238-9 SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" stop 'rpcsvcgssd.service' "$SYSTEMCTL_EXEC" disable 'rpcsvcgssd.service' # Disable socket activation if we have a unit file for it "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rpcsvcgssd.socket\>' && "$SYSTEMCTL_EXEC" disable 'rpcsvcgssd.socket' # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. 
# Service should be 'inactive', not 'failed' after reboot though. "$SYSTEMCTL_EXEC" reset-failed 'rpcsvcgssd.service' - name: Disable service rpcsvcgssd service: name: rpcsvcgssd enabled: "no" state: "stopped" register: service_result failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)" tags: - service_rpcsvcgssd_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - CCE-80238-9 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Disable socket of service rpcsvcgssd if applicable service: name: rpcsvcgssd.socket enabled: "no" state: "stopped" register: socket_result failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)" tags: - service_rpcsvcgssd_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - CCE-80238-9 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable Printer Browsing Entirely if Possible By default, CUPS listens on the network for printer list broadcasts on UDP port 631. This functionality is called printer browsing. 
To disable printer browsing entirely, edit the CUPS configuration file, located at /etc/cups/cupsd.conf, to include the following: Browsing Off BrowseAllow none 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 The CUPS print service can be configured to broadcast a list of available printers to the network. Other systems on the network, also running the CUPS print service, can be configured to listen to these broadcasts and add and configure these printers for immediate use. By disabling this browsing capability, the system will no longer generate or receive such broadcasts. CCE-80283-5 Disable Print Server Capabilities To prevent remote users from potentially connecting to and using locally configured printers, disable the CUPS print server sharing capabilities. To do so, limit how the server will listen for print jobs by removing the more generic port directive from /etc/cups/cupsd.conf: Port 631 and replacing it with the Listen directive: Listen localhost:631 This will prevent remote users from printing to locally configured printers while still allowing local users on the system to print normally. 
11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 By default, locally configured printers will not be shared over the network, but if this functionality has somehow been enabled, these recommendations will disable it again. Be sure to disable outgoing printer list broadcasts, or remote users will still be able to see the locally configured printers, even if they cannot actually print to them. To limit print serving to a particular set of users, use the Policy directive. CCE-80284-3 Disable the CUPS Service The cups service can be disabled with the following command: $ sudo systemctl disable cups.service 2.2.4 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 Turn off unneeded services to reduce attack surface. 
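The two CUPS configuration rules above (Browsing Off / BrowseAllow none, and Listen localhost:631 in place of Port 631) are easy to get half right: a Port directive left in place, or an explicit Listen on a wildcard address, still exposes the scheduler to the network. The following Python is an added example written for this page, not SCAP Security Guide code: it parses the top-level directives of cupsd.conf, reports each deviation, and produces a corrected file. It goes one step beyond the page by also rewriting a non-local Listen line to localhost. The sample cupsd.conf is constructed.

```python
"""Audit /etc/cups/cupsd.conf for the browsing and listener settings the two rules above require."""

# Constructed sample: a cupsd.conf that listens on every interface and still has browsing on.
WEAK_CUPSD_CONF = """\
LogLevel warn
Port 631
Listen /var/run/cups/cups.sock
Browsing On
BrowseAllow all
<Location />
  Order allow,deny
</Location>
"""

LOCAL_HOSTS = ("localhost", "127.0.0.1", "[::1]")


def parse_directives(text):
    """Return (directive, value) pairs for top-level lines; comments and <Location>/<Policy> blocks are skipped."""
    pairs, depth = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            depth -= 1
        elif line.startswith("<"):
            depth += 1
        elif depth == 0:
            name, _, value = line.partition(" ")
            pairs.append((name, value.strip()))
    return pairs


def listen_is_local(value):
    """A Listen value is local if it is a Unix socket path or bound to a loopback name/address."""
    if value.startswith("/"):
        return True
    host = value.rsplit(":", 1)[0] if ":" in value else value
    return host in LOCAL_HOSTS


def audit_cupsd(text):
    """Return findings; an empty list means the file matches the recommendation."""
    pairs = parse_directives(text)
    findings = []
    if any(name == "Port" for name, _ in pairs):
        findings.append("Port directive present: replace it with 'Listen localhost:631'")
    for name, value in pairs:
        if name == "Listen" and not listen_is_local(value):
            findings.append(f"'Listen {value}' accepts remote print jobs")
    browsing = [v for n, v in pairs if n == "Browsing"]
    if not browsing or browsing[-1].lower() not in ("off", "no"):
        findings.append("Browsing is not Off")
    allow = [v for n, v in pairs if n == "BrowseAllow"]
    if not allow or allow[-1].lower() != "none":
        findings.append("BrowseAllow is not none")
    return findings


def harden_cupsd(text):
    """Rewrite the file: Port -> Listen localhost:PORT, non-local Listen -> localhost, browsing off."""
    out, seen = [], set()
    for raw in text.splitlines():
        name, _, value = raw.strip().partition(" ")
        value = value.strip()
        if name == "Port":
            out.append(f"Listen localhost:{value or '631'}")
        elif name == "Listen" and not listen_is_local(value):
            port = value.rsplit(":", 1)[1] if ":" in value else "631"
            out.append(f"Listen localhost:{port}")
        elif name == "Browsing":
            out.append("Browsing Off")
            seen.add(name)
        elif name == "BrowseAllow":
            out.append("BrowseAllow none")
            seen.add(name)
        else:
            out.append(raw)
    for name, value in (("Browsing", "Off"), ("BrowseAllow", "none")):
        if name not in seen:
            out.append(f"{name} {value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_cupsd(WEAK_CUPSD_CONF):
        print("FINDING:", finding)
    print(harden_cupsd(WEAK_CUPSD_CONF), end="")
```

The Unix-socket Listen line is left alone because local printing still needs it; only TCP listeners bound to a non-loopback address are rewritten.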
CCE-80282-7 SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" stop 'cups.service' "$SYSTEMCTL_EXEC" disable 'cups.service' # Disable socket activation if we have a unit file for it "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^cups.socket\>' && "$SYSTEMCTL_EXEC" disable 'cups.socket' # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. "$SYSTEMCTL_EXEC" reset-failed 'cups.service' - name: Disable service cups service: name: cups enabled: "no" state: "stopped" register: service_result failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)" tags: - service_cups_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - CCE-80282-7 - NIST-800-53-CM-7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Disable socket of service cups if applicable service: name: cups.socket enabled: "no" state: "stopped" register: socket_result failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)" tags: - service_cups_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - CCE-80282-7 - NIST-800-53-CM-7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Install the docker Package The docker package provides necessary software to create containers, which are self-sufficient and self-contained applications using the resource isolation features of the kernel. The docker package can be installed with the following command: $ sudo yum install docker To be able to run the docker service, the docker package has to be installed. 
package_install docker

- name: Ensure docker is installed
  package:
    name: docker
    state: present
  tags:
    - package_docker_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

include install_docker
class install_docker {
  package { 'docker':
    ensure => 'installed',
  }
}

package --add=docker

Use direct-lvm with the Device Mapper Storage Driver
To use Docker in production with the device mapper storage driver, the Docker daemon should be configured to use direct-lvm instead of a loopback device as storage. For setting up the LVM and configuring Docker, see the Docker Device Mapper Storage Documentation.
For using Docker in production, the device mapper storage driver with loopback devices is discouraged. The suggested way of configuring the device mapper storage driver is direct-lvm. Choosing the right storage driver and backing filesystem is crucial to stability and performance.
CCE-80441-9

Ensure SELinux support is enabled in Docker
To enable SELinux for the Docker service, the Docker service must be configured to run the Docker daemon with the --selinux-enabled option. In the /etc/sysconfig/docker configuration file, add or correct the following line to enable SELinux support in the Docker daemon:
OPTIONS='--selinux-enabled'
If SELinux is not explicitly enabled in the Docker daemon configuration, Docker does not use SELinux, which means container processes run unconfined and SELinux provides no security separation between them. Enabling SELinux for the Docker service, however, prevents an attacker or rogue container from attacking other container processes and content, and from taking over the host operating system.
CCE-80442-7

Enable the Docker service
The docker service is commonly needed to create containers.
The docker service can be enabled with the following command: $ sudo systemctl enable docker.service To be able to find any problems with misconfiguration of the docker daemon and running containers, the docker service has to be enabled. CCE-80440-1 SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" start 'docker.service' "$SYSTEMCTL_EXEC" enable 'docker.service' - name: Enable service docker service: name: docker enabled: "yes" state: "started" tags: - service_docker_enabled - medium_severity - enable_strategy - low_complexity - low_disruption - CCE-80440-1 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable Avahi Server Software The avahi-daemon service can be disabled with the following command: $ sudo systemctl disable avahi-daemon.service 2.2.3 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 CCI-000366 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted. 
CCE-80338-7 SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" stop 'avahi-daemon.service' "$SYSTEMCTL_EXEC" disable 'avahi-daemon.service' # Disable socket activation if we have a unit file for it "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^avahi-daemon.socket\>' && "$SYSTEMCTL_EXEC" disable 'avahi-daemon.socket' # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. "$SYSTEMCTL_EXEC" reset-failed 'avahi-daemon.service' - name: Disable service avahi-daemon service: name: avahi-daemon enabled: "no" state: "stopped" register: service_result failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)" tags: - service_avahi-daemon_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - CCE-80338-7 - NIST-800-53-CM-7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Disable socket of service avahi-daemon if applicable service: name: avahi-daemon.socket enabled: "no" state: "stopped" register: socket_result failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)" tags: - service_avahi-daemon_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - CCE-80338-7 - NIST-800-53-CM-7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Check Avahi Responses' TTL Field To make Avahi ignore packets unless the TTL field is 255, edit /etc/avahi/avahi-daemon.conf and ensure the following line appears in the [server] section: check-response-ttl=yes 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 
4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 This helps to ensure that only mDNS responses from the local network are processed, because the TTL field in a packet is decremented from its initial value of 255 whenever it is routed from one network to another. Although a properly-configured router or firewall should not allow mDNS packets into the local network at all, this option provides another check to ensure they are not permitted. CCE-80340-3 Disable Avahi Publishing To prevent Avahi from publishing its records, edit /etc/avahi/avahi-daemon.conf and ensure the following line appears in the [publish] section: disable-publishing=yes 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 This helps ensure that no record will be published by Avahi. 
Serve Avahi Only via Required Protocol If you are using only IPv4, edit /etc/avahi/avahi-daemon.conf and ensure the following line exists in the [server] section: use-ipv6=no Similarly, if you are using only IPv6, disable IPv4 sockets with the line: use-ipv4=no 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 CCE-80339-5 Restrict Information Published by Avahi If it is necessary to publish some information to the network, it should not be joined by any extraneous information, or by information supplied by a non-trusted source on the system. Prevent user applications from using Avahi to publish services by adding or correcting the following line in the [publish] section: disable-user-service-publishing=yes Implement as many of the following lines as possible, to restrict the information published by Avahi. publish-addresses=no publish-hinfo=no publish-workstation=no publish-domain=no Inspect the files in the directory /etc/avahi/services/. Unless there is an operational need to publish information about each of these services, delete the corresponding file. 
11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 These options prevent publishing attempts from succeeding, and can be applied even if publishing is disabled entirely via disable-publishing. Alternatively, these can be used to restrict the types of published information in the event that some information must be published. CCE-80343-7 Prevent Other Programs from Using Avahi's Port To prevent other mDNS stacks from running, edit /etc/avahi/avahi-daemon.conf and ensure the following line appears in the [server] section: disallow-other-stacks=yes 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 This helps ensure that only Avahi is responsible for mDNS traffic coming from that port on the system. CCE-80341-1 Disable Squid The squid service can be disabled with the following command: $ sudo systemctl disable squid.service 2.2.13 Running proxy server software provides a network-based avenue of attack, and should be removed if not needed. 
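The five Avahi rules above all edit the same INI-style file, /etc/avahi/avahi-daemon.conf, and several of the keys ship commented out, so a grep for the key name is not enough. The following Python is an added example written for this page, not SCAP Security Guide code: it loads the file with configparser (which treats # and ; lines as comments, as Avahi does), reports every key that is absent or has the wrong value, and writes a corrected file with key=value lines. Which protocol family the host serves is an input; the sample file is constructed.

```python
"""Audit and harden /etc/avahi/avahi-daemon.conf against the five Avahi rules above."""
import configparser
import io

# Constructed sample: Avahi's permissive defaults with the relevant keys still commented out.
WEAK_AVAHI_CONF = """\
[server]
use-ipv4=yes
use-ipv6=yes
#check-response-ttl=no
disallow-other-stacks=no

[publish]
#disable-publishing=no
disable-user-service-publishing=no
publish-addresses=yes
publish-hinfo=yes
publish-workstation=yes
publish-domain=yes
"""

# Section -> {key: required value}; this table is the example's summary of the rules, not the guide's code.
REQUIRED = {
    "server": {"check-response-ttl": "yes", "disallow-other-stacks": "yes"},
    "publish": {
        "disable-publishing": "yes",
        "disable-user-service-publishing": "yes",
        "publish-addresses": "no",
        "publish-hinfo": "no",
        "publish-workstation": "no",
        "publish-domain": "no",
    },
}


def load_conf(text):
    """Parse the INI-style file; '#' and ';' lines are treated as comments, as Avahi does."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit_avahi(text, ip_family="ipv4"):
    """Return findings; ip_family names the only protocol family the host is expected to serve."""
    cp = load_conf(text)
    findings = []
    for section, keys in REQUIRED.items():
        for key, want in keys.items():
            got = cp.get(section, key, fallback=None)
            if got is None or got.strip().lower() != want:
                findings.append(f"[{section}] {key} should be {want} (is {got})")
    unused = "use-ipv6" if ip_family == "ipv4" else "use-ipv4"
    if cp.get("server", unused, fallback="yes").strip().lower() != "no":
        findings.append(f"[server] {unused} should be no on an {ip_family}-only host")
    return findings


def harden_avahi(text, ip_family="ipv4"):
    """Return the file text with every required key set (unrelated keys are preserved)."""
    cp = load_conf(text)
    for section, keys in REQUIRED.items():
        if not cp.has_section(section):
            cp.add_section(section)
        for key, want in keys.items():
            cp.set(section, key, want)
    cp.set("server", "use-ipv6" if ip_family == "ipv4" else "use-ipv4", "no")
    buf = io.StringIO()
    cp.write(buf, space_around_delimiters=False)  # Avahi's own parser expects key=value
    return buf.getvalue()


if __name__ == "__main__":
    for finding in audit_avahi(WEAK_AVAHI_CONF):
        print("FINDING:", finding)
    print(harden_avahi(WEAK_AVAHI_CONF), end="")
```

Comments in the original file are dropped by configparser on write; if that matters, keep the audit function and apply the changes with a line-oriented editor instead. The service files under /etc/avahi/services/ are not covered here and still need to be reviewed by hand.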
CCE-80285-0 SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" stop 'squid.service' "$SYSTEMCTL_EXEC" disable 'squid.service' # Disable socket activation if we have a unit file for it "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^squid.socket\>' && "$SYSTEMCTL_EXEC" disable 'squid.socket' # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. "$SYSTEMCTL_EXEC" reset-failed 'squid.service' - name: Disable service squid service: name: squid enabled: "no" state: "stopped" register: service_result failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)" tags: - service_squid_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - CCE-80285-0 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Disable socket of service squid if applicable service: name: squid.socket enabled: "no" state: "stopped" register: socket_result failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)" tags: - service_squid_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - CCE-80285-0 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Uninstall squid Package The squid package can be removed with the following command: $ sudo yum erase squid If there is no need to make the proxy server software available, removing it provides a safeguard against its activation. 
CCE-80286-8
package_remove squid

- name: Ensure squid is removed
  package:
    name: squid
    state: absent
  tags:
    - package_squid_removed
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80286-8

include remove_squid
class remove_squid {
  package { 'squid':
    ensure => 'purged',
  }
}

package --remove=squid

Configure auditd flush priority
The auditd service can be configured to synchronously write audit event data to disk. Add or correct the following line in /etc/audit/auditd.conf to ensure that audit event data is fully synchronized with the log files on the disk:
flush = data
The flush setting accepts none, incremental, incremental_async, data or sync; data (or sync, which also flushes file metadata) gives synchronous writes. The freq setting is only meaningful with the incremental modes.
12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.3.1 CCI-001576 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 AU-9 AU-12(1) DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.PT-1
Audit data should be synchronously written to disk to ensure log integrity. These parameters assure that all audit event data is fully synchronized with the log files on the disk.
CCE-27331-8

var_auditd_flush=""
AUDITCONFIG=/etc/audit/auditd.conf

# if flush is present, flush param edited to var_auditd_flush
# else flush param is defined by var_auditd_flush
#
# the freq param is only used with the value 'incremental' and will be
# commented out if flush != incremental
#
# if flush == incremental && freq param is not defined, it
# will be defined as the package-default value of 20
grep -q ^flush $AUDITCONFIG && \
  sed -i 's/^flush.*/flush = '"$var_auditd_flush"'/g' $AUDITCONFIG
if ! [ $? -eq 0 ]; then
  echo "flush = $var_auditd_flush" >> $AUDITCONFIG
fi
if ! [ "$var_auditd_flush" == "incremental" ]; then
  sed -i 's/^freq/##freq/g' $AUDITCONFIG
elif [ "$var_auditd_flush" == "incremental" ]; then
  grep -q freq $AUDITCONFIG && \
    sed -i 's/^#\+freq/freq/g' $AUDITCONFIG
  if ! [ $? -eq 0 ]; then
    echo "freq = 20" >> $AUDITCONFIG
  fi
fi

- name: XCCDF Value var_auditd_flush # promote to variable
  set_fact:
    var_auditd_flush: !!str
  tags:
    - always

- name: Configure auditd Flush Priority
  lineinfile:
    dest: /etc/audit/auditd.conf
    regexp: '^\s*flush\s*=\s*.*$'
    line: "flush = {{ var_auditd_flush }}"
    state: present
  #notify: reload auditd
  tags:
    - auditd_data_retention_flush
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27331-8
    - NIST-800-53-AU-9
    - NIST-800-53-AU-12(1)
    - NIST-800-171-3.3.1
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Encrypt Audit Records Sent With audispd Plugin
Configure the operating system to encrypt the transfer of off-loaded audit records onto a different system or media from the system being audited. Uncomment the enable_krb5 option in /etc/audisp/audisp-remote.conf, and set it with the following line:
enable_krb5 = yes
CCI-001851 FAU_GEN.1.1.c SRG-OS-000342-GPOS-00133 RHEL-07-030310 SV-86709r2_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Identifiers: CCE-80540-8

Remediation Shell script:

AUDISP_REMOTE_CONFIG="/etc/audisp/audisp-remote.conf"
option="^enable_krb5"
value="yes"
replace_or_append $AUDISP_REMOTE_CONFIG "$option" "$value" "CCE-80540-8"

Remediation Ansible snippet:

- name: Configure Kerberos 5 Encryption in Audit Event Multiplexor (audispd)
  lineinfile:
    dest: /etc/audisp/audisp-remote.conf
    line: enable_krb5 = yes
    regexp: ^\s*enable_krb5\s*=\s*.*$
    state: present
    create: true
  tags:
    - auditd_audispd_encrypt_sent_records
    - medium_severity
    - low_complexity
    - low_disruption
    - CCE-80540-8
    - DISA-STIG-RHEL-07-030310
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure audispd Plugin To Send Logs To Remote Server

Configure the audispd plugin to off-load audit records onto a different system or media from the system being audited. Set the remote_server option in /etc/audisp/audisp-remote.conf to the IP address or hostname of the system that the audispd plugin should send audit records to. For example, replacing REMOTE_SYSTEM with an IP address or hostname:

remote_server = REMOTE_SYSTEM

References: CCI-001851 FAU_GEN.1.1.c SRG-OS-000342-GPOS-00133 RHEL-07-030300 SV-86707r2_rule SRG-OS-000051-VMM-000230 SRG-OS-000058-VMM-000270 SRG-OS-000059-VMM-000280 SRG-OS-000479-VMM-001990

Rationale: Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.

Identifiers: CCE-80541-6

Remediation Shell script:

# value substituted from the XCCDF variable var_audispd_remote_server
var_audispd_remote_server=""
AUDITCONFIG=/etc/audisp/audisp-remote.conf
replace_or_append $AUDITCONFIG '^remote_server' "$var_audispd_remote_server" "CCE-80541-6"

Configure audispd's Plugin network_failure_action On Network Failure

Configure the action the operating system takes if there is an error sending audit records to a remote system. Edit the file /etc/audisp/audisp-remote.conf.
Add or modify the following line, substituting ACTION appropriately:

network_failure_action = ACTION

Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include syslog and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined.

References: CCI-001851 SRG-OS-000342-GPOS-00133 RHEL-07-030321 SV-87815r3_rule

Rationale: Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records.

Identifiers: CCE-80538-2

Configure auditd Disk Full Action when Disk Space Is Full

The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:

disk_full_action = ACTION

Set this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include syslog, exec, single, and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.

References: 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 APO11.04 APO12.06 APO13.01 BAI03.05 BAI04.04 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 MEA02.01 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 7.1 SR 7.2 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.16.1.4 A.16.1.5 A.16.1.7 A.17.2.1 AU-1(b) AU-4 AU-5(b) IR-5 DE.AE-3 DE.AE-5 PR.DS-4 PR.PT-1 RS.AN-1 RS.AN-4

Rationale: Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.
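The flush, disk_full_action, disk_error_action and audisp-remote rules in this section all come down to the same edit: put exactly one active "KEY = VALUE" line in an auditd-style config file, and be able to verify it afterwards. The following is an added example, not SCAP Security Guide code: a small POSIX shell library that performs that edit idempotently (replacing an existing active line, leaving commented defaults alone, appending only when nothing active exists), offers the matching check, and mirrors the freq side condition of the flush rule. The helper names, the scratch-file demo and the sample auditd.conf content are constructed for this example.

```shell
#!/bin/sh
# Added example (not SCAP Security Guide code): idempotent "KEY = VALUE"
# handling for auditd-style config files such as /etc/audit/auditd.conf and
# /etc/audisp/audisp-remote.conf, plus the freq side condition of the flush
# rule. File paths are passed in, so it can be exercised on a scratch copy.

# Print the effective value of KEY in FILE: the last active (uncommented)
# assignment, as auditd reads the file top to bottom. Prints nothing if unset.
get_audit_option() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Rewrite every active "KEY = ..." line to "KEY = VALUE", or append one when
# no active line exists. Commented-out defaults ("#KEY = ...") are left alone.
# VALUE must not contain '|', which is used as the sed delimiter.
set_audit_option() {
    file=$1; key=$2; value=$3; tmp="$file.tmp.$$"
    if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file" > "$tmp"
    else
        cp "$file" "$tmp"
        printf '%s = %s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# Check-only form for a scanner: succeed when KEY currently equals EXPECTED.
check_audit_option() {
    [ "$(get_audit_option "$1" "$2")" = "$3" ]
}

# flush has the side condition described in the flush rule: freq is only
# meaningful when flush = incremental, so it is commented out otherwise and
# restored (or added with the package default of 20) when incremental is set.
set_auditd_flush() {
    file=$1; mode=$2; tmp="$file.tmp.$$"
    set_audit_option "$file" flush "$mode"
    if [ "$mode" = incremental ]; then
        if grep -Eq '^#+[[:space:]]*freq[[:space:]]*=' "$file"; then
            sed 's/^#\{1,\}[[:space:]]*freq[[:space:]]*=/freq =/' "$file" > "$tmp" && mv "$tmp" "$file"
        elif [ -z "$(get_audit_option "$file" freq)" ]; then
            set_audit_option "$file" freq 20
        fi
    else
        sed 's/^[[:space:]]*freq[[:space:]]*=/##&/' "$file" > "$tmp" && mv "$tmp" "$file"
    fi
}

# Constructed sample config (not a real host's file) used by the demo below.
write_sample_auditd_conf() {
    cat > "$1" <<'EOF'
# constructed sample auditd.conf
log_file = /var/log/audit/audit.log
flush = incremental
freq = 20
#disk_full_action = SUSPEND
disk_error_action = SUSPEND
EOF
}

# Stand-alone demo on a scratch copy; on a real host the file would be
# /etc/audit/auditd.conf and a reload of auditd would follow.
demo_conf=$(mktemp)
write_sample_auditd_conf "$demo_conf"
set_auditd_flush "$demo_conf" data
set_audit_option "$demo_conf" disk_full_action halt
set_audit_option "$demo_conf" disk_error_action halt
cat "$demo_conf"
rm -f "$demo_conf"
```

The check function is the half a scanner needs: it reads the effective value rather than grepping for any line containing the key, so a commented-out default or a second, later assignment cannot produce a false pass.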
Remediation Shell script:

# value substituted from the XCCDF variable var_auditd_disk_full_action
var_auditd_disk_full_action=""
replace_or_append /etc/audit/auditd.conf '^disk_full_action' "$var_auditd_disk_full_action" ""

Remediation Ansible snippet:

- name: XCCDF Value var_auditd_disk_full_action # promote to variable
  set_fact:
    var_auditd_disk_full_action: !!str
  tags:
    - always

- name: Configure auditd Disk Full Action when Disk Space Is Full
  lineinfile:
    dest: /etc/audit/auditd.conf
    line: "disk_full_action = {{ var_auditd_disk_full_action }}"
    regexp: '^\s*disk_full_action\s*=\s*.*$'
    state: present
  #notify: reload auditd
  tags:
    - auditd_data_disk_full_action
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-4
    - NIST-800-53-AU-5(b)
    - NIST-800-53-IR-5
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure auditd Disk Error Action on Disk Error

The auditd service can be configured to take an action when there is a disk error. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:

disk_error_action = ACTION

Set this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include syslog, exec, single, and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.
References: 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 APO11.04 APO12.06 APO13.01 BAI03.05 BAI04.04 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 MEA02.01 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 7.1 SR 7.2 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.16.1.4 A.16.1.5 A.16.1.7 A.17.2.1 AU-1(b) AU-4 AU-5(b) IR-5 DE.AE-3 DE.AE-5 PR.DS-4 PR.PT-1 RS.AN-1 RS.AN-4

Rationale: Taking appropriate action in case of disk errors will minimize the possibility of losing audit records.

Identifiers: CCE-80646-3

Remediation Shell script:

# value substituted from the XCCDF variable var_auditd_disk_error_action
var_auditd_disk_error_action=""
#
# If disk_error_action present in /etc/audit/auditd.conf, change value
# to var_auditd_disk_error_action, else
# add "disk_error_action = $var_auditd_disk_error_action" to /etc/audit/auditd.conf
#
if grep --silent ^disk_error_action /etc/audit/auditd.conf ; then
  sed -i 's/^disk_error_action.*/disk_error_action = '"$var_auditd_disk_error_action"'/g' /etc/audit/auditd.conf
else
  echo -e "\n# Set disk_error_action to $var_auditd_disk_error_action per security requirements" >> /etc/audit/auditd.conf
  echo "disk_error_action = $var_auditd_disk_error_action" >> /etc/audit/auditd.conf
fi

Remediation Ansible snippet:

- name: XCCDF Value var_auditd_disk_error_action # promote to variable
  set_fact:
    var_auditd_disk_error_action: !!str
  tags:
    - always

- name: Configure auditd Disk Error Action on Disk Error
  lineinfile:
    dest: /etc/audit/auditd.conf
    line: "disk_error_action = {{ var_auditd_disk_error_action }}"
    regexp: '^\s*disk_error_action\s*=\s*.*$'
    state: present
  #notify: reload auditd
  tags:
    - auditd_data_disk_error_action
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80646-3
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-4
    - NIST-800-53-AU-5(b)
    - NIST-800-53-IR-5
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure audispd's Plugin disk_full_action When Disk Is Full
Configure the action the operating system takes if the disk the audit records are written to becomes full. Edit the file /etc/audisp/audisp-remote.conf. Add or modify the following line, substituting ACTION appropriately:

disk_full_action = ACTION

Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include syslog and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined.

References: CCI-001851 SRG-OS-000342-GPOS-00133 RHEL-07-030320 SV-86711r3_rule

Rationale: Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.

Identifiers: CCE-80539-0

Ensure auditd Collects Information on Kernel Module Loading - create_module

To capture kernel module loading events, add the following line, setting ARCH to b32 on a 32-bit system, or add two lines (one with b32 and one with b64) if your system is 64-bit:

-a always,exit -F arch=ARCH -S create_module -F key=modules

Where to add the line depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to the file /etc/audit/audit.rules.

References: RHEL-07-030819 SV-93705r2_rule CCI-000172 SRG-OS-000471-GPOS-00216 SRG-OS-000477-GPOS-00222

Rationale: The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

Identifiers: CCE-80661-2

Remediation Shell script:

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
#       it's required on a 64-bit system to check also for the presence
#       of 32-bit's equivalent of the corresponding rule.
#       (See `man 7 audit.rules` for details )
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
  PATTERN="-a always,exit -F arch=$ARCH -S create_module \(-F key=\|-k \).*"
  GROUP="modules"
  FULL_RULE="-a always,exit -F arch=$ARCH -S create_module -k modules"
  # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
  fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
  fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

# What architecture are we on?
- name: Set architecture for audit create_module tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_kernel_module_loading_create
    - medium_severity
    - low_complexity
    - CCE-80661-2
    - DISA-STIG-RHEL-07-030819
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: ^.*create_module.*$
    patterns: '*.rules'
  register: find_create_module
  tags:
    - audit_rules_kernel_module_loading_create
    - medium_severity
    - low_complexity
    - CCE-80661-2
    - DISA-STIG-RHEL-07-030819
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_create_module.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_kernel_module_loading_create
    - medium_severity
    - low_complexity
    - CCE-80661-2
    - DISA-STIG-RHEL-07-030819

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_create_module.files | map(attribute=''path'') | list | first }}'
  when: find_create_module.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_kernel_module_loading_create
    - medium_severity
    - low_complexity
    - CCE-80661-2
    - DISA-STIG-RHEL-07-030819

- name: Inserts/replaces the create_module rule in rules.d
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '-a always,exit -F arch=b32 -S create_module -k module-change'
    state: present
    create: true
  tags:
    - audit_rules_kernel_module_loading_create
    - medium_severity
    - low_complexity
    - CCE-80661-2
    - DISA-STIG-RHEL-07-030819
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the create_module rule in rules.d on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '-a always,exit -F arch=b64 -S create_module -k module-change'
    state: present
    create: true
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_kernel_module_loading_create
    - medium_severity
    - low_complexity
    - CCE-80661-2
    - DISA-STIG-RHEL-07-030819

# Inserts/replaces the create_modules rule in /etc/audit/audit.rules
- name: Inserts/replaces the create_module rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F arch=b32 -S create_module -k module-change'
    create: true
  tags:
    - audit_rules_kernel_module_loading_create
    - medium_severity
    - low_complexity
    - CCE-80661-2
    - DISA-STIG-RHEL-07-030819
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the create_module rule in audit.rules when on x86_64
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F arch=b64 -S create_module -k module-change'
    create: true
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_kernel_module_loading_create
    - medium_severity
    - low_complexity
    - CCE-80661-2
    - DISA-STIG-RHEL-07-030819

Record Any Attempts to Run seunshare

At a minimum, the audit system should collect any execution attempt of the seunshare command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

References: FAU_GEN.1.1.c

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Remediation Shell script:

PATTERN="-a always,exit -F path=/usr/sbin/seunshare\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation Ansible snippet:

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/sbin/seunshare.*$"
    patterns: "*.rules"
  register: find_seunshare
  tags:
    - audit_rules_execution_seunshare
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_seunshare.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_execution_seunshare
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_seunshare.files | map(attribute='path') | list | first }}"
  when: find_seunshare.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_execution_seunshare
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Inserts/replaces the seunshare rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_execution_seunshare
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the seunshare rule in /etc/audit/audit.rules
- name: Inserts/replaces the seunshare rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_execution_seunshare
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Record Any Attempts to Run setfiles

At a minimum, the audit system should collect any execution attempt of the setfiles command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

References: RHEL-07-030590 SV-86765r5_rule CCI-000172 CCI-002884 SRG-OS-000392-GPOS-00172 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Identifiers: CCE-80660-4

Remediation Shell script:

PATTERN="-a always,exit -F path=/usr/sbin/setfiles\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation Ansible snippet:

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/sbin/setfiles.*$"
    patterns: "*.rules"
  register: find_setfiles
  tags:
    - audit_rules_execution_setfiles
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80660-4
    - DISA-STIG-RHEL-07-030590
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_setfiles.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_execution_setfiles
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80660-4
    - DISA-STIG-RHEL-07-030590

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_setfiles.files | map(attribute='path') | list | first }}"
  when: find_setfiles.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_execution_setfiles
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80660-4
    - DISA-STIG-RHEL-07-030590

- name: Inserts/replaces the setfiles rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_execution_setfiles
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80660-4
    - DISA-STIG-RHEL-07-030590
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the setfiles rule in /etc/audit/audit.rules
- name: Inserts/replaces the setfiles rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_execution_setfiles
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80660-4
    - DISA-STIG-RHEL-07-030590
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Record Any Attempts to Run setsebool

At a minimum, the audit system should collect any execution attempt of the setsebool command for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

References: RHEL-07-030570 SV-86761r4_rule 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 AU-12(c) DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.PT-1 FAU_GEN.1.1.c SRG-OS-000392-GPOS-00172 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Identifiers: CCE-80392-4

Remediation Shell script:

PATTERN="-a always,exit -F path=/usr/sbin/setsebool\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation Ansible snippet:

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/sbin/setsebool.*$"
    patterns: "*.rules"
  register: find_setsebool
  tags:
    - audit_rules_execution_setsebool
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80392-4
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030570
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_setsebool.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_execution_setsebool
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80392-4
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030570

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_setsebool.files | map(attribute='path') | list | first }}"
  when: find_setsebool.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_execution_setsebool
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80392-4
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030570

- name: Inserts/replaces the setsebool rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_execution_setsebool
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80392-4
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030570
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the setsebool rule in /etc/audit/audit.rules
- name: Inserts/replaces the setsebool rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_execution_setsebool
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80392-4
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030570
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Record Any Attempts to Run semanage

At a minimum, the audit system should collect any execution attempt of the semanage command for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

References: RHEL-07-030560 SV-86759r4_rule 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 AU-12(c) DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.PT-1 FAU_GEN.1.1.c SRG-OS-000392-GPOS-00172 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Identifiers: CCE-80391-6

Remediation Shell script:

PATTERN="-a always,exit -F path=/usr/sbin/semanage\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation Ansible snippet:

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/sbin/semanage.*$"
    patterns: "*.rules"
  register: find_semanage
  tags:
    - audit_rules_execution_semanage
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80391-6
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030560
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_semanage.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_execution_semanage
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80391-6
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030560

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_semanage.files | map(attribute='path') | list | first }}"
  when: find_semanage.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_execution_semanage
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80391-6
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030560

- name: Inserts/replaces the semanage rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_execution_semanage
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80391-6
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030560
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the semanage rule in /etc/audit/audit.rules
- name: Inserts/replaces the semanage rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_execution_semanage
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80391-6
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030560
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Record Any Attempts to Run chcon

At a minimum, the audit system should collect any execution attempt of the chcon command for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

References: RHEL-07-030580 SV-86763r4_rule 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 AU-12(c) DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.PT-1 FAU_GEN.1.1.c SRG-OS-000392-GPOS-00172 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Identifiers: CCE-80393-2

Remediation Shell script:

PATTERN="-a always,exit -F path=/usr/bin/chcon\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation Ansible snippet:

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/bin/chcon.*$"
    patterns: "*.rules"
  register: find_chcon
  tags:
    - audit_rules_execution_chcon
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80393-2
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030580
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_chcon.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_execution_chcon
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80393-2
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030580

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_chcon.files | map(attribute='path') | list | first }}"
  when: find_chcon.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_execution_chcon
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80393-2
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030580

- name: Inserts/replaces the chcon rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_execution_chcon
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80393-2
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030580
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the chcon rule in /etc/audit/audit.rules
- name: Inserts/replaces the chcon rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_execution_chcon
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80393-2
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030580
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Record Any Attempts to Run restorecon

At a minimum, the audit system should collect any execution attempt of the restorecon command for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

References: 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 AU-12(c) DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.PT-1 FAU_GEN.1.1.c SRG-OS-000392-GPOS-00172 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Identifiers: CCE-80394-0

Remediation Shell script:

PATTERN="-a always,exit -F path=/usr/sbin/restorecon\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation Ansible snippet:

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/sbin/restorecon.*$"
    patterns: "*.rules"
  register: find_restorecon
  tags:
    - audit_rules_execution_restorecon
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80394-0
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_restorecon.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_execution_restorecon
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80394-0
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_restorecon.files | map(attribute='path') | list | first }}"
  when: find_restorecon.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_execution_restorecon
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80394-0
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7

- name: Inserts/replaces the restorecon rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_execution_restorecon
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80394-0
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the restorecon rule in /etc/audit/audit.rules
- name: Inserts/replaces the restorecon rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_execution_restorecon
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80394-0
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects Information on the Use of Privileged Commands - passwd

At a minimum, the audit system should collect the execution of privileged commands for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

References: RHEL-07-030630 SV-86773r4_rule 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000135 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 AU-3(1) AU-12(c) DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.PT-1 FAU_GEN.1.1.c SRG-OS-000042-GPOS-00020 SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Identifiers: CCE-80395-7

Remediation Shell script:

PATTERN="-a always,exit -F path=/usr/bin/passwd\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation Ansible snippet:

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/bin/passwd.*$"
    patterns: "*.rules"
  register: find_passwd
  tags:
    - audit_rules_privileged_commands_passwd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80395-7
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030630
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_passwd.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_passwd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80395-7
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030630

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_passwd.files | map(attribute='path') | list | first }}"
  when: find_passwd.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_passwd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80395-7
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030630

- name: Inserts/replaces the passwd rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_passwd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80395-7
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030630
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the passwd rule in /etc/audit/audit.rules
- name: Inserts/replaces the passwd rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_passwd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80395-7
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030630
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects Information on the Use of Privileged Commands - sudo

At a minimum, the audit system should collect the execution of privileged commands for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

References: RHEL-07-030690 SV-86785r4_rule 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000135 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 AU-3(1) AU-12(c) DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.PT-1 FAU_GEN.1.1.c SRG-OS-000042-GPOS-00020 SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Identifiers: CCE-80401-3

Remediation Shell script:

PATTERN="-a always,exit -F path=/usr/bin/sudo\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation Ansible snippet:

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/bin/sudo.*$"
    patterns: "*.rules"
  register: find_sudo
  tags:
    - audit_rules_privileged_commands_sudo
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80401-3
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030690
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_sudo.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_sudo
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80401-3
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030690

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_sudo.files | map(attribute='path') | list | first }}"
  when: find_sudo.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_sudo
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80401-3
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030690

- name: Inserts/replaces the sudo rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_sudo
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80401-3
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030690
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the sudo rule in /etc/audit/audit.rules
- name: Inserts/replaces the sudo rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_sudo
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80401-3
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030690
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl

At a minimum, the audit system should collect the execution of privileged commands for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

References: FAU_GEN.1.1.c

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Remediation Shell script:

PATTERN="-a always,exit -F path=/usr/sbin/usernetctl\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation Ansible snippet:

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/sbin/usernetctl.*$"
    patterns: "*.rules"
  register: find_usernetctl
  tags:
    - audit_rules_privileged_commands_usernetctl
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_usernetctl.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_usernetctl
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_usernetctl.files | map(attribute='path') | list | first }}"
  when: find_usernetctl.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_usernetctl
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Inserts/replaces the usernetctl rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_usernetctl
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the usernetctl rule in /etc/audit/audit.rules
- name: Inserts/replaces the usernetctl rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_usernetctl
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects Information on the Use of Privileged Commands - postdrop

At a minimum, the audit system should collect the execution of privileged commands for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

References: RHEL-07-030760 SV-86799r4_rule 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000135 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 AU-3(1) AU-12(c) DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.PT-1 SRG-OS-000042-GPOS-00020 SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Identifiers: CCE-80406-2

Remediation Shell script:

PATTERN="-a always,exit -F path=/usr/sbin/postdrop\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation Ansible snippet:

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/sbin/postdrop.*$"
    patterns: "*.rules"
  register: find_postdrop
  tags:
    - audit_rules_privileged_commands_postdrop
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80406-2
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030760
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_postdrop.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_postdrop
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80406-2
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030760

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_postdrop.files | map(attribute='path') | list | first }}"
  when: find_postdrop.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_postdrop
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80406-2
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030760

- name: Inserts/replaces the postdrop rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_postdrop
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80406-2
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030760
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the postdrop rule in /etc/audit/audit.rules
- name: Inserts/replaces the postdrop rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_postdrop
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80406-2
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030760
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects Information on the Use of Privileged Commands - chsh

At a minimum, the audit system should collect the execution of privileged commands for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

References: RHEL-07-030720 SV-86791r4_rule 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000135 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 AU-3(1) AU-12(c) DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.PT-1 SRG-OS-000042-GPOS-00020 SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
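Every privileged-command rule in this section (semanage, chcon, restorecon, passwd, sudo, usernetctl, postdrop, chsh) has the same remediation shape: look for an existing path=<binary> rule under /etc/audit/rules.d, rewrite it where it is found, otherwise append it to privileged.rules. The POSIX shell helper below is an added example, not the guide's fix_audit_syscall_rule; it implements that logic for the augenrules case, with a check that insists on every field the rules prescribe (perm=x, auid>=1000, auid!=unset) and anchors the path match so that a rule for /usr/bin/sudoedit does not satisfy a check for /usr/bin/sudo, which the guide's own "path=X.*" search would accept. The rules directory is a parameter so the functions can be exercised on a scratch directory.

```shell
#!/bin/sh
# Added example (not SSG's fix_audit_syscall_rule): idempotent management of
# one privileged-command execution rule in an augenrules directory.
# Every function takes the rules directory as its first argument so the logic
# can be exercised against a scratch copy instead of /etc/audit/rules.d.

# The canonical rule line for a binary, in exactly the form the guide prescribes.
priv_cmd_rule() {
    # $1 = absolute path of the binary, $2 = audit key (defaults to "privileged")
    printf '%s\n' "-a always,exit -F path=$1 -F perm=x -F auid>=1000 -F auid!=unset -F key=${2:-privileged}"
}

# Exit 0 only if some *.rules file carries an always,exit rule for the binary
# that also has perm=x, auid>=1000 and auid!=unset.  The path is anchored on
# trailing whitespace / end of line so /usr/bin/sudoedit never matches /usr/bin/sudo.
priv_cmd_rule_ok() {
    # $1 = rules directory, $2 = absolute path of the binary
    grep -hE -e '^[[:space:]]*-a[[:space:]]+always,exit[[:space:]].*-F[[:space:]]+path='"$2"'([[:space:]]|$)' "$1"/*.rules 2>/dev/null |
        grep -E -e '-F[[:space:]]+perm=x' |
        grep -E -e '-F[[:space:]]+auid>=1000' |
        grep -qE -e '-F[[:space:]]+auid!=unset'
}

# Make sure the rule exists.  An existing rule for the binary (complete or not)
# is rewritten in the file where it was found; otherwise the rule is appended to
# privileged.rules, the file the guide's remediation uses.  Prints the file edited.
ensure_priv_cmd_rule() {
    # $1 = rules directory, $2 = absolute path of the binary, $3 = audit key (optional)
    dir=$1
    bin=$2
    rule=$(priv_cmd_rule "$bin" "$3")
    target=$(grep -lE -e 'path='"$bin"'([[:space:]]|$)' "$dir"/*.rules 2>/dev/null | head -n 1)
    if [ -z "$target" ]; then
        target="$dir/privileged.rules"
        printf '%s\n' "$rule" >> "$target"
    else
        # Replace the first line for this binary, drop any duplicates, keep everything else.
        tmp=$(mktemp)
        awk -v bin="$bin" -v rule="$rule" '
            $0 ~ ("path=" bin "([ \t]|$)") { if (!done) { print rule; done = 1 }; next }
            { print }
        ' "$target" > "$tmp" && cat "$tmp" > "$target"
        rm -f "$tmp"
    fi
    printf '%s\n' "$target"
}
```

The helper only edits the on-disk rules; as with the guide's remediation, the kernel picks them up after augenrules --load (or at the next auditd start), and a scanner reading the loaded rules will fail until then.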
CCE-80404-7 PATTERN="-a always,exit -F path=/usr/bin/chsh\\s\\+.*" GROUP="privileged" # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation ARCH="" FULL_RULE="-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" # Inserts/replaces the rule in /etc/audit/rules.d - name: Search /etc/audit/rules.d for audit rule entries find: paths: "/etc/audit/rules.d" recurse: no contains: "^.*path=/usr/bin/chsh.*$" patterns: "*.rules" register: find_chsh tags: - audit_rules_privileged_commands_chsh - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80404-7 - NIST-800-53-AU-3(1) - NIST-800-53-AU-12(c) - NIST-800-171-3.1.7 - DISA-STIG-RHEL-07-030720 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules when: find_chsh.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_privileged_commands_chsh - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80404-7 - NIST-800-53-AU-3(1) - NIST-800-53-AU-12(c) - NIST-800-171-3.1.7 - DISA-STIG-RHEL-07-030720 - name: Use matched file as the recipient for the rule set_fact: all_files: - "{{ find_chsh.files | map(attribute='path') | list | first }}" when: find_chsh.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_privileged_commands_chsh - medium_severity - restrict_strategy - low_complexity - low_disruption - 
CCE-80404-7 - NIST-800-53-AU-3(1) - NIST-800-53-AU-12(c) - NIST-800-171-3.1.7 - DISA-STIG-RHEL-07-030720 - name: Inserts/replaces the chsh rule in rules.d lineinfile: path: "{{ all_files[0] }}" line: '-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged' create: yes tags: - audit_rules_privileged_commands_chsh - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80404-7 - NIST-800-53-AU-3(1) - NIST-800-53-AU-12(c) - NIST-800-171-3.1.7 - DISA-STIG-RHEL-07-030720 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") # Inserts/replaces the chsh rule in /etc/audit/audit.rules - name: Inserts/replaces the chsh rule in audit.rules lineinfile: path: /etc/audit/audit.rules line: '-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged' create: yes tags: - audit_rules_privileged_commands_chsh - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80404-7 - NIST-800-53-AU-3(1) - NIST-800-53-AU-12(c) - NIST-800-171-3.1.7 - DISA-STIG-RHEL-07-030720 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap At a minimum, the audit system should collect the execution of privileged commands for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

    -a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

References: FAU_GEN.1.1.c

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Remediation Shell script:

PATTERN="-a always,exit -F path=/usr/bin/newgidmap\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation Ansible snippet:

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/bin/newgidmap.*$"
    patterns: "*.rules"
  register: find_newgidmap
  tags:
    - audit_rules_privileged_commands_newgidmap
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_newgidmap.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_newgidmap
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_newgidmap.files | map(attribute='path') | list | first }}"
  when: find_newgidmap.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_newgidmap
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Inserts/replaces the newgidmap rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_newgidmap
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the newgidmap rule in /etc/audit/audit.rules
- name: Inserts/replaces the newgidmap rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_newgidmap
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects Information on the Use of Privileged Commands - postqueue

Description: At a minimum, the audit system should collect the execution of privileged commands for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

    -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

References: RHEL-07-030770, SV-86801r3_rule, 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-3(1), AU-12(c), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Identifiers: CCE-80407-0

Remediation Shell script:

PATTERN="-a always,exit -F path=/usr/sbin/postqueue\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation Ansible snippet:

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/sbin/postqueue.*$"
    patterns: "*.rules"
  register: find_postqueue
  tags:
    - audit_rules_privileged_commands_postqueue
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80407-0
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030770
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_postqueue.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_postqueue
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80407-0
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030770

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_postqueue.files | map(attribute='path') | list | first }}"
  when: find_postqueue.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_postqueue
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80407-0
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030770

- name: Inserts/replaces the postqueue rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_postqueue
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80407-0
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030770
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the postqueue rule in /etc/audit/audit.rules
- name: Inserts/replaces the postqueue rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_postqueue
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80407-0
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030770
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects Information on the Use of Privileged Commands - chage

Description: At a minimum, the audit system should collect the execution of privileged commands for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

    -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

References: RHEL-07-030660, SV-86779r4_rule, 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-3(1), AU-12(c), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Identifiers: CCE-80398-1

Remediation Shell script:

PATTERN="-a always,exit -F path=/usr/bin/chage\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation Ansible snippet:

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/bin/chage.*$"
    patterns: "*.rules"
  register: find_chage
  tags:
    - audit_rules_privileged_commands_chage
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80398-1
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030660
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_chage.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_chage
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80398-1
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030660

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_chage.files | map(attribute='path') | list | first }}"
  when: find_chage.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_chage
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80398-1
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030660

- name: Inserts/replaces the chage rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_chage
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80398-1
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030660
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the chage rule in /etc/audit/audit.rules
- name: Inserts/replaces the chage rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_chage
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80398-1
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030660
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects Information on the Use of Privileged Commands - userhelper

Description: At a minimum, the audit system should collect the execution of privileged commands for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

    -a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

References: RHEL-07-030670, SV-86781r4_rule, 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-3(1), AU-12(c), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Identifiers: CCE-80399-9

Remediation Shell script:

PATTERN="-a always,exit -F path=/usr/sbin/userhelper\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation Ansible snippet:

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/sbin/userhelper.*$"
    patterns: "*.rules"
  register: find_userhelper
  tags:
    - audit_rules_privileged_commands_userhelper
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80399-9
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030670
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_userhelper.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_userhelper
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80399-9
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030670

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_userhelper.files | map(attribute='path') | list | first }}"
  when: find_userhelper.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_userhelper
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80399-9
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030670

- name: Inserts/replaces the userhelper rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_userhelper
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80399-9
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030670
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the userhelper rule in /etc/audit/audit.rules
- name: Inserts/replaces the userhelper rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_userhelper
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80399-9
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030670
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects Information on the Use of Privileged Commands - at

Description: At a minimum, the audit system should collect the execution of privileged commands for all users and root.
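Every privileged-command rule on this page (postdrop, chsh, newgidmap, postqueue, chage, userhelper, at, pam_timestamp_check, crontab) has the same shape, so one check serves all of them: the Python below is an added example, not SSG code, that parses audit rule files in the form the descriptions prescribe and reports, per binary, which required field is missing. It takes userhelper's path from the remediation scripts (/usr/sbin/userhelper, where the description above says /usr/bin/userhelper), and the rules.d sample, the function names and the "problem" strings are my own.

```python
"""Added example (not SSG code): check that the auditd privileged-command rules
this page prescribes are present and complete in a set of audit rule files."""
import re
import shlex

# Binaries covered by the rules on this page, with the paths the remediation
# scripts write (userhelper is /usr/sbin/userhelper there).
PRIVILEGED_BINARIES = [
    "/usr/sbin/postdrop", "/usr/bin/chsh", "/usr/bin/newgidmap",
    "/usr/sbin/postqueue", "/usr/bin/chage", "/usr/sbin/userhelper",
    "/usr/bin/at", "/usr/sbin/pam_timestamp_check", "/usr/bin/crontab",
]
# The page writes 'auid!=unset'; auditctl also accepts 4294967295 and -1 for
# the unset login UID, so those spellings satisfy the same requirement.
UNSET_SPELLINGS = {"unset", "4294967295", "-1"}
# name, comparison operator, value of one '-F' field (longest operators first).
FIELD_RE = re.compile(r"^([A-Za-z0-9_]+)(!=|>=|<=|&=|=|>|<|&)(.*)$")


def parse_rule(line):
    """Parse one '-a list,action ...' line into {'action', 'fields', 'keys'}.
    Returns None for comments, blanks and non '-a' lines (-D, -b, -w watches)."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-a":
        return None
    rule = {"action": toks[1], "fields": [], "keys": []}
    for flag, arg in zip(toks[2::2], toks[3::2]):   # every option takes one argument
        if flag == "-F":
            match = FIELD_RE.match(arg)
            if match is None:
                continue
            name, op, value = match.groups()
            if name == "key":                       # '-F key=x' is the same as '-k x'
                rule["keys"].append(value)
            else:
                rule["fields"].append((name, op, value))
        elif flag == "-k":
            rule["keys"].append(arg)
    return rule


def rule_path(rule):
    """The value of the '-F path=' field, or None."""
    return next((v for n, o, v in rule["fields"] if n == "path" and o == "="), None)


def check_privileged_rule(rule):
    """Requirements from the page's rule form that this rule fails ([] means complete)."""
    problems = []
    if rule["action"] not in ("always,exit", "exit,always"):
        problems.append("action must be always,exit")
    fields = {(name, op): value for name, op, value in rule["fields"]}
    if fields.get(("perm", "=")) != "x":
        problems.append("missing -F perm=x")
    if fields.get(("auid", ">=")) != "1000":
        problems.append("missing -F auid>=1000")
    if fields.get(("auid", "!=")) not in UNSET_SPELLINGS:
        problems.append("missing -F auid!=unset")
    if "privileged" not in rule["keys"]:
        problems.append("missing -F key=privileged")
    return problems


def audit_privileged_commands(rule_files, binaries=PRIVILEGED_BINARIES):
    """rule_files maps file name -> contents: every /etc/audit/rules.d/*.rules file
    in augenrules mode, or just /etc/audit/audit.rules in auditctl mode.
    Returns {binary: [problems]}; a binary passes if any rule naming it is complete."""
    found = {}
    for text in rule_files.values():
        for line in text.splitlines():
            rule = parse_rule(line)
            if rule is not None and rule_path(rule) in binaries:
                found.setdefault(rule_path(rule), []).append(rule)
    report = {}
    for binary in binaries:
        hits = found.get(binary)
        if not hits:
            report[binary] = ["no -a always,exit -F path=%s rule found" % binary]
        else:
            report[binary] = min((check_privileged_rule(r) for r in hits), key=len)
    return report


# Constructed sample rules.d: two complete rules (one with the numeric 'unset'
# and '-k'), one rule missing a field, and a -w watch, which is not the form
# the page requires.
SAMPLE_RULES_D = {
    "/etc/audit/rules.d/10-base-config.rules": "-D\n-b 8192\n-f 1\n",
    "/etc/audit/rules.d/privileged.rules": "\n".join([
        "# rules written by the remediation above",
        "-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged",
        "-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged",
        "-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F key=privileged",
        "-w /usr/bin/at -p x -k privileged",
    ]),
}

if __name__ == "__main__":
    for binary, problems in audit_privileged_commands(SAMPLE_RULES_D).items():
        print("%-32s %s" % (binary, "ok" if not problems else "; ".join(problems)))
```

On a real host, pass a dict built from glob("/etc/audit/rules.d/*.rules") in augenrules mode, or from /etc/audit/audit.rules alone in auditctl mode; the report is the same shape either way.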
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

    -a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

References: FAU_GEN.1.1.c

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Remediation Shell script:

PATTERN="-a always,exit -F path=/usr/bin/at\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation Ansible snippet:

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/bin/at.*$"
    patterns: "*.rules"
  register: find_at
  tags:
    - audit_rules_privileged_commands_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_at.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_at.files | map(attribute='path') | list | first }}"
  when: find_at.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Inserts/replaces the at rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the at rule in /etc/audit/audit.rules
- name: Inserts/replaces the at rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check

Description: At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

    -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

References: RHEL-07-030810, SV-86809r4_rule, 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-3(1), AU-12(c), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Identifiers: CCE-80411-2

Remediation Shell script:

PATTERN="-a always,exit -F path=/usr/sbin/pam_timestamp_check\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation Ansible snippet:

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/sbin/pam_timestamp_check.*$"
    patterns: "*.rules"
  register: find_pam_timestamp_check
  tags:
    - audit_rules_privileged_commands_pam_timestamp_check
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80411-2
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030810
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_pam_timestamp_check.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_pam_timestamp_check
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80411-2
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030810

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_pam_timestamp_check.files | map(attribute='path') | list | first }}"
  when: find_pam_timestamp_check.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_pam_timestamp_check
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80411-2
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030810

- name: Inserts/replaces the pam_timestamp_check rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_pam_timestamp_check
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80411-2
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030810
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the pam_timestamp_check rule in /etc/audit/audit.rules
- name: Inserts/replaces the pam_timestamp_check rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_pam_timestamp_check
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80411-2
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030810
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects Information on the Use of Privileged Commands - crontab

Description: At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

    -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

References: RHEL-07-030800, SV-86807r3_rule, 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-3(1), AU-12(c), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized
users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. CCE-80410-4 PATTERN="-a always,exit -F path=/usr/bin/crontab\\s\\+.*" GROUP="privileged" # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation ARCH="" FULL_RULE="-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" # Inserts/replaces the rule in /etc/audit/rules.d - name: Search /etc/audit/rules.d for audit rule entries find: paths: "/etc/audit/rules.d" recurse: no contains: "^.*path=/usr/bin/crontab.*$" patterns: "*.rules" register: find_crontab tags: - audit_rules_privileged_commands_crontab - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80410-4 - NIST-800-53-AU-3(1) - NIST-800-53-AU-12(c) - NIST-800-171-3.1.7 - DISA-STIG-RHEL-07-030800 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules when: find_crontab.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - 
audit_rules_privileged_commands_crontab - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80410-4 - NIST-800-53-AU-3(1) - NIST-800-53-AU-12(c) - NIST-800-171-3.1.7 - DISA-STIG-RHEL-07-030800 - name: Use matched file as the recipient for the rule set_fact: all_files: - "{{ find_crontab.files | map(attribute='path') | list | first }}" when: find_crontab.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_privileged_commands_crontab - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80410-4 - NIST-800-53-AU-3(1) - NIST-800-53-AU-12(c) - NIST-800-171-3.1.7 - DISA-STIG-RHEL-07-030800 - name: Inserts/replaces the crontab rule in rules.d lineinfile: path: "{{ all_files[0] }}" line: '-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged' create: yes tags: - audit_rules_privileged_commands_crontab - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80410-4 - NIST-800-53-AU-3(1) - NIST-800-53-AU-12(c) - NIST-800-171-3.1.7 - DISA-STIG-RHEL-07-030800 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") # Inserts/replaces the crontab rule in /etc/audit/audit.rules - name: Inserts/replaces the crontab rule in audit.rules lineinfile: path: /etc/audit/audit.rules line: '-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged' create: yes tags: - audit_rules_privileged_commands_crontab - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80410-4 - NIST-800-53-AU-3(1) - NIST-800-53-AU-12(c) - NIST-800-171-3.1.7 - DISA-STIG-RHEL-07-030800 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Ensure auditd Collects Information on the Use of Privileged 
Commands - umount At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged RHEL-07-030750 SV-86797r5_rule 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000135 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 AU-3(1) AU-12(c) DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.PT-1 SRG-OS-000042-GPOS-00020 SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215 Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. 
As such, motivation exists to monitor these programs for unusual activity.

Identifiers: CCE-80405-4

Remediation Shell script:

    # fix_audit_syscall_rule is provided by the SCAP Security Guide shared bash remediation functions (not reproduced here)
    PATTERN="-a always,exit -F path=/usr/bin/umount\\s\\+.*"
    GROUP="privileged"
    # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
    ARCH=""
    FULL_RULE="-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation Ansible snippet:

    # Inserts/replaces the rule in /etc/audit/rules.d
    - name: Search /etc/audit/rules.d for audit rule entries
      find:
        paths: "/etc/audit/rules.d"
        recurse: no
        contains: "^.*path=/usr/bin/umount.*$"
        patterns: "*.rules"
      register: find_umount
      tags: [audit_rules_privileged_commands_umount, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80405-4, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030750]
      when:  # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
      set_fact:
        all_files:
          - /etc/audit/rules.d/privileged.rules
      when: find_umount.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_privileged_commands_umount, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80405-4, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030750]

    - name: Use matched file as the recipient for the rule
      set_fact:
        all_files:
          - "{{ find_umount.files | map(attribute='path') | list | first }}"
      when: find_umount.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_privileged_commands_umount, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80405-4, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030750]

    - name: Inserts/replaces the umount rule in rules.d
      lineinfile:
        path: "{{ all_files[0] }}"
        line: '-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      tags: [audit_rules_privileged_commands_umount, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80405-4, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030750]
      when:  # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    # Inserts/replaces the umount rule in /etc/audit/audit.rules
    - name: Inserts/replaces the umount rule in audit.rules
      lineinfile:
        path: /etc/audit/audit.rules
        line: '-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      tags: [audit_rules_privileged_commands_umount, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80405-4, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030750]
      when:  # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd

Description: At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

    -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

DISA STIG: RHEL-07-030640 (SV-86775r5_rule)

References: CIS CSC 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9; COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST 800-171 3.1.7; DISA CCI-000135, CCI-000172, CCI-002884; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA 62443-2009 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA 62443-2013 SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2; ISO 27001-2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2; NIST 800-53 AU-3(1), AU-12(c); NIST CSF DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1; OSPP FAU_GEN.1.1.c; SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
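The rationale above argues for auditing privileged command execution so that misuse can be detected; every rule on this page tags such executions with key=privileged. The following added example (not part of the SCAP Security Guide content) shows how a defender consumes that output: it parses raw auditd records, groups the SYSCALL, EXECVE, CWD and PATH records of one event by their audit(timestamp:serial) identifier, keeps only events whose SYSCALL record carries the privileged key, decodes hex-escaped EXECVE arguments (auditd hex-encodes an argument that contains a space or quote), and reports the login user (auid), the effective uid and the argument vector. The log lines are constructed for the example; the record layout follows the RHEL 7 /var/log/audit/audit.log format.

```python
"""Summarize privileged command executions from auditd records.

Added example (not part of the SCAP Security Guide). It consumes the
events produced by the '-F key=privileged' rules described on this page.
"""
import re
from collections import defaultdict

# Constructed sample records (not from a real host). Event 4501 is a sudoedit
# of a path containing a space, so auditd hex-encoded a1; 4502 is an ordinary
# ls with no key; 4510 is a crontab edit by a second user.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1560355838.123:4501): arch=c000003e syscall=59 success=yes exit=0 a0=1d6a2c0 a1=1d6a380 a2=1d5e010 a3=7ffd1c4e2f60 items=2 ppid=2345 pid=2346 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="sudoedit" exe="/usr/bin/sudo" key="privileged"
type=EXECVE msg=audit(1560355838.123:4501): argc=2 a0="sudoedit" a1=2F6574632F6D792066696C65
type=CWD msg=audit(1560355838.123:4501): cwd="/home/alice"
type=PATH msg=audit(1560355838.123:4501): item=0 name="/usr/bin/sudoedit" inode=1234 dev=fd:01 mode=0104111 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=SYSCALL msg=audit(1560355840.456:4502): arch=c000003e syscall=59 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=2 ppid=2345 pid=2350 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key=(null)
type=EXECVE msg=audit(1560355840.456:4502): argc=1 a0="ls"
type=SYSCALL msg=audit(1560355899.789:4510): arch=c000003e syscall=59 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=2 ppid=3001 pid=3002 auid=1001 uid=1001 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=7 comm="crontab" exe="/usr/bin/crontab" key="privileged"
type=EXECVE msg=audit(1560355899.789:4510): argc=2 a0="crontab" a1="-e"
"""

RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\(null\)|\S+)')
HEX_RE = re.compile(r'^(?:[0-9A-F]{2})+$')
# Fields auditd emits as unquoted uppercase hex when they hold spaces, quotes
# or control bytes; EXECVE a0..aN are handled the same way.
ESCAPED_FIELDS = {'comm', 'exe', 'cwd', 'name', 'proctitle'}


def decode_value(name, raw, record_type):
    """Strip quotes, map (null) to None, and hex-decode escaped string fields."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw == '(null)':
        return None
    escaped = name in ESCAPED_FIELDS or (record_type == 'EXECVE' and re.fullmatch(r'a\d+', name))
    if escaped and HEX_RE.match(raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw


def parse_events(text):
    """Group records by (timestamp, serial); one execve yields several records."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype = m.group('type')
        fields = {k: decode_value(k, v, rtype) for k, v in FIELD_RE.findall(m.group('body'))}
        fields['type'] = rtype
        events[(float(m.group('ts')), int(m.group('serial')))].append(fields)
    return events


def privileged_executions(text, key='privileged'):
    """Return one summary dict per event whose SYSCALL record carries `key`."""
    results = []
    for (ts, serial), records in sorted(parse_events(text).items()):
        syscall = next((r for r in records if r['type'] == 'SYSCALL'), None)
        if syscall is None or syscall.get('key') != key:
            continue  # unrelated event, or a rule tagged with another key
        execve = next((r for r in records if r['type'] == 'EXECVE'), None)
        argv = []
        if execve is not None:
            argv = [execve.get('a%d' % i, '') for i in range(int(execve.get('argc', 0)))]
        results.append({
            'time': ts, 'serial': serial,
            'auid': int(syscall['auid']), 'uid': int(syscall['uid']), 'euid': int(syscall['euid']),
            'ses': syscall.get('ses'), 'tty': syscall.get('tty'),
            'exe': syscall.get('exe'), 'comm': syscall.get('comm'),
            'success': syscall.get('success') == 'yes',
            'argv': argv,
        })
    return results


def by_auid(results):
    """Map each login uid (auid survives su/sudo) to the privileged commands it ran."""
    out = defaultdict(list)
    for r in results:
        out[r['auid']].append(r['comm'])
    return dict(out)


if __name__ == '__main__':
    for r in privileged_executions(SAMPLE_LOG):
        print('auid=%(auid)d euid=%(euid)d tty=%(tty)s exe=%(exe)s argv=%(argv)r' % r)
```

Grouping by the audit(timestamp:serial) identifier matters because the argument vector lives in the EXECVE record, not in the SYSCALL record the path rule matches; reporting auid rather than uid attributes the action to the user who logged in, which is what the auid>=1000 filter in the rules is designed to preserve.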
Identifiers: CCE-80396-5

Remediation Shell script:

    # fix_audit_syscall_rule is provided by the SCAP Security Guide shared bash remediation functions (not reproduced here)
    PATTERN="-a always,exit -F path=/usr/sbin/unix_chkpwd\\s\\+.*"
    GROUP="privileged"
    # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
    ARCH=""
    FULL_RULE="-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation Ansible snippet:

    # Inserts/replaces the rule in /etc/audit/rules.d
    - name: Search /etc/audit/rules.d for audit rule entries
      find:
        paths: "/etc/audit/rules.d"
        recurse: no
        contains: "^.*path=/usr/sbin/unix_chkpwd.*$"
        patterns: "*.rules"
      register: find_unix_chkpwd
      tags: [audit_rules_privileged_commands_unix_chkpwd, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80396-5, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030640]
      when:  # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
      set_fact:
        all_files:
          - /etc/audit/rules.d/privileged.rules
      when: find_unix_chkpwd.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_privileged_commands_unix_chkpwd, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80396-5, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030640]

    - name: Use matched file as the recipient for the rule
      set_fact:
        all_files:
          - "{{ find_unix_chkpwd.files | map(attribute='path') | list | first }}"
      when: find_unix_chkpwd.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_privileged_commands_unix_chkpwd, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80396-5, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030640]

    - name: Inserts/replaces the unix_chkpwd rule in rules.d
      lineinfile:
        path: "{{ all_files[0] }}"
        line: '-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      tags: [audit_rules_privileged_commands_unix_chkpwd, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80396-5, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030640]
      when:  # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    # Inserts/replaces the unix_chkpwd rule in /etc/audit/audit.rules
    - name: Inserts/replaces the unix_chkpwd rule in audit.rules
      lineinfile:
        path: /etc/audit/audit.rules
        line: '-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      tags: [audit_rules_privileged_commands_unix_chkpwd, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80396-5, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030640]
      when:  # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown

Description: At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

    -a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

References: CIS CSC 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9; COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST 800-171 3.1.7; DISA CCI-000135, CCI-000172, CCI-002884; ISA 62443-2009 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA 62443-2013 SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2; ISO 27001-2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2; NIST 800-53 AU-3(1), AU-12(c); NIST CSF DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1; SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Identifiers: CCE-80409-6

Remediation Shell script:

    # fix_audit_syscall_rule is provided by the SCAP Security Guide shared bash remediation functions (not reproduced here)
    PATTERN="-a always,exit -F path=/usr/libexec/pt_chown\\s\\+.*"
    GROUP="privileged"
    # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
    ARCH=""
    FULL_RULE="-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation Ansible snippet:

    # Inserts/replaces the rule in /etc/audit/rules.d
    - name: Search /etc/audit/rules.d for audit rule entries
      find:
        paths: "/etc/audit/rules.d"
        recurse: no
        contains: "^.*path=/usr/libexec/pt_chown.*$"
        patterns: "*.rules"
      register: find_pt_chown
      tags: [audit_rules_privileged_commands_pt_chown, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80409-6, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7]
      when:  # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
      set_fact:
        all_files:
          - /etc/audit/rules.d/privileged.rules
      when: find_pt_chown.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_privileged_commands_pt_chown, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80409-6, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7]

    - name: Use matched file as the recipient for the rule
      set_fact:
        all_files:
          - "{{ find_pt_chown.files | map(attribute='path') | list | first }}"
      when: find_pt_chown.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_privileged_commands_pt_chown, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80409-6, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7]

    - name: Inserts/replaces the pt_chown rule in rules.d
      lineinfile:
        path: "{{ all_files[0] }}"
        line: '-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      tags: [audit_rules_privileged_commands_pt_chown, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80409-6, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7]
      when:  # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    # Inserts/replaces the pt_chown rule in /etc/audit/audit.rules
    - name: Inserts/replaces the pt_chown rule in audit.rules
      lineinfile:
        path: /etc/audit/audit.rules
        line: '-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      tags: [audit_rules_privileged_commands_pt_chown, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80409-6, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7]
      when:  # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign

Description: At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

    -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

DISA STIG: RHEL-07-030780 (SV-86803r3_rule)

References: CIS CSC 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9; COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST 800-171 3.1.7; DISA CCI-000135, CCI-000172, CCI-002884; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA 62443-2009 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA 62443-2013 SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2; ISO 27001-2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2; NIST 800-53 AU-3(1), AU-12(c); NIST CSF DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1; OSPP FAU_GEN.1.1.c; SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Identifiers: CCE-80408-8

Remediation Shell script:

    # fix_audit_syscall_rule is provided by the SCAP Security Guide shared bash remediation functions (not reproduced here)
    PATTERN="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign\\s\\+.*"
    GROUP="privileged"
    # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
    ARCH=""
    FULL_RULE="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation Ansible snippet:

    # Inserts/replaces the rule in /etc/audit/rules.d
    - name: Search /etc/audit/rules.d for audit rule entries
      find:
        paths: "/etc/audit/rules.d"
        recurse: no
        contains: "^.*path=/usr/libexec/openssh/ssh-keysign.*$"
        patterns: "*.rules"
      register: find_ssh_keysign
      tags: [audit_rules_privileged_commands_ssh_keysign, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80408-8, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030780]
      when:  # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
      set_fact:
        all_files:
          - /etc/audit/rules.d/privileged.rules
      when: find_ssh_keysign.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_privileged_commands_ssh_keysign, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80408-8, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030780]

    - name: Use matched file as the recipient for the rule
      set_fact:
        all_files:
          - "{{ find_ssh_keysign.files | map(attribute='path') | list | first }}"
      when: find_ssh_keysign.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags: [audit_rules_privileged_commands_ssh_keysign, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80408-8, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030780]

    - name: Inserts/replaces the ssh_keysign rule in rules.d
      lineinfile:
        path: "{{ all_files[0] }}"
        line: '-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      tags: [audit_rules_privileged_commands_ssh_keysign, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80408-8, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030780]
      when:  # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    # Inserts/replaces the ssh_keysign rule in /etc/audit/audit.rules
    - name: Inserts/replaces the ssh_keysign rule in audit.rules
      lineinfile:
        path: /etc/audit/audit.rules
        line: '-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
        create: yes
      tags: [audit_rules_privileged_commands_ssh_keysign, medium_severity, restrict_strategy, low_complexity, low_disruption, CCE-80408-8, NIST-800-53-AU-3(1), NIST-800-53-AU-12(c), NIST-800-171-3.1.7, DISA-STIG-RHEL-07-030780]
      when:  # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit

Description: At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

    -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

DISA STIG: RHEL-07-030730

References: CIS CSC 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9; COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST 800-171 3.1.7; DISA CCI-000135, CCI-000172, CCI-002884; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA 62443-2009 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA 62443-2013 SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2; ISO 27001-2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2; NIST 800-53 AU-3(1), AU-12(c); NIST CSF DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1; OSPP FAU_GEN.1.1.c; SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
CCE-80402-1 PATTERN="-a always,exit -F path=/usr/bin/sudoedit\\s\\+.*" GROUP="privileged" # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation ARCH="" FULL_RULE="-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" # Inserts/replaces the rule in /etc/audit/rules.d - name: Search /etc/audit/rules.d for audit rule entries find: paths: "/etc/audit/rules.d" recurse: no contains: "^.*path=/usr/bin/sudoedit.*$" patterns: "*.rules" register: find_sudoedit tags: - audit_rules_privileged_commands_sudoedit - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80402-1 - NIST-800-53-AU-3(1) - NIST-800-53-AU-12(c) - NIST-800-171-3.1.7 - DISA-STIG-RHEL-07-030730 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules when: find_sudoedit.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_privileged_commands_sudoedit - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80402-1 - NIST-800-53-AU-3(1) - NIST-800-53-AU-12(c) - NIST-800-171-3.1.7 - DISA-STIG-RHEL-07-030730 - name: Use matched file as the recipient for the rule set_fact: all_files: - "{{ find_sudoedit.files | map(attribute='path') | list | first }}" when: find_sudoedit.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_privileged_commands_sudoedit - medium_severity - restrict_strategy - 
low_complexity - low_disruption - CCE-80402-1 - NIST-800-53-AU-3(1) - NIST-800-53-AU-12(c) - NIST-800-171-3.1.7 - DISA-STIG-RHEL-07-030730 - name: Inserts/replaces the sudoedit rule in rules.d lineinfile: path: "{{ all_files[0] }}" line: '-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged' create: yes tags: - audit_rules_privileged_commands_sudoedit - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80402-1 - NIST-800-53-AU-3(1) - NIST-800-53-AU-12(c) - NIST-800-171-3.1.7 - DISA-STIG-RHEL-07-030730 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") # Inserts/replaces the sudoedit rule in /etc/audit/audit.rules - name: Inserts/replaces the sudoedit rule in audit.rules lineinfile: path: /etc/audit/audit.rules line: '-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged' create: yes tags: - audit_rules_privileged_commands_sudoedit - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-80402-1 - NIST-800-53-AU-3(1) - NIST-800-53-AU-12(c) - NIST-800-171-3.1.7 - DISA-STIG-RHEL-07-030730 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Ensure auditd Collects Information on the Use of Privileged Commands - mount At a minimum, the audit system should collect the execution of privileged commands for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Both forms are path watches: perm=x records every execution of the binary, auid>=1000 restricts this to sessions of real (non-system) users, and auid!=unset drops processes that have no login UID at all, such as daemons started at boot.

References: OSPP FAU_GEN.1.1.c

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Remediation Shell script:

# fix_audit_syscall_rule is defined in SSG's remediation_functions library, sourced by the packaged script.
PATTERN="-a always,exit -F path=/usr/bin/mount\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation Ansible snippet:

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/bin/mount.*$"
    patterns: "*.rules"
  register: find_mount
  tags:
    - audit_rules_privileged_commands_mount
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_mount.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_mount
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_mount.files | map(attribute='path') | list | first }}"
  when: find_mount.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_mount
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Inserts/replaces the mount rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_mount
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the mount rule in /etc/audit/audit.rules
- name: Inserts/replaces the mount rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_mount
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap

At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

References: OSPP FAU_GEN.1.1.c

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Remediation Shell script:

# fix_audit_syscall_rule is defined in SSG's remediation_functions library, sourced by the packaged script.
PATTERN="-a always,exit -F path=/usr/bin/newuidmap\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation Ansible snippet:

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/bin/newuidmap.*$"
    patterns: "*.rules"
  register: find_newuidmap
  tags:
    - audit_rules_privileged_commands_newuidmap
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_newuidmap.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_newuidmap
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_newuidmap.files | map(attribute='path') | list | first }}"
  when: find_newuidmap.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_newuidmap
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Inserts/replaces the newuidmap rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_newuidmap
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the newuidmap rule in /etc/audit/audit.rules
- name: Inserts/replaces the newuidmap rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_newuidmap
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd

At a minimum, the audit system should collect the execution of privileged commands for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

References:
  DISA STIG: RHEL-07-030650 (SV-86777r4_rule)
  CIS Controls: 1, 2, 3, 5, 6, 7, 8, 9, 12, 13, 14, 15, 16
  COBIT 5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
  NIST SP 800-171: 3.1.7
  DISA CCI: CCI-000135, CCI-000172, CCI-002884
  HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
  ISA-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
  ISA-62443-2013: SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 6.1, SR 6.2
  ISO/IEC 27001:2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
  NIST SP 800-53: AU-3(1), AU-12(c)
  NIST CSF: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
  OSPP: FAU_GEN.1.1.c
  SRG: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Identifier: CCE-80397-3

Remediation Shell script:

# fix_audit_syscall_rule is defined in SSG's remediation_functions library, sourced by the packaged script.
PATTERN="-a always,exit -F path=/usr/bin/gpasswd\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation Ansible snippet:

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/bin/gpasswd.*$"
    patterns: "*.rules"
  register: find_gpasswd
  tags:
    - audit_rules_privileged_commands_gpasswd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80397-3
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030650
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_gpasswd.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_gpasswd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80397-3
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030650

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_gpasswd.files | map(attribute='path') | list | first }}"
  when: find_gpasswd.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_gpasswd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80397-3
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030650

- name: Inserts/replaces the gpasswd rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_gpasswd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80397-3
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030650
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the gpasswd rule in /etc/audit/audit.rules
- name: Inserts/replaces the gpasswd rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_gpasswd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80397-3
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030650
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects Information on the Use of Privileged Commands - su

At a minimum, the audit system should collect the execution of privileged commands for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

References:
  DISA STIG: RHEL-07-030680 (SV-86783r5_rule)
  CIS Controls: 1, 2, 3, 5, 6, 7, 8, 9, 12, 13, 14, 15, 16
  COBIT 5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
  NIST SP 800-171: 3.1.7
  DISA CCI: CCI-000135, CCI-000172, CCI-002884
  HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
  ISA-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
  ISA-62443-2013: SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 6.1, SR 6.2
  ISO/IEC 27001:2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
  NIST SP 800-53: AU-3(1), AU-12(c)
  NIST CSF: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
  OSPP: FAU_GEN.1.1.c
  SRG: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Identifier: CCE-80400-5

Remediation Shell script:

# fix_audit_syscall_rule is defined in SSG's remediation_functions library, sourced by the packaged script.
PATTERN="-a always,exit -F path=/usr/bin/su\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation Ansible snippet:

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/bin/su.*$"
    patterns: "*.rules"
  register: find_su
  tags:
    - audit_rules_privileged_commands_su
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80400-5
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030680
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_su.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_su
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80400-5
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030680

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_su.files | map(attribute='path') | list | first }}"
  when: find_su.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_su
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80400-5
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030680

- name: Inserts/replaces the su rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_su
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80400-5
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030680
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the su rule in /etc/audit/audit.rules
- name: Inserts/replaces the su rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_su
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80400-5
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030680
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure auditd Collects Information on the Use of Privileged Commands - newgrp

At a minimum, the audit system should collect the execution of privileged commands for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

References:
  DISA STIG: RHEL-07-030710 (SV-86789r4_rule)
  CIS Controls: 1, 2, 3, 5, 6, 7, 8, 9, 12, 13, 14, 15, 16
  COBIT 5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
  NIST SP 800-171: 3.1.7
  DISA CCI: CCI-000135, CCI-000172, CCI-002884
  HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
  ISA-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
  ISA-62443-2013: SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 6.1, SR 6.2
  ISO/IEC 27001:2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
  NIST SP 800-53: AU-3(1), AU-12(c)
  NIST CSF: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
  OSPP: FAU_GEN.1.1.c
  SRG: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215

Rationale: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
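The privileged-command rules above (sudoedit, mount, newuidmap, gpasswd, su, newgrp) all follow one pattern: a path watch per setuid/setgid binary, tagged key=privileged. The RHEL 7 STIG check behind them enumerates every setuid/setgid executable on local filesystems, so in practice the question is "which of those binaries still has no rule?". The script below is an added example, not SCAP Security Guide code: it emits the rule in the same format as the remediations above, checks a rules.d directory for an existing rule that covers an exact path (so a rule for /usr/bin/su does not count as covering /usr/bin/sudo), and prints the rules that are still missing. The function and file names are my own; the demo uses a constructed rules directory in a temporary location rather than /etc/audit/rules.d.

```shell
#!/bin/bash
# Added example (not part of SCAP Security Guide): report privileged binaries that
# have no "key=privileged" execution watch in a rules.d directory, and print the
# missing rules in SSG's format.

# Print the SSG-style privileged-command rule for one binary path.
privileged_rule() {
    printf '%s\n' "-a always,exit -F path=$1 -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
}

# Succeed if some *.rules file under $1 already carries an exit-list rule for the
# exact path $2. The path must be followed by whitespace or end of line so that a
# rule for /usr/bin/su is not mistaken for one covering /usr/bin/sudo.
# (Paths containing regex metacharacters would need escaping; system binaries don't.)
has_rule_for() {
    local rules_dir="$1" bin="$2"
    grep -Eqs -- "^[[:space:]]*-a[[:space:]]+(always,exit|exit,always)[[:space:]].*-F[[:space:]]+path=${bin}([[:space:]]|\$)" "$rules_dir"/*.rules
}

# Print, one per line, the rules still missing for the binaries listed in $2
# (one path per line), judged against the rules directory $1.
missing_rules() {
    local rules_dir="$1" bin
    printf '%s\n' "$2" | while IFS= read -r bin; do
        [ -n "$bin" ] || continue
        has_rule_for "$rules_dir" "$bin" || privileged_rule "$bin"
    done
}

# On a real host the candidate list is the set of setuid/setgid executables on
# local filesystems, which is what the RHEL 7 STIG check enumerates.
list_privileged_binaries() {
    find / -xdev \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null | LC_ALL=C sort
}

# Constructed demonstration (touches no real audit configuration): a rules.d
# directory that already covers sudo and su, checked against four candidates.
demo_missing_rules() {
    local dir candidates
    dir=$(mktemp -d)
    {
        privileged_rule /usr/bin/sudo
        privileged_rule /usr/bin/su
    } > "$dir/privileged.rules"
    candidates=$(printf '%s\n' /usr/bin/sudo /usr/bin/sudoedit /usr/bin/su /usr/bin/newgrp)
    missing_rules "$dir" "$candidates"
    rm -rf "$dir"
}

# Real use:   missing_rules /etc/audit/rules.d "$(list_privileged_binaries)"
# Demo:       ./privileged_coverage.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo_missing_rules
fi
```

Running the demo prints rules for /usr/bin/sudoedit and /usr/bin/newgrp only. Append the output to the rules.d file the remediations above choose (privileged.rules when no existing rule is found) and reload with augenrules --load; the check looks only at configured files, so confirm the loaded set with auditctl -l afterwards.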
Identifier: CCE-80403-9

Remediation Shell script:

# fix_audit_syscall_rule is defined in SSG's remediation_functions library, sourced by the packaged script.
PATTERN="-a always,exit -F path=/usr/bin/newgrp\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

Remediation Ansible snippet:

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path=/usr/bin/newgrp.*$"
    patterns: "*.rules"
  register: find_newgrp
  tags:
    - audit_rules_privileged_commands_newgrp
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80403-9
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030710
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_newgrp.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_newgrp
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80403-9
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030710

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_newgrp.files | map(attribute='path') | list | first }}"
  when: find_newgrp.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_privileged_commands_newgrp
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80403-9
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030710

- name: Inserts/replaces the newgrp rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    line: '-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_newgrp
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80403-9
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030710
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Inserts/replaces the newgrp rule in /etc/audit/audit.rules
- name: Inserts/replaces the newgrp rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
    create: yes
  tags:
    - audit_rules_privileged_commands_newgrp
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80403-9
    - NIST-800-53-AU-3(1)
    - NIST-800-53-AU-12(c)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-030710
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Record Unsuccessful Ownership Changes to Files - fchownat

The audit system should collect unsuccessful file ownership change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64 bit then also add the following lines. Syscall rules are matched per ABI, so a 32-bit process running on a 64-bit kernel would be invisible to the b64 rules alone:

-a always,exit -F arch=b64 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

The key is only a label for finding the events later (for example with ausearch -k); note that the remediation snippets below tag these rules with key=access instead. The two exit filters are separate rules because a rule carries a single exit value: -EACCES is returned when the caller lacks permission on the path, -EPERM when the caller is not the owner or lacks CAP_CHOWN.

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Rationale: Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Remediation Shell script:

# fix_audit_syscall_rule is defined in SSG's remediation_functions library, sourced by the packaged script.
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S fchownat -F exit=-EACCES.*"
	GROUP="access"
	FULL_RULE="-a always,exit -F arch=$ARCH -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S fchownat -F exit=-EPERM.*"
	GROUP="access"
	FULL_RULE="-a always,exit -F arch=$ARCH -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

Remediation Ansible snippet:

#
# What architecture are we on?
#
- name: Set architecture for audit fchownat tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_fchownat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_fchownat
  tags:
    - audit_rules_unsuccessful_file_modification_fchownat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_fchownat.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_fchownat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_fchownat.files | map(attribute='path') | list | first }}"
  when: find_fchownat.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_fchownat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Inserts/replaces the fchownat rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_fchownat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fchownat rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_fchownat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the fchownat rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_fchownat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fchownat rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_fchownat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

Record Unsuccessful Ownership Changes to Files - lchown

The audit system should collect unsuccessful file ownership change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Rationale: Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
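The fchownat and lchown rules above only pay off if someone reads what they produce. Each denied call becomes a SYSCALL record with success=no, the raw errno in exit= (-13 for EACCES, -1 for EPERM), the login user in auid=, and the rule's key. The script below is an added example, not SCAP Security Guide code: it reads raw auditd SYSCALL records (the format of /var/log/audit/audit.log and of ausearch --raw), keeps those tagged with either key used on this page, and tallies denied ownership changes per login user, program and errno. The sample records are constructed for the demo (timestamps, PIDs and addresses are made up); the syscall numbers 260 (fchownat) and 94 (lchown) are the x86_64 values.

```shell
#!/bin/bash
# Added example (not part of SCAP Security Guide): summarise the events generated
# by the unsuccessful-ownership-change audit rules from raw SYSCALL records.

# Read raw SYSCALL records on stdin. For denied calls tagged with one of the keys
# used on this page, print "auid=<n> exe=<path> <ERRNO> <count>", sorted.
summarize_failed_chown() {
    awk '
        /^type=SYSCALL / && /success=no/ && (/key="access"/ || /key="unsuccesful-perm-change"/) {
            auid = exe = ex = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                gsub(/"/, "", kv[2])          # exe="/usr/bin/chown" -> /usr/bin/chown
                if (kv[1] == "auid") auid = kv[2]
                else if (kv[1] == "exe") exe = kv[2]
                else if (kv[1] == "exit") ex = kv[2]
            }
            # Raw records carry the negative errno; map the two values the rules filter on.
            name = (ex == "-13") ? "EACCES" : ((ex == "-1") ? "EPERM" : ("errno" ex))
            count["auid=" auid " exe=" exe " " name]++
        }
        END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort
}

# Constructed sample: two EACCES fchownat calls and one EPERM lchown by auid 1000,
# one EPERM fchownat from a script run by auid 1001, and one successful record from
# an unrelated perm_mod rule that must be ignored.
sample_records() {
    cat <<'EOF'
type=SYSCALL msg=audit(1560345038.101:4501): arch=c000003e syscall=260 success=no exit=-13 a0=ffffff9c a1=7ffd2a1c0e10 a2=0 a3=0 items=1 ppid=2100 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="chown" exe="/usr/bin/chown" key="access"
type=SYSCALL msg=audit(1560345038.102:4502): arch=c000003e syscall=260 success=no exit=-13 a0=ffffff9c a1=7ffd2a1c0e10 a2=0 a3=0 items=1 ppid=2100 pid=2346 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="chown" exe="/usr/bin/chown" key="access"
type=SYSCALL msg=audit(1560345038.103:4503): arch=c000003e syscall=94 success=no exit=-1 a0=7ffd2a1c0f00 a1=0 a2=0 a3=0 items=1 ppid=2100 pid=2347 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="chown" exe="/usr/bin/chown" key="unsuccesful-perm-change"
type=SYSCALL msg=audit(1560345038.104:4504): arch=c000003e syscall=260 success=no exit=-1 a0=ffffff9c a1=7ffd2a1c0e10 a2=0 a3=0 items=1 ppid=2200 pid=2400 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="python" exe="/usr/bin/python2.7" key="access"
type=SYSCALL msg=audit(1560345038.105:4505): arch=c000003e syscall=260 success=yes exit=0 a0=ffffff9c a1=7ffd2a1c0e10 a2=0 a3=0 items=1 ppid=2100 pid=2348 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="chown" exe="/usr/bin/chown" key="perm_mod"
EOF
}

# Run the summary over the constructed sample.
demo_summary() {
    sample_records | summarize_failed_chown
}

# Real use:  ausearch -k access --raw | summarize_failed_chown
#            summarize_failed_chown < /var/log/audit/audit.log
if [ "${1:-}" = "--demo" ]; then
    demo_summary
fi
```

The demo yields three lines: two EACCES and one EPERM denial for auid 1000 via /usr/bin/chown, and one EPERM denial for auid 1001 via /usr/bin/python2.7. The split by errno matters when triaging: EACCES means the user could not even reach the file, while EPERM means the path was reachable but the user does not own it, which is the pattern a compromised account probing for writable system files produces.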
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S lchown -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S lchown -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

#
# What architecture are we on?
#
- name: Set architecture for audit lchown tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_lchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_lchown
  tags:
    - audit_rules_unsuccessful_file_modification_lchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_lchown.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_lchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_lchown.files | map(attribute='path') | list | first }}"
  when: find_lchown.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_lchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Inserts/replaces the lchown rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_lchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the lchown rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_lchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the lchown rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_lchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the lchown rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_lchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

Record Unsuccessful Permission Changes to Files - fchmodat

The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S fchmodat -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S fchmodat -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

#
# What architecture are we on?
#
- name: Set architecture for audit fchmodat tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_fchmodat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_fchmodat
  tags:
    - audit_rules_unsuccessful_file_modification_fchmodat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_fchmodat.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_fchmodat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_fchmodat.files | map(attribute='path') | list | first }}"
  when: find_fchmodat.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_fchmodat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Inserts/replaces the fchmodat rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_fchmodat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fchmodat rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_fchmodat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the fchmodat rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_fchmodat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fchmodat rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_fchmodat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

Record Unsuccessful Permission Changes to Files - removexattr

The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S removexattr -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S removexattr -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

#
# What architecture are we on?
#
- name: Set architecture for audit removexattr tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_removexattr
  tags:
    - audit_rules_unsuccessful_file_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_removexattr.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_removexattr.files | map(attribute='path') | list | first }}"
  when: find_removexattr.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Inserts/replaces the removexattr rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the removexattr rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the removexattr rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the removexattr rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

Record Unsuccessful Ownership Changes to Files - chown

The audit system should collect unsuccessful file ownership change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise.

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S chown -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S chown -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

#
# What architecture are we on?
#
- name: Set architecture for audit chown tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_chown
  tags:
    - audit_rules_unsuccessful_file_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_chown.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_chown.files | map(attribute='path') | list | first }}"
  when: find_chown.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Inserts/replaces the chown rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the chown rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the chown rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the chown rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

Record Unsuccessful Ownership Changes to Files - fchown

The audit system should collect unsuccessful file ownership change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S fchown -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S fchown -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

#
# What architecture are we on?
#
- name: Set architecture for audit fchown tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_fchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_fchown
  tags:
    - audit_rules_unsuccessful_file_modification_fchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_fchown.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_fchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_fchown.files | map(attribute='path') | list | first }}"
  when: find_fchown.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_fchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Inserts/replaces the fchown rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_fchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fchown rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_fchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the fchown rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_fchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fchown rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_fchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

Record Unsuccessful Permission Changes to Files - setxattr

The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S setxattr -F exit=-EACCES.*"
	GROUP="access"
	FULL_RULE="-a always,exit -F arch=$ARCH -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S setxattr -F exit=-EPERM.*"
	GROUP="access"
	FULL_RULE="-a always,exit -F arch=$ARCH -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

#
# What architecture are we on?
#
- name: Set architecture for audit setxattr tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_setxattr
  tags:
    - audit_rules_unsuccessful_file_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_setxattr.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_setxattr.files | map(attribute='path') | list | first }}"
  when: find_setxattr.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Inserts/replaces the setxattr rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the setxattr rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the setxattr rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the setxattr rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

Record Unsuccessful Permission Changes to Files - lremovexattr

The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64-bit, also add the following lines:

-a always,exit -F arch=b64 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S lremovexattr -F exit=-EACCES.*"
	GROUP="access"
	FULL_RULE="-a always,exit -F arch=$ARCH -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S lremovexattr -F exit=-EPERM.*"
	GROUP="access"
	FULL_RULE="-a always,exit -F arch=$ARCH -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

#
# What architecture are we on?
#
- name: Set architecture for audit lremovexattr tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_lremovexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_lremovexattr
  tags:
    - audit_rules_unsuccessful_file_modification_lremovexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_lremovexattr.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_lremovexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_lremovexattr.files | map(attribute='path') | list | first }}"
  when: find_lremovexattr.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_lremovexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Inserts/replaces the lremovexattr rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_lremovexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the lremovexattr rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_lremovexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the lremovexattr rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_lremovexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the lremovexattr rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_lremovexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

Record Unsuccessful Permission Changes to Files - fremovexattr

The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64-bit, also add the following lines:

-a always,exit -F arch=b64 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient.
See the following example:

-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S fremovexattr -F exit=-EACCES.*"
	GROUP="access"
	FULL_RULE="-a always,exit -F arch=$ARCH -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S fremovexattr -F exit=-EPERM.*"
	GROUP="access"
	FULL_RULE="-a always,exit -F arch=$ARCH -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

#
# What architecture are we on?
#
- name: Set architecture for audit fremovexattr tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_fremovexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_fremovexattr
  tags:
    - audit_rules_unsuccessful_file_modification_fremovexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_fremovexattr.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_fremovexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_fremovexattr.files | map(attribute='path') | list | first }}"
  when: find_fremovexattr.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_fremovexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Inserts/replaces the fremovexattr rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_fremovexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fremovexattr rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_fremovexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the fremovexattr rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_fremovexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fremovexattr rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_fremovexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

Record Unsuccessful Permission Changes to Files - fsetxattr

The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64-bit, also add the following lines:

-a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient.
See the following example:

-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S fsetxattr -F exit=-EACCES.*"
	GROUP="access"
	FULL_RULE="-a always,exit -F arch=$ARCH -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S fsetxattr -F exit=-EPERM.*"
	GROUP="access"
	FULL_RULE="-a always,exit -F arch=$ARCH -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

#
# What architecture are we on?
#
- name: Set architecture for audit fsetxattr tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_fsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_fsetxattr
  tags:
    - audit_rules_unsuccessful_file_modification_fsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_fsetxattr.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_fsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_fsetxattr.files | map(attribute='path') | list | first }}"
  when: find_fsetxattr.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_fsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Inserts/replaces the fsetxattr rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_fsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fsetxattr rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_fsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the fsetxattr rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_fsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fsetxattr rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_fsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

Record Unsuccessful Permission Changes to Files - lsetxattr

The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64-bit, also add the following lines:

-a always,exit -F arch=b64 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise.

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S lsetxattr -F exit=-EACCES.*"
	GROUP="access"
	FULL_RULE="-a always,exit -F arch=$ARCH -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S lsetxattr -F exit=-EPERM.*"
	GROUP="access"
	FULL_RULE="-a always,exit -F arch=$ARCH -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

#
# What architecture are we on?
#
- name: Set architecture for audit lsetxattr tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags:
    - audit_rules_unsuccessful_file_modification_lsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_lsetxattr
  tags:
    - audit_rules_unsuccessful_file_modification_lsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_lsetxattr.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_lsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_lsetxattr.files | map(attribute='path') | list | first }}"
  when: find_lsetxattr.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_lsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

- name: Inserts/replaces the lsetxattr rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_lsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the lsetxattr rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_lsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the lsetxattr rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags:
    - audit_rules_unsuccessful_file_modification_lsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the lsetxattr rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags:
    - audit_rules_unsuccessful_file_modification_lsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption

Record Unsuccessful Permission Changes to Files - chmod

The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64-bit, also add the following lines:

-a always,exit -F arch=b64 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

# fix_audit_syscall_rule is provided by the SSG shared bash remediation functions
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S chmod -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S chmod -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

#
# What architecture are we on?
#
- name: Set architecture for audit chmod tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags: [audit_rules_unsuccessful_file_modification_chmod, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=access$"   # the key written by the tasks below
    patterns: "*.rules"
  register: find_chmod
  tags: [audit_rules_unsuccessful_file_modification_chmod, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_chmod.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_chmod, medium_severity, restrict_strategy, low_complexity, low_disruption]

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_chmod.files | map(attribute='path') | list | first }}"
  when: find_chmod.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_chmod, medium_severity, restrict_strategy, low_complexity, low_disruption]

- name: Inserts/replaces the chmod rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags: [audit_rules_unsuccessful_file_modification_chmod, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the chmod rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_chmod, medium_severity, restrict_strategy, low_complexity, low_disruption]

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the chmod rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags: [audit_rules_unsuccessful_file_modification_chmod, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the chmod rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_chmod, medium_severity, restrict_strategy, low_complexity, low_disruption]

Record Unsuccessful Permission Changes to Files - fchmod

The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example, which still needs a matching -F exit=-EPERM rule beside it:

-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

# fix_audit_syscall_rule is provided by the SSG shared bash remediation functions
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S fchmod -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S fchmod -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

#
# What architecture are we on?
#
- name: Set architecture for audit fchmod tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  tags: [audit_rules_unsuccessful_file_modification_fchmod, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=access$"   # the key written by the tasks below
    patterns: "*.rules"
  register: find_fchmod
  tags: [audit_rules_unsuccessful_file_modification_fchmod, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when: find_fchmod.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_fchmod, medium_severity, restrict_strategy, low_complexity, low_disruption]

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_fchmod.files | map(attribute='path') | list | first }}"
  when: find_fchmod.matched > 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_fchmod, medium_severity, restrict_strategy, low_complexity, low_disruption]

- name: Inserts/replaces the fchmod rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b32 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags: [audit_rules_unsuccessful_file_modification_fchmod, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fchmod rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "{{ item }}"
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_fchmod, medium_severity, restrict_strategy, low_complexity, low_disruption]

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the fchmod rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b32 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  tags: [audit_rules_unsuccessful_file_modification_fchmod, medium_severity, restrict_strategy, low_complexity, low_disruption]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Inserts/replaces the fchmod rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    - "-a always,exit -F arch=b64 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
  tags: [audit_rules_unsuccessful_file_modification_fchmod, medium_severity, restrict_strategy, low_complexity, low_disruption]

Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd

The audit system should collect write events to the /etc/passwd file for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify

The a2&03 filter tests the flags argument for O_WRONLY or O_RDWR, so only opens for writing are recorded. Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example; open(2) takes its flags in the second argument (a1) rather than the third, so it cannot share the a2 filter and needs its own rule:

-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify

FAU_GEN.1.1.c

Creating users by directly editing /etc/passwd could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group

The audit system should collect write events to the /etc/group file for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify

The a2&03 filter tests the flags argument for O_WRONLY or O_RDWR, so only opens for writing are recorded. Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example; open(2) takes its flags in the second argument (a1) rather than the third, so it needs its own rule:

-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify

FAU_GEN.1.1.c

Creating groups by directly editing /etc/group could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Record Events that Modify User/Group Information via open syscall - /etc/passwd

The audit system should collect write events to the /etc/passwd file for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify

For open(2) the flags are the second argument, so the filter is a1&03 (O_WRONLY or O_RDWR); a2 would test the mode argument, which only means something with O_CREAT. Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example, where openat and open_by_handle_at (flags in a2) share one rule and open keeps its own:

-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify

FAU_GEN.1.1.c

Creating users by directly editing /etc/passwd could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
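The rules in the sections above are only as good as the filters they carry, and the filters are easy to get subtly wrong (the argument index for the flags, the unsigned "unset" auid). The following Python script is an added example, not SSG content: it re-implements the field matching that the kernel audit filter performs for the fields these rules use (arch, -S, exit, auid, aN bit tests, path) and runs the page's unsuccessful-permission-change rule and the /etc/passwd open-family rules over constructed audit.log records. The syscall numbers, errno values and arch tags are assumed x86_64 Linux constants, and the log records are constructed for the example.

```python
"""Added example (not SSG code): evaluate the -F filters of this page's audit
rules against constructed audit.log SYSCALL/PATH records. Syscall numbers,
errno values and arch tags below are assumed x86_64 Linux constants."""
import re
import shlex

ERRNO = {"EPERM": 1, "EACCES": 13}                       # exit=-EACCES means exit=-13
SYSCALL_NR = {"open": 2, "chmod": 90, "fchmod": 91, "setxattr": 188, "lsetxattr": 189,
              "fsetxattr": 190, "openat": 257, "fchmodat": 268, "open_by_handle_at": 304}
ARCH_TAG = {"c000003e": "b64", "40000003": "b32"}        # AUDIT_ARCH_X86_64, AUDIT_ARCH_I386
AUID_UNSET = 0xFFFFFFFF                                  # no login uid; auditctl spells it 'unset'
OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b, ">": lambda a, b: a > b,
       "<": lambda a, b: a < b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       "&": lambda a, b: (a & b) != 0,                   # any of the bits set
       "&=": lambda a, b: (a & b) == b}                  # all of the bits set
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed records: 1001 chmod on /etc/shadow (EACCES); 1002 vim opening /etc/passwd
# for writing via openat (EACCES); 1003 cat reading /etc/passwd; 1004 a daemon with
# auid unset failing chmod (EPERM); 1005 open(2) of /etc/passwd, flags in a1, mode in a2.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1560355200.101:1001): arch=c000003e syscall=90 success=no exit=-13 a0=7ffd1c2e0a40 a1=1ed a2=0 a3=0 items=1 ppid=2100 pid=2101 auid=1000 uid=1000 comm="chmod" exe="/usr/bin/chmod"
type=PATH msg=audit(1560355200.101:1001): item=0 name="/etc/shadow" inode=67890 dev=fd:00 mode=0100000 ouid=0 ogid=0
type=SYSCALL msg=audit(1560355200.102:1002): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f1e6c0012a0 a2=241 a3=1b6 items=1 ppid=2100 pid=2102 auid=1000 uid=1000 comm="vim" exe="/usr/bin/vim"
type=PATH msg=audit(1560355200.102:1002): item=0 name="/etc/passwd" inode=12345 dev=fd:00 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1560355200.103:1003): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7f1e6c0013c0 a2=0 a3=0 items=1 ppid=2100 pid=2103 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat"
type=PATH msg=audit(1560355200.103:1003): item=0 name="/etc/passwd" inode=12345 dev=fd:00 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1560355200.104:1004): arch=c000003e syscall=90 success=no exit=-1 a0=7ffd1c2e0b40 a1=1ed a2=0 a3=0 items=1 ppid=1 pid=2104 auid=4294967295 uid=0 comm="chmod" exe="/usr/bin/chmod"
type=PATH msg=audit(1560355200.104:1004): item=0 name="/usr/bin/sudo" inode=555 dev=fd:00 mode=0104111 ouid=0 ogid=0
type=SYSCALL msg=audit(1560355200.105:1005): arch=c000003e syscall=2 success=no exit=-13 a0=7f1e6c0014e0 a1=241 a2=1a4 a3=0 items=1 ppid=2100 pid=2105 auid=1000 uid=1000 comm="sed" exe="/usr/bin/sed"
type=PATH msg=audit(1560355200.105:1005): item=0 name="/etc/passwd" inode=12345 dev=fd:00 mode=0100644 ouid=0 ogid=0
"""

# The page's rules in their b64 form; OPEN_RULE_A2 is the open(2) rule with the
# wrong argument index, OPEN_RULE_A1 the corrected one.
PERM_RULE = ("-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr"
             " -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change")
PASSWD_RULE = ("-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03"
               " -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify")
OPEN_RULE_A2 = ("-a always,exit -F arch=b64 -S open -F a2&03 -F path=/etc/passwd"
                " -F auid>=1000 -F auid!=unset -F key=user-modify")
OPEN_RULE_A1 = OPEN_RULE_A2.replace("a2&03", "a1&03")


def parse_rule(rule):
    """Split one '-a always,exit ...' line into (arch, syscall names, field filters)."""
    argv = shlex.split(rule)
    arch, syscalls, filters = None, set(), []
    for flag, val in zip(argv[::2], argv[1::2]):
        if flag == "-S":
            syscalls.update(val.split(","))
        elif flag == "-F":
            field, op, value = re.match(r"(\w+)(!=|>=|<=|&=|=|>|<|&)(.*)", val).groups()
            if field == "arch":
                arch = value
            elif field != "key":                          # key= only labels matching records
                filters.append((field, op, value))
    return arch, syscalls, filters


def _rule_value(field, v):
    if v == "unset":
        return AUID_UNSET
    if field == "exit" and v.lstrip("-") in ERRNO:
        return -ERRNO[v.lstrip("-")]
    return int(v, 8) if v.isdigit() and len(v) > 1 and v[0] == "0" else int(v, 0)


def _record_value(field, v):
    return int(v, 16) if re.fullmatch(r"a[0-3]", field) else int(v)   # a0..a3 are bare hex


def rule_matches(rule, event):
    arch, syscalls, filters = parse_rule(rule)
    if arch and ARCH_TAG.get(event.get("arch")) != arch:
        return False
    if syscalls and int(event["syscall"]) not in {SYSCALL_NR[s] for s in syscalls}:
        return False
    for field, op, value in filters:
        if field == "path":
            if event.get("path") != value:
                return False
        elif field not in event or not OPS[op](_record_value(field, event[field]),
                                              _rule_value(field, value)):
            return False
    return True


def parse_events(log):
    """Group lines by event serial; fold SYSCALL fields and the first PATH name together."""
    events = {}
    for line in log.splitlines():
        serial = re.search(r"msg=audit\([\d.]+:(\d+)\)", line).group(1)
        kv = {k: v.strip('"') for k, v in _KV.findall(line)}
        ev = events.setdefault(serial, {})
        if kv["type"] == "SYSCALL":
            ev.update(kv)
        elif kv["type"] == "PATH":
            ev.setdefault("path", kv["name"])
    return events


def matching_serials(rule, log=SAMPLE_LOG):
    """Serials of the events in log that the rule would have tagged with its key."""
    return sorted(s for s, ev in parse_events(log).items() if rule_matches(rule, ev))
```

Running matching_serials(PERM_RULE) yields ["1001"]; dropping "-F auid!=unset" from the EPERM variant makes event 1004 match, because the unset auid is 4294967295 and passes auid>=1000, which is why both auid filters are always present on this page. matching_serials(OPEN_RULE_A2) is empty while matching_serials(OPEN_RULE_A1) is ["1005"]: with a2 the filter tests the mode 0644 instead of the flags 0x241.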
System Audit Logs Must Have Mode 0750 or Less Permissive

If log_group in /etc/audit/auditd.conf is set to a group other than the root group account, change the mode of the audit log directory with the following command:

$ sudo chmod 0750 /var/log/audit

Otherwise, change the mode of the audit log directory with the following command:

$ sudo chmod 0700 /var/log/audit

1 11 12 13 14 15 16 18 19 3 4 5 6 7 8 APO01.06 APO11.04 APO12.06 BAI03.05 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 DSS06.02 MEA02.01 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.3.7.3 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 5.2 SR 6.1 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 AU-1(b) AU-9 IR-5 DE.AE-3 DE.AE-5 PR.AC-4 PR.DS-5 PR.PT-1 RS.AN-1 RS.AN-4

If users can write to audit logs, audit trails can be modified or destroyed.

# Only an uncommented log_group line counts; a commented-out one must not widen the mode
if LC_ALL=C grep -m 1 -q '^log_group' /etc/audit/auditd.conf; then
    GROUP=$(awk -F "=" '/^log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
    if [ "${GROUP}" != 'root' ] ; then
        chmod 0750 /var/log/audit
    else
        chmod 0700 /var/log/audit
    fi
else
    chmod 0700 /var/log/audit
fi

Record Events that Modify User/Group Information via openat syscall - /etc/group

The audit system should collect write events to the /etc/group file for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify

The a2&03 filter tests the flags argument for O_WRONLY or O_RDWR, so only opens for writing are recorded. Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example; open(2) takes its flags in the second argument (a1) rather than the third, so it needs its own rule:

-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify

FAU_GEN.1.1.c

Creating groups by directly editing /etc/group could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Record Events that Modify User/Group Information via open syscall - /etc/group

The audit system should collect write events to the /etc/group file for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify

For open(2) the flags are the second argument, so the filter is a1&03 (O_WRONLY or O_RDWR); a2 would test the mode argument, which only means something with O_CREAT. Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example, where openat and open_by_handle_at (flags in a2) share one rule and open keeps its own:

-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify

FAU_GEN.1.1.c

Creating groups by directly editing /etc/group could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Record Events that Modify User/Group Information via openat syscall - /etc/passwd

The audit system should collect write events to the /etc/passwd file for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify

The a2&03 filter tests the flags argument for O_WRONLY or O_RDWR, so only opens for writing are recorded. Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example; open(2) takes its flags in the second argument (a1) rather than the third, so it needs its own rule:

-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify

FAU_GEN.1.1.c

Creating users by directly editing /etc/passwd could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Record Access Events to Audit Log directory

The audit system should collect read access events to the audit log directory. The following audit rule ensures that read accesses to the audit log directory are collected:

-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rule to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rule to the /etc/audit/audit.rules file.
FAU_GEN.1.1.c

Attempts to read the logs should be recorded; suspicious access to audit log files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Shutdown System When Auditing Failures Occur

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-f 2

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the top of the /etc/audit/audit.rules file:

-f 2

RHEL-07-030010 SV-86705r4_rule 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 3.3.1 3.3.4 CCI-000139 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-5 AU-5(b) PR.PT-1 SRG-OS-000046-GPOS-00022 SRG-OS-000047-GPOS-00023

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. With -f 2 the kernel panics on an audit failure, so the rule should be enabled only where audit integrity outweighs availability.

CCE-80997-0

# Traverse all of:
#
# /etc/audit/audit.rules,        (for auditctl case)
# /etc/audit/rules.d/*.rules     (for augenrules case)
#
# files to check if a '-f .*' setting is present in that '*.rules' file already.
# If found, delete such occurrence so that the '-f 2' line appended below is the
# only failure-mode setting in effect.
find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/^-f[[:space:]]\+.*/d' {} ';'

# Append '-f 2' requirement at the end of both:
# * /etc/audit/audit.rules file (for auditctl case)
# * /etc/audit/rules.d/immutable.rules (for augenrules case)
for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules"
do
    echo '' >> "$AUDIT_FILE"
    echo '# Set the audit.rules configuration to halt system upon audit failure per security requirements' >> "$AUDIT_FILE"
    echo '-f 2' >> "$AUDIT_FILE"
done

Extend Audit Backlog Limit for the Audit Daemon

To improve the kernel's capacity to queue all log events, even those which occurred before the audit daemon started, add the argument audit_backlog_limit=8192 to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:

GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 audit=1 audit_backlog_limit=8192"

The GRUB 2 configuration file, grub.cfg, is automatically updated each time a new kernel is installed. Note that any changes to /etc/default/grub require rebuilding the grub.cfg file. To update the GRUB 2 configuration file manually, use the grub2-mkconfig -o command as follows.

On BIOS-based machines, issue the following command as root:

~]# grub2-mkconfig -o /boot/grub2/grub.cfg

On UEFI-based machines, issue the following command as root:

~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

audit_backlog_limit sets the queue length for audit events awaiting transfer to the audit daemon. Until the audit daemon is up and running, all log messages are stored in this queue. If the queue is overrun during the boot process, the action defined by the audit failure flag is taken.
# Correct the form of default kernel command line in GRUB
if grep -q '^GRUB_CMDLINE_LINUX=.*audit_backlog_limit=.*"' '/etc/default/grub' ; then
    # modify the GRUB command-line if an audit_backlog_limit= arg already exists
    sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)audit_backlog_limit=[^[:space:]]*\(.*"\)/\1 audit_backlog_limit=8192 \2/' '/etc/default/grub'
else
    # no audit_backlog_limit= arg is present, append it
    sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 audit_backlog_limit=8192"/' '/etc/default/grub'
fi

# Correct the form of kernel command line for each installed kernel in the bootloader
grubby --update-kernel=ALL --args="audit_backlog_limit=8192"

Install the auditd service

The auditd service should be installed.

NT28(R50)

The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with a potential local access control policy such as the SELinux policy.

Ensure Logs Sent To Remote Host

To configure rsyslog to send logs to a remote log server, open /etc/rsyslog.conf and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting loghost.example.com appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.

To use UDP for log message delivery:

*.* @loghost.example.com

To use TCP for log message delivery:

*.* @@loghost.example.com

To use RELP for log message delivery:

*.* :omrelp:loghost.example.com

There must be a resolvable DNS CNAME or Alias record set to "" for logs to be sent correctly to the centralized logging utility.
References:
RHEL-07-031000 SV-86833r2_rule 4.2.1.4 1 13 14 15 16 2 3 5 6 APO11.04 APO13.01 BAI03.05 BAI04.04 DSS05.04 DSS05.07 MEA02.01 CCI-000366 CCI-001348 CCI-000136 CCI-001851 164.308(a)(1)(ii)(D) 164.308(a)(5)(ii)(B) 164.308(a)(5)(ii)(C) 164.308(a)(6)(ii) 164.308(a)(8) 164.310(d)(2)(iii) 164.312(b) 164.314(a)(2)(i)(C) 164.314(a)(2)(iii) 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 7.1 SR 7.2 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.17.2.1 AU-3(2) AU-4(1) AU-9 PR.DS-4 PR.PT-1 FAU_GEN.1.1.c SRG-OS-000480-GPOS-00227 SRG-OS-000032-VMM-000130

Rationale:

A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.

Identifiers:
CCE-27343-3

Remediation Shell script:

    rsyslog_remote_loghost_address=""

    # replace_or_append is a helper from the SCAP Security Guide bash remediation
    # function library: it rewrites the first line matching the regex, or appends
    # a new line formatted with the given printf pattern.
    replace_or_append '/etc/rsyslog.conf' '^\*\.\*' "@@$rsyslog_remote_loghost_address" 'CCE-27343-3' '%s %s'

Remediation Ansible snippet:

    - name: XCCDF Value rsyslog_remote_loghost_address # promote to variable
      set_fact:
        rsyslog_remote_loghost_address: !!str
      tags:
        - always

    - name: "Set rsyslog remote loghost"
      lineinfile:
        dest: /etc/rsyslog.conf
        regexp: "^\\*\\.\\*"
        line: "*.* @@{{ rsyslog_remote_loghost_address }}"
        create: yes
      tags:
        - rsyslog_remote_loghost
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27343-3
        - NIST-800-53-AU-3(2)
        - NIST-800-53-AU-4(1)
        - NIST-800-53-AU-9
        - DISA-STIG-RHEL-07-031000
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure cron Is Logging To Rsyslog

Cron logging must be implemented to spot intrusions or trace cron job status.
If cron is not logging to rsyslog, it can be implemented by adding the following to the RULES section of /etc/rsyslog.conf:

    cron.* /var/log/cron

References:
RHEL-07-021100 SV-86675r2_rule 1 14 15 16 3 5 6 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 CCI-000366 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.15.2.1 A.15.2.2 AU-2(d) ID.SC-4 PR.PT-1 FAU_GEN.1.1.c SRG-OS-000480-GPOS-00227

Rationale:

Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.

Identifiers:
CCE-80380-9

Remediation Shell script:

    # Only add the rule when no configuration file already carries it
    if ! grep -qs "^\s*cron\.\*\s*/var/log/cron$" /etc/rsyslog.conf /etc/rsyslog.d/*.conf; then
        mkdir -p /etc/rsyslog.d
        echo "cron.* /var/log/cron" >> /etc/rsyslog.d/cron.conf
    fi

Enable syslog-ng Service

The syslog-ng service (in replacement of rsyslog) provides syslog-style logging by default on Debian 8. The syslog-ng service can be enabled with the following command:

    $ sudo systemctl enable syslog-ng.service

References:
NT28(R46) NT28(R5) 5.1.2 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO13.01 BAI03.05 BAI04.04 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 SR 7.1 SR 7.2 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 A.17.2.1 AU-4(1) AU-12 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.DS-4 PR.PT-1

Rationale:

The syslog-ng service must be running in order to provide logging services, which are essential to system administration.

Ensure syslog-ng is Installed

syslog-ng can be installed in replacement of rsyslog.
The syslog-ng-core package can be installed with the following command:

    $ sudo yum install syslog-ng-core

References:
NT28(R46) NT28(R5) 5.1.1 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 CCI-001311 CCI-001312 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-9(2) PR.PT-1

Rationale:

The syslog-ng-core package provides the syslog-ng daemon, which provides system logging services.

Enable rsyslog to Accept Messages via UDP, if Acting As Log Server

The rsyslog daemon should not accept remote messages unless the system acts as a log server. If the system needs to act as a central log server, add the following lines to /etc/rsyslog.conf to enable reception of messages over UDP:

    $ModLoad imudp
    $UDPServerRun 514

References:
4.2.1.5 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-9 PR.PT-1

Rationale:

Many devices, such as switches, routers, and other Unix-like systems, may only support the traditional syslog transmission over UDP. If the system must act as a log server, this enables it to receive their messages as well.

Identifiers:
CCE-80194-4

Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server

The rsyslog daemon should not accept remote messages unless the system acts as a log server.
To ensure that it is not listening on the network, ensure the following lines are not found in /etc/rsyslog.conf:

    $ModLoad imtcp
    $InputTCPServerRun port
    $ModLoad imudp
    $UDPServerRun port
    $ModLoad imrelp
    $InputRELPServerRun port

References:
RHEL-07-031010 SV-86835r2_rule 1 11 12 13 14 15 16 18 3 4 5 6 8 9 APO01.06 APO11.04 APO13.01 BAI03.05 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.05 DSS03.01 DSS05.02 DSS05.04 DSS05.07 DSS06.02 MEA02.01 CCI-000318 CCI-000368 CCI-001812 CCI-001813 CCI-001814 4.2.3.4 4.3.3.3.9 4.3.3.4 4.3.3.5.8 4.3.4.3.2 4.3.4.3.3 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 4.4.3.3 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.5.1 A.12.6.2 A.12.7.1 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AU-9(2) AC-4 CM-6(c) DE.AE-1 ID.AM-3 PR.AC-5 PR.DS-5 PR.IP-1 PR.PT-1 PR.PT-4 SRG-OS-000480-GPOS-00227

Rationale:

Any process which receives messages from the network incurs some risk of receiving malicious messages. This risk can be eliminated for rsyslog by configuring it not to listen on the network.

Identifiers:
CCE-80192-8

Enable rsyslog to Accept Messages via TCP, if Acting As Log Server

The rsyslog daemon should not accept remote messages unless the system acts as a log server. If the system needs to act as a central log server, add the following lines to /etc/rsyslog.conf to enable reception of messages over TCP:

    $ModLoad imtcp
    $InputTCPServerRun 514

References:
4.2.1.5 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-9 PR.PT-1

Rationale:

If the system needs to act as a log server, this ensures that it can receive messages over a reliable TCP connection.
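The rsyslog rules above (forwarding to a remote loghost, not listening unless acting as a log server, and the UDP and TCP listener directives) can be checked from the configuration files with the following added example, which is not SCAP Security Guide code. It recognises only the legacy directive syntax the rules use ($ModLoad, @host, @@host, :omrelp:host), not rsyslog's newer module() syntax, and the two sample configurations are constructed for the example; the function names are the example's own.

```shell
#!/bin/bash
# Added example (not SCAP Security Guide code): inspect rsyslog configuration
# files for the two things the rules above care about, remote forwarding
# targets and network listeners.  Only the legacy "$ModLoad" / "@host" syntax
# shown in the rules is recognised; the RainerScript module() form is not.

# Print "proto host" for every forwarding action found in the files given as
# arguments, ignoring commented-out lines.
rsyslog_forward_targets() {
    awk '
        /^[[:space:]]*#/ { next }
        NF >= 2 {
            if ($2 ~ /^@@/) { print "tcp", substr($2, 3) }
            else if ($2 ~ /^@/) { print "udp", substr($2, 2) }
            else if ($2 ~ /^:omrelp:/) { print "relp", substr($2, 9) }
        }' "$@"
}

# Print the network input modules (imudp, imtcp, imrelp) loaded in the given
# files; return 1 when none is loaded, i.e. rsyslog is not listening.
rsyslog_listeners() {
    grep -h -E '^[[:space:]]*\$ModLoad[[:space:]]+im(udp|tcp|relp)([[:space:]]|$)' "$@" \
        | awk '{ print $2 }' \
        | grep .
}

# Classify a configuration: "server" if it listens on the network, "client"
# if it only forwards, "standalone" if it does neither.
rsyslog_role() {
    if rsyslog_listeners "$@" >/dev/null; then
        echo server
    elif [ -n "$(rsyslog_forward_targets "$@")" ]; then
        echo client
    else
        echo standalone
    fi
}

# Constructed sample configurations.
RSYSLOG_CLIENT=$(mktemp)
cat > "$RSYSLOG_CLIENT" <<'EOF'
# constructed: a host forwarding everything to a central loghost over TCP
$ModLoad imuxsock
cron.* /var/log/cron
*.* @@loghost.example.com
EOF

RSYSLOG_SERVER=$(mktemp)
cat > "$RSYSLOG_SERVER" <<'EOF'
# constructed: a central log server accepting UDP syslog only
$ModLoad imudp
$UDPServerRun 514
#$ModLoad imtcp
#$InputTCPServerRun 514
*.info /var/log/messages
EOF

for f in "$RSYSLOG_CLIENT" "$RSYSLOG_SERVER"; do
    echo "$f: $(rsyslog_role "$f") listeners=[$(rsyslog_listeners "$f" | tr '\n' ' ')] forwards=[$(rsyslog_forward_targets "$f" | tr '\n' ' ')]"
done
```

A host classified as "server" that is not meant to be a central loghost is the finding the listener rule above describes; pass /etc/rsyslog.conf together with /etc/rsyslog.d/*.conf so that directives placed in drop-in files are not missed.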
Identifiers:
CCE-80193-6

Configure Logwatch SplitHosts Line

If SplitHosts is set, Logwatch will separate entries by hostname. This makes the report longer but significantly more usable. If it is not set, then Logwatch will not report which host generated a given log entry, and that information is almost always necessary.

    SplitHosts = yes

Identifiers:
CCE-80197-7

Configure Logwatch HostLimit Line

On a central logserver, you want Logwatch to summarize all syslog entries, including those which did not originate on the logserver itself. The HostLimit setting tells Logwatch to report on all hosts, not just the one on which it is running.

    HostLimit = no

Identifiers:
CCE-80196-9

Disable Logwatch on Clients if a Logserver Exists

Does your site have a central logserver which has been configured to report on logs received from all systems? If so:

    $ sudo rm /etc/cron.daily/0logwatch

If no logserver exists, it will be necessary for each system to run Logwatch individually. Using a central logserver provides the security and reliability benefits discussed earlier, and also makes monitoring logs easier and less time-intensive for administrators.

Identifiers:
CCE-80198-5

Enable rsyslog Service

The rsyslog service provides syslog-style logging by default on Red Hat Enterprise Linux 7.
The rsyslog service can be enabled with the following command:

    $ sudo systemctl enable rsyslog.service

References:
NT28(R5) NT28(R46) 4.2.1.1 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO13.01 BAI03.05 BAI04.04 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 CCI-001311 CCI-001312 CCI-001557 CCI-001851 164.312(a)(2)(ii) 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 SR 7.1 SR 7.2 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 A.17.2.1 AU-4(1) AU-12 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.DS-4 PR.PT-1

Rationale:

The rsyslog service must be running in order to provide logging services, which are essential to system administration.

Identifiers:
CCE-80188-6

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" start 'rsyslog.service'
    "$SYSTEMCTL_EXEC" enable 'rsyslog.service'

Remediation Ansible snippet:

    - name: Enable service rsyslog
      service:
        name: rsyslog
        enabled: "yes"
        state: "started"
      tags:
        - service_rsyslog_enabled
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80188-6
        - NIST-800-53-AU-4(1)
        - NIST-800-53-AU-12
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure rsyslog is Installed

Rsyslog is installed by default. The rsyslog package can be installed with the following command:

    $ sudo yum install rsyslog

References:
NT28(R5) NT28(R46) 4.2.3 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 CCI-001311 CCI-001312 164.312(a)(2)(ii) 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-9(2) PR.PT-1

Rationale:

The rsyslog package provides the rsyslog daemon, which provides system logging services.
Identifiers:
CCE-80187-8

Remediation Shell script:

    # package_install is a helper from the SCAP Security Guide bash remediation
    # function library (it wraps the platform package manager)
    package_install rsyslog

Remediation Ansible snippet:

    - name: Ensure rsyslog is installed
      package:
        name: rsyslog
        state: present
      tags:
        - package_rsyslog_installed
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80187-8
        - NIST-800-53-AU-9(2)
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Remediation Puppet snippet:

    include install_rsyslog

    class install_rsyslog {
      package { 'rsyslog':
        ensure => 'installed',
      }
    }

Remediation Anaconda snippet:

    package --add=rsyslog

Configure Kernel Parameter for Accepting Source-Routed Packets for Interfaces By Default

To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command:

    $ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    net.ipv6.conf.default.accept_source_route = 0

References:
1 12 13 14 15 16 18 4 6 8 9 APO01.06 APO13.01 DSS01.05 DSS03.01 DSS05.02 DSS05.04 DSS05.07 DSS06.02 3.1.20 CCI-000366 4.2.3.4 4.3.3.4 4.4.3.3 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-4 DE.AE-1 ID.AM-3 PR.AC-5 PR.DS-5 PR.PT-4

Rationale:

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
Identifiers:
CCE-80335-1

Remediation Shell script:

    sysctl_net_ipv6_conf_default_accept_source_route_value=""

    #
    # Set runtime for net.ipv6.conf.default.accept_source_route
    #
    /sbin/sysctl -q -n -w "net.ipv6.conf.default.accept_source_route=$sysctl_net_ipv6_conf_default_accept_source_route_value"

    #
    # If net.ipv6.conf.default.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
    # else, add "net.ipv6.conf.default.accept_source_route = value" to /etc/sysctl.conf
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.default.accept_source_route' "$sysctl_net_ipv6_conf_default_accept_source_route_value" 'CCE-80335-1'

Remediation Ansible snippet:

    - name: XCCDF Value sysctl_net_ipv6_conf_default_accept_source_route_value # promote to variable
      set_fact:
        sysctl_net_ipv6_conf_default_accept_source_route_value: !!str
      tags:
        - always

    - name: Ensure sysctl net.ipv6.conf.default.accept_source_route is set
      sysctl:
        name: net.ipv6.conf.default.accept_source_route
        value: "{{ sysctl_net_ipv6_conf_default_accept_source_route_value }}"
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv6_conf_default_accept_source_route
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80335-1
        - NIST-800-53-AC-4
        - NIST-800-171-3.1.20
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure Kernel Parameter for Accepting IPv6 Source-Routed Packets for All Interfaces

To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command:

    $ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    net.ipv6.conf.all.accept_source_route = 0

References:
RHEL-07-040830 SV-86943r2_rule 1 12 13 14 15 16 18 4 6 8 9 APO01.06 APO13.01 DSS01.05 DSS03.01 DSS05.02 DSS05.04 DSS05.07 DSS06.02 3.1.20 CCI-000366 4.2.3.4 4.3.3.4 4.4.3.3 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6
A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-4 DE.AE-1 ID.AM-3 PR.AC-5 PR.DS-5 PR.PT-4 SRG-OS-000480-GPOS-00227

Rationale:

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Identifiers:
CCE-80179-5

Remediation Shell script:

    sysctl_net_ipv6_conf_all_accept_source_route_value=""

    #
    # Set runtime for net.ipv6.conf.all.accept_source_route
    #
    /sbin/sysctl -q -n -w "net.ipv6.conf.all.accept_source_route=$sysctl_net_ipv6_conf_all_accept_source_route_value"

    #
    # If net.ipv6.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
    # else, add "net.ipv6.conf.all.accept_source_route = value" to /etc/sysctl.conf
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.all.accept_source_route' "$sysctl_net_ipv6_conf_all_accept_source_route_value" 'CCE-80179-5'

Remediation Ansible snippet:

    - name: XCCDF Value sysctl_net_ipv6_conf_all_accept_source_route_value # promote to variable
      set_fact:
        sysctl_net_ipv6_conf_all_accept_source_route_value: !!str
      tags:
        - always

    - name: Ensure sysctl net.ipv6.conf.all.accept_source_route is set
      sysctl:
        name: net.ipv6.conf.all.accept_source_route
        value: "{{ sysctl_net_ipv6_conf_all_accept_source_route_value }}"
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv6_conf_all_accept_source_route
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80179-5
        - NIST-800-53-AC-4
        - NIST-800-171-3.1.20
        - DISA-STIG-RHEL-07-040830
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Kernel Parameter for IPv6 Forwarding

To set the runtime status of the net.ipv6.conf.all.forwarding kernel parameter, run the following command:

    $ sudo sysctl -w net.ipv6.conf.all.forwarding=0

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    net.ipv6.conf.all.forwarding = 0

References:
1 11 12 13 14 15 16 2 3 7 8 9 APO13.01 BAI04.04 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS03.05 DSS05.02 DSS05.05 DSS05.07 DSS06.06 CCI-000366 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 6.2 SR 7.1 SR 7.2 SR 7.6 A.12.1.2 A.12.1.3 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.17.2.1 A.9.1.2 CM-7 SC-5 DE.CM-1 PR.DS-4 PR.IP-1 PR.PT-3

Rationale:

IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.
Identifiers:
CCE-80356-9

Remediation Shell script:

    sysctl_net_ipv6_conf_all_forwarding_value=""

    #
    # Set runtime for net.ipv6.conf.all.forwarding
    #
    /sbin/sysctl -q -n -w "net.ipv6.conf.all.forwarding=$sysctl_net_ipv6_conf_all_forwarding_value"

    #
    # If net.ipv6.conf.all.forwarding present in /etc/sysctl.conf, change value to appropriate value
    # else, add "net.ipv6.conf.all.forwarding = value" to /etc/sysctl.conf
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.all.forwarding' "$sysctl_net_ipv6_conf_all_forwarding_value" 'CCE-80356-9'

Remediation Ansible snippet:

    - name: XCCDF Value sysctl_net_ipv6_conf_all_forwarding_value # promote to variable
      set_fact:
        sysctl_net_ipv6_conf_all_forwarding_value: !!str
      tags:
        - always

    - name: Ensure sysctl net.ipv6.conf.all.forwarding is set
      sysctl:
        name: net.ipv6.conf.all.forwarding
        value: "{{ sysctl_net_ipv6_conf_all_forwarding_value }}"
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv6_conf_all_forwarding
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80356-9
        - NIST-800-53-CM-7
        - NIST-800-53-SC-5
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure Accepting IPv6 Redirects on All Interfaces

To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command:

    $ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    net.ipv6.conf.all.accept_redirects = 0

References:
3.3.2 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 3.1.20 CCI-001551 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale:

An illicit ICMP redirect message could result in a man-in-the-middle attack.

Identifiers:
CCE-80182-9

Remediation Shell script:

    sysctl_net_ipv6_conf_all_accept_redirects_value=""

    #
    # Set runtime for net.ipv6.conf.all.accept_redirects
    #
    /sbin/sysctl -q -n -w "net.ipv6.conf.all.accept_redirects=$sysctl_net_ipv6_conf_all_accept_redirects_value"

    #
    # If net.ipv6.conf.all.accept_redirects present in /etc/sysctl.conf, change value to appropriate value
    # else, add "net.ipv6.conf.all.accept_redirects = value" to /etc/sysctl.conf
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.all.accept_redirects' "$sysctl_net_ipv6_conf_all_accept_redirects_value" 'CCE-80182-9'

Remediation Ansible snippet:

    - name: XCCDF Value sysctl_net_ipv6_conf_all_accept_redirects_value # promote to variable
      set_fact:
        sysctl_net_ipv6_conf_all_accept_redirects_value: !!str
      tags:
        - always

    - name: Ensure sysctl net.ipv6.conf.all.accept_redirects is set
      sysctl:
        name: net.ipv6.conf.all.accept_redirects
        value: "{{ sysctl_net_ipv6_conf_all_accept_redirects_value }}"
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv6_conf_all_accept_redirects
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80182-9
        - NIST-800-53-CM-7
        - NIST-800-171-3.1.20
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure Accepting IPv6 Router Advertisements by Default

To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command:

    $ sudo sysctl -w net.ipv6.conf.default.accept_ra=0

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    net.ipv6.conf.default.accept_ra = 0

References:
3.3.1 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 3.1.20 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6
4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale:

An illicit router advertisement message could result in a man-in-the-middle attack.

Identifiers:
CCE-80181-1

Remediation Shell script:

    sysctl_net_ipv6_conf_default_accept_ra_value=""

    #
    # Set runtime for net.ipv6.conf.default.accept_ra
    #
    /sbin/sysctl -q -n -w "net.ipv6.conf.default.accept_ra=$sysctl_net_ipv6_conf_default_accept_ra_value"

    #
    # If net.ipv6.conf.default.accept_ra present in /etc/sysctl.conf, change value to appropriate value
    # else, add "net.ipv6.conf.default.accept_ra = value" to /etc/sysctl.conf
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.default.accept_ra' "$sysctl_net_ipv6_conf_default_accept_ra_value" 'CCE-80181-1'

Remediation Ansible snippet:

    - name: XCCDF Value sysctl_net_ipv6_conf_default_accept_ra_value # promote to variable
      set_fact:
        sysctl_net_ipv6_conf_default_accept_ra_value: !!str
      tags:
        - always

    - name: Ensure sysctl net.ipv6.conf.default.accept_ra is set
      sysctl:
        name: net.ipv6.conf.default.accept_ra
        value: "{{ sysctl_net_ipv6_conf_default_accept_ra_value }}"
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv6_conf_default_accept_ra
        - unknown_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80181-1
        - NIST-800-53-CM-7
        - NIST-800-171-3.1.20
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure Accepting IPv6 Router Advertisements on All Interfaces

To set the runtime status of the net.ipv6.conf.all.accept_ra kernel parameter, run the following command:

    $ sudo sysctl -w net.ipv6.conf.all.accept_ra=0

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    net.ipv6.conf.all.accept_ra = 0

References:
3.3.1 11 14 3 9 BAI10.01
BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 3.1.20 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale:

An illicit router advertisement message could result in a man-in-the-middle attack.

Identifiers:
CCE-80180-3

Remediation Shell script:

    sysctl_net_ipv6_conf_all_accept_ra_value=""

    #
    # Set runtime for net.ipv6.conf.all.accept_ra
    #
    /sbin/sysctl -q -n -w "net.ipv6.conf.all.accept_ra=$sysctl_net_ipv6_conf_all_accept_ra_value"

    #
    # If net.ipv6.conf.all.accept_ra present in /etc/sysctl.conf, change value to appropriate value
    # else, add "net.ipv6.conf.all.accept_ra = value" to /etc/sysctl.conf
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.all.accept_ra' "$sysctl_net_ipv6_conf_all_accept_ra_value" 'CCE-80180-3'

Remediation Ansible snippet:

    - name: XCCDF Value sysctl_net_ipv6_conf_all_accept_ra_value # promote to variable
      set_fact:
        sysctl_net_ipv6_conf_all_accept_ra_value: !!str
      tags:
        - always

    - name: Ensure sysctl net.ipv6.conf.all.accept_ra is set
      sysctl:
        name: net.ipv6.conf.all.accept_ra
        value: "{{ sysctl_net_ipv6_conf_all_accept_ra_value }}"
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv6_conf_all_accept_ra
        - unknown_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80180-3
        - NIST-800-53-CM-7
        - NIST-800-171-3.1.20
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure Accepting IPv6 Redirects By Default

To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command:

    $ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    net.ipv6.conf.default.accept_redirects = 0

References:
3.3.2 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 3.1.20 CCI-001551 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale:

An illicit ICMP redirect message could result in a man-in-the-middle attack.

Identifiers:
CCE-80183-7

Remediation Shell script:

    sysctl_net_ipv6_conf_default_accept_redirects_value=""

    #
    # Set runtime for net.ipv6.conf.default.accept_redirects
    #
    /sbin/sysctl -q -n -w "net.ipv6.conf.default.accept_redirects=$sysctl_net_ipv6_conf_default_accept_redirects_value"

    #
    # If net.ipv6.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value
    # else, add "net.ipv6.conf.default.accept_redirects = value" to /etc/sysctl.conf
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.default.accept_redirects' "$sysctl_net_ipv6_conf_default_accept_redirects_value" 'CCE-80183-7'

Remediation Ansible snippet:

    - name: XCCDF Value sysctl_net_ipv6_conf_default_accept_redirects_value # promote to variable
      set_fact:
        sysctl_net_ipv6_conf_default_accept_redirects_value: !!str
      tags:
        - always

    - name: Ensure sysctl net.ipv6.conf.default.accept_redirects is set
      sysctl:
        name: net.ipv6.conf.default.accept_redirects
        value: "{{ sysctl_net_ipv6_conf_default_accept_redirects_value }}"
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv6_conf_default_accept_redirects
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80183-7
        - NIST-800-53-CM-7
        - NIST-800-171-3.1.20
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Manually Assign IPv6 Router Address

Edit the file /etc/sysconfig/network-scripts/ifcfg-interface, and add or correct the following line (substituting your gateway IP as appropriate):

    IPV6_DEFAULTGW=2001:0DB8::0001

Rationale:

Router addresses should be manually set and not accepted via any auto-configuration or router advertisement.

References:
CCI-000366

Identifiers:
CCE-80186-0

Use Privacy Extensions for Address

To introduce randomness into the automatic generation of IPv6 addresses, add or correct the following line in /etc/sysconfig/network-scripts/ifcfg-interface:

    IPV6_PRIVACY=rfc3041

Rationale:

Automatically-generated IPv6 addresses are based on the underlying hardware (e.g. Ethernet) address, and so it becomes possible to track a piece of hardware over its lifetime using its traffic. If it is important for a system's IP address to not trivially reveal its hardware address, this setting should be applied.

References:
3.1.20 CCI-000366

Identifiers:
CCE-80185-2

Remediation Shell script:

    # enable randomness in ipv6 address generation
    for interface in /etc/sysconfig/network-scripts/ifcfg-*
    do
        echo "IPV6_PRIVACY=rfc3041" >> "$interface"
    done

Manually Assign Global IPv6 Address

To manually assign an IP address for an interface, edit the file /etc/sysconfig/network-scripts/ifcfg-interface. Add or correct the following line (substituting the correct IPv6 address):

    IPV6ADDR=2001:0DB8::ABCD/64

Rationale:

Manually assigning an IP address is preferable to accepting one from routers or from the network otherwise. The example address here is an IPv6 address reserved for documentation purposes, as defined by RFC3849.
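The sysctl rules above all follow the same pattern, and the following added example (not SCAP Security Guide code) checks them from the configuration files: it resolves the value a key is configured with across a set of sysctl files and reports the IPv6 settings from those rules that are unset or wrong. It goes a little beyond the individual rules by handling the ordering between files: files are read in the order given and a later assignment wins, as systemd-sysctl does for /etc/sysctl.d/*.conf sorted by name (on Red Hat Enterprise Linux 7, /etc/sysctl.conf takes part as /etc/sysctl.d/99-sysctl.conf). The sample fragments are constructed for the example and the function names are the example's own.

```shell
#!/bin/bash
# Added example (not SCAP Security Guide code): resolve the value a sysctl key
# ends up with from a set of configuration files, and report which of the IPv6
# settings from the rules above are missing or wrong.  Files are read in the
# order given and a later assignment overrides an earlier one, which is how
# systemd-sysctl applies /etc/sysctl.d/*.conf sorted by name.

# Print the last value assigned to key $1 in the files $2..; return 1 if the
# key is never assigned.  Accepts "a.b.c = 1", "a.b.c=1", "a/b/c = 1" and the
# "-a.b.c = 1" form that tells sysctl to ignore errors for that key.
sysctl_configured_value() {
    key=$1
    shift
    awk -v key="$key" '
        /^[[:space:]]*[#;]/ { next }                 # comment lines
        /^[[:space:]]*$/    { next }                 # blank lines
        {
            line = $0
            sub(/^[[:space:]]*-?[[:space:]]*/, "", line)
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1)
            v = substr(line, n + 1)
            gsub(/[[:space:]]/, "", k)
            gsub(/\//, ".", k)                       # net/ipv6/... is the same key as net.ipv6....
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) { value = v; seen = 1 }
        }
        END { if (seen) print value; else exit 1 }
    ' "$@"
}

# Return 0 when key $1 resolves to the expected value $2 in the files $3..
sysctl_config_matches() {
    key=$1
    want=$2
    shift 2
    got=$(sysctl_configured_value "$key" "$@") || return 1
    [ "$got" = "$want" ]
}

# Print one line for each IPv6 setting from the rules above that is unset or
# has the wrong value in the given files; print nothing when all are correct.
ipv6_sysctl_failures() {
    for pair in \
        net.ipv6.conf.default.accept_source_route=0 \
        net.ipv6.conf.all.accept_source_route=0 \
        net.ipv6.conf.all.forwarding=0 \
        net.ipv6.conf.all.accept_redirects=0 \
        net.ipv6.conf.default.accept_redirects=0 \
        net.ipv6.conf.all.accept_ra=0 \
        net.ipv6.conf.default.accept_ra=0
    do
        key=${pair%=*}
        want=${pair#*=}
        if got=$(sysctl_configured_value "$key" "$@"); then
            [ "$got" = "$want" ] || echo "$key=$got (want $want)"
        else
            echo "$key unset (want $want)"
        fi
    done
}

# Constructed sample fragments in the layout of /etc/sysctl.d.
SYSCTL_DIR=$(mktemp -d)
cat > "$SYSCTL_DIR/10-base.conf" <<'EOF'
# constructed: an earlier fragment that still enables forwarding
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
EOF
cat > "$SYSCTL_DIR/99-sysctl.conf" <<'EOF'
# constructed: stands in for /etc/sysctl.conf, applied last
net.ipv6.conf.all.forwarding = 0
net/ipv6/conf/all/accept_redirects = 0
net.ipv6.conf.default.accept_redirects=0
-net.ipv6.conf.all.accept_ra = 0
EOF

# The shell expands the glob in sorted order, so 10-base.conf precedes 99-sysctl.conf.
ipv6_sysctl_failures "$SYSCTL_DIR"/*.conf
```

Only the configured state is checked; the running value can differ until sysctl --system or a reboot applies the files, so a complete audit compares this result with sysctl -n for each key.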
References:
CCI-000366

Identifiers:
CCE-80184-5

Disable Interface Usage of IPv6

To disable interface usage of IPv6, add or correct the following lines in /etc/sysconfig/network:

    NETWORKING_IPV6=no
    IPV6INIT=no

Identifiers:
CCE-80176-1

Disable IPv6 Networking Support Automatic Loading

To disable IPv6 support, add the following line to /etc/sysctl.d/ipv6.conf (or another file in /etc/sysctl.d):

    net.ipv6.conf.all.disable_ipv6 = 1

This disables IPv6 on all network interfaces while leaving the IPv6 stack loaded, since other services and system functionality require it in order to work.

References:
3.3.3 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 3.1.20 CCI-001551 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale:

Any unnecessary network stacks, including IPv6, should be disabled to reduce the vulnerability to exploitation.
Identifiers:
CCE-80175-3

Remediation Shell script:

    #
    # Set runtime for net.ipv6.conf.all.disable_ipv6
    #
    /sbin/sysctl -q -n -w net.ipv6.conf.all.disable_ipv6=1

    #
    # If net.ipv6.conf.all.disable_ipv6 present in /etc/sysctl.conf, change value to "1"
    # else, add "net.ipv6.conf.all.disable_ipv6 = 1" to /etc/sysctl.conf
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.all.disable_ipv6' "1" 'CCE-80175-3'

Remediation Ansible snippet:

    - name: Ensure sysctl net.ipv6.conf.all.disable_ipv6 is set to 1
      sysctl:
        name: net.ipv6.conf.all.disable_ipv6
        value: 1
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv6_conf_all_disable_ipv6
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80175-3
        - NIST-800-53-CM-7
        - NIST-800-171-3.1.20
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable IPv6 Networking Support Automatic Loading

To prevent the IPv6 kernel module (ipv6) from binding to the IPv6 networking stack, add the following line to /etc/modprobe.d/disabled.conf (or another file in /etc/modprobe.d):

    options ipv6 disable=1

This permits the IPv6 module to be loaded (and thus satisfy other modules that depend on it), while disabling support for the IPv6 protocol.

References:
11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale:

Any unnecessary network stacks, including IPv6, should be disabled to reduce the vulnerability to exploitation.
# Prevent the IPv6 kernel module (ipv6) from loading the IPv6 networking stack echo "options ipv6 disable=1" > /etc/modprobe.d/ipv6.conf # Since according to: https://access.redhat.com/solutions/72733 # "ipv6 disable=1" options doesn't always disable the IPv6 networking stack from # loading, instruct also sysctl configuration to disable IPv6 according to: # https://access.redhat.com/solutions/8709#rhel6disable declare -a IPV6_SETTINGS=("net.ipv6.conf.all.disable_ipv6" "net.ipv6.conf.default.disable_ipv6") for setting in ${IPV6_SETTINGS[@]} do # Set runtime =1 for setting /sbin/sysctl -q -n -w "$setting=1" # If setting is present in /etc/sysctl.conf, change value to "1" # else, add "$setting = 1" to /etc/sysctl.conf if grep -q ^"$setting" /etc/sysctl.conf ; then sed -i "s/^$setting.*/$setting = 1/g" /etc/sysctl.conf else echo "" >> /etc/sysctl.conf echo "# Set $setting = 1 per security requirements" >> /etc/sysctl.conf echo "$setting = 1" >> /etc/sysctl.conf fi done Disable Support for RPC IPv6 RPC services for NFSv4 try to load transport modules for udp6 and tcp6 by default, even if IPv6 has been disabled in /etc/modprobe.d. 
To prevent RPC services such as rpc.mountd from attempting to start IPv6 network listeners, remove or comment out the following two lines in /etc/netconfig:

```
udp6       tpi_clts      v     inet6    udp     -       -
tcp6       tpi_cots_ord  v     inet6    tcp     -       -
```

References: NIST 800-171 3.1.20, NIST 800-53 CM-7

Identifiers: CCE-80177-9

Remediation Shell script:

```bash
# Drop 'tcp6' and 'udp6' entries from /etc/netconfig to prevent RPC
# services for NFSv4 from attempting to start IPv6 network listeners
declare -a IPV6_RPC_ENTRIES=("tcp6" "udp6")

for rpc_entry in "${IPV6_RPC_ENTRIES[@]}"
do
    sed -i "/^$rpc_entry[[:space:]]\+tpi_.*inet6.*/d" /etc/netconfig
done
```

Verify Any Configured IPSec Tunnel Connections

Libreswan provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. As such, IPsec can be used to circumvent certain network requirements such as filtering. Verify that any IPsec connection (conn) configured in /etc/ipsec.conf or /etc/ipsec.d is an approved organizational connection.
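The four IPv6 rules above each touch a different layer (network scripts, the module option, sysctl, and the RPC transports in /etc/netconfig), and the remediation itself notes that the module option alone is not reliable. The following audit, an added example and not SSG code, reports every layer separately under a staged root directory so it can be run against the constructed tree it builds (pass / to inspect a live system's files); all function names and the sample files are this example's own.

```bash
#!/bin/bash
# Added example (not SSG code): audit the IPv6 layers the rules above touch,
# under a staged root directory. Each layer is reported on its own line
# because, as the Red Hat articles cited in the remediation note, the
# "options ipv6 disable=1" module option alone does not reliably keep the
# stack from loading; the sysctl and /etc/netconfig layers must agree.

# Layer 1: "options ipv6 disable=1" in some /etc/modprobe.d/*.conf
ipv6_module_option_set() {   # $1 = root
    grep -Eqs '^[[:space:]]*options[[:space:]]+ipv6[[:space:]]+(.*[[:space:]])?disable=1([[:space:]]|$)' \
        "$1"/etc/modprobe.d/*.conf
}

# Layer 2: persistent sysctl setting in /etc/sysctl.d/*.conf or /etc/sysctl.conf
# (presence check only; precedence between files is not resolved here)
ipv6_sysctl_disabled() {   # $1 = root
    grep -Eqs '^[[:space:]]*net\.ipv6\.conf\.all\.disable_ipv6[[:space:]]*=[[:space:]]*1[[:space:]]*$' \
        "$1"/etc/sysctl.d/*.conf "$1"/etc/sysctl.conf
}

# Layer 3: NETWORKING_IPV6=no and IPV6INIT=no in /etc/sysconfig/network
ipv6_sysconfig_off() {   # $1 = root
    local f=$1/etc/sysconfig/network
    grep -Eqs '^NETWORKING_IPV6="?no"?$' "$f" && grep -Eqs '^IPV6INIT="?no"?$' "$f"
}

# Layer 4: list active (uncommented) inet6 transports in /etc/netconfig.
# Fields: network_id semantics flags protofamily protoname device nametoaddr_libs
active_ipv6_transports() {   # $1 = root
    awk 'NF >= 4 && $1 !~ /^#/ && $4 == "inet6" { print $1 }' "$1"/etc/netconfig 2>/dev/null
}

# Comment out (rather than delete) the inet6 transports, so the change stays
# visible in the file and is reversible. Safe to run repeatedly.
disable_ipv6_transports() {   # $1 = root
    local f=$1/etc/netconfig tmp
    tmp=$(mktemp)
    awk 'NF >= 4 && $1 !~ /^#/ && $4 == "inet6" { print "#" $0; next } { print }' "$f" > "$tmp" \
        && cat "$tmp" > "$f"     # cat keeps the file's inode, owner and mode
    rm -f "$tmp"
}

# Print one line per layer; return the number of layers that still allow IPv6.
ipv6_disable_report() {   # $1 = root
    local root=$1 bad=0 active
    if ipv6_module_option_set "$root"; then echo "modprobe : options ipv6 disable=1 present"
    else echo "modprobe : option missing"; bad=$((bad + 1)); fi
    if ipv6_sysctl_disabled "$root"; then echo "sysctl   : net.ipv6.conf.all.disable_ipv6 = 1 persisted"
    else echo "sysctl   : disable_ipv6 not persisted"; bad=$((bad + 1)); fi
    if ipv6_sysconfig_off "$root"; then echo "sysconfig: NETWORKING_IPV6=no and IPV6INIT=no"
    else echo "sysconfig: IPv6 still initialised by the network scripts"; bad=$((bad + 1)); fi
    active=$(active_ipv6_transports "$root" | tr '\n' ' ')
    if [ -z "$active" ]; then echo "netconfig: no inet6 RPC transports"
    else echo "netconfig: active inet6 transports: $active"; bad=$((bad + 1)); fi
    return $bad
}

# Constructed sample tree (not a real host): module option set, sysctl and
# sysconfig not done, /etc/netconfig still carrying the stock udp6/tcp6 lines.
make_sample_root() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/etc/modprobe.d" "$root/etc/sysctl.d" "$root/etc/sysconfig"
    echo "options ipv6 disable=1" > "$root/etc/modprobe.d/ipv6.conf"
    echo "net.ipv4.ip_forward = 0" > "$root/etc/sysctl.conf"
    printf 'NETWORKING=yes\nNETWORKING_IPV6=no\nIPV6INIT=yes\n' > "$root/etc/sysconfig/network"
    cat > "$root/etc/netconfig" <<'EOF'
# constructed copy of the stock RHEL 7 /etc/netconfig layout
udp        tpi_clts      v     inet     udp     -       -
tcp        tpi_cots_ord  v     inet     tcp     -       -
udp6       tpi_clts      v     inet6    udp     -       -
tcp6       tpi_cots_ord  v     inet6    tcp     -       -
rawip      tpi_raw       -     inet      -      -       -
local      tpi_cots_ord  -     loopback -       -       -
unix       tpi_cots_ord  -     loopback -       -       -
EOF
    printf '%s\n' "$root"
}

if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_root)
    ipv6_disable_report "$root"; echo "layers still enabling IPv6: $?"
    disable_ipv6_transports "$root"
    ipv6_disable_report "$root"; echo "layers still enabling IPv6: $?"
    rm -rf "$root"
fi
```

Run with `--demo` to see the constructed tree go from three failing layers to two after the netconfig transports are commented out; the remaining two are exactly the sysctl and network-script settings the rules above add.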
References: DISA STIG RHEL-07-040820, SV-86941r2_rule, CCI-000336, NIST 800-53 AC-4, SRG-OS-000480-GPOS-00227

Rationale: IP tunneling mechanisms can be used to bypass network filtering.

Identifiers: CCE-80171-2

Verify ip6tables Enabled if Using IPv6

The ip6tables service can be enabled with the following command:

```
$ sudo systemctl enable ip6tables.service
```

References: NIST 800-53 AC-4, CA-3(c), CM-7

Rationale: The ip6tables service provides the system's host-based firewalling capability for IPv6 and ICMPv6.

Verify iptables Enabled

The iptables service can be enabled with the following command:

```
$ sudo systemctl enable iptables.service
```

References: NIST 800-53 AC-4, CA-3(c), CM-7

Rationale: The iptables service provides the system's host-based firewalling capability for IPv4 and ICMP.
Set Default ip6tables Policy for Incoming Packets

To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in /etc/sysconfig/ip6tables:

```
:INPUT DROP [0:0]
```

If changes were required, reload the ip6tables rules:

```
$ sudo service ip6tables reload
```

References: NIST 800-53 CM-7

Rationale: In ip6tables, the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to DROP implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.

Set Default iptables Policy for Forwarded Packets

To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another, add or correct the following line in /etc/sysconfig/iptables:

```
:FORWARD DROP [0:0]
```

References: NIST 800-53 CM-7

Rationale: In iptables, the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to DROP implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.

Set Default iptables Policy for Incoming Packets

To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in /etc/sysconfig/iptables:

```
:INPUT DROP [0:0]
```

References: NIST 800-53 CM-7

Rationale: In iptables, the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to DROP implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.

Set Default firewalld Zone for Incoming Packets

To set the default zone to drop for the built-in default zone which processes incoming IPv4 and IPv6 packets, modify the following line in /etc/firewalld/firewalld.conf to be:

```
DefaultZone=drop
```

To prevent denying any access to the system, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above.
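The three iptables/ip6tables policy rules above all come down to one line per chain inside the *filter table of an iptables-save format file. The following checker, an added example and not SSG code, parses that format (tracking which table a ":CHAIN POLICY [pkts:bytes]" line belongs to, since the nat table has its own INPUT chain), reports the INPUT and FORWARD policies, and rewrites them to DROP in the file; the function names and the constructed sample file are this example's own, and the file still needs the reload the rules above describe before it takes effect.

```bash
#!/bin/bash
# Added example (not SSG code): inspect and correct the default chain policies
# in an iptables-save style file such as /etc/sysconfig/iptables or
# /etc/sysconfig/ip6tables. Changes to the file take effect only after the
# service reloads it (see "service ip6tables reload" above).

# Print "CHAIN POLICY" for every built-in chain of table $2 (default: filter).
# Tables open with "*name" and close with "COMMIT"; a policy of "-" marks a
# user-defined chain, which has no default policy and is skipped.
chain_policies() {   # $1 = rules file, $2 = table name
    awk -v want="${2:-filter}" '
        /^\*/     { table = substr($1, 2); next }
        /^COMMIT/ { table = ""; next }
        table == want && /^:/ {
            chain = substr($1, 2)
            if ($2 != "-") print chain, $2
        }' "$1"
}

# Return 0 when INPUT and FORWARD both default to DROP in the filter table;
# print one line per chain either way so the report is readable.
check_default_policies() {   # $1 = rules file
    local rc=0 chain policy
    for chain in INPUT FORWARD; do
        policy=$(chain_policies "$1" filter | awk -v c="$chain" '$1 == c { print $2 }')
        case $policy in
            DROP) printf 'ok   %s policy DROP\n' "$chain" ;;
            "")   printf 'FAIL %s has no policy line in *filter\n' "$chain"; rc=1 ;;
            *)    printf 'FAIL %s policy %s (expected DROP)\n' "$chain" "$policy"; rc=1 ;;
        esac
    done
    return $rc
}

# Rewrite the policy line of chain $2 in the filter table to policy $3,
# resetting the counters to [0:0] as the rules above show. Other tables are
# left alone even when they have a chain of the same name.
set_default_policy() {   # $1 = rules file, $2 = chain, $3 = policy
    sed -i -E "/^\*filter/,/^COMMIT/ s/^:$2 [A-Z]+ \[[0-9]+:[0-9]+\]/:$2 $3 [0:0]/" "$1"
}

# Constructed sample (not a real host's file), modelled on the RHEL 7 default
# ruleset: every built-in chain still defaults to ACCEPT and the nat table has
# its own INPUT chain, which the checker must not confuse with filter's.
make_sample_rules() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample in iptables-save format
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
    printf '%s\n' "$f"
}

if [ "${1:-}" = "--demo" ]; then
    f=$(make_sample_rules)
    check_default_policies "$f"
    set_default_policy "$f" INPUT DROP
    set_default_policy "$f" FORWARD DROP
    check_default_policies "$f"
    rm -f "$f"
fi
```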
References: DISA STIG RHEL-07-040810, SV-86939r3_rule, CJIS 5.10.1, NIST 800-171 3.1.3, 3.4.7, 3.13.6, CCI-000366, NIST 800-53 CM-6(b), CM-7, FMT_MOF_EXT.1, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000

Rationale: In firewalld, the default zone is applied only after all the applicable rules in the table are examined for a match. Setting the default zone to drop implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.

Identifiers: CCE-27349-0

Configure the Firewalld Ports

Configure the firewalld ports to allow approved services to have access to the system. To configure firewalld to open ports, run the following command:

```
$ sudo firewall-cmd --permanent --add-port=port_number/tcp
```

or

```
$ sudo firewall-cmd --permanent --add-service=service_name
```

Run the command listed above for each of the ports listed below. To configure firewalld to allow access, run the following command(s):

```
firewall-cmd --permanent --add-service=ssh
```

References: DISA STIG RHEL-07-040100, SV-86843r2_rule, CCI-000382, CCI-002314, NIST 800-53 CM-7, CM-7.1(iii), CM-7(b), AC-17(1), SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000480-VMM-002000

Rationale: In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.

To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.

Identifiers: CCE-80447-6

Remediation Shell script:

```bash
package_install firewalld

firewalld_sshd_zone=""

# This assumes that firewalld_sshd_zone is one of the pre-defined zones
if [ ! -f /etc/firewalld/zones/${firewalld_sshd_zone}.xml ]; then
    cp /usr/lib/firewalld/zones/${firewalld_sshd_zone}.xml /etc/firewalld/zones/${firewalld_sshd_zone}.xml
fi
if ! grep -q 'service name="ssh"' /etc/firewalld/zones/${firewalld_sshd_zone}.xml; then
    sed -i '/<\/description>/a \ <service name="ssh"/>' /etc/firewalld/zones/${firewalld_sshd_zone}.xml
fi

# Check if any eth interface is bound to the zone with SSH service enabled.
# The interface names are collected into an array so that the first one can
# be addressed below as ${eth_interface_list[0]}.
nic_bound=false
eth_interface_list=($(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)'))
for interface in "${eth_interface_list[@]}"; do
    if grep -q "ZONE=$firewalld_sshd_zone" /etc/sysconfig/network-scripts/ifcfg-$interface 2>/dev/null; then
        nic_bound=true
        break
    fi
done

if [ $nic_bound = false ]; then
    # Add first NIC to SSH enabled zone
    if ! firewall-cmd --state -q; then
        replace_or_append "/etc/sysconfig/network-scripts/ifcfg-${eth_interface_list[0]}" '^ZONE=' "$firewalld_sshd_zone" 'CCE-80447-6' '%s=%s'
    else
        # If the firewalld service is running, this step must be done with firewall-cmd.
        # Otherwise firewalld will communicate with NetworkManager and revert the assigned zone
        # of NetworkManager-managed interfaces upon reload.
        firewall-cmd --zone=$firewalld_sshd_zone --add-interface=${eth_interface_list[0]}
        firewall-cmd --reload
    fi
fi
```

Configure firewalld To Rate Limit Connections

Create a direct firewall rule to protect against DoS attacks with the following command:

```
$ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
```

References: CCI-002385, SRG-OS-000420-GPOS-00186, DISA STIG RHEL-07-040510, SV-86895r3_rule

Rationale: DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This requirement addresses the configuration of the operating system to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.
Identifiers: CCE-80542-4

Verify firewalld Enabled

The firewalld service can be enabled with the following command:

```
$ sudo systemctl enable firewalld.service
```

References: DISA STIG RHEL-07-040520, SV-86897r2_rule, NIST 800-171 3.1.3, 3.4.7, CCI-000366, NIST 800-53 CM-6(b), FMT_MOF_EXT.1, SRG-OS-000480-GPOS-00227

Rationale: Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols.

Identifiers: CCE-80998-8

Remediation Shell script:

```bash
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'firewalld.service'
"$SYSTEMCTL_EXEC" enable 'firewalld.service'
```

Remediation Ansible snippet:

```yaml
- name: Enable service firewalld
  service:
    name: firewalld
    enabled: "yes"
    state: "started"
  tags:
    - service_firewalld_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80998-8
    - NIST-800-53-CM-6(b)
    - NIST-800-171-3.1.3
    - NIST-800-171-3.4.7
    - DISA-STIG-RHEL-07-040520
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Install firewalld

The firewalld package can be installed with the following command:

```
$ sudo yum install firewalld
```

Rationale: The firewalld package should be installed to provide access control methods.

Remediation Shell script:

```bash
package_install firewalld
```

Remediation Ansible snippet:

```yaml
- name: Ensure firewalld is installed
  package:
    name: firewalld
    state: present
  tags:
    - package_firewalld_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Remediation Puppet snippet:

```puppet
include install_firewalld

class install_firewalld {
  package { 'firewalld':
    ensure => 'installed',
  }
}
```

Remediation Anaconda snippet:

```
package --add=firewalld
```

Configure Kernel Parameter for Accepting Source-Routed Packets By Default

To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command:

```
$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
```

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

```
net.ipv4.conf.default.accept_source_route = 0
```

References: DISA STIG RHEL-07-040620, SV-86909r2_rule, CJIS 5.10.1.1, NIST 800-171 3.1.20, CCI-000366, CCI-001551, NIST 800-53 AC-4, CM-7, SC-5, SC-7, SRG-OS-000480-GPOS-00227

Rationale: Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.

Identifiers: CCE-80162-1

Remediation Shell script:

```bash
sysctl_net_ipv4_conf_default_accept_source_route_value=""

#
# Set runtime for net.ipv4.conf.default.accept_source_route
#
/sbin/sysctl -q -n -w "net.ipv4.conf.default.accept_source_route=$sysctl_net_ipv4_conf_default_accept_source_route_value"

#
# If net.ipv4.conf.default.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.conf.default.accept_source_route = value" to /etc/sysctl.conf
#
replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.default.accept_source_route' "$sysctl_net_ipv4_conf_default_accept_source_route_value" 'CCE-80162-1'
```

Remediation Ansible snippet:

```yaml
- name: XCCDF Value sysctl_net_ipv4_conf_default_accept_source_route_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_default_accept_source_route_value: !!str
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.default.accept_source_route is set
  sysctl:
    name: net.ipv4.conf.default.accept_source_route
    value: "{{ sysctl_net_ipv4_conf_default_accept_source_route_value }}"
    state: present
    reload: yes
  tags:
    - sysctl_net_ipv4_conf_default_accept_source_route
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - CCE-80162-1
    - NIST-800-53-AC-4
    - NIST-800-53-CM-7
    - NIST-800-53-SC-5
    - NIST-800-53-SC-7
    - NIST-800-171-3.1.20
    - CJIS-5.10.1.1
    - DISA-STIG-RHEL-07-040620
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requests

To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command:

```
$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
```

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

```
net.ipv4.icmp_echo_ignore_broadcasts = 1
```

References: DISA STIG RHEL-07-040630, SV-86911r2_rule, CJIS 5.10.1.1, NIST 800-171 3.1.20, CCI-000366, NIST 800-53 AC-4, CM-7, SC-5, SRG-OS-000480-GPOS-00227

Rationale: Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks. Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.
Identifiers: CCE-80165-4

Remediation Shell script:

```bash
sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=""

#
# Set runtime for net.ipv4.icmp_echo_ignore_broadcasts
#
/sbin/sysctl -q -n -w "net.ipv4.icmp_echo_ignore_broadcasts=$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value"

#
# If net.ipv4.icmp_echo_ignore_broadcasts present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.icmp_echo_ignore_broadcasts = value" to /etc/sysctl.conf
#
replace_or_append '/etc/sysctl.conf' '^net.ipv4.icmp_echo_ignore_broadcasts' "$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" 'CCE-80165-4'
```

Remediation Ansible snippet:

```yaml
- name: XCCDF Value sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value # promote to variable
  set_fact:
    sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value: !!str
  tags:
    - always

- name: Ensure sysctl net.ipv4.icmp_echo_ignore_broadcasts is set
  sysctl:
    name: net.ipv4.icmp_echo_ignore_broadcasts
    value: "{{ sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value }}"
    state: present
    reload: yes
  tags:
    - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - CCE-80165-4
    - NIST-800-53-AC-4
    - NIST-800-53-CM-7
    - NIST-800-53-SC-5
    - NIST-800-171-3.1.20
    - CJIS-5.10.1.1
    - DISA-STIG-RHEL-07-040630
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Configure Kernel Parameter to Log Martian Packets By Default

To set the runtime status of the net.ipv4.conf.default.log_martians kernel parameter, run the following command:

```
$ sudo sysctl -w net.ipv4.conf.default.log_martians=1
```

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

```
net.ipv4.conf.default.log_martians = 1
```

References: NIST 800-171 3.1.20, CCI-000126, NIST 800-53 AC-17(7), CM-7, SC-5(3)

Rationale: The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.

Identifiers: CCE-80161-3

Remediation Shell script:

```bash
sysctl_net_ipv4_conf_default_log_martians_value=""

#
# Set runtime for net.ipv4.conf.default.log_martians
#
/sbin/sysctl -q -n -w "net.ipv4.conf.default.log_martians=$sysctl_net_ipv4_conf_default_log_martians_value"

#
# If net.ipv4.conf.default.log_martians present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.conf.default.log_martians = value" to /etc/sysctl.conf
#
replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.default.log_martians' "$sysctl_net_ipv4_conf_default_log_martians_value" 'CCE-80161-3'
```

Remediation Ansible snippet:

```yaml
- name: XCCDF Value sysctl_net_ipv4_conf_default_log_martians_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_default_log_martians_value: !!str
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.default.log_martians is set
  sysctl:
    name: net.ipv4.conf.default.log_martians
    value: "{{ sysctl_net_ipv4_conf_default_log_martians_value }}"
    state: present
    reload: yes
  tags:
    - sysctl_net_ipv4_conf_default_log_martians
    - unknown_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - CCE-80161-3
    - NIST-800-53-AC-17(7)
    - NIST-800-53-CM-7
    - NIST-800-53-SC-5(3)
    - NIST-800-171-3.1.20
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Configure Kernel Parameter to Use Reverse Path Filtering by Default

To set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter, run the following command:

```
$ sudo sysctl -w net.ipv4.conf.default.rp_filter=1
```

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

```
net.ipv4.conf.default.rp_filter = 1
```

References: NIST 800-171 3.1.20, NIST 800-53 AC-4, SC-5, SC-7

Rationale: Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.
Identifiers: CCE-80168-8

Remediation Shell script:

```bash
sysctl_net_ipv4_conf_default_rp_filter_value=""

#
# Set runtime for net.ipv4.conf.default.rp_filter
#
/sbin/sysctl -q -n -w "net.ipv4.conf.default.rp_filter=$sysctl_net_ipv4_conf_default_rp_filter_value"

#
# If net.ipv4.conf.default.rp_filter present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.conf.default.rp_filter = value" to /etc/sysctl.conf
#
replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.default.rp_filter' "$sysctl_net_ipv4_conf_default_rp_filter_value" 'CCE-80168-8'
```

Remediation Ansible snippet:

```yaml
- name: XCCDF Value sysctl_net_ipv4_conf_default_rp_filter_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_default_rp_filter_value: !!str
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.default.rp_filter is set
  sysctl:
    name: net.ipv4.conf.default.rp_filter
    value: "{{ sysctl_net_ipv4_conf_default_rp_filter_value }}"
    state: present
    reload: yes
  tags:
    - sysctl_net_ipv4_conf_default_rp_filter
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - CCE-80168-8
    - NIST-800-53-AC-4
    - NIST-800-53-SC-5
    - NIST-800-53-SC-7
    - NIST-800-171-3.1.20
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Configure Kernel Parameter for Accepting Secure Redirects for All Interfaces

To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command:

```
$ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0
```

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

```
net.ipv4.conf.all.secure_redirects = 0
```

References: NIST 800-171 3.1.20, CCI-001503, CCI-001551, NIST 800-53 AC-4, CM-7, SC-5

Rationale: Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

Identifiers: CCE-80159-7

Remediation Shell script:

```bash
sysctl_net_ipv4_conf_all_secure_redirects_value=""

#
# Set runtime for net.ipv4.conf.all.secure_redirects
#
/sbin/sysctl -q -n -w "net.ipv4.conf.all.secure_redirects=$sysctl_net_ipv4_conf_all_secure_redirects_value"

#
# If net.ipv4.conf.all.secure_redirects present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.conf.all.secure_redirects = value" to /etc/sysctl.conf
#
replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.all.secure_redirects' "$sysctl_net_ipv4_conf_all_secure_redirects_value" 'CCE-80159-7'
```

Remediation Ansible snippet:

```yaml
- name: XCCDF Value sysctl_net_ipv4_conf_all_secure_redirects_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_all_secure_redirects_value: !!str
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.all.secure_redirects is set
  sysctl:
    name: net.ipv4.conf.all.secure_redirects
    value: "{{ sysctl_net_ipv4_conf_all_secure_redirects_value }}"
    state: present
    reload: yes
  tags:
    - sysctl_net_ipv4_conf_all_secure_redirects
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - CCE-80159-7
    - NIST-800-53-AC-4
    - NIST-800-53-CM-7
    - NIST-800-53-SC-5
    - NIST-800-171-3.1.20
  when:
    # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Configure Kernel Parameter to Use TCP Syncookies

To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command:

```
$ sudo sysctl -w net.ipv4.tcp_syncookies=1
```

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

```
net.ipv4.tcp_syncookies = 1
```

References: CJIS 5.10.1.1, NIST 800-171 3.1.20, CCI-000366, NIST 800-53 AC-4, SC-5(1)(2), SC-5(2), SC-5(3), SRG-OS-000480-GPOS-00227

Rationale: A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.
Identifiers: CCE-27495-1

Bash remediation script:

    # XCCDF value substituted at build time; this rule documents 1
    sysctl_net_ipv4_tcp_syncookies_value="1"
    #
    # Set runtime for net.ipv4.tcp_syncookies
    #
    /sbin/sysctl -q -n -w net.ipv4.tcp_syncookies=$sysctl_net_ipv4_tcp_syncookies_value
    #
    # If net.ipv4.tcp_syncookies present in /etc/sysctl.conf, change value to appropriate value
    # else, add "net.ipv4.tcp_syncookies = value" to /etc/sysctl.conf
    # (replace_or_append is a helper from the SSG shared bash remediation functions)
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv4.tcp_syncookies' "$sysctl_net_ipv4_tcp_syncookies_value" 'CCE-27495-1'

Ansible remediation snippet:

    - name: XCCDF Value sysctl_net_ipv4_tcp_syncookies_value # promote to variable
      set_fact:
        sysctl_net_ipv4_tcp_syncookies_value: !!str 1
      tags:
        - always

    - name: Ensure sysctl net.ipv4.tcp_syncookies is set
      sysctl:
        name: net.ipv4.tcp_syncookies
        value: "{{ sysctl_net_ipv4_tcp_syncookies_value }}"
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv4_tcp_syncookies
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-27495-1
        - NIST-800-53-AC-4
        - NIST-800-53-SC-5(1)(2)
        - NIST-800-53-SC-5(2)
        - NIST-800-53-SC-5(3)
        - NIST-800-171-3.1.20
        - CJIS-5.10.1.1
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Rule: Configure Kernel Parameter for Accepting ICMP Redirects for All Interfaces

To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command:

    $ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    net.ipv4.conf.all.accept_redirects = 0

STIG ID: RHEL-07-040641 (SV-87827r4_rule)
SRG: SRG-OS-000480-GPOS-00227

Rationale: ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.

Identifiers: CCE-80158-9

Bash remediation script:

    # XCCDF value substituted at build time; this rule documents 0
    sysctl_net_ipv4_conf_all_accept_redirects_value="0"
    #
    # Set runtime for net.ipv4.conf.all.accept_redirects
    #
    /sbin/sysctl -q -n -w net.ipv4.conf.all.accept_redirects=$sysctl_net_ipv4_conf_all_accept_redirects_value
    #
    # If net.ipv4.conf.all.accept_redirects present in /etc/sysctl.conf, change value to appropriate value
    # else, add "net.ipv4.conf.all.accept_redirects = value" to /etc/sysctl.conf
    # (replace_or_append is a helper from the SSG shared bash remediation functions)
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.all.accept_redirects' "$sysctl_net_ipv4_conf_all_accept_redirects_value" 'CCE-80158-9'

Ansible remediation snippet:

    - name: XCCDF Value sysctl_net_ipv4_conf_all_accept_redirects_value # promote to variable
      set_fact:
        sysctl_net_ipv4_conf_all_accept_redirects_value: !!str 0
      tags:
        - always

    - name: Ensure sysctl net.ipv4.conf.all.accept_redirects is set
      sysctl:
        name: net.ipv4.conf.all.accept_redirects
        value: "{{ sysctl_net_ipv4_conf_all_accept_redirects_value }}"
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv4_conf_all_accept_redirects
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80158-9
        - NIST-800-53-CM-6(d)
        - NIST-800-53-CM-7
        - NIST-800-53-SC-5
        - NIST-800-171-3.1.20
        - CJIS-5.10.1.1
        - DISA-STIG-RHEL-07-040641
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Rule: Configure Kernel Parameter to Log Martian Packets

To set the runtime status of the net.ipv4.conf.all.log_martians kernel parameter, run the following command:

    $ sudo sysctl -w net.ipv4.conf.all.log_martians=1

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    net.ipv4.conf.all.log_martians = 1

Rationale: The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.
Identifiers: CCE-80160-5

Bash remediation script:

    # XCCDF value substituted at build time; this rule documents 1
    sysctl_net_ipv4_conf_all_log_martians_value="1"
    #
    # Set runtime for net.ipv4.conf.all.log_martians
    #
    /sbin/sysctl -q -n -w net.ipv4.conf.all.log_martians=$sysctl_net_ipv4_conf_all_log_martians_value
    #
    # If net.ipv4.conf.all.log_martians present in /etc/sysctl.conf, change value to appropriate value
    # else, add "net.ipv4.conf.all.log_martians = value" to /etc/sysctl.conf
    # (replace_or_append is a helper from the SSG shared bash remediation functions)
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.all.log_martians' "$sysctl_net_ipv4_conf_all_log_martians_value" 'CCE-80160-5'

Ansible remediation snippet:

    - name: XCCDF Value sysctl_net_ipv4_conf_all_log_martians_value # promote to variable
      set_fact:
        sysctl_net_ipv4_conf_all_log_martians_value: !!str 1
      tags:
        - always

    - name: Ensure sysctl net.ipv4.conf.all.log_martians is set
      sysctl:
        name: net.ipv4.conf.all.log_martians
        value: "{{ sysctl_net_ipv4_conf_all_log_martians_value }}"
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv4_conf_all_log_martians
        - unknown_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80160-5
        - NIST-800-53-AC-17(7)
        - NIST-800-53-CM-7
        - NIST-800-53-SC-5(3)
        - NIST-800-171-3.1.20
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Rule: Configure Kernel Parameter to Use Reverse Path Filtering for All Interfaces

To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command:

    $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    net.ipv4.conf.all.rp_filter = 1
Rationale: Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.

Identifiers: CCE-80167-0

Bash remediation script:

    # XCCDF value substituted at build time; this rule documents 1
    sysctl_net_ipv4_conf_all_rp_filter_value="1"
    #
    # Set runtime for net.ipv4.conf.all.rp_filter
    #
    /sbin/sysctl -q -n -w net.ipv4.conf.all.rp_filter=$sysctl_net_ipv4_conf_all_rp_filter_value
    #
    # If net.ipv4.conf.all.rp_filter present in /etc/sysctl.conf, change value to appropriate value
    # else, add "net.ipv4.conf.all.rp_filter = value" to /etc/sysctl.conf
    # (replace_or_append is a helper from the SSG shared bash remediation functions)
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.all.rp_filter' "$sysctl_net_ipv4_conf_all_rp_filter_value" 'CCE-80167-0'

Ansible remediation snippet:

    - name: XCCDF Value sysctl_net_ipv4_conf_all_rp_filter_value # promote to variable
      set_fact:
        sysctl_net_ipv4_conf_all_rp_filter_value: !!str 1
      tags:
        - always

    - name: Ensure sysctl net.ipv4.conf.all.rp_filter is set
      sysctl:
        name: net.ipv4.conf.all.rp_filter
        value: "{{ sysctl_net_ipv4_conf_all_rp_filter_value }}"
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv4_conf_all_rp_filter
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80167-0
        - NIST-800-53-AC-4
        - NIST-800-53-SC-5
        - NIST-800-53-SC-7
        - NIST-800-171-3.1.20
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Rule: Configure Kernel Parameter to Ignore Bogus ICMP Error Responses

To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command:

    $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    net.ipv4.icmp_ignore_bogus_error_responses = 1

Rationale: Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.

Identifiers: CCE-80166-2

Bash remediation script:

    # XCCDF value substituted at build time; this rule documents 1
    sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value="1"
    #
    # Set runtime for net.ipv4.icmp_ignore_bogus_error_responses
    #
    /sbin/sysctl -q -n -w net.ipv4.icmp_ignore_bogus_error_responses=$sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value
    #
    # If net.ipv4.icmp_ignore_bogus_error_responses present in /etc/sysctl.conf, change value to appropriate value
    # else, add "net.ipv4.icmp_ignore_bogus_error_responses = value" to /etc/sysctl.conf
    # (replace_or_append is a helper from the SSG shared bash remediation functions)
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv4.icmp_ignore_bogus_error_responses' "$sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value" 'CCE-80166-2'

Ansible remediation snippet:

    - name: XCCDF Value sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value # promote to variable
      set_fact:
        sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value: !!str 1
      tags:
        - always

    - name: Ensure sysctl net.ipv4.icmp_ignore_bogus_error_responses is set
      sysctl:
        name: net.ipv4.icmp_ignore_bogus_error_responses
        value: "{{ sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value }}"
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
        - unknown_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80166-2
        - NIST-800-53-CM-7
        - NIST-800-53-SC-5
        - NIST-800-171-3.1.20
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Rule: Configure Kernel Parameter for Accepting Secure Redirects By Default

To set the runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter, run the following command:

    $ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    net.ipv4.conf.default.secure_redirects = 0

Rationale: Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.
Identifiers: CCE-80164-7

Bash remediation script:

    # XCCDF value substituted at build time; this rule documents 0
    sysctl_net_ipv4_conf_default_secure_redirects_value="0"
    #
    # Set runtime for net.ipv4.conf.default.secure_redirects
    #
    /sbin/sysctl -q -n -w net.ipv4.conf.default.secure_redirects=$sysctl_net_ipv4_conf_default_secure_redirects_value
    #
    # If net.ipv4.conf.default.secure_redirects present in /etc/sysctl.conf, change value to appropriate value
    # else, add "net.ipv4.conf.default.secure_redirects = value" to /etc/sysctl.conf
    # (replace_or_append is a helper from the SSG shared bash remediation functions)
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.default.secure_redirects' "$sysctl_net_ipv4_conf_default_secure_redirects_value" 'CCE-80164-7'

Ansible remediation snippet:

    - name: XCCDF Value sysctl_net_ipv4_conf_default_secure_redirects_value # promote to variable
      set_fact:
        sysctl_net_ipv4_conf_default_secure_redirects_value: !!str 0
      tags:
        - always

    - name: Ensure sysctl net.ipv4.conf.default.secure_redirects is set
      sysctl:
        name: net.ipv4.conf.default.secure_redirects
        value: "{{ sysctl_net_ipv4_conf_default_secure_redirects_value }}"
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv4_conf_default_secure_redirects
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80164-7
        - NIST-800-53-AC-4
        - NIST-800-53-CM-7
        - NIST-800-53-SC-5
        - NIST-800-53-SC-7
        - NIST-800-171-3.1.20
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Rule: Configure Kernel Parameter for Accepting IPv4 Source-Routed Packets for All Interfaces

To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command:

    $ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    net.ipv4.conf.all.accept_source_route = 0

STIG ID: RHEL-07-040610 (SV-86907r2_rule)
SRG: SRG-OS-000480-GPOS-00227

Rationale: Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
Identifiers: CCE-27434-0

Bash remediation script:

    # XCCDF value substituted at build time; this rule documents 0
    sysctl_net_ipv4_conf_all_accept_source_route_value="0"
    #
    # Set runtime for net.ipv4.conf.all.accept_source_route
    #
    /sbin/sysctl -q -n -w net.ipv4.conf.all.accept_source_route=$sysctl_net_ipv4_conf_all_accept_source_route_value
    #
    # If net.ipv4.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
    # else, add "net.ipv4.conf.all.accept_source_route = value" to /etc/sysctl.conf
    # (replace_or_append is a helper from the SSG shared bash remediation functions)
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.all.accept_source_route' "$sysctl_net_ipv4_conf_all_accept_source_route_value" 'CCE-27434-0'

Ansible remediation snippet:

    - name: XCCDF Value sysctl_net_ipv4_conf_all_accept_source_route_value # promote to variable
      set_fact:
        sysctl_net_ipv4_conf_all_accept_source_route_value: !!str 0
      tags:
        - always

    - name: Ensure sysctl net.ipv4.conf.all.accept_source_route is set
      sysctl:
        name: net.ipv4.conf.all.accept_source_route
        value: "{{ sysctl_net_ipv4_conf_all_accept_source_route_value }}"
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv4_conf_all_accept_source_route
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-27434-0
        - NIST-800-53-AC-4
        - NIST-800-53-CM-7
        - NIST-800-53-SC-5
        - NIST-800-171-3.1.20
        - DISA-STIG-RHEL-07-040610
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Rule: Configure Kernel Parameter for Accepting ICMP Redirects By Default

To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command:

    $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    net.ipv4.conf.default.accept_redirects = 0

STIG ID: RHEL-07-040640 (SV-86913r3_rule)
SRG: SRG-OS-000480-GPOS-00227

Rationale: ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.
Identifiers: CCE-80163-9

Bash remediation script:

    # XCCDF value substituted at build time; this rule documents 0
    sysctl_net_ipv4_conf_default_accept_redirects_value="0"
    #
    # Set runtime for net.ipv4.conf.default.accept_redirects
    #
    /sbin/sysctl -q -n -w net.ipv4.conf.default.accept_redirects=$sysctl_net_ipv4_conf_default_accept_redirects_value
    #
    # If net.ipv4.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value
    # else, add "net.ipv4.conf.default.accept_redirects = value" to /etc/sysctl.conf
    # (replace_or_append is a helper from the SSG shared bash remediation functions)
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.default.accept_redirects' "$sysctl_net_ipv4_conf_default_accept_redirects_value" 'CCE-80163-9'

Ansible remediation snippet:

    - name: XCCDF Value sysctl_net_ipv4_conf_default_accept_redirects_value # promote to variable
      set_fact:
        sysctl_net_ipv4_conf_default_accept_redirects_value: !!str 0
      tags:
        - always

    - name: Ensure sysctl net.ipv4.conf.default.accept_redirects is set
      sysctl:
        name: net.ipv4.conf.default.accept_redirects
        value: "{{ sysctl_net_ipv4_conf_default_accept_redirects_value }}"
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv4_conf_default_accept_redirects
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80163-9
        - NIST-800-53-AC-4
        - NIST-800-53-CM-7
        - NIST-800-53-SC-5
        - NIST-800-53-SC-7
        - NIST-800-171-3.1.20
        - CJIS-5.10.1.1
        - DISA-STIG-RHEL-07-040640
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Rule: Disable Kernel Parameter for IP Forwarding

To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command:

    $ sudo sysctl -w net.ipv4.ip_forward=0

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    net.ipv4.ip_forward = 0

STIG ID: RHEL-07-040740 (SV-86933r2_rule)
SRG: SRG-OS-000480-GPOS-00227

Rationale: Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network.

Identifiers: CCE-80157-1

Bash remediation script:

    #
    # Set runtime for net.ipv4.ip_forward
    #
    /sbin/sysctl -q -n -w net.ipv4.ip_forward=0
    #
    # If net.ipv4.ip_forward present in /etc/sysctl.conf, change value to "0"
    # else, add "net.ipv4.ip_forward = 0" to /etc/sysctl.conf
    # (replace_or_append is a helper from the SSG shared bash remediation functions)
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv4.ip_forward' "0" 'CCE-80157-1'

Ansible remediation snippet:

    - name: Ensure sysctl net.ipv4.ip_forward is set to 0
      sysctl:
        name: net.ipv4.ip_forward
        value: 0
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv4_ip_forward
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80157-1
        - NIST-800-53-CM-7
        - NIST-800-53-SC-5
        - NIST-800-53-SC-32
        - NIST-800-171-3.1.20
        - DISA-STIG-RHEL-07-040740
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Rule: Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces

To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command:

    $ sudo sysctl -w net.ipv4.conf.all.send_redirects=0

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    net.ipv4.conf.all.send_redirects = 0

STIG ID: RHEL-07-040660
STIG rule: SV-86917r3_rule

SRG: SRG-OS-000480-GPOS-00227

Rationale: ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. The ability to send ICMP redirects is only appropriate for systems acting as routers.
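The rules above each check one net.ipv4 parameter at runtime and in one file. The following audit script is an added example, not SCAP Security Guide code: it resolves the persistent value the way `sysctl --system` does (sysctl.d directories in order, same-named files shadowed by the earlier directory, sorted application with later assignments overriding earlier ones, /etc/sysctl.conf read last), compares it and a runtime snapshot against the values this section requires, and reports which file set a drifted value. All file contents and runtime values are constructed.

```python
"""Audit the net.ipv4 hardening parameters against persistent and runtime state.

Added example, not part of the SCAP Security Guide.  Models the resolution
order that sysctl(8) documents for `sysctl --system`: SYSTEM_DIRS are read in
order, a file name seen in an earlier directory shadows the same name in later
ones, surviving *.conf files are applied in sorted order with later assignments
overriding earlier ones, and /etc/sysctl.conf is read last, so the guide's
remediation (which writes /etc/sysctl.conf) wins over /etc/sysctl.d.
"""
import os

# Read order used by `sysctl --system`; /etc/sysctl.conf is appended last.
SYSTEM_DIRS = ["/run/sysctl.d", "/etc/sysctl.d", "/usr/local/lib/sysctl.d",
               "/usr/lib/sysctl.d", "/lib/sysctl.d"]

# Values required by the rules in this section of the guide.
BASELINE = {
    "net.ipv4.conf.all.secure_redirects": "0",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.log_martians": "1",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
    "net.ipv4.conf.default.secure_redirects": "0",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.default.accept_redirects": "0",
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.default.send_redirects": "0",
}


def parse_sysctl_file(text):
    """Yield (key, value) from sysctl.conf syntax: '#'/';' comments,
    'key = value' or 'key=value', optional leading '-', slash-form keys."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lstrip("-").strip().replace("/", ".")
        yield key, value.strip()


def effective_persistent(files):
    """Resolve every key's persistent value; `files` maps absolute path ->
    content (a stand-in for the filesystem). Returns {key: (value, path)}."""
    chosen = {}  # basename -> path of the file that wins for that name
    for directory in SYSTEM_DIRS:
        for path in sorted(files):
            if os.path.dirname(path) == directory and path.endswith(".conf"):
                chosen.setdefault(os.path.basename(path), path)  # earlier dir wins
    ordered = [chosen[name] for name in sorted(chosen)]
    if "/etc/sysctl.conf" in files:
        ordered.append("/etc/sysctl.conf")
    result = {}
    for path in ordered:
        for key, value in parse_sysctl_file(files[path]):
            result[key] = (value, path)  # later file overrides earlier one
    return result


def audit(files, runtime, baseline=BASELINE):
    """Return (key, where, detail) findings; an empty list means compliant.
    `runtime` maps key -> what `sysctl -n key` prints (constructed here)."""
    persistent = effective_persistent(files)
    findings = []
    for key, want in baseline.items():
        got = runtime.get(key)
        if got != want:
            findings.append((key, "runtime", "is %s, want %s" % (got, want)))
        if key not in persistent:
            findings.append((key, "persistent", "not set in any config file"))
        elif persistent[key][0] != want:
            value, path = persistent[key]
            findings.append((key, "persistent",
                             "%s sets %s, want %s" % (path, value, want)))
    return findings


# Constructed sample: a vendor file shadowed by a local file of the same name,
# a hardening file, a later file that overrides it, a file without the .conf
# suffix (ignored), and /etc/sysctl.conf read last.
SAMPLE_FILES = {
    "/usr/lib/sysctl.d/50-default.conf": "net.ipv4.conf.all.rp_filter = 0\n",
    "/etc/sysctl.d/50-default.conf": "net.ipv4.conf.all.rp_filter = 1\n",
    "/etc/sysctl.d/10-hardening.conf":
        "# IPv4 hardening\n" + "".join("%s = %s\n" % kv for kv in BASELINE.items()),
    "/etc/sysctl.d/20-syntax.conf": "; comment\n-net/ipv4/tcp_syncookies=1\n",
    "/etc/sysctl.d/90-forwarding.conf": "net.ipv4.ip_forward = 1\n",
    "/etc/sysctl.d/README": "net.ipv4.ip_forward = 0\n",
    "/etc/sysctl.conf": "net.ipv4.conf.all.log_martians = 0\n",
}
SAMPLE_RUNTIME = {**BASELINE, "net.ipv4.ip_forward": "1",
                  "net.ipv4.conf.all.log_martians": "0"}

if __name__ == "__main__":
    for key, where, detail in audit(SAMPLE_FILES, SAMPLE_RUNTIME):
        print("%s: %s %s" % (key, where, detail))
```

On a live host, populate `files` from the directories in SYSTEM_DIRS plus /etc/sysctl.conf and `runtime` from `sysctl -n <key>` for each baseline key.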
Identifiers: CCE-80156-3

Bash remediation script:

    #
    # Set runtime for net.ipv4.conf.all.send_redirects
    #
    /sbin/sysctl -q -n -w net.ipv4.conf.all.send_redirects=0
    #
    # If net.ipv4.conf.all.send_redirects present in /etc/sysctl.conf, change value to "0"
    # else, add "net.ipv4.conf.all.send_redirects = 0" to /etc/sysctl.conf
    # (replace_or_append is a helper from the SSG shared bash remediation functions)
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.all.send_redirects' "0" 'CCE-80156-3'

Ansible remediation snippet:

    - name: Ensure sysctl net.ipv4.conf.all.send_redirects is set to 0
      sysctl:
        name: net.ipv4.conf.all.send_redirects
        value: 0
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv4_conf_all_send_redirects
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80156-3
        - NIST-800-53-AC-4
        - NIST-800-53-CM-7
        - NIST-800-53-SC-5(1)
        - NIST-800-171-3.1.20
        - CJIS-5.10.1.1
        - DISA-STIG-RHEL-07-040660
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Rule: Disable Kernel Parameter for Sending ICMP Redirects by Default

To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command:

    $ sudo sysctl -w net.ipv4.conf.default.send_redirects=0

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    net.ipv4.conf.default.send_redirects = 0

STIG ID: RHEL-07-040650 (SV-86915r4_rule)
SRG: SRG-OS-000480-GPOS-00227

Rationale: ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. The ability to send ICMP redirects is only appropriate for systems acting as routers.

Identifiers: CCE-80999-6

Bash remediation script:

    #
    # Set runtime for net.ipv4.conf.default.send_redirects
    #
    /sbin/sysctl -q -n -w net.ipv4.conf.default.send_redirects=0
    #
    # If net.ipv4.conf.default.send_redirects present in /etc/sysctl.conf, change value to "0"
    # else, add "net.ipv4.conf.default.send_redirects = 0" to /etc/sysctl.conf
    # (replace_or_append is a helper from the SSG shared bash remediation functions)
    #
    replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.default.send_redirects' "0" 'CCE-80999-6'

Ansible remediation snippet:

    - name: Ensure sysctl net.ipv4.conf.default.send_redirects is set to 0
      sysctl:
        name: net.ipv4.conf.default.send_redirects
        value: 0
        state: present
        reload: yes
      tags:
        - sysctl_net_ipv4_conf_default_send_redirects
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80999-6
        - NIST-800-53-AC-4
        - NIST-800-53-CM-7
        - NIST-800-53-SC-5
        - NIST-800-53-SC-7
        - NIST-800-171-3.1.20
        - CJIS-5.10.1.1
        - DISA-STIG-RHEL-07-040650
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Rule: Disable DCCP Support

The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony.
To configure the system to prevent the dccp kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

    install dccp /bin/true

STIG ID: RHEL-07-020101 (SV-92517r2_rule)

Rationale: Disabling DCCP protects the system against exploitation of any flaws in its implementation.

Identifiers: CCE-26828-4

Bash remediation script:

    # Divert the dccp module to /bin/true so that modprobe cannot load it.
    # The sed expression uses '#' as its delimiter because the replacement
    # text itself contains '/'.
    if LC_ALL=C grep -q -m 1 "^install dccp" /etc/modprobe.d/dccp.conf ; then
        sed -i 's#^install dccp.*#install dccp /bin/true#g' /etc/modprobe.d/dccp.conf
    else
        echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/dccp.conf
        echo "install dccp /bin/true" >> /etc/modprobe.d/dccp.conf
    fi

Ansible remediation snippet:

    - name: Ensure kernel module 'dccp' is disabled
      lineinfile:
        create: yes
        dest: "/etc/modprobe.d/dccp.conf"
        regexp: 'dccp'   # any line mentioning dccp; lineinfile replaces the last match
        line: "install dccp /bin/true"
      tags:
        - kernel_module_dccp_disabled
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-26828-4
        - NIST-800-53-CM-7
        - NIST-800-171-3.4.6
        - CJIS-5.10.1
        - DISA-STIG-RHEL-07-020101
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Rule: Disable RDS Support

The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications between nodes in a cluster.
To configure the system to prevent the rds kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

    install rds /bin/true

Rationale: Disabling RDS protects the system against exploitation of any flaws in its implementation.

Rule: Disable TIPC Support

The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the tipc kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

    install tipc /bin/true

Rationale: Disabling TIPC protects the system against exploitation of any flaws in its implementation.

Rule: Disable SCTP Support

The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection.
To configure the system to prevent the sctp kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

    install sctp /bin/true

References: 3.5.2 11 14 3 9 5.10.1 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 3.4.6 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: Disabling SCTP protects the system against exploitation of any flaws in its implementation.

Identifier: CCE-27106-4

Remediation (shell):

    if LC_ALL=C grep -q -m 1 "^install sctp" /etc/modprobe.d/sctp.conf ; then
        # '#' is used as the sed delimiter because the replacement text contains slashes
        sed -i 's#^install sctp.*#install sctp /bin/true#g' /etc/modprobe.d/sctp.conf
    else
        echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/sctp.conf
        echo "install sctp /bin/true" >> /etc/modprobe.d/sctp.conf
    fi

Remediation (Ansible):

    - name: Ensure kernel module 'sctp' is disabled
      lineinfile:
        create: yes
        dest: "/etc/modprobe.d/sctp.conf"
        regexp: 'sctp'
        line: "install sctp /bin/true"
      tags:
        - kernel_module_sctp_disabled
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-27106-4
        - NIST-800-53-CM-7
        - NIST-800-171-3.4.6
        - CJIS-5.10.1
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Bluetooth Kernel Modules

The kernel's module loading system can be configured to prevent loading of the Bluetooth module.
Add the following to the appropriate /etc/modprobe.d configuration file to prevent the loading of the Bluetooth module:

    install bluetooth /bin/true

References: 11 12 14 15 3 8 9 5.13.1.3 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 3.1.16 CCI-000085 CCI-001551 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) AC-18(a) AC-18(d) AC-18(3) CM-7 MP-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4

Rationale: If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.
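The module rules above (dccp, rds, tipc, sctp, bluetooth) each write an "install <module> /bin/true" line, but the remediation only looks at one file per module and blindly appends if that file lacks the line. The script below is an added example, not code from the SCAP Security Guide: it audits a whole modprobe.d directory (any *.conf file, comments ignored), cross-checks against lsmod-style output to show modules that are still loaded, and applies the same line idempotently. The directory and the lsmod text are parameters so it can be exercised on a constructed fixture; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the SCAP Security Guide): audit and idempotently
# apply "install <module> /bin/true" across a modprobe.d directory.

# module_disabled_in_config DIR MODULE
# Succeeds when some *.conf file in DIR carries an uncommented
# "install MODULE /bin/true" line (whitespace tolerant). A "blacklist" line
# alone does not count: it only stops autoloading, not an explicit modprobe.
module_disabled_in_config() {
    dir=$1; mod=$2
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        if LC_ALL=C grep -Eq "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+/bin/true([[:space:]]|$)" "$f"; then
            return 0
        fi
    done
    return 1
}

# module_loaded LSMOD_OUTPUT MODULE
# Succeeds when MODULE appears in the first column of lsmod-style output
# (the header line is skipped).
module_loaded() {
    printf '%s\n' "$1" | awk -v m="$2" 'NR > 1 && $1 == m { found = 1 } END { exit !found }'
}

# ensure_module_disabled DIR MODULE
# Writes DIR/MODULE.conf only when no file in DIR already disables MODULE,
# so repeated runs never append duplicate lines.
ensure_module_disabled() {
    dir=$1; mod=$2
    module_disabled_in_config "$dir" "$mod" && return 0
    {
        printf '# Disable per security requirements\n'
        printf 'install %s /bin/true\n' "$mod"
    } >> "$dir/$mod.conf"
}

# audit_modules DIR LSMOD_OUTPUT MODULE...
# Prints "<module> <status>" per module, where status is "ok", "not-disabled",
# and/or ",loaded"; returns the number of modules that are not fully compliant.
audit_modules() {
    dir=$1; lsmod_out=$2; shift 2
    failures=0
    for mod in "$@"; do
        status=ok
        module_disabled_in_config "$dir" "$mod" || status=not-disabled
        module_loaded "$lsmod_out" "$mod" && status="$status,loaded"
        printf '%s %s\n' "$mod" "$status"
        [ "$status" = ok ] || failures=$((failures + 1))
    done
    return "$failures"
}
```

On a live host, after sourcing the file, `audit_modules /etc/modprobe.d "$(lsmod)" dccp rds tipc sctp bluetooth` lists each module's state; a module reported as "ok,loaded" has the correct configuration but was loaded before it was written and stays resident until the module is removed or the system is rebooted.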
Identifier: CCE-27327-6

Remediation (shell):

    if LC_ALL=C grep -q -m 1 "^install bluetooth" /etc/modprobe.d/bluetooth.conf ; then
        # '#' is used as the sed delimiter because the replacement text contains slashes
        sed -i 's#^install bluetooth.*#install bluetooth /bin/true#g' /etc/modprobe.d/bluetooth.conf
    else
        echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/bluetooth.conf
        echo "install bluetooth /bin/true" >> /etc/modprobe.d/bluetooth.conf
    fi

Remediation (Ansible):

    - name: Ensure kernel module 'bluetooth' is disabled
      lineinfile:
        create: yes
        dest: "/etc/modprobe.d/bluetooth.conf"
        regexp: 'bluetooth'
        line: "install bluetooth /bin/true"
      tags:
        - kernel_module_bluetooth_disabled
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-27327-6
        - NIST-800-53-AC-17(8)
        - NIST-800-53-AC-18(a)
        - NIST-800-53-AC-18(d)
        - NIST-800-53-AC-18(3)
        - NIST-800-53-CM-7
        - NIST-800-53-MP-7
        - NIST-800-171-3.1.16
        - CJIS-5.13.1.3
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable WiFi or Bluetooth in BIOS

Some machines that include built-in wireless support offer the ability to disable the device through the BIOS. This is hardware-specific; consult your hardware manual or explore the BIOS setup during boot.
References: 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 CCI-000085 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) AC-18(a) AC-18(d) AC-18(3) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4

Rationale: Disabling wireless support in the BIOS prevents easy activation of the wireless interface, generally requiring administrators to reboot the system first.

Identifier: CCE-27397-9

Disable Bluetooth Service

The bluetooth service can be disabled with the following command:

    $ sudo systemctl disable bluetooth.service
    $ sudo service bluetooth stop

References: 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 3.1.16 CCI-000085 CCI-001551 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) AC-18(a) AC-18(d) AC-18(3) CM-7 MP-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4

Rationale: Disabling the bluetooth service prevents the system from attempting connections to Bluetooth devices, which entails some security risk.
Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range.

Identifier: CCE-27328-4

Remediation (shell):

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'bluetooth.service'
    "$SYSTEMCTL_EXEC" disable 'bluetooth.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^bluetooth.socket\>' && "$SYSTEMCTL_EXEC" disable 'bluetooth.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'bluetooth.service'

Remediation (Ansible):

    - name: Disable service bluetooth
      service:
        name: bluetooth
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
        - service_bluetooth_disabled
        - medium_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-27328-4
        - NIST-800-53-AC-17(8)
        - NIST-800-53-AC-18(a)
        - NIST-800-53-AC-18(d)
        - NIST-800-53-AC-18(3)
        - NIST-800-53-CM-7
        - NIST-800-53-MP-7
        - NIST-800-171-3.1.16
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service bluetooth if applicable
      service:
        name: bluetooth.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
        - service_bluetooth_disabled
        - medium_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-27328-4
        - NIST-800-53-AC-17(8)
        - NIST-800-53-AC-18(a)
        - NIST-800-53-AC-18(d)
        - NIST-800-53-AC-18(3)
        - NIST-800-53-CM-7
        - NIST-800-53-MP-7
        - NIST-800-171-3.1.16
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Deactivate Wireless Network Interfaces

Deactivating wireless network interfaces should prevent normal usage of the wireless capability. Configure the system to disable all wireless network interfaces with the following command:

    $ sudo nmcli radio wifi off

References: 4.3.1 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 3.1.16 CCI-000085 CCI-002418 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) AC-18(a) AC-18(d) AC-18(3) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000424-GPOS-00188 RHEL-07-041010 SV-87829r2_rule

Rationale: The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.

Identifier: CCE-27358-1

Disable Zeroconf Networking

Zeroconf networking allows the system to assign itself an IP address and engage in IP communication without a statically-assigned address or even a DHCP server. Automatic address assignment via Zeroconf (or DHCP) is not recommended.
To disable Zeroconf automatic route assignment in the 169.254.0.0 subnet, add or correct the following line in /etc/sysconfig/network:

    NOZEROCONF=yes

References: 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: Zeroconf addresses are in the network 169.254.0.0. The networking scripts add entries to the system's routing table for these addresses. Zeroconf address assignment commonly occurs when the system is configured to use DHCP but fails to receive an address assignment from the DHCP server.

Identifier: CCE-80173-8

Remediation (shell):

    echo "NOZEROCONF=yes" >> /etc/sysconfig/network

Ensure System is Not Acting as a Network Sniffer

The system should not be acting as a network sniffer, which can capture all traffic on the network to which it is connected.
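The Zeroconf rule above says to "add or correct" NOZEROCONF=yes, while its shell remediation only appends, so a file that already carries NOZEROCONF=no (or a commented-out line) ends up with two competing assignments. The helper below is an added example, not SCAP Security Guide code: it rewrites the first existing assignment of a key in a sysconfig-style file, drops any later duplicates, and appends only when the key is absent, so repeated runs converge on exactly one line. It generalizes beyond NOZEROCONF to any KEY=VALUE in that file format; the function names and the sample file contents are the example's own.

```shell
#!/bin/sh
# Added example (not part of the SCAP Security Guide): idempotent KEY=VALUE
# assignment for /etc/sysconfig-style files.

# set_sysconfig_key FILE KEY VALUE
# Replaces the first KEY= line (commented or not) with KEY=VALUE, removes any
# further KEY= lines, and appends KEY=VALUE when none exists. Other lines are
# passed through unchanged.
set_sysconfig_key() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        # Match "KEY=" optionally preceded by whitespace and/or a comment marker.
        $0 ~ ("^[[:space:]]*#?[[:space:]]*" k "=") {
            if (!done) { print k "=" v; done = 1 }
            next            # drop duplicate or stale assignments
        }
        { print }
        END { if (!done) print k "=" v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the original owner and mode
    rm -f "$tmp"
}

# sysconfig_value FILE KEY
# Prints the value of the last uncommented KEY= assignment, or nothing.
sysconfig_value() {
    awk -F= -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }' "$1"
}

# zeroconf_disabled FILE
# Succeeds when FILE sets NOZEROCONF=yes, which is what the rule above checks.
zeroconf_disabled() {
    [ "$(sysconfig_value "$1" NOZEROCONF)" = yes ]
}
```

Typical use is `set_sysconfig_key /etc/sysconfig/network NOZEROCONF yes` followed by `zeroconf_disabled /etc/sysconfig/network` as the verification step; both are safe to rerun.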
Run the following to determine if any interface is running in promiscuous mode:

    $ ip link | grep PROMISC

References: RHEL-07-040670 SV-86919r2_rule 1 11 14 3 9 APO11.06 APO12.06 BAI03.10 BAI09.01 BAI09.02 BAI09.03 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.05 DSS04.05 DSS05.02 DSS05.05 DSS06.06 CCI-000366 4.2.3.4 4.3.3.3.7 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 4.4.3.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 SR 7.8 A.11.1.2 A.11.2.4 A.11.2.5 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.16.1.6 A.8.1.1 A.8.1.2 A.9.1.2 CM-7 CM-7(2).1(i) MA-3 DE.DP-5 ID.AM-1 PR.IP-1 PR.MA-1 PR.PT-3 SRG-OS-000480-GPOS-00227

Rationale: Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems. If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information Systems Security Manager (ISSM) and restricted to only authorized personnel.

Identifier: CCE-80174-6

Configure Multiple DNS Servers in /etc/resolv.conf

Multiple Domain Name System (DNS) Servers should be configured in /etc/resolv.conf. This provides redundant name resolution services in the event that a domain server crashes. To configure the system to contain at least 2 DNS servers, add a corresponding nameserver ip_address entry in /etc/resolv.conf for each DNS server, where ip_address is the IP address of a valid DNS server.
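The sniffer rule and the DNS rule above are both text checks: one over `ip link` output, the other over /etc/resolv.conf. The functions below are an added example, not code from the SCAP Security Guide. They take the text as an argument so they run on constructed samples; on a live host pass "$(ip link)" and "$(cat /etc/resolv.conf)". The PROMISC check parses the flag list inside the angle brackets rather than grepping the whole line, and the nameserver count ignores comment lines and duplicate addresses, which a plain line count would not. Function names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the SCAP Security Guide): promiscuous-interface
# and resolv.conf checks over text input.

# promisc_interfaces IP_LINK_OUTPUT
# Prints the name of every interface whose flag list contains PROMISC.
# Interface lines look like "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu ...";
# only the comma-separated list between <> is inspected.
promisc_interfaces() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+: / {
            name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)   # "eth0@if5:" -> "eth0"
            if (match($0, /<[^>]*>/)) {
                flags = substr($0, RSTART + 1, RLENGTH - 2)
                n = split(flags, f, ",")
                for (i = 1; i <= n; i++) if (f[i] == "PROMISC") print name
            }
        }'
}

# nameserver_count RESOLV_CONF_CONTENTS
# Prints the number of distinct uncommented "nameserver <addr>" entries.
nameserver_count() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*;/ { next }   # resolv.conf comment lines
        $1 == "nameserver" && !seen[$2]++ { c++ }
        END { print c + 0 }'
}

# check_resolv_conf RESOLV_CONF_CONTENTS
# Succeeds when at least two distinct nameservers are configured (the rule's
# "at least 2 DNS servers").
check_resolv_conf() {
    [ "$(nameserver_count "$1")" -ge 2 ]
}

# check_no_promisc IP_LINK_OUTPUT
# Succeeds when no interface is in promiscuous mode.
check_no_promisc() {
    [ -z "$(promisc_interfaces "$1")" ]
}
```

A non-empty result from `promisc_interfaces` is what the rule wants documented with the ISSM; `check_resolv_conf` fails on the common misconfiguration of one address listed twice.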
For example:

    search example.com
    nameserver 192.168.0.1
    nameserver 192.168.0.2

References: RHEL-07-040600 SV-86905r2_rule 12 15 8 APO13.01 DSS05.02 CCI-000366 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.13.1.1 A.13.2.1 A.14.1.3 SC-22 PR.PT-4 SRG-OS-000480-GPOS-00227

Rationale: To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.

Identifier: CCE-80438-5

Disable Client Dynamic DNS Updates

Dynamic DNS allows clients to dynamically update their own DNS records. The updates are transmitted by unencrypted means, which can reveal information to a potential malicious user. If the system does not require Dynamic DNS, remove all DHCP_HOSTNAME references from the /etc/sysconfig/network-scripts/ifcfg-interface scripts. If dhclient is used, remove all send host-name hostname references from the /etc/dhclient.conf configuration file and/or any reference from the /etc/dhcp directory.

References: 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 CCI-000366 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-6(b) PR.IP-1 SRG-OS-000480-GPOS-00227

Rationale: Dynamic DNS updates transmit unencrypted information about a system including its name and address and should not be used unless needed.

Identifier: CCE-80357-7

Set Boot Loader Password in grub2

The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. To do so, select a superuser account name and password and modify the /etc/grub.d/01_users configuration file with the new account name. Since plaintext passwords are a security risk, generate a hash for the password by running the following command:

    $ grub2-setpassword

When prompted, enter the password that was selected.
NOTE: It is recommended not to use common administrator account names like root, admin, or administrator for the grub2 superuser account. Change the superuser to a different username (the default is 'root'):

    $ sed -i s/root/bootuser/g /etc/grub.d/01_users

To meet FISMA Moderate, the bootloader superuser account and password MUST differ from the root account and password. Once the superuser account and password have been added, update the grub.cfg file by running:

    grub2-mkconfig -o /boot/grub2/grub.cfg

NOTE: Do NOT manually add the superuser account and password to the grub.cfg file, as the grub2-mkconfig command overwrites this file.

To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above.

References: RHEL-07-010480 SV-86585r5_rule 1.4.2 1 11 12 14 15 16 18 3 5 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.06 DSS06.10 3.4.5 CCI-000213 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 A.18.1.4 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 IA-2 IA-2(1) IA-5(e) AC-3 PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7 PR.PT-3 FIA_AFL.1 SRG-OS-000080-GPOS-00048

Rationale: Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.
For more information on how to configure the grub2 superuser account and password, please refer to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html.

Identifier: CCE-27309-4

Verify /boot/grub2/grub.cfg Permissions

File permissions for /boot/grub2/grub.cfg should be set to 600. To properly set the permissions of /boot/grub2/grub.cfg, run the command:

    $ sudo chmod 600 /boot/grub2/grub.cfg

References: 1.4.1 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.4.5 CCI-000225 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6(7) PR.AC-4 PR.DS-5

Rationale: Proper permissions ensure that only the root user can modify important boot parameters.
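Because the boot loader password rule above has no automatic remediation, a provisioning pipeline still needs a way to verify it. The script below is an added example, not SCAP Security Guide code, covering that rule and the grub.cfg permission rule. It assumes the RHEL 7 layout the rule describes: grub2-mkconfig renders the 01_users fragment into grub.cfg as `set superusers="<name>"` plus a `password_pbkdf2 <name> ...` line whose third field is either a literal grub.pbkdf2.sha512 hash or the `${GRUB2_PASSWORD}` variable that grub2-setpassword stores in /boot/grub2/user.cfg. File paths are parameters so the checks run on constructed files; the function names and sample contents are the example's own, and the hash values in the test are placeholders, not real PBKDF2 output.

```shell
#!/bin/sh
# Added example (not part of the SCAP Security Guide): verify grub2 superuser,
# password source and grub.cfg permissions.

# grub_superuser CFG_FILE
# Prints the superuser name from the first "set superusers=..." line, quotes
# stripped, or nothing if none is set.
grub_superuser() {
    sed -n 's/^[[:space:]]*set superusers="\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*/\1/p' "$1" | head -n 1
}

# grub_password_source CFG_FILE USER
# Prints "inline" when grub.cfg carries a PBKDF2 hash for USER itself,
# "user.cfg" when it references ${GRUB2_PASSWORD}, otherwise nothing.
grub_password_source() {
    awk -v u="$2" '$1 == "password_pbkdf2" && $2 == u {
        if ($3 ~ /^grub\.pbkdf2\.sha512\./) print "inline"
        else if ($3 ~ /GRUB2_PASSWORD/) print "user.cfg"
    }' "$1" | head -n 1
}

# check_grub_password CFG_FILE USER_CFG_FILE
# Prints one verdict word and returns 0 only for "ok":
#   no-superuser  no "set superusers" line
#   default-name  superuser is root/admin/administrator (discouraged by the rule)
#   no-hash       no usable password_pbkdf2 entry for that user
check_grub_password() {
    user=$(grub_superuser "$1")
    [ -n "$user" ] || { echo no-superuser; return 1; }
    case $user in
        root|admin|administrator) echo default-name; return 1 ;;
    esac
    case $(grub_password_source "$1" "$user") in
        inline) echo ok ;;
        user.cfg)
            if [ -f "$2" ] && LC_ALL=C grep -Eq '^GRUB2_PASSWORD=grub\.pbkdf2\.sha512\.' "$2"; then
                echo ok
            else
                echo no-hash; return 1
            fi ;;
        *) echo no-hash; return 1 ;;
    esac
}

# check_mode FILE EXPECTED_OCTAL
# Succeeds when FILE's permission bits equal EXPECTED_OCTAL, e.g. 600.
check_mode() {
    [ "$(stat -c '%a' "$1")" = "$2" ]
}
```

On a BIOS-booted RHEL 7 host the call is `check_grub_password /boot/grub2/grub.cfg /boot/grub2/user.cfg` together with `check_mode /boot/grub2/grub.cfg 600`; the verdict words are meant to be greppable from a provisioning log.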
Identifier: CCE-27054-6

Remediation (shell):

    chmod 0600 /boot/grub2/grub.cfg

Remediation (Ansible):

    - name: Test for existence /boot/grub2/grub.cfg
      stat:
        path: /boot/grub2/grub.cfg
      register: file_exists
      tags:
        - file_permissions_grub2_cfg
        - medium_severity
        - configure_strategy
        - low_complexity
        - low_disruption
        - CCE-27054-6
        - NIST-800-53-AC-6(7)
        - NIST-800-171-3.4.5
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Ensure permission 0600 on /boot/grub2/grub.cfg
      file:
        path: /boot/grub2/grub.cfg
        mode: 0600
      when: file_exists.stat.exists and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - file_permissions_grub2_cfg
        - medium_severity
        - configure_strategy
        - low_complexity
        - low_disruption
        - CCE-27054-6
        - NIST-800-53-AC-6(7)
        - NIST-800-171-3.4.5

Set the UEFI Boot Loader Password

The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. To do so, select a superuser account name and password and modify the /etc/grub.d/01_users configuration file with the new account name. Since plaintext passwords are a security risk, generate a hash for the password by running the following command:

    $ grub2-setpassword

When prompted, enter the password that was selected.

NOTE: It is recommended not to use common administrator account names like root, admin, or administrator for the grub2 superuser account. Change the superuser to a different username (the default is 'root'):

    $ sed -i s/root/bootuser/g /etc/grub.d/01_users

To meet FISMA Moderate, the bootloader superuser account and password MUST differ from the root account and password. Once the superuser account and password have been added, update the grub.cfg file by running:

    grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

NOTE: Do NOT manually add the superuser account and password to the grub.cfg file, as the grub2-mkconfig command overwrites this file.
To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above.

References: RHEL-07-010490 SV-86587r4_rule 1.4.2 11 12 14 15 16 18 3 5 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.03 DSS06.06 3.4.5 CCI-000213 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-3 PR.AC-4 PR.AC-6 PR.PT-3 FIA_AFL.1 SRG-OS-000080-GPOS-00048

Rationale: Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. For more information on how to configure the grub2 superuser account and password, please refer to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html.

Identifier: CCE-80354-4

Boot Loader Is Not Installed On Removable Media

The system must not allow removable media to be used as the boot loader. Remove alternate methods of booting the system from removable media. usb0, cd, fd0, etc. are some examples of removable media which should not appear in the line:

    set root='hd0,msdos1'

References: CCI-001814 SRG-OS-000364-GPOS-00151 RHEL-07-021700 SV-86699r2_rule

Rationale: Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader.
Identifier: CCE-80517-6

IOMMU configuration directive

On x86 architecture supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some of the system critical units such as the memory.

References: NT28(R11)

Rationale: On x86 architectures, activating the IOMMU prevents the system from arbitrary accesses potentially made by hardware devices.

UEFI Boot Loader Is Not Installed On Removable Media

The system must not allow removable media to be used as the boot loader. Remove alternate methods of booting the system from removable media. usb0, cd, fd0, etc. are some examples of removable media which should not appear in the line:

    set root='hd0,msdos1'

References: CCI-001814 SRG-OS-000364-GPOS-00151

Rationale: Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader.

Identifier: CCE-80518-4

Verify /boot/efi/EFI/redhat/grub.cfg Permissions

File permissions for /boot/efi/EFI/redhat/grub.cfg should be set to 700. To properly set the permissions of /boot/efi/EFI/redhat/grub.cfg, run the command:

    $ sudo chmod 700 /boot/efi/EFI/redhat/grub.cfg

References: 1.4.1 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.4.5 CCI-000225 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6(7) PR.AC-4 PR.DS-5

Rationale: Proper permissions ensure that only the root user can modify important boot parameters.
Remediation (shell):

    chmod 700 /boot/efi/EFI/redhat/grub.cfg

Remediation (Ansible):

    - name: Test for existence /boot/efi/EFI/redhat/grub.cfg
      stat:
        path: /boot/efi/EFI/redhat/grub.cfg
      register: file_exists
      tags:
        - file_permissions_efi_grub2_cfg
        - medium_severity
        - configure_strategy
        - low_complexity
        - low_disruption
        - NIST-800-53-AC-6(7)
        - NIST-800-171-3.4.5
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Ensure permission 0700 on /boot/efi/EFI/redhat/grub.cfg
      file:
        path: /boot/efi/EFI/redhat/grub.cfg
        mode: 0700
      when: file_exists.stat.exists and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - file_permissions_efi_grub2_cfg
        - medium_severity
        - configure_strategy
        - low_complexity
        - low_disruption
        - NIST-800-53-AC-6(7)
        - NIST-800-171-3.4.5

Disable the openvpn_can_network_connect SELinux Boolean

By default, the SELinux boolean openvpn_can_network_connect is enabled. This setting should be disabled.
To disable the openvpn_can_network_connect SELinux boolean, run the following command:

    $ sudo setsebool -P openvpn_can_network_connect off

Remediation (shell):

    var_openvpn_can_network_connect=""
    setsebool -P openvpn_can_network_connect $var_openvpn_can_network_connect

Remediation (Ansible):

    - name: XCCDF Value var_openvpn_can_network_connect # promote to variable
      set_fact:
        var_openvpn_can_network_connect: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_openvpn_can_network_connect
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean openvpn_can_network_connect accordingly
      seboolean:
        name: openvpn_can_network_connect
        state: "{{ var_openvpn_can_network_connect }}"
        persistent: yes
      tags:
        - sebool_openvpn_can_network_connect
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_use_gpg SELinux Boolean

By default, the SELinux boolean httpd_use_gpg is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_use_gpg SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_use_gpg off

Remediation (shell):

    var_httpd_use_gpg=""
    setsebool -P httpd_use_gpg $var_httpd_use_gpg

Remediation (Ansible):

    - name: XCCDF Value var_httpd_use_gpg # promote to variable
      set_fact:
        var_httpd_use_gpg: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_use_gpg
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_use_gpg accordingly
      seboolean:
        name: httpd_use_gpg
        state: "{{ var_httpd_use_gpg }}"
        persistent: yes
      tags:
        - sebool_httpd_use_gpg
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the ssh_sysadm_login SELinux Boolean

By default, the SELinux boolean ssh_sysadm_login is disabled. If this setting is enabled, it should be disabled.
To disable the ssh_sysadm_login SELinux boolean, run the following command:

    $ sudo setsebool -P ssh_sysadm_login off

Remediation (shell):

    var_ssh_sysadm_login=""
    setsebool -P ssh_sysadm_login $var_ssh_sysadm_login

Remediation (Ansible):

    - name: XCCDF Value var_ssh_sysadm_login # promote to variable
      set_fact:
        var_ssh_sysadm_login: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_ssh_sysadm_login
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean ssh_sysadm_login accordingly
      seboolean:
        name: ssh_sysadm_login
        state: "{{ var_ssh_sysadm_login }}"
        persistent: yes
      tags:
        - sebool_ssh_sysadm_login
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_run_stickshift SELinux Boolean

By default, the SELinux boolean httpd_run_stickshift is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_run_stickshift SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_run_stickshift off

Remediation (shell):

    var_httpd_run_stickshift=""
    setsebool -P httpd_run_stickshift $var_httpd_run_stickshift

Remediation (Ansible):

    - name: XCCDF Value var_httpd_run_stickshift # promote to variable
      set_fact:
        var_httpd_run_stickshift: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_run_stickshift
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_run_stickshift accordingly
      seboolean:
        name: httpd_run_stickshift
        state: "{{ var_httpd_run_stickshift }}"
        persistent: yes
      tags:
        - sebool_httpd_run_stickshift
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the polipo_connect_all_unreserved SELinux Boolean

By default, the SELinux boolean polipo_connect_all_unreserved is disabled. If this setting is enabled, it should be disabled.
To disable the polipo_connect_all_unreserved SELinux boolean, run the following command:

    $ sudo setsebool -P polipo_connect_all_unreserved off

Remediation (shell):

    var_polipo_connect_all_unreserved=""
    setsebool -P polipo_connect_all_unreserved $var_polipo_connect_all_unreserved

Remediation (Ansible):

    - name: XCCDF Value var_polipo_connect_all_unreserved # promote to variable
      set_fact:
        var_polipo_connect_all_unreserved: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_polipo_connect_all_unreserved
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean polipo_connect_all_unreserved accordingly
      seboolean:
        name: polipo_connect_all_unreserved
        state: "{{ var_polipo_connect_all_unreserved }}"
        persistent: yes
      tags:
        - sebool_polipo_connect_all_unreserved
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_sys_script_anon_write SELinux Boolean

By default, the SELinux boolean httpd_sys_script_anon_write is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_sys_script_anon_write SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_sys_script_anon_write off

Remediation (shell):

    var_httpd_sys_script_anon_write=""
    setsebool -P httpd_sys_script_anon_write $var_httpd_sys_script_anon_write

Remediation (Ansible):

    - name: XCCDF Value var_httpd_sys_script_anon_write # promote to variable
      set_fact:
        var_httpd_sys_script_anon_write: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_sys_script_anon_write
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_sys_script_anon_write accordingly
      seboolean:
        name: httpd_sys_script_anon_write
        state: "{{ var_httpd_sys_script_anon_write }}"
        persistent: yes
      tags:
        - sebool_httpd_sys_script_anon_write
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the pcp_bind_all_unreserved_ports SELinux Boolean

By default, the SELinux boolean pcp_bind_all_unreserved_ports is disabled. If this setting is enabled, it should be disabled.
To disable the pcp_bind_all_unreserved_ports SELinux boolean, run the following command:
$ sudo setsebool -P pcp_bind_all_unreserved_ports off

Remediation Shell script:
    var_pcp_bind_all_unreserved_ports=""
    setsebool -P pcp_bind_all_unreserved_ports $var_pcp_bind_all_unreserved_ports

Remediation Ansible snippet:
    - name: XCCDF Value var_pcp_bind_all_unreserved_ports # promote to variable
      set_fact:
        var_pcp_bind_all_unreserved_ports: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_pcp_bind_all_unreserved_ports
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean pcp_bind_all_unreserved_ports accordingly
      seboolean:
        name: pcp_bind_all_unreserved_ports
        state: "{{ var_pcp_bind_all_unreserved_ports }}"
        persistent: yes
      tags:
        - sebool_pcp_bind_all_unreserved_ports
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the minidlna_read_generic_user_content SELinux Boolean
By default, the SELinux boolean minidlna_read_generic_user_content is disabled. If this setting is enabled, it should be disabled.
To disable the minidlna_read_generic_user_content SELinux boolean, run the following command:
$ sudo setsebool -P minidlna_read_generic_user_content off

Remediation Shell script:
    var_minidlna_read_generic_user_content=""
    setsebool -P minidlna_read_generic_user_content $var_minidlna_read_generic_user_content

Remediation Ansible snippet:
    - name: XCCDF Value var_minidlna_read_generic_user_content # promote to variable
      set_fact:
        var_minidlna_read_generic_user_content: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_minidlna_read_generic_user_content
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean minidlna_read_generic_user_content accordingly
      seboolean:
        name: minidlna_read_generic_user_content
        state: "{{ var_minidlna_read_generic_user_content }}"
        persistent: yes
      tags:
        - sebool_minidlna_read_generic_user_content
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the auditadm_exec_content SELinux Boolean
By default, the SELinux boolean auditadm_exec_content is enabled. If this setting is disabled, it should be enabled.
To enable the auditadm_exec_content SELinux boolean, run the following command:
$ sudo setsebool -P auditadm_exec_content on

Identifiers: CCE-80424-5. References: 80424-5.

Remediation Shell script:
    var_auditadm_exec_content=""
    setsebool -P auditadm_exec_content $var_auditadm_exec_content

Remediation Ansible snippet:
    - name: XCCDF Value var_auditadm_exec_content # promote to variable
      set_fact:
        var_auditadm_exec_content: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_auditadm_exec_content
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80424-5
        - NIST-800-171-80424-5
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean auditadm_exec_content accordingly
      seboolean:
        name: auditadm_exec_content
        state: "{{ var_auditadm_exec_content }}"
        persistent: yes
      tags:
        - sebool_auditadm_exec_content
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80424-5
        - NIST-800-171-80424-5
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the authlogin_radius SELinux Boolean
By default, the SELinux boolean authlogin_radius is disabled. If this setting is enabled, it should be disabled.
To disable the authlogin_radius SELinux boolean, run the following command:
$ sudo setsebool -P authlogin_radius off

Identifiers: CCE-80426-0. References: NIST 800-171 3.7.2.

Remediation Shell script:
    var_authlogin_radius=""
    setsebool -P authlogin_radius $var_authlogin_radius

Remediation Ansible snippet:
    - name: XCCDF Value var_authlogin_radius # promote to variable
      set_fact:
        var_authlogin_radius: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_authlogin_radius
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80426-0
        - NIST-800-171-3.7.2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean authlogin_radius accordingly
      seboolean:
        name: authlogin_radius
        state: "{{ var_authlogin_radius }}"
        persistent: yes
      tags:
        - sebool_authlogin_radius
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80426-0
        - NIST-800-171-3.7.2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the logwatch_can_network_connect_mail SELinux Boolean
By default, the SELinux boolean logwatch_can_network_connect_mail is disabled. If this setting is enabled, it should be disabled.
To disable the logwatch_can_network_connect_mail SELinux boolean, run the following command:
$ sudo setsebool -P logwatch_can_network_connect_mail off

Remediation Shell script:
    var_logwatch_can_network_connect_mail=""
    setsebool -P logwatch_can_network_connect_mail $var_logwatch_can_network_connect_mail

Remediation Ansible snippet:
    - name: XCCDF Value var_logwatch_can_network_connect_mail # promote to variable
      set_fact:
        var_logwatch_can_network_connect_mail: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_logwatch_can_network_connect_mail
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean logwatch_can_network_connect_mail accordingly
      seboolean:
        name: logwatch_can_network_connect_mail
        state: "{{ var_logwatch_can_network_connect_mail }}"
        persistent: yes
      tags:
        - sebool_logwatch_can_network_connect_mail
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the logrotate_use_nfs SELinux Boolean
By default, the SELinux boolean logrotate_use_nfs is disabled. If this setting is enabled, it should be disabled.
To disable the logrotate_use_nfs SELinux boolean, run the following command:
$ sudo setsebool -P logrotate_use_nfs off

Remediation Shell script:
    var_logrotate_use_nfs=""
    setsebool -P logrotate_use_nfs $var_logrotate_use_nfs

Remediation Ansible snippet:
    - name: XCCDF Value var_logrotate_use_nfs # promote to variable
      set_fact:
        var_logrotate_use_nfs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_logrotate_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean logrotate_use_nfs accordingly
      seboolean:
        name: logrotate_use_nfs
        state: "{{ var_logrotate_use_nfs }}"
        persistent: yes
      tags:
        - sebool_logrotate_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the git_cgi_use_cifs SELinux Boolean
By default, the SELinux boolean git_cgi_use_cifs is disabled. If this setting is enabled, it should be disabled.
To disable the git_cgi_use_cifs SELinux boolean, run the following command:
$ sudo setsebool -P git_cgi_use_cifs off

Remediation Shell script:
    var_git_cgi_use_cifs=""
    setsebool -P git_cgi_use_cifs $var_git_cgi_use_cifs

Remediation Ansible snippet:
    - name: XCCDF Value var_git_cgi_use_cifs # promote to variable
      set_fact:
        var_git_cgi_use_cifs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_git_cgi_use_cifs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean git_cgi_use_cifs accordingly
      seboolean:
        name: git_cgi_use_cifs
        state: "{{ var_git_cgi_use_cifs }}"
        persistent: yes
      tags:
        - sebool_git_cgi_use_cifs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the postgresql_can_rsync SELinux Boolean
By default, the SELinux boolean postgresql_can_rsync is disabled. If this setting is enabled, it should be disabled.
To disable the postgresql_can_rsync SELinux boolean, run the following command:
$ sudo setsebool -P postgresql_can_rsync off

Remediation Shell script:
    var_postgresql_can_rsync=""
    setsebool -P postgresql_can_rsync $var_postgresql_can_rsync

Remediation Ansible snippet:
    - name: XCCDF Value var_postgresql_can_rsync # promote to variable
      set_fact:
        var_postgresql_can_rsync: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_postgresql_can_rsync
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean postgresql_can_rsync accordingly
      seboolean:
        name: postgresql_can_rsync
        state: "{{ var_postgresql_can_rsync }}"
        persistent: yes
      tags:
        - sebool_postgresql_can_rsync
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the selinuxuser_execstack SELinux Boolean
By default, the SELinux boolean selinuxuser_execstack is enabled. This setting should be disabled, as unconfined executables should not be able to make their stack executable.
To disable the selinuxuser_execstack SELinux boolean, run the following command:
$ sudo setsebool -P selinuxuser_execstack off

References (HIPAA): 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e).

Remediation Shell script:
    var_selinuxuser_execstack=""
    setsebool -P selinuxuser_execstack $var_selinuxuser_execstack

Remediation Ansible snippet:
    - name: XCCDF Value var_selinuxuser_execstack # promote to variable
      set_fact:
        var_selinuxuser_execstack: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_selinuxuser_execstack
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean selinuxuser_execstack accordingly
      seboolean:
        name: selinuxuser_execstack
        state: "{{ var_selinuxuser_execstack }}"
        persistent: yes
      tags:
        - sebool_selinuxuser_execstack
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the entropyd_use_audio SELinux Boolean
By default, the SELinux boolean entropyd_use_audio is enabled. This setting should be disabled, as it allows the entropy daemon to use audio input to generate entropy.
To disable the entropyd_use_audio SELinux boolean, run the following command:
$ sudo setsebool -P entropyd_use_audio off

Remediation Shell script:
    var_entropyd_use_audio=""
    setsebool -P entropyd_use_audio $var_entropyd_use_audio

Remediation Ansible snippet:
    - name: XCCDF Value var_entropyd_use_audio # promote to variable
      set_fact:
        var_entropyd_use_audio: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_entropyd_use_audio
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean entropyd_use_audio accordingly
      seboolean:
        name: entropyd_use_audio
        state: "{{ var_entropyd_use_audio }}"
        persistent: yes
      tags:
        - sebool_entropyd_use_audio
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_execmem SELinux Boolean
By default, the SELinux boolean httpd_execmem is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_execmem SELinux boolean, run the following command:
$ sudo setsebool -P httpd_execmem off

Remediation Shell script:
    var_httpd_execmem=""
    setsebool -P httpd_execmem $var_httpd_execmem

Remediation Ansible snippet:
    - name: XCCDF Value var_httpd_execmem # promote to variable
      set_fact:
        var_httpd_execmem: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_execmem
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_execmem accordingly
      seboolean:
        name: httpd_execmem
        state: "{{ var_httpd_execmem }}"
        persistent: yes
      tags:
        - sebool_httpd_execmem
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the mount_anyfile SELinux Boolean
By default, the SELinux boolean mount_anyfile is enabled. If this setting is disabled, it should be enabled to allow any file or directory to be mounted.
To enable the mount_anyfile SELinux boolean, run the following command:
$ sudo setsebool -P mount_anyfile on

Remediation Shell script:
    var_mount_anyfile=""
    setsebool -P mount_anyfile $var_mount_anyfile

Remediation Ansible snippet:
    - name: XCCDF Value var_mount_anyfile # promote to variable
      set_fact:
        var_mount_anyfile: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_mount_anyfile
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean mount_anyfile accordingly
      seboolean:
        name: mount_anyfile
        state: "{{ var_mount_anyfile }}"
        persistent: yes
      tags:
        - sebool_mount_anyfile
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the smartmon_3ware SELinux Boolean
By default, the SELinux boolean smartmon_3ware is disabled. If this setting is enabled, it should be disabled.
To disable the smartmon_3ware SELinux boolean, run the following command:
$ sudo setsebool -P smartmon_3ware off

Remediation Shell script:
    var_smartmon_3ware=""
    setsebool -P smartmon_3ware $var_smartmon_3ware

Remediation Ansible snippet:
    - name: XCCDF Value var_smartmon_3ware # promote to variable
      set_fact:
        var_smartmon_3ware: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_smartmon_3ware
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean smartmon_3ware accordingly
      seboolean:
        name: smartmon_3ware
        state: "{{ var_smartmon_3ware }}"
        persistent: yes
      tags:
        - sebool_smartmon_3ware
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the git_cgi_enable_homedirs SELinux Boolean
By default, the SELinux boolean git_cgi_enable_homedirs is disabled. If this setting is enabled, it should be disabled.
To disable the git_cgi_enable_homedirs SELinux boolean, run the following command:
$ sudo setsebool -P git_cgi_enable_homedirs off

Remediation Shell script:
    var_git_cgi_enable_homedirs=""
    setsebool -P git_cgi_enable_homedirs $var_git_cgi_enable_homedirs

Remediation Ansible snippet:
    - name: XCCDF Value var_git_cgi_enable_homedirs # promote to variable
      set_fact:
        var_git_cgi_enable_homedirs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_git_cgi_enable_homedirs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean git_cgi_enable_homedirs accordingly
      seboolean:
        name: git_cgi_enable_homedirs
        state: "{{ var_git_cgi_enable_homedirs }}"
        persistent: yes
      tags:
        - sebool_git_cgi_enable_homedirs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the mailman_use_fusefs SELinux Boolean
By default, the SELinux boolean mailman_use_fusefs is disabled. If this setting is enabled, it should be disabled.
To disable the mailman_use_fusefs SELinux boolean, run the following command:
$ sudo setsebool -P mailman_use_fusefs off

Remediation Shell script:
    var_mailman_use_fusefs=""
    setsebool -P mailman_use_fusefs $var_mailman_use_fusefs

Remediation Ansible snippet:
    - name: XCCDF Value var_mailman_use_fusefs # promote to variable
      set_fact:
        var_mailman_use_fusefs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_mailman_use_fusefs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean mailman_use_fusefs accordingly
      seboolean:
        name: mailman_use_fusefs
        state: "{{ var_mailman_use_fusefs }}"
        persistent: yes
      tags:
        - sebool_mailman_use_fusefs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_can_check_spam SELinux Boolean
By default, the SELinux boolean httpd_can_check_spam is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_can_check_spam SELinux boolean, run the following command:
$ sudo setsebool -P httpd_can_check_spam off

Remediation Shell script:
    var_httpd_can_check_spam=""
    setsebool -P httpd_can_check_spam $var_httpd_can_check_spam

Remediation Ansible snippet:
    - name: XCCDF Value var_httpd_can_check_spam # promote to variable
      set_fact:
        var_httpd_can_check_spam: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_can_check_spam
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_can_check_spam accordingly
      seboolean:
        name: httpd_can_check_spam
        state: "{{ var_httpd_can_check_spam }}"
        persistent: yes
      tags:
        - sebool_httpd_can_check_spam
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the fenced_can_ssh SELinux Boolean
By default, the SELinux boolean fenced_can_ssh is disabled. If this setting is enabled, it should be disabled.
To disable the fenced_can_ssh SELinux boolean, run the following command:
$ sudo setsebool -P fenced_can_ssh off

Remediation Shell script:
    var_fenced_can_ssh=""
    setsebool -P fenced_can_ssh $var_fenced_can_ssh

Remediation Ansible snippet:
    - name: XCCDF Value var_fenced_can_ssh # promote to variable
      set_fact:
        var_fenced_can_ssh: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_fenced_can_ssh
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean fenced_can_ssh accordingly
      seboolean:
        name: fenced_can_ssh
        state: "{{ var_fenced_can_ssh }}"
        persistent: yes
      tags:
        - sebool_fenced_can_ssh
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the nagios_run_pnp4nagios SELinux Boolean
By default, the SELinux boolean nagios_run_pnp4nagios is disabled. If this setting is enabled, it should be disabled.
To disable the nagios_run_pnp4nagios SELinux boolean, run the following command:
$ sudo setsebool -P nagios_run_pnp4nagios off

Remediation Shell script:
    var_nagios_run_pnp4nagios=""
    setsebool -P nagios_run_pnp4nagios $var_nagios_run_pnp4nagios

Remediation Ansible snippet:
    - name: XCCDF Value var_nagios_run_pnp4nagios # promote to variable
      set_fact:
        var_nagios_run_pnp4nagios: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_nagios_run_pnp4nagios
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean nagios_run_pnp4nagios accordingly
      seboolean:
        name: nagios_run_pnp4nagios
        state: "{{ var_nagios_run_pnp4nagios }}"
        persistent: yes
      tags:
        - sebool_nagios_run_pnp4nagios
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_can_network_connect SELinux Boolean
By default, the SELinux boolean httpd_can_network_connect is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_can_network_connect SELinux boolean, run the following command:
$ sudo setsebool -P httpd_can_network_connect off

Remediation Shell script:
    var_httpd_can_network_connect=""
    setsebool -P httpd_can_network_connect $var_httpd_can_network_connect

Remediation Ansible snippet:
    - name: XCCDF Value var_httpd_can_network_connect # promote to variable
      set_fact:
        var_httpd_can_network_connect: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_can_network_connect
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_can_network_connect accordingly
      seboolean:
        name: httpd_can_network_connect
        state: "{{ var_httpd_can_network_connect }}"
        persistent: yes
      tags:
        - sebool_httpd_can_network_connect
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the mozilla_plugin_can_network_connect SELinux Boolean
By default, the SELinux boolean mozilla_plugin_can_network_connect is disabled. If this setting is enabled, it should be disabled.
To disable the mozilla_plugin_can_network_connect SELinux boolean, run the following command:
$ sudo setsebool -P mozilla_plugin_can_network_connect off

Remediation Shell script:
    var_mozilla_plugin_can_network_connect=""
    setsebool -P mozilla_plugin_can_network_connect $var_mozilla_plugin_can_network_connect

Remediation Ansible snippet:
    - name: XCCDF Value var_mozilla_plugin_can_network_connect # promote to variable
      set_fact:
        var_mozilla_plugin_can_network_connect: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_mozilla_plugin_can_network_connect
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean mozilla_plugin_can_network_connect accordingly
      seboolean:
        name: mozilla_plugin_can_network_connect
        state: "{{ var_mozilla_plugin_can_network_connect }}"
        persistent: yes
      tags:
        - sebool_mozilla_plugin_can_network_connect
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the git_session_bind_all_unreserved_ports SELinux Boolean
By default, the SELinux boolean git_session_bind_all_unreserved_ports is disabled. If this setting is enabled, it should be disabled.
To disable the git_session_bind_all_unreserved_ports SELinux boolean, run the following command:
$ sudo setsebool -P git_session_bind_all_unreserved_ports off

Remediation Shell script:
    var_git_session_bind_all_unreserved_ports=""
    setsebool -P git_session_bind_all_unreserved_ports $var_git_session_bind_all_unreserved_ports

Remediation Ansible snippet:
    - name: XCCDF Value var_git_session_bind_all_unreserved_ports # promote to variable
      set_fact:
        var_git_session_bind_all_unreserved_ports: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_git_session_bind_all_unreserved_ports
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean git_session_bind_all_unreserved_ports accordingly
      seboolean:
        name: git_session_bind_all_unreserved_ports
        state: "{{ var_git_session_bind_all_unreserved_ports }}"
        persistent: yes
      tags:
        - sebool_git_session_bind_all_unreserved_ports
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the tmpreaper_use_samba SELinux Boolean
By default, the SELinux boolean tmpreaper_use_samba is disabled. If this setting is enabled, it should be disabled.
To disable the tmpreaper_use_samba SELinux boolean, run the following command:
$ sudo setsebool -P tmpreaper_use_samba off

Remediation Shell script:
    var_tmpreaper_use_samba=""
    setsebool -P tmpreaper_use_samba $var_tmpreaper_use_samba

Remediation Ansible snippet:
    - name: XCCDF Value var_tmpreaper_use_samba # promote to variable
      set_fact:
        var_tmpreaper_use_samba: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_tmpreaper_use_samba
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean tmpreaper_use_samba accordingly
      seboolean:
        name: tmpreaper_use_samba
        state: "{{ var_tmpreaper_use_samba }}"
        persistent: yes
      tags:
        - sebool_tmpreaper_use_samba
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the selinuxuser_tcp_server SELinux Boolean
By default, the SELinux boolean selinuxuser_tcp_server is disabled. If this setting is enabled, it should be disabled.
To disable the selinuxuser_tcp_server SELinux boolean, run the following command:
$ sudo setsebool -P selinuxuser_tcp_server off

Remediation Shell script:
    var_selinuxuser_tcp_server=""
    setsebool -P selinuxuser_tcp_server $var_selinuxuser_tcp_server

Remediation Ansible snippet:
    - name: XCCDF Value var_selinuxuser_tcp_server # promote to variable
      set_fact:
        var_selinuxuser_tcp_server: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_selinuxuser_tcp_server
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean selinuxuser_tcp_server accordingly
      seboolean:
        name: selinuxuser_tcp_server
        state: "{{ var_selinuxuser_tcp_server }}"
        persistent: yes
      tags:
        - sebool_selinuxuser_tcp_server
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_anon_write SELinux Boolean
By default, the SELinux boolean httpd_anon_write is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_anon_write SELinux boolean, run the following command:
$ sudo setsebool -P httpd_anon_write off

Remediation Shell script:
    var_httpd_anon_write=""
    setsebool -P httpd_anon_write $var_httpd_anon_write

Remediation Ansible snippet:
    - name: XCCDF Value var_httpd_anon_write # promote to variable
      set_fact:
        var_httpd_anon_write: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_anon_write
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_anon_write accordingly
      seboolean:
        name: httpd_anon_write
        state: "{{ var_httpd_anon_write }}"
        persistent: yes
      tags:
        - sebool_httpd_anon_write
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_can_connect_ldap SELinux Boolean
By default, the SELinux boolean httpd_can_connect_ldap is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_can_connect_ldap SELinux boolean, run the following command:
$ sudo setsebool -P httpd_can_connect_ldap off

Remediation Shell script:
var_httpd_can_connect_ldap=""
setsebool -P httpd_can_connect_ldap $var_httpd_can_connect_ldap

Remediation Ansible snippet:
- name: XCCDF Value var_httpd_can_connect_ldap # promote to variable
  set_fact:
    var_httpd_can_connect_ldap: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_httpd_can_connect_ldap
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean httpd_can_connect_ldap accordingly
  seboolean:
    name: httpd_can_connect_ldap
    state: "{{ var_httpd_can_connect_ldap }}"
    persistent: yes
  tags:
    - sebool_httpd_can_connect_ldap
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the xen_use_nfs SELinux Boolean
By default, the SELinux boolean xen_use_nfs is disabled. If this setting is enabled, it should be disabled.
To disable the xen_use_nfs SELinux boolean, run the following command:
$ sudo setsebool -P xen_use_nfs off

Remediation Shell script:
var_xen_use_nfs=""
setsebool -P xen_use_nfs $var_xen_use_nfs

Remediation Ansible snippet:
- name: XCCDF Value var_xen_use_nfs # promote to variable
  set_fact:
    var_xen_use_nfs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_xen_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean xen_use_nfs accordingly
  seboolean:
    name: xen_use_nfs
    state: "{{ var_xen_use_nfs }}"
    persistent: yes
  tags:
    - sebool_xen_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the daemons_use_tcp_wrapper SELinux Boolean
By default, the SELinux boolean daemons_use_tcp_wrapper is disabled. If this setting is enabled, it should be disabled.
To disable the daemons_use_tcp_wrapper SELinux boolean, run the following command:
$ sudo setsebool -P daemons_use_tcp_wrapper off

Remediation Shell script:
var_daemons_use_tcp_wrapper=""
setsebool -P daemons_use_tcp_wrapper $var_daemons_use_tcp_wrapper

Remediation Ansible snippet:
- name: XCCDF Value var_daemons_use_tcp_wrapper # promote to variable
  set_fact:
    var_daemons_use_tcp_wrapper: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_daemons_use_tcp_wrapper
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean daemons_use_tcp_wrapper accordingly
  seboolean:
    name: daemons_use_tcp_wrapper
    state: "{{ var_daemons_use_tcp_wrapper }}"
    persistent: yes
  tags:
    - sebool_daemons_use_tcp_wrapper
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the ftpd_connect_db SELinux Boolean
By default, the SELinux boolean ftpd_connect_db is disabled. If this setting is enabled, it should be disabled.
To disable the ftpd_connect_db SELinux boolean, run the following command:
$ sudo setsebool -P ftpd_connect_db off

Remediation Shell script:
var_ftpd_connect_db=""
setsebool -P ftpd_connect_db $var_ftpd_connect_db

Remediation Ansible snippet:
- name: XCCDF Value var_ftpd_connect_db # promote to variable
  set_fact:
    var_ftpd_connect_db: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_ftpd_connect_db
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean ftpd_connect_db accordingly
  seboolean:
    name: ftpd_connect_db
    state: "{{ var_ftpd_connect_db }}"
    persistent: yes
  tags:
    - sebool_ftpd_connect_db
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the ftpd_use_nfs SELinux Boolean
By default, the SELinux boolean ftpd_use_nfs is disabled. If this setting is enabled, it should be disabled.
To disable the ftpd_use_nfs SELinux boolean, run the following command:
$ sudo setsebool -P ftpd_use_nfs off

Remediation Shell script:
var_ftpd_use_nfs=""
setsebool -P ftpd_use_nfs $var_ftpd_use_nfs

Remediation Ansible snippet:
- name: XCCDF Value var_ftpd_use_nfs # promote to variable
  set_fact:
    var_ftpd_use_nfs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_ftpd_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean ftpd_use_nfs accordingly
  seboolean:
    name: ftpd_use_nfs
    state: "{{ var_ftpd_use_nfs }}"
    persistent: yes
  tags:
    - sebool_ftpd_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the cron_can_relabel SELinux Boolean
By default, the SELinux boolean cron_can_relabel is disabled. If this setting is enabled, it should be disabled.
To disable the cron_can_relabel SELinux boolean, run the following command:
$ sudo setsebool -P cron_can_relabel off

Remediation Shell script:
var_cron_can_relabel=""
setsebool -P cron_can_relabel $var_cron_can_relabel

Remediation Ansible snippet:
- name: XCCDF Value var_cron_can_relabel # promote to variable
  set_fact:
    var_cron_can_relabel: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_cron_can_relabel
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean cron_can_relabel accordingly
  seboolean:
    name: cron_can_relabel
    state: "{{ var_cron_can_relabel }}"
    persistent: yes
  tags:
    - sebool_cron_can_relabel
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the openvpn_run_unconfined SELinux Boolean
By default, the SELinux boolean openvpn_run_unconfined is disabled. If this setting is enabled, it should be disabled.
To disable the openvpn_run_unconfined SELinux boolean, run the following command:
$ sudo setsebool -P openvpn_run_unconfined off

Remediation Shell script:
var_openvpn_run_unconfined=""
setsebool -P openvpn_run_unconfined $var_openvpn_run_unconfined

Remediation Ansible snippet:
- name: XCCDF Value var_openvpn_run_unconfined # promote to variable
  set_fact:
    var_openvpn_run_unconfined: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_openvpn_run_unconfined
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean openvpn_run_unconfined accordingly
  seboolean:
    name: openvpn_run_unconfined
    state: "{{ var_openvpn_run_unconfined }}"
    persistent: yes
  tags:
    - sebool_openvpn_run_unconfined
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the zebra_write_config SELinux Boolean
By default, the SELinux boolean zebra_write_config is disabled. If this setting is enabled, it should be disabled.
To disable the zebra_write_config SELinux boolean, run the following command:
$ sudo setsebool -P zebra_write_config off

Remediation Shell script:
var_zebra_write_config=""
setsebool -P zebra_write_config $var_zebra_write_config

Remediation Ansible snippet:
- name: XCCDF Value var_zebra_write_config # promote to variable
  set_fact:
    var_zebra_write_config: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_zebra_write_config
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean zebra_write_config accordingly
  seboolean:
    name: zebra_write_config
    state: "{{ var_zebra_write_config }}"
    persistent: yes
  tags:
    - sebool_zebra_write_config
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the virt_rw_qemu_ga_data SELinux Boolean
By default, the SELinux boolean virt_rw_qemu_ga_data is disabled. If this setting is enabled, it should be disabled.
To disable the virt_rw_qemu_ga_data SELinux boolean, run the following command:
$ sudo setsebool -P virt_rw_qemu_ga_data off

Remediation Shell script:
var_virt_rw_qemu_ga_data=""
setsebool -P virt_rw_qemu_ga_data $var_virt_rw_qemu_ga_data

Remediation Ansible snippet:
- name: XCCDF Value var_virt_rw_qemu_ga_data # promote to variable
  set_fact:
    var_virt_rw_qemu_ga_data: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_virt_rw_qemu_ga_data
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean virt_rw_qemu_ga_data accordingly
  seboolean:
    name: virt_rw_qemu_ga_data
    state: "{{ var_virt_rw_qemu_ga_data }}"
    persistent: yes
  tags:
    - sebool_virt_rw_qemu_ga_data
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the condor_tcp_network_connect SELinux Boolean
By default, the SELinux boolean condor_tcp_network_connect is disabled. If this setting is enabled, it should be disabled.
To disable the condor_tcp_network_connect SELinux boolean, run the following command:
$ sudo setsebool -P condor_tcp_network_connect off

Remediation Shell script:
var_condor_tcp_network_connect=""
setsebool -P condor_tcp_network_connect $var_condor_tcp_network_connect

Remediation Ansible snippet:
- name: XCCDF Value var_condor_tcp_network_connect # promote to variable
  set_fact:
    var_condor_tcp_network_connect: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_condor_tcp_network_connect
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean condor_tcp_network_connect accordingly
  seboolean:
    name: condor_tcp_network_connect
    state: "{{ var_condor_tcp_network_connect }}"
    persistent: yes
  tags:
    - sebool_condor_tcp_network_connect
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the fcron_crond SELinux Boolean
By default, the SELinux boolean fcron_crond is disabled. If this setting is enabled, it should be disabled.
To disable the fcron_crond SELinux boolean, run the following command:
$ sudo setsebool -P fcron_crond off

Remediation Shell script:
var_fcron_crond=""
setsebool -P fcron_crond $var_fcron_crond

Remediation Ansible snippet:
- name: XCCDF Value var_fcron_crond # promote to variable
  set_fact:
    var_fcron_crond: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_fcron_crond
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean fcron_crond accordingly
  seboolean:
    name: fcron_crond
    state: "{{ var_fcron_crond }}"
    persistent: yes
  tags:
    - sebool_fcron_crond
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the nfsd_anon_write SELinux Boolean
By default, the SELinux boolean nfsd_anon_write is disabled. If this setting is enabled, it should be disabled.
To disable the nfsd_anon_write SELinux boolean, run the following command:
$ sudo setsebool -P nfsd_anon_write off

Remediation Shell script:
var_nfsd_anon_write=""
setsebool -P nfsd_anon_write $var_nfsd_anon_write

Remediation Ansible snippet:
- name: XCCDF Value var_nfsd_anon_write # promote to variable
  set_fact:
    var_nfsd_anon_write: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_nfsd_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean nfsd_anon_write accordingly
  seboolean:
    name: nfsd_anon_write
    state: "{{ var_nfsd_anon_write }}"
    persistent: yes
  tags:
    - sebool_nfsd_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the logadm_exec_content SELinux Boolean
By default, the SELinux boolean logadm_exec_content is enabled. If this setting is disabled, it should be enabled.
To enable the logadm_exec_content SELinux boolean, run the following command:
$ sudo setsebool -P logadm_exec_content on

Remediation Shell script:
var_logadm_exec_content=""
setsebool -P logadm_exec_content $var_logadm_exec_content

Remediation Ansible snippet:
- name: XCCDF Value var_logadm_exec_content # promote to variable
  set_fact:
    var_logadm_exec_content: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_logadm_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean logadm_exec_content accordingly
  seboolean:
    name: logadm_exec_content
    state: "{{ var_logadm_exec_content }}"
    persistent: yes
  tags:
    - sebool_logadm_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_dbus_sssd SELinux Boolean
By default, the SELinux boolean httpd_dbus_sssd is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_dbus_sssd SELinux boolean, run the following command:
$ sudo setsebool -P httpd_dbus_sssd off

Remediation Shell script:
var_httpd_dbus_sssd=""
setsebool -P httpd_dbus_sssd $var_httpd_dbus_sssd

Remediation Ansible snippet:
- name: XCCDF Value var_httpd_dbus_sssd # promote to variable
  set_fact:
    var_httpd_dbus_sssd: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_httpd_dbus_sssd
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean httpd_dbus_sssd accordingly
  seboolean:
    name: httpd_dbus_sssd
    state: "{{ var_httpd_dbus_sssd }}"
    persistent: yes
  tags:
    - sebool_httpd_dbus_sssd
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_manage_ipa SELinux Boolean
By default, the SELinux boolean httpd_manage_ipa is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_manage_ipa SELinux boolean, run the following command:
$ sudo setsebool -P httpd_manage_ipa off

Remediation Shell script:
var_httpd_manage_ipa=""
setsebool -P httpd_manage_ipa $var_httpd_manage_ipa

Remediation Ansible snippet:
- name: XCCDF Value var_httpd_manage_ipa # promote to variable
  set_fact:
    var_httpd_manage_ipa: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_httpd_manage_ipa
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean httpd_manage_ipa accordingly
  seboolean:
    name: httpd_manage_ipa
    state: "{{ var_httpd_manage_ipa }}"
    persistent: yes
  tags:
    - sebool_httpd_manage_ipa
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the haproxy_connect_any SELinux Boolean
By default, the SELinux boolean haproxy_connect_any is disabled. If this setting is enabled, it should be disabled.
To disable the haproxy_connect_any SELinux boolean, run the following command:
$ sudo setsebool -P haproxy_connect_any off

Remediation Shell script:
var_haproxy_connect_any=""
setsebool -P haproxy_connect_any $var_haproxy_connect_any

Remediation Ansible snippet:
- name: XCCDF Value var_haproxy_connect_any # promote to variable
  set_fact:
    var_haproxy_connect_any: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_haproxy_connect_any
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean haproxy_connect_any accordingly
  seboolean:
    name: haproxy_connect_any
    state: "{{ var_haproxy_connect_any }}"
    persistent: yes
  tags:
    - sebool_haproxy_connect_any
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_setrlimit SELinux Boolean
By default, the SELinux boolean httpd_setrlimit is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_setrlimit SELinux boolean, run the following command:
$ sudo setsebool -P httpd_setrlimit off

Remediation Shell script:
var_httpd_setrlimit=""
setsebool -P httpd_setrlimit $var_httpd_setrlimit

Remediation Ansible snippet:
- name: XCCDF Value var_httpd_setrlimit # promote to variable
  set_fact:
    var_httpd_setrlimit: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_httpd_setrlimit
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean httpd_setrlimit accordingly
  seboolean:
    name: httpd_setrlimit
    state: "{{ var_httpd_setrlimit }}"
    persistent: yes
  tags:
    - sebool_httpd_setrlimit
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the antivirus_use_jit SELinux Boolean
By default, the SELinux boolean antivirus_use_jit is disabled. If this setting is enabled, it should be disabled.
To disable the antivirus_use_jit SELinux boolean, run the following command:
$ sudo setsebool -P antivirus_use_jit off

Identifiers and References: CCE-80423-7; NIST 800-171 3.7.2

Remediation Shell script:
var_antivirus_use_jit=""
setsebool -P antivirus_use_jit $var_antivirus_use_jit

Remediation Ansible snippet:
- name: XCCDF Value var_antivirus_use_jit # promote to variable
  set_fact:
    var_antivirus_use_jit: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_antivirus_use_jit
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80423-7
    - NIST-800-171-3.7.2
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean antivirus_use_jit accordingly
  seboolean:
    name: antivirus_use_jit
    state: "{{ var_antivirus_use_jit }}"
    persistent: yes
  tags:
    - sebool_antivirus_use_jit
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80423-7
    - NIST-800-171-3.7.2
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the rsync_full_access SELinux Boolean
By default, the SELinux boolean rsync_full_access is disabled. If this setting is enabled, it should be disabled.
To disable the rsync_full_access SELinux boolean, run the following command:
$ sudo setsebool -P rsync_full_access off

Remediation Shell script:
var_rsync_full_access=""
setsebool -P rsync_full_access $var_rsync_full_access

Remediation Ansible snippet:
- name: XCCDF Value var_rsync_full_access # promote to variable
  set_fact:
    var_rsync_full_access: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_rsync_full_access
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean rsync_full_access accordingly
  seboolean:
    name: rsync_full_access
    state: "{{ var_rsync_full_access }}"
    persistent: yes
  tags:
    - sebool_rsync_full_access
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_run_ipa SELinux Boolean
By default, the SELinux boolean httpd_run_ipa is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_run_ipa SELinux boolean, run the following command:
$ sudo setsebool -P httpd_run_ipa off

Remediation Shell script:
var_httpd_run_ipa=""
setsebool -P httpd_run_ipa $var_httpd_run_ipa

Remediation Ansible snippet:
- name: XCCDF Value var_httpd_run_ipa # promote to variable
  set_fact:
    var_httpd_run_ipa: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_httpd_run_ipa
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean httpd_run_ipa accordingly
  seboolean:
    name: httpd_run_ipa
    state: "{{ var_httpd_run_ipa }}"
    persistent: yes
  tags:
    - sebool_httpd_run_ipa
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure the httpd_builtin_scripting SELinux Boolean
By default, the SELinux boolean httpd_builtin_scripting is enabled. This setting should be disabled if httpd is not running PHP or a similar in-process scripting language; leaving it enabled on a server that serves only static content grants httpd more access than it needs.
To disable the httpd_builtin_scripting SELinux boolean, run the following command:
$ sudo setsebool -P httpd_builtin_scripting off

Remediation Shell script:
var_httpd_builtin_scripting=""
setsebool -P httpd_builtin_scripting $var_httpd_builtin_scripting

Remediation Ansible snippet:
- name: XCCDF Value var_httpd_builtin_scripting # promote to variable
  set_fact:
    var_httpd_builtin_scripting: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_httpd_builtin_scripting
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean httpd_builtin_scripting accordingly
  seboolean:
    name: httpd_builtin_scripting
    state: "{{ var_httpd_builtin_scripting }}"
    persistent: yes
  tags:
    - sebool_httpd_builtin_scripting
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the staff_use_svirt SELinux Boolean
By default, the SELinux boolean staff_use_svirt is disabled. If this setting is enabled, it should be disabled.
To disable the staff_use_svirt SELinux boolean, run the following command:
$ sudo setsebool -P staff_use_svirt off

Remediation Shell script:
var_staff_use_svirt=""
setsebool -P staff_use_svirt $var_staff_use_svirt

Remediation Ansible snippet:
- name: XCCDF Value var_staff_use_svirt # promote to variable
  set_fact:
    var_staff_use_svirt: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_staff_use_svirt
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean staff_use_svirt accordingly
  seboolean:
    name: staff_use_svirt
    state: "{{ var_staff_use_svirt }}"
    persistent: yes
  tags:
    - sebool_staff_use_svirt
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the user_exec_content SELinux Boolean
By default, the SELinux boolean user_exec_content is enabled. If this setting is disabled, it should be enabled.
To enable the user_exec_content SELinux boolean, run the following command:
$ sudo setsebool -P user_exec_content on

Remediation Shell script:
var_user_exec_content=""
setsebool -P user_exec_content $var_user_exec_content

Remediation Ansible snippet:
- name: XCCDF Value var_user_exec_content # promote to variable
  set_fact:
    var_user_exec_content: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_user_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean user_exec_content accordingly
  seboolean:
    name: user_exec_content
    state: "{{ var_user_exec_content }}"
    persistent: yes
  tags:
    - sebool_user_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the samba_run_unconfined SELinux Boolean
By default, the SELinux boolean samba_run_unconfined is disabled. If this setting is enabled, it should be disabled.
To disable the samba_run_unconfined SELinux boolean, run the following command:
$ sudo setsebool -P samba_run_unconfined off

Remediation Shell script:
var_samba_run_unconfined=""
setsebool -P samba_run_unconfined $var_samba_run_unconfined

Remediation Ansible snippet:
- name: XCCDF Value var_samba_run_unconfined # promote to variable
  set_fact:
    var_samba_run_unconfined: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_samba_run_unconfined
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean samba_run_unconfined accordingly
  seboolean:
    name: samba_run_unconfined
    state: "{{ var_samba_run_unconfined }}"
    persistent: yes
  tags:
    - sebool_samba_run_unconfined
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the mozilla_plugin_use_spice SELinux Boolean
By default, the SELinux boolean mozilla_plugin_use_spice is disabled. If this setting is enabled, it should be disabled.
To disable the mozilla_plugin_use_spice SELinux boolean, run the following command:
$ sudo setsebool -P mozilla_plugin_use_spice off

Remediation Shell script:
var_mozilla_plugin_use_spice=""
setsebool -P mozilla_plugin_use_spice $var_mozilla_plugin_use_spice

Remediation Ansible snippet:
- name: XCCDF Value var_mozilla_plugin_use_spice # promote to variable
  set_fact:
    var_mozilla_plugin_use_spice: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_mozilla_plugin_use_spice
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean mozilla_plugin_use_spice accordingly
  seboolean:
    name: mozilla_plugin_use_spice
    state: "{{ var_mozilla_plugin_use_spice }}"
    persistent: yes
  tags:
    - sebool_mozilla_plugin_use_spice
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the mpd_use_nfs SELinux Boolean
By default, the SELinux boolean mpd_use_nfs is disabled. If this setting is enabled, it should be disabled.
To disable the mpd_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P mpd_use_nfs off var_mpd_use_nfs="" setsebool -P mpd_use_nfs $var_mpd_use_nfs - name: XCCDF Value var_mpd_use_nfs # promote to variable set_fact: var_mpd_use_nfs: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_mpd_use_nfs - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean mpd_use_nfs accordingly seboolean: name: mpd_use_nfs state: "{{ var_mpd_use_nfs }}" persistent: yes tags: - sebool_mpd_use_nfs - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the httpd_read_user_content SELinux Boolean By default, the SELinux boolean httpd_read_user_content is disabled. If this setting is enabled, it should be disabled. 
To disable the httpd_read_user_content SELinux boolean, run the following command: $ sudo setsebool -P httpd_read_user_content off var_httpd_read_user_content="" setsebool -P httpd_read_user_content $var_httpd_read_user_content - name: XCCDF Value var_httpd_read_user_content # promote to variable set_fact: var_httpd_read_user_content: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_httpd_read_user_content - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean httpd_read_user_content accordingly seboolean: name: httpd_read_user_content state: "{{ var_httpd_read_user_content }}" persistent: yes tags: - sebool_httpd_read_user_content - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the rsync_client SELinux Boolean By default, the SELinux boolean rsync_client is disabled. If this setting is enabled, it should be disabled. 
To disable the rsync_client SELinux boolean, run the following command: $ sudo setsebool -P rsync_client off var_rsync_client="" setsebool -P rsync_client $var_rsync_client - name: XCCDF Value var_rsync_client # promote to variable set_fact: var_rsync_client: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_rsync_client - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean rsync_client accordingly seboolean: name: rsync_client state: "{{ var_rsync_client }}" persistent: yes tags: - sebool_rsync_client - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the dbadm_read_user_files SELinux Boolean By default, the SELinux boolean dbadm_read_user_files is disabled. If this setting is enabled, it should be disabled. 
To disable the dbadm_read_user_files SELinux boolean, run the following command: $ sudo setsebool -P dbadm_read_user_files off var_dbadm_read_user_files="" setsebool -P dbadm_read_user_files $var_dbadm_read_user_files - name: XCCDF Value var_dbadm_read_user_files # promote to variable set_fact: var_dbadm_read_user_files: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_dbadm_read_user_files - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean dbadm_read_user_files accordingly seboolean: name: dbadm_read_user_files state: "{{ var_dbadm_read_user_files }}" persistent: yes tags: - sebool_dbadm_read_user_files - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the deny_ptrace SELinux Boolean By default, the SELinux boolean deny_ptrace is disabled. If this setting is enabled, it should be disabled. 
To disable the deny_ptrace SELinux boolean, run the following command: $ sudo setsebool -P deny_ptrace off var_deny_ptrace="" setsebool -P deny_ptrace $var_deny_ptrace - name: XCCDF Value var_deny_ptrace # promote to variable set_fact: var_deny_ptrace: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_deny_ptrace - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean deny_ptrace accordingly seboolean: name: deny_ptrace state: "{{ var_deny_ptrace }}" persistent: yes tags: - sebool_deny_ptrace - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Enable the nfs_export_all_rw SELinux Boolean By default, the SELinux boolean nfs_export_all_rw is enabled. If this setting is disabled, it should be enabled as it allows NFS to export read/write mounts. 
To enable the nfs_export_all_rw SELinux boolean, run the following command: $ sudo setsebool -P nfs_export_all_rw on var_nfs_export_all_rw="" setsebool -P nfs_export_all_rw $var_nfs_export_all_rw - name: XCCDF Value var_nfs_export_all_rw # promote to variable set_fact: var_nfs_export_all_rw: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_nfs_export_all_rw - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean nfs_export_all_rw accordingly seboolean: name: nfs_export_all_rw state: "{{ var_nfs_export_all_rw }}" persistent: yes tags: - sebool_nfs_export_all_rw - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the rsync_anon_write SELinux Boolean By default, the SELinux boolean rsync_anon_write is disabled. If this setting is enabled, it should be disabled. 
To disable the rsync_anon_write SELinux boolean, run the following command: $ sudo setsebool -P rsync_anon_write off var_rsync_anon_write="" setsebool -P rsync_anon_write $var_rsync_anon_write - name: XCCDF Value var_rsync_anon_write # promote to variable set_fact: var_rsync_anon_write: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_rsync_anon_write - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean rsync_anon_write accordingly seboolean: name: rsync_anon_write state: "{{ var_rsync_anon_write }}" persistent: yes tags: - sebool_rsync_anon_write - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the httpd_can_network_memcache SELinux Boolean By default, the SELinux boolean httpd_can_network_memcache is disabled. If this setting is enabled, it should be disabled. 
To disable the httpd_can_network_memcache SELinux boolean, run the following command: $ sudo setsebool -P httpd_can_network_memcache off var_httpd_can_network_memcache="" setsebool -P httpd_can_network_memcache $var_httpd_can_network_memcache - name: XCCDF Value var_httpd_can_network_memcache # promote to variable set_fact: var_httpd_can_network_memcache: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_httpd_can_network_memcache - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean httpd_can_network_memcache accordingly seboolean: name: httpd_can_network_memcache state: "{{ var_httpd_can_network_memcache }}" persistent: yes tags: - sebool_httpd_can_network_memcache - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Enable the virt_sandbox_use_audit SELinux Boolean By default, the SELinux boolean virt_sandbox_use_audit is enabled. If this setting is disabled, it should be enabled to allow sandboxed containers to send audit messages. 
To enable the virt_sandbox_use_audit SELinux boolean, run the following command: $ sudo setsebool -P virt_sandbox_use_audit on var_virt_sandbox_use_audit="" setsebool -P virt_sandbox_use_audit $var_virt_sandbox_use_audit - name: XCCDF Value var_virt_sandbox_use_audit # promote to variable set_fact: var_virt_sandbox_use_audit: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_virt_sandbox_use_audit - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean virt_sandbox_use_audit accordingly seboolean: name: virt_sandbox_use_audit state: "{{ var_virt_sandbox_use_audit }}" persistent: yes tags: - sebool_virt_sandbox_use_audit - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the mozilla_read_content SELinux Boolean By default, the SELinux boolean mozilla_read_content is disabled. If this setting is enabled, it should be disabled. 
To disable the mozilla_read_content SELinux boolean, run the following command: $ sudo setsebool -P mozilla_read_content off var_mozilla_read_content="" setsebool -P mozilla_read_content $var_mozilla_read_content - name: XCCDF Value var_mozilla_read_content # promote to variable set_fact: var_mozilla_read_content: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_mozilla_read_content - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean mozilla_read_content accordingly seboolean: name: mozilla_read_content state: "{{ var_mozilla_read_content }}" persistent: yes tags: - sebool_mozilla_read_content - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the xserver_object_manager SELinux Boolean By default, the SELinux boolean xserver_object_manager is disabled. If this setting is enabled, it should be disabled. 
To disable the xserver_object_manager SELinux boolean, run the following command: $ sudo setsebool -P xserver_object_manager off var_xserver_object_manager="" setsebool -P xserver_object_manager $var_xserver_object_manager - name: XCCDF Value var_xserver_object_manager # promote to variable set_fact: var_xserver_object_manager: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_xserver_object_manager - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean xserver_object_manager accordingly seboolean: name: xserver_object_manager state: "{{ var_xserver_object_manager }}" persistent: yes tags: - sebool_xserver_object_manager - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the httpd_tty_comm SELinux Boolean By default, the SELinux boolean httpd_tty_comm is disabled. If this setting is enabled, it should be disabled. 
To disable the httpd_tty_comm SELinux boolean, run the following command: $ sudo setsebool -P httpd_tty_comm off var_httpd_tty_comm="" setsebool -P httpd_tty_comm $var_httpd_tty_comm - name: XCCDF Value var_httpd_tty_comm # promote to variable set_fact: var_httpd_tty_comm: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_httpd_tty_comm - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean httpd_tty_comm accordingly seboolean: name: httpd_tty_comm state: "{{ var_httpd_tty_comm }}" persistent: yes tags: - sebool_httpd_tty_comm - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the collectd_tcp_network_connect SELinux Boolean By default, the SELinux boolean collectd_tcp_network_connect is disabled. If this setting is enabled, it should be disabled. 
To disable the collectd_tcp_network_connect SELinux boolean, run the following command: $ sudo setsebool -P collectd_tcp_network_connect off var_collectd_tcp_network_connect="" setsebool -P collectd_tcp_network_connect $var_collectd_tcp_network_connect - name: XCCDF Value var_collectd_tcp_network_connect # promote to variable set_fact: var_collectd_tcp_network_connect: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_collectd_tcp_network_connect - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean collectd_tcp_network_connect accordingly seboolean: name: collectd_tcp_network_connect state: "{{ var_collectd_tcp_network_connect }}" persistent: yes tags: - sebool_collectd_tcp_network_connect - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the xdm_sysadm_login SELinux Boolean By default, the SELinux boolean xdm_sysadm_login is disabled. If this setting is enabled, it should be disabled. 
To disable the xdm_sysadm_login SELinux boolean, run the following command: $ sudo setsebool -P xdm_sysadm_login off var_xdm_sysadm_login="" setsebool -P xdm_sysadm_login $var_xdm_sysadm_login - name: XCCDF Value var_xdm_sysadm_login # promote to variable set_fact: var_xdm_sysadm_login: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_xdm_sysadm_login - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean xdm_sysadm_login accordingly seboolean: name: xdm_sysadm_login state: "{{ var_xdm_sysadm_login }}" persistent: yes tags: - sebool_xdm_sysadm_login - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the pcp_read_generic_logs SELinux Boolean By default, the SELinux boolean pcp_read_generic_logs is disabled. If this setting is enabled, it should be disabled. 
To disable the pcp_read_generic_logs SELinux boolean, run the following command: $ sudo setsebool -P pcp_read_generic_logs off var_pcp_read_generic_logs="" setsebool -P pcp_read_generic_logs $var_pcp_read_generic_logs - name: XCCDF Value var_pcp_read_generic_logs # promote to variable set_fact: var_pcp_read_generic_logs: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_pcp_read_generic_logs - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean pcp_read_generic_logs accordingly seboolean: name: pcp_read_generic_logs state: "{{ var_pcp_read_generic_logs }}" persistent: yes tags: - sebool_pcp_read_generic_logs - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Enable the spamd_enable_home_dirs SELinux Boolean By default, the SELinux boolean spamd_enable_home_dirs is enabled. If this setting is disabled, it should be enabled. 
To enable the spamd_enable_home_dirs SELinux boolean, run the following command: $ sudo setsebool -P spamd_enable_home_dirs on var_spamd_enable_home_dirs="" setsebool -P spamd_enable_home_dirs $var_spamd_enable_home_dirs - name: XCCDF Value var_spamd_enable_home_dirs # promote to variable set_fact: var_spamd_enable_home_dirs: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_spamd_enable_home_dirs - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean spamd_enable_home_dirs accordingly seboolean: name: spamd_enable_home_dirs state: "{{ var_spamd_enable_home_dirs }}" persistent: yes tags: - sebool_spamd_enable_home_dirs - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the xguest_mount_media SELinux Boolean By default, the SELinux boolean xguest_mount_media is enabled. This setting should be disabled as guest users should not be able to mount any media. 
To disable the xguest_mount_media SELinux boolean, run the following command: $ sudo setsebool -P xguest_mount_media off var_xguest_mount_media="" setsebool -P xguest_mount_media $var_xguest_mount_media - name: XCCDF Value var_xguest_mount_media # promote to variable set_fact: var_xguest_mount_media: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_xguest_mount_media - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean xguest_mount_media accordingly seboolean: name: xguest_mount_media state: "{{ var_xguest_mount_media }}" persistent: yes tags: - sebool_xguest_mount_media - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the polipo_session_bind_all_unreserved_ports SELinux Boolean By default, the SELinux boolean polipo_session_bind_all_unreserved_ports is disabled. If this setting is enabled, it should be disabled. 
To disable the polipo_session_bind_all_unreserved_ports SELinux boolean, run the following command: $ sudo setsebool -P polipo_session_bind_all_unreserved_ports off var_polipo_session_bind_all_unreserved_ports="" setsebool -P polipo_session_bind_all_unreserved_ports $var_polipo_session_bind_all_unreserved_ports - name: XCCDF Value var_polipo_session_bind_all_unreserved_ports # promote to variable set_fact: var_polipo_session_bind_all_unreserved_ports: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_polipo_session_bind_all_unreserved_ports - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean polipo_session_bind_all_unreserved_ports accordingly seboolean: name: polipo_session_bind_all_unreserved_ports state: "{{ var_polipo_session_bind_all_unreserved_ports }}" persistent: yes tags: - sebool_polipo_session_bind_all_unreserved_ports - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the container_connect_any SELinux Boolean By default, the SELinux boolean container_connect_any is disabled. If this setting is enabled, it should be disabled. 
To disable the container_connect_any SELinux boolean, run the following command: $ sudo setsebool -P container_connect_any off var_container_connect_any="" setsebool -P container_connect_any $var_container_connect_any - name: XCCDF Value var_container_connect_any # promote to variable set_fact: var_container_connect_any: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_container_connect_any - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean container_connect_any accordingly seboolean: name: container_connect_any state: "{{ var_container_connect_any }}" persistent: yes tags: - sebool_container_connect_any - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the tftp_anon_write SELinux Boolean By default, the SELinux boolean tftp_anon_write is disabled. If this setting is enabled, it should be disabled. 
To disable the tftp_anon_write SELinux boolean, run the following command: $ sudo setsebool -P tftp_anon_write off var_tftp_anon_write="" setsebool -P tftp_anon_write $var_tftp_anon_write - name: XCCDF Value var_tftp_anon_write # promote to variable set_fact: var_tftp_anon_write: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_tftp_anon_write - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean tftp_anon_write accordingly seboolean: name: tftp_anon_write state: "{{ var_tftp_anon_write }}" persistent: yes tags: - sebool_tftp_anon_write - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the git_system_use_nfs SELinux Boolean By default, the SELinux boolean git_system_use_nfs is disabled. If this setting is enabled, it should be disabled. 
To disable the git_system_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P git_system_use_nfs off var_git_system_use_nfs="" setsebool -P git_system_use_nfs $var_git_system_use_nfs - name: XCCDF Value var_git_system_use_nfs # promote to variable set_fact: var_git_system_use_nfs: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_git_system_use_nfs - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean git_system_use_nfs accordingly seboolean: name: git_system_use_nfs state: "{{ var_git_system_use_nfs }}" persistent: yes tags: - sebool_git_system_use_nfs - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the virt_use_usb SELinux Boolean By default, the SELinux boolean virt_use_usb is enabled. This setting should be disabled. 
To disable the virt_use_usb SELinux boolean, run the following command: $ sudo setsebool -P virt_use_usb off var_virt_use_usb="" setsebool -P virt_use_usb $var_virt_use_usb - name: XCCDF Value var_virt_use_usb # promote to variable set_fact: var_virt_use_usb: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_virt_use_usb - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean virt_use_usb accordingly seboolean: name: virt_use_usb state: "{{ var_virt_use_usb }}" persistent: yes tags: - sebool_virt_use_usb - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the nis_enabled SELinux Boolean By default, the SELinux boolean nis_enabled is disabled. If this setting is enabled, it should be disabled. 
To disable the nis_enabled SELinux boolean, run the following command: $ sudo setsebool -P nis_enabled off var_nis_enabled="" setsebool -P nis_enabled $var_nis_enabled - name: XCCDF Value var_nis_enabled # promote to variable set_fact: var_nis_enabled: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_nis_enabled - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean nis_enabled accordingly seboolean: name: nis_enabled state: "{{ var_nis_enabled }}" persistent: yes tags: - sebool_nis_enabled - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the selinuxuser_mysql_connect_enabled SELinux Boolean By default, the SELinux boolean selinuxuser_mysql_connect_enabled is disabled. If this setting is enabled, it should be disabled. 
To disable the selinuxuser_mysql_connect_enabled SELinux boolean, run the following command: $ sudo setsebool -P selinuxuser_mysql_connect_enabled off var_selinuxuser_mysql_connect_enabled="" setsebool -P selinuxuser_mysql_connect_enabled $var_selinuxuser_mysql_connect_enabled - name: XCCDF Value var_selinuxuser_mysql_connect_enabled # promote to variable set_fact: var_selinuxuser_mysql_connect_enabled: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_selinuxuser_mysql_connect_enabled - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean selinuxuser_mysql_connect_enabled accordingly seboolean: name: selinuxuser_mysql_connect_enabled state: "{{ var_selinuxuser_mysql_connect_enabled }}" persistent: yes tags: - sebool_selinuxuser_mysql_connect_enabled - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the samba_share_fusefs SELinux Boolean By default, the SELinux boolean samba_share_fusefs is disabled. If this setting is enabled, it should be disabled. 
To disable the samba_share_fusefs SELinux boolean, run the following command:

$ sudo setsebool -P samba_share_fusefs off

Remediation Shell script:

var_samba_share_fusefs=""
setsebool -P samba_share_fusefs $var_samba_share_fusefs

Remediation Ansible snippet:

- name: XCCDF Value var_samba_share_fusefs # promote to variable
  set_fact:
    var_samba_share_fusefs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_samba_share_fusefs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean samba_share_fusefs accordingly
  seboolean:
    name: samba_share_fusefs
    state: "{{ var_samba_share_fusefs }}"
    persistent: yes
  tags:
    - sebool_samba_share_fusefs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_enable_ftp_server SELinux Boolean

By default, the SELinux boolean httpd_enable_ftp_server is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_enable_ftp_server SELinux boolean, run the following command:

$ sudo setsebool -P httpd_enable_ftp_server off

Remediation Shell script:

var_httpd_enable_ftp_server=""
setsebool -P httpd_enable_ftp_server $var_httpd_enable_ftp_server

Remediation Ansible snippet:

- name: XCCDF Value var_httpd_enable_ftp_server # promote to variable
  set_fact:
    var_httpd_enable_ftp_server: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_httpd_enable_ftp_server
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean httpd_enable_ftp_server accordingly
  seboolean:
    name: httpd_enable_ftp_server
    state: "{{ var_httpd_enable_ftp_server }}"
    persistent: yes
  tags:
    - sebool_httpd_enable_ftp_server
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the pppd_for_user SELinux Boolean

By default, the SELinux boolean pppd_for_user is disabled. If this setting is enabled, it should be disabled.
To disable the pppd_for_user SELinux boolean, run the following command:

$ sudo setsebool -P pppd_for_user off

Remediation Shell script:

var_pppd_for_user=""
setsebool -P pppd_for_user $var_pppd_for_user

Remediation Ansible snippet:

- name: XCCDF Value var_pppd_for_user # promote to variable
  set_fact:
    var_pppd_for_user: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_pppd_for_user
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean pppd_for_user accordingly
  seboolean:
    name: pppd_for_user
    state: "{{ var_pppd_for_user }}"
    persistent: yes
  tags:
    - sebool_pppd_for_user
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the virt_sandbox_use_all_caps SELinux Boolean

By default, the SELinux boolean virt_sandbox_use_all_caps is enabled. This setting should be disabled, as containers should not run with privileges.
To disable the virt_sandbox_use_all_caps SELinux boolean, run the following command:

$ sudo setsebool -P virt_sandbox_use_all_caps off

Remediation Shell script:

var_virt_sandbox_use_all_caps=""
setsebool -P virt_sandbox_use_all_caps $var_virt_sandbox_use_all_caps

Remediation Ansible snippet:

- name: XCCDF Value var_virt_sandbox_use_all_caps # promote to variable
  set_fact:
    var_virt_sandbox_use_all_caps: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_virt_sandbox_use_all_caps
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean virt_sandbox_use_all_caps accordingly
  seboolean:
    name: virt_sandbox_use_all_caps
    state: "{{ var_virt_sandbox_use_all_caps }}"
    persistent: yes
  tags:
    - sebool_virt_sandbox_use_all_caps
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the mozilla_plugin_use_gps SELinux Boolean

By default, the SELinux boolean mozilla_plugin_use_gps is disabled. If this setting is enabled, it should be disabled.
To disable the mozilla_plugin_use_gps SELinux boolean, run the following command:

$ sudo setsebool -P mozilla_plugin_use_gps off

Remediation Shell script:

var_mozilla_plugin_use_gps=""
setsebool -P mozilla_plugin_use_gps $var_mozilla_plugin_use_gps

Remediation Ansible snippet:

- name: XCCDF Value var_mozilla_plugin_use_gps # promote to variable
  set_fact:
    var_mozilla_plugin_use_gps: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_mozilla_plugin_use_gps
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean mozilla_plugin_use_gps accordingly
  seboolean:
    name: mozilla_plugin_use_gps
    state: "{{ var_mozilla_plugin_use_gps }}"
    persistent: yes
  tags:
    - sebool_mozilla_plugin_use_gps
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the samba_domain_controller SELinux Boolean

By default, the SELinux boolean samba_domain_controller is disabled. If this setting is enabled, it should be disabled.
To disable the samba_domain_controller SELinux boolean, run the following command:

$ sudo setsebool -P samba_domain_controller off

Remediation Shell script:

var_samba_domain_controller=""
setsebool -P samba_domain_controller $var_samba_domain_controller

Remediation Ansible snippet:

- name: XCCDF Value var_samba_domain_controller # promote to variable
  set_fact:
    var_samba_domain_controller: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_samba_domain_controller
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean samba_domain_controller accordingly
  seboolean:
    name: samba_domain_controller
    state: "{{ var_samba_domain_controller }}"
    persistent: yes
  tags:
    - sebool_samba_domain_controller
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the boinc_execmem SELinux Boolean

By default, the SELinux boolean boinc_execmem is enabled. This setting should be disabled.
To disable the boinc_execmem SELinux boolean, run the following command:

$ sudo setsebool -P boinc_execmem off

Identifiers: CCE-80429-4

References: NIST 800-171 3.7.2

Remediation Shell script:

var_boinc_execmem=""
setsebool -P boinc_execmem $var_boinc_execmem

Remediation Ansible snippet:

- name: XCCDF Value var_boinc_execmem # promote to variable
  set_fact:
    var_boinc_execmem: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_boinc_execmem
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80429-4
    - NIST-800-171-3.7.2
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean boinc_execmem accordingly
  seboolean:
    name: boinc_execmem
    state: "{{ var_boinc_execmem }}"
    persistent: yes
  tags:
    - sebool_boinc_execmem
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80429-4
    - NIST-800-171-3.7.2
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the use_fusefs_home_dirs SELinux Boolean

By default, the SELinux boolean use_fusefs_home_dirs is disabled. If this setting is enabled, it should be disabled.
To disable the use_fusefs_home_dirs SELinux boolean, run the following command:

$ sudo setsebool -P use_fusefs_home_dirs off

Remediation Shell script:

var_use_fusefs_home_dirs=""
setsebool -P use_fusefs_home_dirs $var_use_fusefs_home_dirs

Remediation Ansible snippet:

- name: XCCDF Value var_use_fusefs_home_dirs # promote to variable
  set_fact:
    var_use_fusefs_home_dirs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_use_fusefs_home_dirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean use_fusefs_home_dirs accordingly
  seboolean:
    name: use_fusefs_home_dirs
    state: "{{ var_use_fusefs_home_dirs }}"
    persistent: yes
  tags:
    - sebool_use_fusefs_home_dirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the tmpreaper_use_nfs SELinux Boolean

By default, the SELinux boolean tmpreaper_use_nfs is disabled. If this setting is enabled, it should be disabled.
To disable the tmpreaper_use_nfs SELinux boolean, run the following command:

$ sudo setsebool -P tmpreaper_use_nfs off

Remediation Shell script:

var_tmpreaper_use_nfs=""
setsebool -P tmpreaper_use_nfs $var_tmpreaper_use_nfs

Remediation Ansible snippet:

- name: XCCDF Value var_tmpreaper_use_nfs # promote to variable
  set_fact:
    var_tmpreaper_use_nfs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_tmpreaper_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean tmpreaper_use_nfs accordingly
  seboolean:
    name: tmpreaper_use_nfs
    state: "{{ var_tmpreaper_use_nfs }}"
    persistent: yes
  tags:
    - sebool_tmpreaper_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the sanlock_use_fusefs SELinux Boolean

By default, the SELinux boolean sanlock_use_fusefs is disabled. If this setting is enabled, it should be disabled.
To disable the sanlock_use_fusefs SELinux boolean, run the following command:

$ sudo setsebool -P sanlock_use_fusefs off

Remediation Shell script:

var_sanlock_use_fusefs=""
setsebool -P sanlock_use_fusefs $var_sanlock_use_fusefs

Remediation Ansible snippet:

- name: XCCDF Value var_sanlock_use_fusefs # promote to variable
  set_fact:
    var_sanlock_use_fusefs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_sanlock_use_fusefs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean sanlock_use_fusefs accordingly
  seboolean:
    name: sanlock_use_fusefs
    state: "{{ var_sanlock_use_fusefs }}"
    persistent: yes
  tags:
    - sebool_sanlock_use_fusefs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the ssh_keysign SELinux Boolean

By default, the SELinux boolean ssh_keysign is disabled. If this setting is enabled, it should be disabled.
To disable the ssh_keysign SELinux boolean, run the following command:

$ sudo setsebool -P ssh_keysign off

Remediation Shell script:

var_ssh_keysign=""
setsebool -P ssh_keysign $var_ssh_keysign

Remediation Ansible snippet:

- name: XCCDF Value var_ssh_keysign # promote to variable
  set_fact:
    var_ssh_keysign: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_ssh_keysign
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean ssh_keysign accordingly
  seboolean:
    name: ssh_keysign
    state: "{{ var_ssh_keysign }}"
    persistent: yes
  tags:
    - sebool_ssh_keysign
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_tmp_exec SELinux Boolean

By default, the SELinux boolean httpd_tmp_exec is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_tmp_exec SELinux boolean, run the following command:

$ sudo setsebool -P httpd_tmp_exec off

Remediation Shell script:

var_httpd_tmp_exec=""
setsebool -P httpd_tmp_exec $var_httpd_tmp_exec

Remediation Ansible snippet:

- name: XCCDF Value var_httpd_tmp_exec # promote to variable
  set_fact:
    var_httpd_tmp_exec: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_httpd_tmp_exec
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean httpd_tmp_exec accordingly
  seboolean:
    name: httpd_tmp_exec
    state: "{{ var_httpd_tmp_exec }}"
    persistent: yes
  tags:
    - sebool_httpd_tmp_exec
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_use_fusefs SELinux Boolean

By default, the SELinux boolean httpd_use_fusefs is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_use_fusefs SELinux boolean, run the following command:

$ sudo setsebool -P httpd_use_fusefs off

Remediation Shell script:

var_httpd_use_fusefs=""
setsebool -P httpd_use_fusefs $var_httpd_use_fusefs

Remediation Ansible snippet:

- name: XCCDF Value var_httpd_use_fusefs # promote to variable
  set_fact:
    var_httpd_use_fusefs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_httpd_use_fusefs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean httpd_use_fusefs accordingly
  seboolean:
    name: httpd_use_fusefs
    state: "{{ var_httpd_use_fusefs }}"
    persistent: yes
  tags:
    - sebool_httpd_use_fusefs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the staff_exec_content SELinux Boolean

By default, the SELinux boolean staff_exec_content is enabled. If this setting is disabled, it should be enabled.
To enable the staff_exec_content SELinux boolean, run the following command:

$ sudo setsebool -P staff_exec_content on

Remediation Shell script:

var_staff_exec_content=""
setsebool -P staff_exec_content $var_staff_exec_content

Remediation Ansible snippet:

- name: XCCDF Value var_staff_exec_content # promote to variable
  set_fact:
    var_staff_exec_content: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_staff_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean staff_exec_content accordingly
  seboolean:
    name: staff_exec_content
    state: "{{ var_staff_exec_content }}"
    persistent: yes
  tags:
    - sebool_staff_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the nscd_use_shm SELinux Boolean

By default, the SELinux boolean nscd_use_shm is enabled. If this setting is disabled, it should be enabled to allow nscd to use shared memory.
To enable the nscd_use_shm SELinux boolean, run the following command:

$ sudo setsebool -P nscd_use_shm on

Remediation Shell script:

var_nscd_use_shm=""
setsebool -P nscd_use_shm $var_nscd_use_shm

Remediation Ansible snippet:

- name: XCCDF Value var_nscd_use_shm # promote to variable
  set_fact:
    var_nscd_use_shm: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_nscd_use_shm
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean nscd_use_shm accordingly
  seboolean:
    name: nscd_use_shm
    state: "{{ var_nscd_use_shm }}"
    persistent: yes
  tags:
    - sebool_nscd_use_shm
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the global_ssp SELinux Boolean

By default, the SELinux boolean global_ssp is disabled. If this setting is enabled, it should be disabled.
To disable the global_ssp SELinux boolean, run the following command:

$ sudo setsebool -P global_ssp off

Remediation Shell script:

var_global_ssp=""
setsebool -P global_ssp $var_global_ssp

Remediation Ansible snippet:

- name: XCCDF Value var_global_ssp # promote to variable
  set_fact:
    var_global_ssp: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_global_ssp
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean global_ssp accordingly
  seboolean:
    name: global_ssp
    state: "{{ var_global_ssp }}"
    persistent: yes
  tags:
    - sebool_global_ssp
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the virt_use_fusefs SELinux Boolean

By default, the SELinux boolean virt_use_fusefs is disabled. If this setting is enabled, it should be disabled.
To disable the virt_use_fusefs SELinux boolean, run the following command:

$ sudo setsebool -P virt_use_fusefs off

Remediation Shell script:

var_virt_use_fusefs=""
setsebool -P virt_use_fusefs $var_virt_use_fusefs

Remediation Ansible snippet:

- name: XCCDF Value var_virt_use_fusefs # promote to variable
  set_fact:
    var_virt_use_fusefs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_virt_use_fusefs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean virt_use_fusefs accordingly
  seboolean:
    name: virt_use_fusefs
    state: "{{ var_virt_use_fusefs }}"
    persistent: yes
  tags:
    - sebool_virt_use_fusefs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the gluster_anon_write SELinux Boolean

By default, the SELinux boolean gluster_anon_write is disabled. If this setting is enabled, it should be disabled.
To disable the gluster_anon_write SELinux boolean, run the following command:

$ sudo setsebool -P gluster_anon_write off

Remediation Shell script:

var_gluster_anon_write=""
setsebool -P gluster_anon_write $var_gluster_anon_write

Remediation Ansible snippet:

- name: XCCDF Value var_gluster_anon_write # promote to variable
  set_fact:
    var_gluster_anon_write: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_gluster_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean gluster_anon_write accordingly
  seboolean:
    name: gluster_anon_write
    state: "{{ var_gluster_anon_write }}"
    persistent: yes
  tags:
    - sebool_gluster_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the wine_mmap_zero_ignore SELinux Boolean

By default, the SELinux boolean wine_mmap_zero_ignore is disabled. If this setting is enabled, it should be disabled.
To disable the wine_mmap_zero_ignore SELinux boolean, run the following command:

$ sudo setsebool -P wine_mmap_zero_ignore off

Remediation Shell script:

var_wine_mmap_zero_ignore=""
setsebool -P wine_mmap_zero_ignore $var_wine_mmap_zero_ignore

Remediation Ansible snippet:

- name: XCCDF Value var_wine_mmap_zero_ignore # promote to variable
  set_fact:
    var_wine_mmap_zero_ignore: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_wine_mmap_zero_ignore
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean wine_mmap_zero_ignore accordingly
  seboolean:
    name: wine_mmap_zero_ignore
    state: "{{ var_wine_mmap_zero_ignore }}"
    persistent: yes
  tags:
    - sebool_wine_mmap_zero_ignore
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the fenced_can_network_connect SELinux Boolean

By default, the SELinux boolean fenced_can_network_connect is disabled. If this setting is enabled, it should be disabled.
To disable the fenced_can_network_connect SELinux boolean, run the following command:

$ sudo setsebool -P fenced_can_network_connect off

Remediation Shell script:

var_fenced_can_network_connect=""
setsebool -P fenced_can_network_connect $var_fenced_can_network_connect

Remediation Ansible snippet:

- name: XCCDF Value var_fenced_can_network_connect # promote to variable
  set_fact:
    var_fenced_can_network_connect: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_fenced_can_network_connect
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean fenced_can_network_connect accordingly
  seboolean:
    name: fenced_can_network_connect
    state: "{{ var_fenced_can_network_connect }}"
    persistent: yes
  tags:
    - sebool_fenced_can_network_connect
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the zabbix_can_network SELinux Boolean

By default, the SELinux boolean zabbix_can_network is disabled. If this setting is enabled, it should be disabled.
To disable the zabbix_can_network SELinux boolean, run the following command:

$ sudo setsebool -P zabbix_can_network off

Remediation Shell script:

var_zabbix_can_network=""
setsebool -P zabbix_can_network $var_zabbix_can_network

Remediation Ansible snippet:

- name: XCCDF Value var_zabbix_can_network # promote to variable
  set_fact:
    var_zabbix_can_network: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_zabbix_can_network
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean zabbix_can_network accordingly
  seboolean:
    name: zabbix_can_network
    state: "{{ var_zabbix_can_network }}"
    persistent: yes
  tags:
    - sebool_zabbix_can_network
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the virt_use_nfs SELinux Boolean

By default, the SELinux boolean virt_use_nfs is disabled. If this setting is enabled, it should be disabled.
To disable the virt_use_nfs SELinux boolean, run the following command:

$ sudo setsebool -P virt_use_nfs off

Remediation Shell script:

var_virt_use_nfs=""
setsebool -P virt_use_nfs $var_virt_use_nfs

Remediation Ansible snippet:

- name: XCCDF Value var_virt_use_nfs # promote to variable
  set_fact:
    var_virt_use_nfs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_virt_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean virt_use_nfs accordingly
  seboolean:
    name: virt_use_nfs
    state: "{{ var_virt_use_nfs }}"
    persistent: yes
  tags:
    - sebool_virt_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the prosody_bind_http_port SELinux Boolean

By default, the SELinux boolean prosody_bind_http_port is disabled. If this setting is enabled, it should be disabled.
To disable the prosody_bind_http_port SELinux boolean, run the following command:

$ sudo setsebool -P prosody_bind_http_port off

Remediation Shell script:

var_prosody_bind_http_port=""
setsebool -P prosody_bind_http_port $var_prosody_bind_http_port

Remediation Ansible snippet:

- name: XCCDF Value var_prosody_bind_http_port # promote to variable
  set_fact:
    var_prosody_bind_http_port: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_prosody_bind_http_port
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean prosody_bind_http_port accordingly
  seboolean:
    name: prosody_bind_http_port
    state: "{{ var_prosody_bind_http_port }}"
    persistent: yes
  tags:
    - sebool_prosody_bind_http_port
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the use_samba_home_dirs SELinux Boolean

By default, the SELinux boolean use_samba_home_dirs is disabled. If this setting is enabled, it should be disabled.
To disable the use_samba_home_dirs SELinux boolean, run the following command:

$ sudo setsebool -P use_samba_home_dirs off

Remediation Shell script:

var_use_samba_home_dirs=""
setsebool -P use_samba_home_dirs $var_use_samba_home_dirs

Remediation Ansible snippet:

- name: XCCDF Value var_use_samba_home_dirs # promote to variable
  set_fact:
    var_use_samba_home_dirs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_use_samba_home_dirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean use_samba_home_dirs accordingly
  seboolean:
    name: use_samba_home_dirs
    state: "{{ var_use_samba_home_dirs }}"
    persistent: yes
  tags:
    - sebool_use_samba_home_dirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the cron_userdomain_transition SELinux Boolean

By default, the SELinux boolean cron_userdomain_transition is enabled. This setting should be enabled so that end-user cron jobs run in their associated user domain(s) instead of the general cronjob domain.
To enable the cron_userdomain_transition SELinux boolean, run the following command:

$ sudo setsebool -P cron_userdomain_transition on

Remediation Shell script:

var_cron_userdomain_transition=""
setsebool -P cron_userdomain_transition $var_cron_userdomain_transition

Remediation Ansible snippet:

- name: XCCDF Value var_cron_userdomain_transition # promote to variable
  set_fact:
    var_cron_userdomain_transition: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_cron_userdomain_transition
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean cron_userdomain_transition accordingly
  seboolean:
    name: cron_userdomain_transition
    state: "{{ var_cron_userdomain_transition }}"
    persistent: yes
  tags:
    - sebool_cron_userdomain_transition
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the spamassassin_can_network SELinux Boolean

By default, the SELinux boolean spamassassin_can_network is disabled. If this setting is enabled, it should be disabled.
To disable the spamassassin_can_network SELinux boolean, run the following command:

$ sudo setsebool -P spamassassin_can_network off

Remediation Shell script:

var_spamassassin_can_network=""
setsebool -P spamassassin_can_network $var_spamassassin_can_network

Remediation Ansible snippet:

- name: XCCDF Value var_spamassassin_can_network # promote to variable
  set_fact:
    var_spamassassin_can_network: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_spamassassin_can_network
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean spamassassin_can_network accordingly
  seboolean:
    name: spamassassin_can_network
    state: "{{ var_spamassassin_can_network }}"
    persistent: yes
  tags:
    - sebool_spamassassin_can_network
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the git_cgi_use_nfs SELinux Boolean

By default, the SELinux boolean git_cgi_use_nfs is disabled. If this setting is enabled, it should be disabled.
To disable the git_cgi_use_nfs SELinux boolean, run the following command:

$ sudo setsebool -P git_cgi_use_nfs off

Remediation Shell script:

var_git_cgi_use_nfs=""
setsebool -P git_cgi_use_nfs $var_git_cgi_use_nfs

Remediation Ansible snippet:

- name: XCCDF Value var_git_cgi_use_nfs # promote to variable
  set_fact:
    var_git_cgi_use_nfs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_git_cgi_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean git_cgi_use_nfs accordingly
  seboolean:
    name: git_cgi_use_nfs
    state: "{{ var_git_cgi_use_nfs }}"
    persistent: yes
  tags:
    - sebool_git_cgi_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the secure_mode_insmod SELinux Boolean

By default, the SELinux boolean secure_mode_insmod is disabled. If this setting is enabled, it should be disabled.
To disable the secure_mode_insmod SELinux boolean, run the following command:

$ sudo setsebool -P secure_mode_insmod off

Remediation Shell script:

var_secure_mode_insmod=""
setsebool -P secure_mode_insmod $var_secure_mode_insmod

Remediation Ansible snippet:

- name: XCCDF Value var_secure_mode_insmod # promote to variable
  set_fact:
    var_secure_mode_insmod: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_secure_mode_insmod
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean secure_mode_insmod accordingly
  seboolean:
    name: secure_mode_insmod
    state: "{{ var_secure_mode_insmod }}"
    persistent: yes
  tags:
    - sebool_secure_mode_insmod
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the mysql_connect_any SELinux Boolean

By default, the SELinux boolean mysql_connect_any is disabled. If this setting is enabled, it should be disabled.
To disable the mysql_connect_any SELinux boolean, run the following command:

$ sudo setsebool -P mysql_connect_any off

Remediation Shell script:

var_mysql_connect_any=""
setsebool -P mysql_connect_any $var_mysql_connect_any

Remediation Ansible snippet:

- name: XCCDF Value var_mysql_connect_any # promote to variable
  set_fact:
    var_mysql_connect_any: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_mysql_connect_any
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean mysql_connect_any accordingly
  seboolean:
    name: mysql_connect_any
    state: "{{ var_mysql_connect_any }}"
    persistent: yes
  tags:
    - sebool_mysql_connect_any
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the samba_load_libgfapi SELinux Boolean

By default, the SELinux boolean samba_load_libgfapi is disabled. If this setting is enabled, it should be disabled.
To disable the samba_load_libgfapi SELinux boolean, run the following command:

$ sudo setsebool -P samba_load_libgfapi off

Remediation Shell script:

var_samba_load_libgfapi=""
setsebool -P samba_load_libgfapi $var_samba_load_libgfapi

Remediation Ansible snippet:

- name: XCCDF Value var_samba_load_libgfapi # promote to variable
  set_fact:
    var_samba_load_libgfapi: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_samba_load_libgfapi
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean samba_load_libgfapi accordingly
  seboolean:
    name: samba_load_libgfapi
    state: "{{ var_samba_load_libgfapi }}"
    persistent: yes
  tags:
    - sebool_samba_load_libgfapi
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the samba_portmapper SELinux Boolean

By default, the SELinux boolean samba_portmapper is disabled. If this setting is enabled, it should be disabled.
To disable the samba_portmapper SELinux boolean, run the following command:

$ sudo setsebool -P samba_portmapper off

Remediation Shell script:

var_samba_portmapper=""
setsebool -P samba_portmapper $var_samba_portmapper

Remediation Ansible snippet:

- name: XCCDF Value var_samba_portmapper # promote to variable
  set_fact:
    var_samba_portmapper: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_samba_portmapper
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean samba_portmapper accordingly
  seboolean:
    name: samba_portmapper
    state: "{{ var_samba_portmapper }}"
    persistent: yes
  tags:
    - sebool_samba_portmapper
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_run_preupgrade SELinux Boolean

By default, the SELinux boolean httpd_run_preupgrade is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_run_preupgrade SELinux boolean, run the following command:

$ sudo setsebool -P httpd_run_preupgrade off

Remediation Shell script:

var_httpd_run_preupgrade=""
setsebool -P httpd_run_preupgrade $var_httpd_run_preupgrade

Remediation Ansible snippet:

- name: XCCDF Value var_httpd_run_preupgrade # promote to variable
  set_fact:
    var_httpd_run_preupgrade: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_httpd_run_preupgrade
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean httpd_run_preupgrade accordingly
  seboolean:
    name: httpd_run_preupgrade
    state: "{{ var_httpd_run_preupgrade }}"
    persistent: yes
  tags:
    - sebool_httpd_run_preupgrade
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the virt_use_xserver SELinux Boolean

By default, the SELinux boolean virt_use_xserver is disabled. If this setting is enabled, it should be disabled.
To disable the virt_use_xserver SELinux boolean, run the following command:

$ sudo setsebool -P virt_use_xserver off

Remediation Shell script:

var_virt_use_xserver=""
setsebool -P virt_use_xserver $var_virt_use_xserver

Remediation Ansible snippet:

- name: XCCDF Value var_virt_use_xserver # promote to variable
  set_fact:
    var_virt_use_xserver: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_virt_use_xserver
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean virt_use_xserver accordingly
  seboolean:
    name: virt_use_xserver
    state: "{{ var_virt_use_xserver }}"
    persistent: yes
  tags:
    - sebool_virt_use_xserver
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the mplayer_execstack SELinux Boolean

By default, the SELinux boolean mplayer_execstack is disabled. If this setting is enabled, it should be disabled.
To disable the mplayer_execstack SELinux boolean, run the following command:

$ sudo setsebool -P mplayer_execstack off

Remediation Shell script:

var_mplayer_execstack=""
setsebool -P mplayer_execstack $var_mplayer_execstack

Remediation Ansible snippet:

- name: XCCDF Value var_mplayer_execstack # promote to variable
  set_fact:
    var_mplayer_execstack: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_mplayer_execstack
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean mplayer_execstack accordingly
  seboolean:
    name: mplayer_execstack
    state: "{{ var_mplayer_execstack }}"
    persistent: yes
  tags:
    - sebool_mplayer_execstack
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the selinuxuser_rw_noexattrfile SELinux Boolean

By default, the SELinux boolean selinuxuser_rw_noexattrfile is enabled. This setting should be disabled, as users should not be able to read or write files on filesystems that do not support extended attributes (e.g. FAT, CDROM, FLOPPY, etc.).
To disable the selinuxuser_rw_noexattrfile SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_rw_noexattrfile off

Remediation Shell script:

var_selinuxuser_rw_noexattrfile=""
setsebool -P selinuxuser_rw_noexattrfile $var_selinuxuser_rw_noexattrfile

Remediation Ansible snippet:

- name: XCCDF Value var_selinuxuser_rw_noexattrfile # promote to variable
  set_fact:
    var_selinuxuser_rw_noexattrfile: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_selinuxuser_rw_noexattrfile
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean selinuxuser_rw_noexattrfile accordingly
  seboolean:
    name: selinuxuser_rw_noexattrfile
    state: "{{ var_selinuxuser_rw_noexattrfile }}"
    persistent: yes
  tags:
    - sebool_selinuxuser_rw_noexattrfile
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the neutron_can_network SELinux Boolean

By default, the SELinux boolean neutron_can_network is disabled. If this setting is enabled, it should be disabled.
To disable the neutron_can_network SELinux boolean, run the following command:

$ sudo setsebool -P neutron_can_network off

Remediation Shell script:

var_neutron_can_network=""
setsebool -P neutron_can_network $var_neutron_can_network

Remediation Ansible snippet:

- name: XCCDF Value var_neutron_can_network # promote to variable
  set_fact:
    var_neutron_can_network: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_neutron_can_network
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean neutron_can_network accordingly
  seboolean:
    name: neutron_can_network
    state: "{{ var_neutron_can_network }}"
    persistent: yes
  tags:
    - sebool_neutron_can_network
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the ftpd_full_access SELinux Boolean

By default, the SELinux boolean ftpd_full_access is disabled. If this setting is enabled, it should be disabled.
To disable the ftpd_full_access SELinux boolean, run the following command:

$ sudo setsebool -P ftpd_full_access off

Remediation Shell script:

var_ftpd_full_access=""
setsebool -P ftpd_full_access $var_ftpd_full_access

Remediation Ansible snippet:

- name: XCCDF Value var_ftpd_full_access # promote to variable
  set_fact:
    var_ftpd_full_access: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_ftpd_full_access
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean ftpd_full_access accordingly
  seboolean:
    name: ftpd_full_access
    state: "{{ var_ftpd_full_access }}"
    persistent: yes
  tags:
    - sebool_ftpd_full_access
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the ftpd_use_fusefs SELinux Boolean

By default, the SELinux boolean ftpd_use_fusefs is disabled. If this setting is enabled, it should be disabled.
To disable the ftpd_use_fusefs SELinux boolean, run the following command:

$ sudo setsebool -P ftpd_use_fusefs off

Remediation Shell script:

var_ftpd_use_fusefs=""
setsebool -P ftpd_use_fusefs $var_ftpd_use_fusefs

Remediation Ansible snippet:

- name: XCCDF Value var_ftpd_use_fusefs # promote to variable
  set_fact:
    var_ftpd_use_fusefs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_ftpd_use_fusefs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean ftpd_use_fusefs accordingly
  seboolean:
    name: ftpd_use_fusefs
    state: "{{ var_ftpd_use_fusefs }}"
    persistent: yes
  tags:
    - sebool_ftpd_use_fusefs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the deny_execmem SELinux Boolean

By default, the SELinux boolean deny_execmem is disabled. If this setting is enabled, it should be disabled.
To disable the deny_execmem SELinux boolean, run the following command:

$ sudo setsebool -P deny_execmem off

Remediation Shell script:

var_deny_execmem=""
setsebool -P deny_execmem $var_deny_execmem

Remediation Ansible snippet:

- name: XCCDF Value var_deny_execmem # promote to variable
  set_fact:
    var_deny_execmem: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_deny_execmem
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean deny_execmem accordingly
  seboolean:
    name: deny_execmem
    state: "{{ var_deny_execmem }}"
    persistent: yes
  tags:
    - sebool_deny_execmem
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the ssh_chroot_rw_homedirs SELinux Boolean

By default, the SELinux boolean ssh_chroot_rw_homedirs is disabled. If this setting is enabled, it should be disabled.
To disable the ssh_chroot_rw_homedirs SELinux boolean, run the following command:

$ sudo setsebool -P ssh_chroot_rw_homedirs off

Remediation Shell script:

var_ssh_chroot_rw_homedirs=""
setsebool -P ssh_chroot_rw_homedirs $var_ssh_chroot_rw_homedirs

Remediation Ansible snippet:

- name: XCCDF Value var_ssh_chroot_rw_homedirs # promote to variable
  set_fact:
    var_ssh_chroot_rw_homedirs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_ssh_chroot_rw_homedirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean ssh_chroot_rw_homedirs accordingly
  seboolean:
    name: ssh_chroot_rw_homedirs
    state: "{{ var_ssh_chroot_rw_homedirs }}"
    persistent: yes
  tags:
    - sebool_ssh_chroot_rw_homedirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_mod_auth_pam SELinux Boolean

By default, the SELinux boolean httpd_mod_auth_pam is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_mod_auth_pam SELinux boolean, run the following command:

$ sudo setsebool -P httpd_mod_auth_pam off

Remediation Shell script:

var_httpd_mod_auth_pam=""
setsebool -P httpd_mod_auth_pam $var_httpd_mod_auth_pam

Remediation Ansible snippet:

- name: XCCDF Value var_httpd_mod_auth_pam # promote to variable
  set_fact:
    var_httpd_mod_auth_pam: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_httpd_mod_auth_pam
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean httpd_mod_auth_pam accordingly
  seboolean:
    name: httpd_mod_auth_pam
    state: "{{ var_httpd_mod_auth_pam }}"
    persistent: yes
  tags:
    - sebool_httpd_mod_auth_pam
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the authlogin_yubikey SELinux Boolean

By default, the SELinux boolean authlogin_yubikey is disabled. If this setting is enabled, it should be disabled.
To disable the authlogin_yubikey SELinux boolean, run the following command:

$ sudo setsebool -P authlogin_yubikey off

Identifiers and References: CCE-80427-8; NIST 800-171 3.7.2

Remediation Shell script:

var_authlogin_yubikey=""
setsebool -P authlogin_yubikey $var_authlogin_yubikey

Remediation Ansible snippet:

- name: XCCDF Value var_authlogin_yubikey # promote to variable
  set_fact:
    var_authlogin_yubikey: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_authlogin_yubikey
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80427-8
    - NIST-800-171-3.7.2
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean authlogin_yubikey accordingly
  seboolean:
    name: authlogin_yubikey
    state: "{{ var_authlogin_yubikey }}"
    persistent: yes
  tags:
    - sebool_authlogin_yubikey
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80427-8
    - NIST-800-171-3.7.2
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the virt_use_samba SELinux Boolean

By default, the SELinux boolean virt_use_samba is disabled. If this setting is enabled, it should be disabled.
To disable the virt_use_samba SELinux boolean, run the following command:

$ sudo setsebool -P virt_use_samba off

Remediation Shell script:

var_virt_use_samba=""
setsebool -P virt_use_samba $var_virt_use_samba

Remediation Ansible snippet:

- name: XCCDF Value var_virt_use_samba # promote to variable
  set_fact:
    var_virt_use_samba: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_virt_use_samba
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean virt_use_samba accordingly
  seboolean:
    name: virt_use_samba
    state: "{{ var_virt_use_samba }}"
    persistent: yes
  tags:
    - sebool_virt_use_samba
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_can_connect_ftp SELinux Boolean

By default, the SELinux boolean httpd_can_connect_ftp is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_can_connect_ftp SELinux boolean, run the following command:

$ sudo setsebool -P httpd_can_connect_ftp off

Remediation Shell script:

var_httpd_can_connect_ftp=""
setsebool -P httpd_can_connect_ftp $var_httpd_can_connect_ftp

Remediation Ansible snippet:

- name: XCCDF Value var_httpd_can_connect_ftp # promote to variable
  set_fact:
    var_httpd_can_connect_ftp: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_httpd_can_connect_ftp
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean httpd_can_connect_ftp accordingly
  seboolean:
    name: httpd_can_connect_ftp
    state: "{{ var_httpd_can_connect_ftp }}"
    persistent: yes
  tags:
    - sebool_httpd_can_connect_ftp
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the abrt_anon_write SELinux Boolean

By default, the SELinux boolean abrt_anon_write is disabled. If this setting is enabled, it should be disabled.
To disable the abrt_anon_write SELinux boolean, run the following command:

$ sudo setsebool -P abrt_anon_write off

Identifiers and References: CCE-80419-5; NIST 800-171 3.7.2

Remediation Shell script:

var_abrt_anon_write=""
setsebool -P abrt_anon_write $var_abrt_anon_write

Remediation Ansible snippet:

- name: XCCDF Value var_abrt_anon_write # promote to variable
  set_fact:
    var_abrt_anon_write: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_abrt_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80419-5
    - NIST-800-171-3.7.2
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean abrt_anon_write accordingly
  seboolean:
    name: abrt_anon_write
    state: "{{ var_abrt_anon_write }}"
    persistent: yes
  tags:
    - sebool_abrt_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80419-5
    - NIST-800-171-3.7.2
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the named_tcp_bind_http_port SELinux Boolean

By default, the SELinux boolean named_tcp_bind_http_port is disabled. If this setting is enabled, it should be disabled.
To disable the named_tcp_bind_http_port SELinux boolean, run the following command:

$ sudo setsebool -P named_tcp_bind_http_port off

Remediation Shell script:

var_named_tcp_bind_http_port=""
setsebool -P named_tcp_bind_http_port $var_named_tcp_bind_http_port

Remediation Ansible snippet:

- name: XCCDF Value var_named_tcp_bind_http_port # promote to variable
  set_fact:
    var_named_tcp_bind_http_port: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_named_tcp_bind_http_port
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean named_tcp_bind_http_port accordingly
  seboolean:
    name: named_tcp_bind_http_port
    state: "{{ var_named_tcp_bind_http_port }}"
    persistent: yes
  tags:
    - sebool_named_tcp_bind_http_port
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the squid_use_tproxy SELinux Boolean

By default, the SELinux boolean squid_use_tproxy is disabled. If this setting is enabled, it should be disabled.
To disable the squid_use_tproxy SELinux boolean, run the following command:

$ sudo setsebool -P squid_use_tproxy off

Remediation Shell script:

var_squid_use_tproxy=""
setsebool -P squid_use_tproxy $var_squid_use_tproxy

Remediation Ansible snippet:

- name: XCCDF Value var_squid_use_tproxy # promote to variable
  set_fact:
    var_squid_use_tproxy: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_squid_use_tproxy
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean squid_use_tproxy accordingly
  seboolean:
    name: squid_use_tproxy
    state: "{{ var_squid_use_tproxy }}"
    persistent: yes
  tags:
    - sebool_squid_use_tproxy
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the dhcpd_use_ldap SELinux Boolean

By default, the SELinux boolean dhcpd_use_ldap is disabled. If this setting is enabled, it should be disabled.
To disable the dhcpd_use_ldap SELinux boolean, run the following command:

$ sudo setsebool -P dhcpd_use_ldap off

Remediation Shell script:

var_dhcpd_use_ldap=""
setsebool -P dhcpd_use_ldap $var_dhcpd_use_ldap

Remediation Ansible snippet:

- name: XCCDF Value var_dhcpd_use_ldap # promote to variable
  set_fact:
    var_dhcpd_use_ldap: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_dhcpd_use_ldap
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean dhcpd_use_ldap accordingly
  seboolean:
    name: dhcpd_use_ldap
    state: "{{ var_dhcpd_use_ldap }}"
    persistent: yes
  tags:
    - sebool_dhcpd_use_ldap
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the tftp_home_dir SELinux Boolean

By default, the SELinux boolean tftp_home_dir is disabled. If this setting is enabled, it should be disabled.
To disable the tftp_home_dir SELinux boolean, run the following command:

$ sudo setsebool -P tftp_home_dir off

Remediation Shell script:

var_tftp_home_dir=""
setsebool -P tftp_home_dir $var_tftp_home_dir

Remediation Ansible snippet:

- name: XCCDF Value var_tftp_home_dir # promote to variable
  set_fact:
    var_tftp_home_dir: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_tftp_home_dir
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean tftp_home_dir accordingly
  seboolean:
    name: tftp_home_dir
    state: "{{ var_tftp_home_dir }}"
    persistent: yes
  tags:
    - sebool_tftp_home_dir
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the awstats_purge_apache_log_files SELinux Boolean

By default, the SELinux boolean awstats_purge_apache_log_files is disabled. If this setting is enabled, it should be disabled.
To disable the awstats_purge_apache_log_files SELinux boolean, run the following command:

$ sudo setsebool -P awstats_purge_apache_log_files off

Identifiers and References: CCE-80428-6; NIST 800-171 3.7.2

Remediation Shell script:

var_awstats_purge_apache_log_files=""
setsebool -P awstats_purge_apache_log_files $var_awstats_purge_apache_log_files

Remediation Ansible snippet:

- name: XCCDF Value var_awstats_purge_apache_log_files # promote to variable
  set_fact:
    var_awstats_purge_apache_log_files: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_awstats_purge_apache_log_files
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80428-6
    - NIST-800-171-3.7.2
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean awstats_purge_apache_log_files accordingly
  seboolean:
    name: awstats_purge_apache_log_files
    state: "{{ var_awstats_purge_apache_log_files }}"
    persistent: yes
  tags:
    - sebool_awstats_purge_apache_log_files
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80428-6
    - NIST-800-171-3.7.2
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the samba_share_nfs SELinux Boolean

By default, the SELinux boolean samba_share_nfs is disabled. If this setting is enabled, it should be disabled.
To disable the samba_share_nfs SELinux boolean, run the following command:

    $ sudo setsebool -P samba_share_nfs off

Remediation Shell script:

    var_samba_share_nfs=""
    setsebool -P samba_share_nfs $var_samba_share_nfs

Remediation Ansible snippet:

    - name: XCCDF Value var_samba_share_nfs # promote to variable
      set_fact:
        var_samba_share_nfs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_samba_share_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean samba_share_nfs accordingly
      seboolean:
        name: samba_share_nfs
        state: "{{ var_samba_share_nfs }}"
        persistent: yes
      tags:
        - sebool_samba_share_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the glance_use_fusefs SELinux Boolean

By default, the SELinux boolean glance_use_fusefs is disabled. If this setting is enabled, it should be disabled.
To disable the glance_use_fusefs SELinux boolean, run the following command:

    $ sudo setsebool -P glance_use_fusefs off

Remediation Shell script:

    var_glance_use_fusefs=""
    setsebool -P glance_use_fusefs $var_glance_use_fusefs

Remediation Ansible snippet:

    - name: XCCDF Value var_glance_use_fusefs # promote to variable
      set_fact:
        var_glance_use_fusefs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_glance_use_fusefs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean glance_use_fusefs accordingly
      seboolean:
        name: glance_use_fusefs
        state: "{{ var_glance_use_fusefs }}"
        persistent: yes
      tags:
        - sebool_glance_use_fusefs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the sanlock_use_nfs SELinux Boolean

By default, the SELinux boolean sanlock_use_nfs is disabled. If this setting is enabled, it should be disabled.
To disable the sanlock_use_nfs SELinux boolean, run the following command:

    $ sudo setsebool -P sanlock_use_nfs off

Remediation Shell script:

    var_sanlock_use_nfs=""
    setsebool -P sanlock_use_nfs $var_sanlock_use_nfs

Remediation Ansible snippet:

    - name: XCCDF Value var_sanlock_use_nfs # promote to variable
      set_fact:
        var_sanlock_use_nfs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_sanlock_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean sanlock_use_nfs accordingly
      seboolean:
        name: sanlock_use_nfs
        state: "{{ var_sanlock_use_nfs }}"
        persistent: yes
      tags:
        - sebool_sanlock_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure the gluster_export_all_rw SELinux Boolean

By default, the SELinux boolean gluster_export_all_rw is enabled. If GlusterFS is in use, this setting should be enabled. Otherwise, disable it.
To disable the gluster_export_all_rw SELinux boolean, run the following command:

    $ sudo setsebool -P gluster_export_all_rw off

Remediation Shell script:

    var_gluster_export_all_rw=""
    setsebool -P gluster_export_all_rw $var_gluster_export_all_rw

Remediation Ansible snippet:

    - name: XCCDF Value var_gluster_export_all_rw # promote to variable
      set_fact:
        var_gluster_export_all_rw: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_gluster_export_all_rw
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean gluster_export_all_rw accordingly
      seboolean:
        name: gluster_export_all_rw
        state: "{{ var_gluster_export_all_rw }}"
        persistent: yes
      tags:
        - sebool_gluster_export_all_rw
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the mozilla_plugin_bind_unreserved_ports SELinux Boolean

By default, the SELinux boolean mozilla_plugin_bind_unreserved_ports is disabled. If this setting is enabled, it should be disabled.
To disable the mozilla_plugin_bind_unreserved_ports SELinux boolean, run the following command:

    $ sudo setsebool -P mozilla_plugin_bind_unreserved_ports off

Remediation Shell script:

    var_mozilla_plugin_bind_unreserved_ports=""
    setsebool -P mozilla_plugin_bind_unreserved_ports $var_mozilla_plugin_bind_unreserved_ports

Remediation Ansible snippet:

    - name: XCCDF Value var_mozilla_plugin_bind_unreserved_ports # promote to variable
      set_fact:
        var_mozilla_plugin_bind_unreserved_ports: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_mozilla_plugin_bind_unreserved_ports
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean mozilla_plugin_bind_unreserved_ports accordingly
      seboolean:
        name: mozilla_plugin_bind_unreserved_ports
        state: "{{ var_mozilla_plugin_bind_unreserved_ports }}"
        persistent: yes
      tags:
        - sebool_mozilla_plugin_bind_unreserved_ports
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the logging_syslogd_use_tty SELinux Boolean

By default, the SELinux boolean logging_syslogd_use_tty is enabled. If this setting is disabled, it should be enabled, as it allows syslog to read from and write to the terminal.
To enable the logging_syslogd_use_tty SELinux boolean, run the following command:

    $ sudo setsebool -P logging_syslogd_use_tty on

Remediation Shell script:

    var_logging_syslogd_use_tty=""
    setsebool -P logging_syslogd_use_tty $var_logging_syslogd_use_tty

Remediation Ansible snippet:

    - name: XCCDF Value var_logging_syslogd_use_tty # promote to variable
      set_fact:
        var_logging_syslogd_use_tty: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_logging_syslogd_use_tty
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean logging_syslogd_use_tty accordingly
      seboolean:
        name: logging_syslogd_use_tty
        state: "{{ var_logging_syslogd_use_tty }}"
        persistent: yes
      tags:
        - sebool_logging_syslogd_use_tty
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the login_console_enabled SELinux Boolean

By default, the SELinux boolean login_console_enabled is enabled. If this setting is disabled, it should be enabled, as it allows login from /dev/console to a console session.
To enable the login_console_enabled SELinux boolean, run the following command:

    $ sudo setsebool -P login_console_enabled on

Remediation Shell script:

    var_login_console_enabled=""
    setsebool -P login_console_enabled $var_login_console_enabled

Remediation Ansible snippet:

    - name: XCCDF Value var_login_console_enabled # promote to variable
      set_fact:
        var_login_console_enabled: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_login_console_enabled
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean login_console_enabled accordingly
      seboolean:
        name: login_console_enabled
        state: "{{ var_login_console_enabled }}"
        persistent: yes
      tags:
        - sebool_login_console_enabled
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the glance_api_can_network SELinux Boolean

By default, the SELinux boolean glance_api_can_network is disabled. If this setting is enabled, it should be disabled.
To disable the glance_api_can_network SELinux boolean, run the following command:

    $ sudo setsebool -P glance_api_can_network off

Remediation Shell script:

    var_glance_api_can_network=""
    setsebool -P glance_api_can_network $var_glance_api_can_network

Remediation Ansible snippet:

    - name: XCCDF Value var_glance_api_can_network # promote to variable
      set_fact:
        var_glance_api_can_network: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_glance_api_can_network
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean glance_api_can_network accordingly
      seboolean:
        name: glance_api_can_network
        state: "{{ var_glance_api_can_network }}"
        persistent: yes
      tags:
        - sebool_glance_api_can_network
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the abrt_handle_event SELinux Boolean

By default, the SELinux boolean abrt_handle_event is disabled. If this setting is enabled, it should be disabled.
To disable the abrt_handle_event SELinux boolean, run the following command:

    $ sudo setsebool -P abrt_handle_event off

Identifiers and References: CCE-80420-3; NIST 800-171 3.7.2

Remediation Shell script:

    var_abrt_handle_event=""
    setsebool -P abrt_handle_event $var_abrt_handle_event

Remediation Ansible snippet:

    - name: XCCDF Value var_abrt_handle_event # promote to variable
      set_fact:
        var_abrt_handle_event: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_abrt_handle_event
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80420-3
        - NIST-800-171-3.7.2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean abrt_handle_event accordingly
      seboolean:
        name: abrt_handle_event
        state: "{{ var_abrt_handle_event }}"
        persistent: yes
      tags:
        - sebool_abrt_handle_event
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80420-3
        - NIST-800-171-3.7.2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the gluster_export_all_ro SELinux Boolean

By default, the SELinux boolean gluster_export_all_ro is disabled. If this setting is enabled, it should be disabled.
To disable the gluster_export_all_ro SELinux boolean, run the following command:

    $ sudo setsebool -P gluster_export_all_ro off

Remediation Shell script:

    var_gluster_export_all_ro=""
    setsebool -P gluster_export_all_ro $var_gluster_export_all_ro

Remediation Ansible snippet:

    - name: XCCDF Value var_gluster_export_all_ro # promote to variable
      set_fact:
        var_gluster_export_all_ro: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_gluster_export_all_ro
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean gluster_export_all_ro accordingly
      seboolean:
        name: gluster_export_all_ro
        state: "{{ var_gluster_export_all_ro }}"
        persistent: yes
      tags:
        - sebool_gluster_export_all_ro
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the ksmtuned_use_nfs SELinux Boolean

By default, the SELinux boolean ksmtuned_use_nfs is disabled. If this setting is enabled, it should be disabled.
To disable the ksmtuned_use_nfs SELinux boolean, run the following command:

    $ sudo setsebool -P ksmtuned_use_nfs off

Remediation Shell script:

    var_ksmtuned_use_nfs=""
    setsebool -P ksmtuned_use_nfs $var_ksmtuned_use_nfs

Remediation Ansible snippet:

    - name: XCCDF Value var_ksmtuned_use_nfs # promote to variable
      set_fact:
        var_ksmtuned_use_nfs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_ksmtuned_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean ksmtuned_use_nfs accordingly
      seboolean:
        name: ksmtuned_use_nfs
        state: "{{ var_ksmtuned_use_nfs }}"
        persistent: yes
      tags:
        - sebool_ksmtuned_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the puppetagent_manage_all_files SELinux Boolean

By default, the SELinux boolean puppetagent_manage_all_files is disabled. If this setting is enabled, it should be disabled.
To disable the puppetagent_manage_all_files SELinux boolean, run the following command:

    $ sudo setsebool -P puppetagent_manage_all_files off

Remediation Shell script:

    var_puppetagent_manage_all_files=""
    setsebool -P puppetagent_manage_all_files $var_puppetagent_manage_all_files

Remediation Ansible snippet:

    - name: XCCDF Value var_puppetagent_manage_all_files # promote to variable
      set_fact:
        var_puppetagent_manage_all_files: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_puppetagent_manage_all_files
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean puppetagent_manage_all_files accordingly
      seboolean:
        name: puppetagent_manage_all_files
        state: "{{ var_puppetagent_manage_all_files }}"
        persistent: yes
      tags:
        - sebool_puppetagent_manage_all_files
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_dontaudit_search_dirs SELinux Boolean

By default, the SELinux boolean httpd_dontaudit_search_dirs is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_dontaudit_search_dirs SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_dontaudit_search_dirs off

Remediation Shell script:

    var_httpd_dontaudit_search_dirs=""
    setsebool -P httpd_dontaudit_search_dirs $var_httpd_dontaudit_search_dirs

Remediation Ansible snippet:

    - name: XCCDF Value var_httpd_dontaudit_search_dirs # promote to variable
      set_fact:
        var_httpd_dontaudit_search_dirs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_dontaudit_search_dirs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_dontaudit_search_dirs accordingly
      seboolean:
        name: httpd_dontaudit_search_dirs
        state: "{{ var_httpd_dontaudit_search_dirs }}"
        persistent: yes
      tags:
        - sebool_httpd_dontaudit_search_dirs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the smbd_anon_write SELinux Boolean

By default, the SELinux boolean smbd_anon_write is disabled. If this setting is enabled, it should be disabled.
To disable the smbd_anon_write SELinux boolean, run the following command:

    $ sudo setsebool -P smbd_anon_write off

Remediation Shell script:

    var_smbd_anon_write=""
    setsebool -P smbd_anon_write $var_smbd_anon_write

Remediation Ansible snippet:

    - name: XCCDF Value var_smbd_anon_write # promote to variable
      set_fact:
        var_smbd_anon_write: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_smbd_anon_write
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean smbd_anon_write accordingly
      seboolean:
        name: smbd_anon_write
        state: "{{ var_smbd_anon_write }}"
        persistent: yes
      tags:
        - sebool_smbd_anon_write
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the cron_system_cronjob_use_shares SELinux Boolean

By default, the SELinux boolean cron_system_cronjob_use_shares is disabled. If this setting is enabled, it should be disabled.
To disable the cron_system_cronjob_use_shares SELinux boolean, run the following command:

    $ sudo setsebool -P cron_system_cronjob_use_shares off

Remediation Shell script:

    var_cron_system_cronjob_use_shares=""
    setsebool -P cron_system_cronjob_use_shares $var_cron_system_cronjob_use_shares

Remediation Ansible snippet:

    - name: XCCDF Value var_cron_system_cronjob_use_shares # promote to variable
      set_fact:
        var_cron_system_cronjob_use_shares: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_cron_system_cronjob_use_shares
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean cron_system_cronjob_use_shares accordingly
      seboolean:
        name: cron_system_cronjob_use_shares
        state: "{{ var_cron_system_cronjob_use_shares }}"
        persistent: yes
      tags:
        - sebool_cron_system_cronjob_use_shares
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the mozilla_plugin_use_bluejeans SELinux Boolean

By default, the SELinux boolean mozilla_plugin_use_bluejeans is disabled. If this setting is enabled, it should be disabled.
To disable the mozilla_plugin_use_bluejeans SELinux boolean, run the following command:

    $ sudo setsebool -P mozilla_plugin_use_bluejeans off

Remediation Shell script:

    var_mozilla_plugin_use_bluejeans=""
    setsebool -P mozilla_plugin_use_bluejeans $var_mozilla_plugin_use_bluejeans

Remediation Ansible snippet:

    - name: XCCDF Value var_mozilla_plugin_use_bluejeans # promote to variable
      set_fact:
        var_mozilla_plugin_use_bluejeans: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_mozilla_plugin_use_bluejeans
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean mozilla_plugin_use_bluejeans accordingly
      seboolean:
        name: mozilla_plugin_use_bluejeans
        state: "{{ var_mozilla_plugin_use_bluejeans }}"
        persistent: yes
      tags:
        - sebool_mozilla_plugin_use_bluejeans
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the openvpn_enable_homedirs SELinux Boolean

By default, the SELinux boolean openvpn_enable_homedirs is enabled. This setting should be disabled.
To disable the openvpn_enable_homedirs SELinux boolean, run the following command:

    $ sudo setsebool -P openvpn_enable_homedirs off

Remediation Shell script:

    var_openvpn_enable_homedirs=""
    setsebool -P openvpn_enable_homedirs $var_openvpn_enable_homedirs

Remediation Ansible snippet:

    - name: XCCDF Value var_openvpn_enable_homedirs # promote to variable
      set_fact:
        var_openvpn_enable_homedirs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_openvpn_enable_homedirs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean openvpn_enable_homedirs accordingly
      seboolean:
        name: openvpn_enable_homedirs
        state: "{{ var_openvpn_enable_homedirs }}"
        persistent: yes
      tags:
        - sebool_openvpn_enable_homedirs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the mcelog_server SELinux Boolean

By default, the SELinux boolean mcelog_server is disabled. If this setting is enabled, it should be disabled.
To disable the mcelog_server SELinux boolean, run the following command:

    $ sudo setsebool -P mcelog_server off

Remediation Shell script:

    var_mcelog_server=""
    setsebool -P mcelog_server $var_mcelog_server

Remediation Ansible snippet:

    - name: XCCDF Value var_mcelog_server # promote to variable
      set_fact:
        var_mcelog_server: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_mcelog_server
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean mcelog_server accordingly
      seboolean:
        name: mcelog_server
        state: "{{ var_mcelog_server }}"
        persistent: yes
      tags:
        - sebool_mcelog_server
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the mcelog_exec_scripts SELinux Boolean

By default, the SELinux boolean mcelog_exec_scripts is enabled. If this setting is disabled, it should be enabled.
To enable the mcelog_exec_scripts SELinux boolean, run the following command:

    $ sudo setsebool -P mcelog_exec_scripts on

Remediation Shell script:

    var_mcelog_exec_scripts=""
    setsebool -P mcelog_exec_scripts $var_mcelog_exec_scripts

Remediation Ansible snippet:

    - name: XCCDF Value var_mcelog_exec_scripts # promote to variable
      set_fact:
        var_mcelog_exec_scripts: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_mcelog_exec_scripts
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean mcelog_exec_scripts accordingly
      seboolean:
        name: mcelog_exec_scripts
        state: "{{ var_mcelog_exec_scripts }}"
        persistent: yes
      tags:
        - sebool_mcelog_exec_scripts
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the sge_use_nfs SELinux Boolean

By default, the SELinux boolean sge_use_nfs is disabled. If this setting is enabled, it should be disabled.
To disable the sge_use_nfs SELinux boolean, run the following command:

    $ sudo setsebool -P sge_use_nfs off

Remediation Shell script:

    var_sge_use_nfs=""
    setsebool -P sge_use_nfs $var_sge_use_nfs

Remediation Ansible snippet:

    - name: XCCDF Value var_sge_use_nfs # promote to variable
      set_fact:
        var_sge_use_nfs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_sge_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean sge_use_nfs accordingly
      seboolean:
        name: sge_use_nfs
        state: "{{ var_sge_use_nfs }}"
        persistent: yes
      tags:
        - sebool_sge_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the webadm_read_user_files SELinux Boolean

By default, the SELinux boolean webadm_read_user_files is disabled. If this setting is enabled, it should be disabled.
To disable the webadm_read_user_files SELinux boolean, run the following command:

    $ sudo setsebool -P webadm_read_user_files off

Remediation Shell script:

    var_webadm_read_user_files=""
    setsebool -P webadm_read_user_files $var_webadm_read_user_files

Remediation Ansible snippet:

    - name: XCCDF Value var_webadm_read_user_files # promote to variable
      set_fact:
        var_webadm_read_user_files: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_webadm_read_user_files
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean webadm_read_user_files accordingly
      seboolean:
        name: webadm_read_user_files
        state: "{{ var_webadm_read_user_files }}"
        persistent: yes
      tags:
        - sebool_webadm_read_user_files
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the piranha_lvs_can_network_connect SELinux Boolean

By default, the SELinux boolean piranha_lvs_can_network_connect is disabled. If this setting is enabled, it should be disabled.
To disable the piranha_lvs_can_network_connect SELinux boolean, run the following command:

    $ sudo setsebool -P piranha_lvs_can_network_connect off

Remediation Shell script:

    var_piranha_lvs_can_network_connect=""
    setsebool -P piranha_lvs_can_network_connect $var_piranha_lvs_can_network_connect

Remediation Ansible snippet:

    - name: XCCDF Value var_piranha_lvs_can_network_connect # promote to variable
      set_fact:
        var_piranha_lvs_can_network_connect: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_piranha_lvs_can_network_connect
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean piranha_lvs_can_network_connect accordingly
      seboolean:
        name: piranha_lvs_can_network_connect
        state: "{{ var_piranha_lvs_can_network_connect }}"
        persistent: yes
      tags:
        - sebool_piranha_lvs_can_network_connect
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the domain_kernel_load_modules SELinux Boolean

By default, the SELinux boolean domain_kernel_load_modules is disabled. If this setting is enabled, it should be disabled.
To disable the domain_kernel_load_modules SELinux boolean, run the following command:

    $ sudo setsebool -P domain_kernel_load_modules off

Remediation Shell script:

    var_domain_kernel_load_modules=""
    setsebool -P domain_kernel_load_modules $var_domain_kernel_load_modules

Remediation Ansible snippet:

    - name: XCCDF Value var_domain_kernel_load_modules # promote to variable
      set_fact:
        var_domain_kernel_load_modules: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_domain_kernel_load_modules
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean domain_kernel_load_modules accordingly
      seboolean:
        name: domain_kernel_load_modules
        state: "{{ var_domain_kernel_load_modules }}"
        persistent: yes
      tags:
        - sebool_domain_kernel_load_modules
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the exim_manage_user_files SELinux Boolean

By default, the SELinux boolean exim_manage_user_files is disabled. If this setting is enabled, it should be disabled.
To disable the exim_manage_user_files SELinux boolean, run the following command:

    $ sudo setsebool -P exim_manage_user_files off

Remediation Shell script:

    var_exim_manage_user_files=""
    setsebool -P exim_manage_user_files $var_exim_manage_user_files

Remediation Ansible snippet:

    - name: XCCDF Value var_exim_manage_user_files # promote to variable
      set_fact:
        var_exim_manage_user_files: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_exim_manage_user_files
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean exim_manage_user_files accordingly
      seboolean:
        name: exim_manage_user_files
        state: "{{ var_exim_manage_user_files }}"
        persistent: yes
      tags:
        - sebool_exim_manage_user_files
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the virt_sandbox_use_netlink SELinux Boolean

By default, the SELinux boolean virt_sandbox_use_netlink is disabled. If this setting is enabled, it should be disabled.
To disable the virt_sandbox_use_netlink SELinux boolean, run the following command: $ sudo setsebool -P virt_sandbox_use_netlink off var_virt_sandbox_use_netlink="" setsebool -P virt_sandbox_use_netlink $var_virt_sandbox_use_netlink - name: XCCDF Value var_virt_sandbox_use_netlink # promote to variable set_fact: var_virt_sandbox_use_netlink: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_virt_sandbox_use_netlink - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean virt_sandbox_use_netlink accordingly seboolean: name: virt_sandbox_use_netlink state: "{{ var_virt_sandbox_use_netlink }}" persistent: yes tags: - sebool_virt_sandbox_use_netlink - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Enable the unconfined_chrome_sandbox_transition SELinux Boolean By default, the SELinux boolean unconfined_chrome_sandbox_transition is enabled. If this setting is disabled, it should be enabled. 
To enable the unconfined_chrome_sandbox_transition SELinux boolean, run the following command: $ sudo setsebool -P unconfined_chrome_sandbox_transition on var_unconfined_chrome_sandbox_transition="" setsebool -P unconfined_chrome_sandbox_transition $var_unconfined_chrome_sandbox_transition - name: XCCDF Value var_unconfined_chrome_sandbox_transition # promote to variable set_fact: var_unconfined_chrome_sandbox_transition: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_unconfined_chrome_sandbox_transition - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean unconfined_chrome_sandbox_transition accordingly seboolean: name: unconfined_chrome_sandbox_transition state: "{{ var_unconfined_chrome_sandbox_transition }}" persistent: yes tags: - sebool_unconfined_chrome_sandbox_transition - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the httpd_verify_dns SELinux Boolean By default, the SELinux boolean httpd_verify_dns is disabled. If this setting is enabled, it should be disabled. 
To disable the httpd_verify_dns SELinux boolean, run the following command: $ sudo setsebool -P httpd_verify_dns off var_httpd_verify_dns="" setsebool -P httpd_verify_dns $var_httpd_verify_dns - name: XCCDF Value var_httpd_verify_dns # promote to variable set_fact: var_httpd_verify_dns: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_httpd_verify_dns - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean httpd_verify_dns accordingly seboolean: name: httpd_verify_dns state: "{{ var_httpd_verify_dns }}" persistent: yes tags: - sebool_httpd_verify_dns - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the virt_read_qemu_ga_data SELinux Boolean By default, the SELinux boolean virt_read_qemu_ga_data is disabled. If this setting is enabled, it should be disabled. 
To disable the virt_read_qemu_ga_data SELinux boolean, run the following command: $ sudo setsebool -P virt_read_qemu_ga_data off var_virt_read_qemu_ga_data="" setsebool -P virt_read_qemu_ga_data $var_virt_read_qemu_ga_data - name: XCCDF Value var_virt_read_qemu_ga_data # promote to variable set_fact: var_virt_read_qemu_ga_data: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_virt_read_qemu_ga_data - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean virt_read_qemu_ga_data accordingly seboolean: name: virt_read_qemu_ga_data state: "{{ var_virt_read_qemu_ga_data }}" persistent: yes tags: - sebool_virt_read_qemu_ga_data - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the glance_use_execmem SELinux Boolean By default, the SELinux boolean glance_use_execmem is disabled. If this setting is enabled, it should be disabled. 
To disable the glance_use_execmem SELinux boolean, run the following command: $ sudo setsebool -P glance_use_execmem off var_glance_use_execmem="" setsebool -P glance_use_execmem $var_glance_use_execmem - name: XCCDF Value var_glance_use_execmem # promote to variable set_fact: var_glance_use_execmem: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_glance_use_execmem - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean glance_use_execmem accordingly seboolean: name: glance_use_execmem state: "{{ var_glance_use_execmem }}" persistent: yes tags: - sebool_glance_use_execmem - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the httpd_can_sendmail SELinux Boolean By default, the SELinux boolean httpd_can_sendmail is disabled. If this setting is enabled, it should be disabled. 
To disable the httpd_can_sendmail SELinux boolean, run the following command: $ sudo setsebool -P httpd_can_sendmail off var_httpd_can_sendmail="" setsebool -P httpd_can_sendmail $var_httpd_can_sendmail - name: XCCDF Value var_httpd_can_sendmail # promote to variable set_fact: var_httpd_can_sendmail: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_httpd_can_sendmail - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean httpd_can_sendmail accordingly seboolean: name: httpd_can_sendmail state: "{{ var_httpd_can_sendmail }}" persistent: yes tags: - sebool_httpd_can_sendmail - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the httpd_enable_homedirs SELinux Boolean By default, the SELinux boolean httpd_enable_homedirs is disabled. If this setting is enabled, it should be disabled. 
To disable the httpd_enable_homedirs SELinux boolean, run the following command: $ sudo setsebool -P httpd_enable_homedirs off var_httpd_enable_homedirs="" setsebool -P httpd_enable_homedirs $var_httpd_enable_homedirs - name: XCCDF Value var_httpd_enable_homedirs # promote to variable set_fact: var_httpd_enable_homedirs: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_httpd_enable_homedirs - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean httpd_enable_homedirs accordingly seboolean: name: httpd_enable_homedirs state: "{{ var_httpd_enable_homedirs }}" persistent: yes tags: - sebool_httpd_enable_homedirs - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the cdrecord_read_content SELinux Boolean By default, the SELinux boolean cdrecord_read_content is disabled. If this setting is enabled, it should be disabled. 
To disable the cdrecord_read_content SELinux boolean, run the following command: $ sudo setsebool -P cdrecord_read_content off var_cdrecord_read_content="" setsebool -P cdrecord_read_content $var_cdrecord_read_content - name: XCCDF Value var_cdrecord_read_content # promote to variable set_fact: var_cdrecord_read_content: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_cdrecord_read_content - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean cdrecord_read_content accordingly seboolean: name: cdrecord_read_content state: "{{ var_cdrecord_read_content }}" persistent: yes tags: - sebool_cdrecord_read_content - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Enable the unconfined_login SELinux Boolean By default, the SELinux boolean unconfined_login is enabled. If this setting is disabled, it should be enabled. 
To enable the unconfined_login SELinux boolean, run the following command: $ sudo setsebool -P unconfined_login on var_unconfined_login="" setsebool -P unconfined_login $var_unconfined_login - name: XCCDF Value var_unconfined_login # promote to variable set_fact: var_unconfined_login: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_unconfined_login - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean unconfined_login accordingly seboolean: name: unconfined_login state: "{{ var_unconfined_login }}" persistent: yes tags: - sebool_unconfined_login - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the logging_syslogd_can_sendmail SELinux Boolean By default, the SELinux boolean logging_syslogd_can_sendmail is disabled. If this setting is enabled, it should be disabled. 
To disable the logging_syslogd_can_sendmail SELinux boolean, run the following command: $ sudo setsebool -P logging_syslogd_can_sendmail off var_logging_syslogd_can_sendmail="" setsebool -P logging_syslogd_can_sendmail $var_logging_syslogd_can_sendmail - name: XCCDF Value var_logging_syslogd_can_sendmail # promote to variable set_fact: var_logging_syslogd_can_sendmail: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_logging_syslogd_can_sendmail - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean logging_syslogd_can_sendmail accordingly seboolean: name: logging_syslogd_can_sendmail state: "{{ var_logging_syslogd_can_sendmail }}" persistent: yes tags: - sebool_logging_syslogd_can_sendmail - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the gitosis_can_sendmail SELinux Boolean By default, the SELinux boolean gitosis_can_sendmail is disabled. If this setting is enabled, it should be disabled. 
To disable the gitosis_can_sendmail SELinux boolean, run the following command: $ sudo setsebool -P gitosis_can_sendmail off var_gitosis_can_sendmail="" setsebool -P gitosis_can_sendmail $var_gitosis_can_sendmail - name: XCCDF Value var_gitosis_can_sendmail # promote to variable set_fact: var_gitosis_can_sendmail: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_gitosis_can_sendmail - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean gitosis_can_sendmail accordingly seboolean: name: gitosis_can_sendmail state: "{{ var_gitosis_can_sendmail }}" persistent: yes tags: - sebool_gitosis_can_sendmail - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the httpd_use_sasl SELinux Boolean By default, the SELinux boolean httpd_use_sasl is disabled. If this setting is enabled, it should be disabled. 
To disable the httpd_use_sasl SELinux boolean, run the following command: $ sudo setsebool -P httpd_use_sasl off var_httpd_use_sasl="" setsebool -P httpd_use_sasl $var_httpd_use_sasl - name: XCCDF Value var_httpd_use_sasl # promote to variable set_fact: var_httpd_use_sasl: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_httpd_use_sasl - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean httpd_use_sasl accordingly seboolean: name: httpd_use_sasl state: "{{ var_httpd_use_sasl }}" persistent: yes tags: - sebool_httpd_use_sasl - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the git_system_use_cifs SELinux Boolean By default, the SELinux boolean git_system_use_cifs is disabled. If this setting is enabled, it should be disabled. 
To disable the git_system_use_cifs SELinux boolean, run the following command: $ sudo setsebool -P git_system_use_cifs off var_git_system_use_cifs="" setsebool -P git_system_use_cifs $var_git_system_use_cifs - name: XCCDF Value var_git_system_use_cifs # promote to variable set_fact: var_git_system_use_cifs: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_git_system_use_cifs - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean git_system_use_cifs accordingly seboolean: name: git_system_use_cifs state: "{{ var_git_system_use_cifs }}" persistent: yes tags: - sebool_git_system_use_cifs - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the virt_use_comm SELinux Boolean By default, the SELinux boolean virt_use_comm is disabled. If this setting is enabled, it should be disabled. 
To disable the virt_use_comm SELinux boolean, run the following command: $ sudo setsebool -P virt_use_comm off var_virt_use_comm="" setsebool -P virt_use_comm $var_virt_use_comm - name: XCCDF Value var_virt_use_comm # promote to variable set_fact: var_virt_use_comm: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_virt_use_comm - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean virt_use_comm accordingly seboolean: name: virt_use_comm state: "{{ var_virt_use_comm }}" persistent: yes tags: - sebool_virt_use_comm - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the selinuxuser_postgresql_connect_enabled SELinux Boolean By default, the SELinux boolean selinuxuser_postgresql_connect_enabled is disabled. If this setting is enabled, it should be disabled. 
To disable the selinuxuser_postgresql_connect_enabled SELinux boolean, run the following command: $ sudo setsebool -P selinuxuser_postgresql_connect_enabled off var_selinuxuser_postgresql_connect_enabled="" setsebool -P selinuxuser_postgresql_connect_enabled $var_selinuxuser_postgresql_connect_enabled - name: XCCDF Value var_selinuxuser_postgresql_connect_enabled # promote to variable set_fact: var_selinuxuser_postgresql_connect_enabled: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_selinuxuser_postgresql_connect_enabled - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean selinuxuser_postgresql_connect_enabled accordingly seboolean: name: selinuxuser_postgresql_connect_enabled state: "{{ var_selinuxuser_postgresql_connect_enabled }}" persistent: yes tags: - sebool_selinuxuser_postgresql_connect_enabled - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the dbadm_manage_user_files SELinux Boolean By default, the SELinux boolean dbadm_manage_user_files is disabled. If this setting is enabled, it should be disabled. 
To disable the dbadm_manage_user_files SELinux boolean, run the following command: $ sudo setsebool -P dbadm_manage_user_files off var_dbadm_manage_user_files="" setsebool -P dbadm_manage_user_files $var_dbadm_manage_user_files - name: XCCDF Value var_dbadm_manage_user_files # promote to variable set_fact: var_dbadm_manage_user_files: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_dbadm_manage_user_files - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean dbadm_manage_user_files accordingly seboolean: name: dbadm_manage_user_files state: "{{ var_dbadm_manage_user_files }}" persistent: yes tags: - sebool_dbadm_manage_user_files - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the httpd_can_network_connect_db SELinux Boolean By default, the SELinux boolean httpd_can_network_connect_db is disabled. If this setting is enabled, it should be disabled. 
To disable the httpd_can_network_connect_db SELinux boolean, run the following command: $ sudo setsebool -P httpd_can_network_connect_db off var_httpd_can_network_connect_db="" setsebool -P httpd_can_network_connect_db $var_httpd_can_network_connect_db - name: XCCDF Value var_httpd_can_network_connect_db # promote to variable set_fact: var_httpd_can_network_connect_db: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_httpd_can_network_connect_db - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean httpd_can_network_connect_db accordingly seboolean: name: httpd_can_network_connect_db state: "{{ var_httpd_can_network_connect_db }}" persistent: yes tags: - sebool_httpd_can_network_connect_db - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Configure the httpd_enable_cgi SELinux Boolean By default, the SELinux boolean httpd_enable_cgi is enabled. This setting should be disabled unless httpd is used with CGI scripting. 
To disable the httpd_enable_cgi SELinux boolean, run the following command: $ sudo setsebool -P httpd_enable_cgi off var_httpd_enable_cgi="" setsebool -P httpd_enable_cgi $var_httpd_enable_cgi - name: XCCDF Value var_httpd_enable_cgi # promote to variable set_fact: var_httpd_enable_cgi: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_httpd_enable_cgi - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean httpd_enable_cgi accordingly seboolean: name: httpd_enable_cgi state: "{{ var_httpd_enable_cgi }}" persistent: yes tags: - sebool_httpd_enable_cgi - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Enable the antivirus_can_scan_system SELinux Boolean By default, the SELinux boolean antivirus_can_scan_system is disabled. This setting should be enabled as it allows antivirus programs to read non-security files on a system. 
To enable the antivirus_can_scan_system SELinux boolean, run the following command: $ sudo setsebool -P antivirus_can_scan_system on 3.7.2 CCE-80422-9 var_antivirus_can_scan_system="" setsebool -P antivirus_can_scan_system $var_antivirus_can_scan_system - name: XCCDF Value var_antivirus_can_scan_system # promote to variable set_fact: var_antivirus_can_scan_system: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_antivirus_can_scan_system - medium_severity - enable_strategy - low_complexity - low_disruption - CCE-80422-9 - NIST-800-171-3.7.2 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean antivirus_can_scan_system accordingly seboolean: name: antivirus_can_scan_system state: "{{ var_antivirus_can_scan_system }}" persistent: yes tags: - sebool_antivirus_can_scan_system - medium_severity - enable_strategy - low_complexity - low_disruption - CCE-80422-9 - NIST-800-171-3.7.2 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the zarafa_setrlimit SELinux Boolean By default, the SELinux boolean zarafa_setrlimit is disabled. If this setting is enabled, it should be disabled. 
To disable the zarafa_setrlimit SELinux boolean, run the following command: $ sudo setsebool -P zarafa_setrlimit off var_zarafa_setrlimit="" setsebool -P zarafa_setrlimit $var_zarafa_setrlimit - name: XCCDF Value var_zarafa_setrlimit # promote to variable set_fact: var_zarafa_setrlimit: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_zarafa_setrlimit - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean zarafa_setrlimit accordingly seboolean: name: zarafa_setrlimit state: "{{ var_zarafa_setrlimit }}" persistent: yes tags: - sebool_zarafa_setrlimit - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the samba_export_all_ro SELinux Boolean By default, the SELinux boolean samba_export_all_ro is disabled. If this setting is enabled, it should be disabled. 
To disable the samba_export_all_ro SELinux boolean, run the following command: $ sudo setsebool -P samba_export_all_ro off var_samba_export_all_ro="" setsebool -P samba_export_all_ro $var_samba_export_all_ro - name: XCCDF Value var_samba_export_all_ro # promote to variable set_fact: var_samba_export_all_ro: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_samba_export_all_ro - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean samba_export_all_ro accordingly seboolean: name: samba_export_all_ro state: "{{ var_samba_export_all_ro }}" persistent: yes tags: - sebool_samba_export_all_ro - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the zoneminder_anon_write SELinux Boolean By default, the SELinux boolean zoneminder_anon_write is disabled. If this setting is enabled, it should be disabled. 
To disable the zoneminder_anon_write SELinux boolean, run the following command: $ sudo setsebool -P zoneminder_anon_write off var_zoneminder_anon_write="" setsebool -P zoneminder_anon_write $var_zoneminder_anon_write - name: XCCDF Value var_zoneminder_anon_write # promote to variable set_fact: var_zoneminder_anon_write: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_zoneminder_anon_write - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean zoneminder_anon_write accordingly seboolean: name: zoneminder_anon_write state: "{{ var_zoneminder_anon_write }}" persistent: yes tags: - sebool_zoneminder_anon_write - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the daemons_enable_cluster_mode SELinux Boolean By default, the SELinux boolean daemons_enable_cluster_mode is disabled. If this setting is enabled, it should be disabled. 
To disable the daemons_enable_cluster_mode SELinux boolean, run the following command: $ sudo setsebool -P daemons_enable_cluster_mode off var_daemons_enable_cluster_mode="" setsebool -P daemons_enable_cluster_mode $var_daemons_enable_cluster_mode - name: XCCDF Value var_daemons_enable_cluster_mode # promote to variable set_fact: var_daemons_enable_cluster_mode: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_daemons_enable_cluster_mode - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean daemons_enable_cluster_mode accordingly seboolean: name: daemons_enable_cluster_mode state: "{{ var_daemons_enable_cluster_mode }}" persistent: yes tags: - sebool_daemons_enable_cluster_mode - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the httpd_can_connect_mythtv SELinux Boolean By default, the SELinux boolean httpd_can_connect_mythtv is disabled. If this setting is enabled, it should be disabled. 
To disable the httpd_can_connect_mythtv SELinux boolean, run the following command: $ sudo setsebool -P httpd_can_connect_mythtv off var_httpd_can_connect_mythtv="" setsebool -P httpd_can_connect_mythtv $var_httpd_can_connect_mythtv - name: XCCDF Value var_httpd_can_connect_mythtv # promote to variable set_fact: var_httpd_can_connect_mythtv: !!str tags: - always - name: Ensure libsemanage-python installed package: name: libsemanage-python state: latest tags: - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice - sebool_httpd_can_connect_mythtv - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Set SELinux boolean httpd_can_connect_mythtv accordingly seboolean: name: httpd_can_connect_mythtv state: "{{ var_httpd_can_connect_mythtv }}" persistent: yes tags: - sebool_httpd_can_connect_mythtv - medium_severity - enable_strategy - low_complexity - low_disruption when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable the squid_connect_any SELinux Boolean By default, the SELinux boolean squid_connect_any is enabled. This setting should be disabled as squid should only connect on specified ports. 
To disable the squid_connect_any SELinux boolean, run the following command:

    $ sudo setsebool -P squid_connect_any off

Remediation Shell script:

    var_squid_connect_any="off"   # XCCDF variable; the rule above requires "off"
    setsebool -P squid_connect_any $var_squid_connect_any

Remediation Ansible snippet:

    - name: XCCDF Value var_squid_connect_any # promote to variable
      set_fact:
        var_squid_connect_any: !!str off   # XCCDF variable; the rule above requires "off"
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_squid_connect_any
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean squid_connect_any accordingly
      seboolean:
        name: squid_connect_any
        state: "{{ var_squid_connect_any }}"
        persistent: yes
      tags:
        - sebool_squid_connect_any
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the varnishd_connect_any SELinux Boolean

By default, the SELinux boolean varnishd_connect_any is disabled. If this setting is enabled, it should be disabled.
To disable the varnishd_connect_any SELinux boolean, run the following command:

    $ sudo setsebool -P varnishd_connect_any off

Remediation Shell script:

    var_varnishd_connect_any="off"   # XCCDF variable; the rule above requires "off"
    setsebool -P varnishd_connect_any $var_varnishd_connect_any

Remediation Ansible snippet:

    - name: XCCDF Value var_varnishd_connect_any # promote to variable
      set_fact:
        var_varnishd_connect_any: !!str off   # XCCDF variable; the rule above requires "off"
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_varnishd_connect_any
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean varnishd_connect_any accordingly
      seboolean:
        name: varnishd_connect_any
        state: "{{ var_varnishd_connect_any }}"
        persistent: yes
      tags:
        - sebool_varnishd_connect_any
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the privoxy_connect_any SELinux Boolean

By default, the SELinux boolean privoxy_connect_any is enabled. This setting should be disabled.
To disable the privoxy_connect_any SELinux boolean, run the following command:

    $ sudo setsebool -P privoxy_connect_any off

Remediation Shell script:

    var_privoxy_connect_any="off"   # XCCDF variable; the rule above requires "off"
    setsebool -P privoxy_connect_any $var_privoxy_connect_any

Remediation Ansible snippet:

    - name: XCCDF Value var_privoxy_connect_any # promote to variable
      set_fact:
        var_privoxy_connect_any: !!str off   # XCCDF variable; the rule above requires "off"
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_privoxy_connect_any
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean privoxy_connect_any accordingly
      seboolean:
        name: privoxy_connect_any
        state: "{{ var_privoxy_connect_any }}"
        persistent: yes
      tags:
        - sebool_privoxy_connect_any
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the xend_run_qemu SELinux Boolean

By default, the SELinux boolean xend_run_qemu is enabled. If this setting is disabled, it should be enabled.
To enable the xend_run_qemu SELinux boolean, run the following command:

    $ sudo setsebool -P xend_run_qemu on

Remediation Shell script:

    var_xend_run_qemu="on"   # XCCDF variable; the rule above requires "on"
    setsebool -P xend_run_qemu $var_xend_run_qemu

Remediation Ansible snippet:

    - name: XCCDF Value var_xend_run_qemu # promote to variable
      set_fact:
        var_xend_run_qemu: !!str on   # XCCDF variable; the rule above requires "on"
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_xend_run_qemu
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean xend_run_qemu accordingly
      seboolean:
        name: xend_run_qemu
        state: "{{ var_xend_run_qemu }}"
        persistent: yes
      tags:
        - sebool_xend_run_qemu
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the abrt_upload_watch_anon_write SELinux Boolean

By default, the SELinux boolean abrt_upload_watch_anon_write is enabled. This setting should be disabled, since it allows the Automatic Bug Reporting Tool (ABRT) to modify public files used by public file transfer services.
To disable the abrt_upload_watch_anon_write SELinux boolean, run the following command:

    $ sudo setsebool -P abrt_upload_watch_anon_write off

Identifiers and References:

    Identifiers: CCE-80421-1
    References: NIST 800-171 3.7.2

Remediation Shell script:

    var_abrt_upload_watch_anon_write="off"   # XCCDF variable; the rule above requires "off"
    setsebool -P abrt_upload_watch_anon_write $var_abrt_upload_watch_anon_write

Remediation Ansible snippet:

    - name: XCCDF Value var_abrt_upload_watch_anon_write # promote to variable
      set_fact:
        var_abrt_upload_watch_anon_write: !!str off   # XCCDF variable; the rule above requires "off"
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_abrt_upload_watch_anon_write
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80421-1
        - NIST-800-171-3.7.2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean abrt_upload_watch_anon_write accordingly
      seboolean:
        name: abrt_upload_watch_anon_write
        state: "{{ var_abrt_upload_watch_anon_write }}"
        persistent: yes
      tags:
        - sebool_abrt_upload_watch_anon_write
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80421-1
        - NIST-800-171-3.7.2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the openshift_use_nfs SELinux Boolean

By default, the SELinux boolean openshift_use_nfs is disabled. If this setting is enabled, it should be disabled.
To disable the openshift_use_nfs SELinux boolean, run the following command:

    $ sudo setsebool -P openshift_use_nfs off

Remediation Shell script:

    var_openshift_use_nfs="off"   # XCCDF variable; the rule above requires "off"
    setsebool -P openshift_use_nfs $var_openshift_use_nfs

Remediation Ansible snippet:

    - name: XCCDF Value var_openshift_use_nfs # promote to variable
      set_fact:
        var_openshift_use_nfs: !!str off   # XCCDF variable; the rule above requires "off"
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_openshift_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean openshift_use_nfs accordingly
      seboolean:
        name: openshift_use_nfs
        state: "{{ var_openshift_use_nfs }}"
        persistent: yes
      tags:
        - sebool_openshift_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the unconfined_mozilla_plugin_transition SELinux Boolean

By default, the SELinux boolean unconfined_mozilla_plugin_transition is enabled. If this setting is disabled, it should be enabled.
To enable the unconfined_mozilla_plugin_transition SELinux boolean, run the following command:

    $ sudo setsebool -P unconfined_mozilla_plugin_transition on

Remediation Shell script:

    var_unconfined_mozilla_plugin_transition="on"   # XCCDF variable; the rule above requires "on"
    setsebool -P unconfined_mozilla_plugin_transition $var_unconfined_mozilla_plugin_transition

Remediation Ansible snippet:

    - name: XCCDF Value var_unconfined_mozilla_plugin_transition # promote to variable
      set_fact:
        var_unconfined_mozilla_plugin_transition: !!str on   # XCCDF variable; the rule above requires "on"
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_unconfined_mozilla_plugin_transition
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean unconfined_mozilla_plugin_transition accordingly
      seboolean:
        name: unconfined_mozilla_plugin_transition
        state: "{{ var_unconfined_mozilla_plugin_transition }}"
        persistent: yes
      tags:
        - sebool_unconfined_mozilla_plugin_transition
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the conman_can_network SELinux Boolean

By default, the SELinux boolean conman_can_network is disabled. If this setting is enabled, it should be disabled.
To disable the conman_can_network SELinux boolean, run the following command:

    $ sudo setsebool -P conman_can_network off

Remediation Shell script:

    var_conman_can_network="off"   # XCCDF variable; the rule above requires "off"
    setsebool -P conman_can_network $var_conman_can_network

Remediation Ansible snippet:

    - name: XCCDF Value var_conman_can_network # promote to variable
      set_fact:
        var_conman_can_network: !!str off   # XCCDF variable; the rule above requires "off"
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_conman_can_network
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean conman_can_network accordingly
      seboolean:
        name: conman_can_network
        state: "{{ var_conman_can_network }}"
        persistent: yes
      tags:
        - sebool_conman_can_network
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the cobbler_can_network_connect SELinux Boolean

By default, the SELinux boolean cobbler_can_network_connect is disabled. If this setting is enabled, it should be disabled.
To disable the cobbler_can_network_connect SELinux boolean, run the following command:

    $ sudo setsebool -P cobbler_can_network_connect off

Remediation Shell script:

    var_cobbler_can_network_connect="off"   # XCCDF variable; the rule above requires "off"
    setsebool -P cobbler_can_network_connect $var_cobbler_can_network_connect

Remediation Ansible snippet:

    - name: XCCDF Value var_cobbler_can_network_connect # promote to variable
      set_fact:
        var_cobbler_can_network_connect: !!str off   # XCCDF variable; the rule above requires "off"
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_cobbler_can_network_connect
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean cobbler_can_network_connect accordingly
      seboolean:
        name: cobbler_can_network_connect
        state: "{{ var_cobbler_can_network_connect }}"
        persistent: yes
      tags:
        - sebool_cobbler_can_network_connect
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the daemons_use_tty SELinux Boolean

By default, the SELinux boolean daemons_use_tty is disabled. If this setting is enabled, it should be disabled.
To disable the daemons_use_tty SELinux boolean, run the following command:

    $ sudo setsebool -P daemons_use_tty off

Remediation Shell script:

    var_daemons_use_tty="off"   # XCCDF variable; the rule above requires "off"
    setsebool -P daemons_use_tty $var_daemons_use_tty

Remediation Ansible snippet:

    - name: XCCDF Value var_daemons_use_tty # promote to variable
      set_fact:
        var_daemons_use_tty: !!str off   # XCCDF variable; the rule above requires "off"
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_daemons_use_tty
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean daemons_use_tty accordingly
      seboolean:
        name: daemons_use_tty
        state: "{{ var_daemons_use_tty }}"
        persistent: yes
      tags:
        - sebool_daemons_use_tty
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the zoneminder_run_sudo SELinux Boolean

By default, the SELinux boolean zoneminder_run_sudo is disabled. If this setting is enabled, it should be disabled.
To disable the zoneminder_run_sudo SELinux boolean, run the following command:

    $ sudo setsebool -P zoneminder_run_sudo off

Remediation Shell script:

    var_zoneminder_run_sudo="off"   # XCCDF variable; the rule above requires "off"
    setsebool -P zoneminder_run_sudo $var_zoneminder_run_sudo

Remediation Ansible snippet:

    - name: XCCDF Value var_zoneminder_run_sudo # promote to variable
      set_fact:
        var_zoneminder_run_sudo: !!str off   # XCCDF variable; the rule above requires "off"
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_zoneminder_run_sudo
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean zoneminder_run_sudo accordingly
      seboolean:
        name: zoneminder_run_sudo
        state: "{{ var_zoneminder_run_sudo }}"
        persistent: yes
      tags:
        - sebool_zoneminder_run_sudo
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the postgresql_selinux_unconfined_dbadm SELinux Boolean

By default, the SELinux boolean postgresql_selinux_unconfined_dbadm is enabled. If this setting is disabled, it should be enabled, since it allows database administrators to execute Data Manipulation Language (DML) statements.
To enable the postgresql_selinux_unconfined_dbadm SELinux boolean, run the following command:

    $ sudo setsebool -P postgresql_selinux_unconfined_dbadm on

Remediation Shell script:

    var_postgresql_selinux_unconfined_dbadm="on"   # XCCDF variable; the rule above requires "on"
    setsebool -P postgresql_selinux_unconfined_dbadm $var_postgresql_selinux_unconfined_dbadm

Remediation Ansible snippet:

    - name: XCCDF Value var_postgresql_selinux_unconfined_dbadm # promote to variable
      set_fact:
        var_postgresql_selinux_unconfined_dbadm: !!str on   # XCCDF variable; the rule above requires "on"
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_postgresql_selinux_unconfined_dbadm
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean postgresql_selinux_unconfined_dbadm accordingly
      seboolean:
        name: postgresql_selinux_unconfined_dbadm
        state: "{{ var_postgresql_selinux_unconfined_dbadm }}"
        persistent: yes
      tags:
        - sebool_postgresql_selinux_unconfined_dbadm
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the samba_export_all_rw SELinux Boolean

By default, the SELinux boolean samba_export_all_rw is disabled. If this setting is enabled, it should be disabled.
To disable the samba_export_all_rw SELinux boolean, run the following command:

    $ sudo setsebool -P samba_export_all_rw off

Remediation Shell script:

    var_samba_export_all_rw="off"   # XCCDF variable; the rule above requires "off"
    setsebool -P samba_export_all_rw $var_samba_export_all_rw

Remediation Ansible snippet:

    - name: XCCDF Value var_samba_export_all_rw # promote to variable
      set_fact:
        var_samba_export_all_rw: !!str off   # XCCDF variable; the rule above requires "off"
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_samba_export_all_rw
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean samba_export_all_rw accordingly
      seboolean:
        name: samba_export_all_rw
        state: "{{ var_samba_export_all_rw }}"
        persistent: yes
      tags:
        - sebool_samba_export_all_rw
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the httpd_graceful_shutdown SELinux Boolean

By default, the SELinux boolean httpd_graceful_shutdown is enabled. If this setting is disabled, it should be enabled.
To enable the httpd_graceful_shutdown SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_graceful_shutdown on

Remediation Shell script:

    var_httpd_graceful_shutdown="on"   # XCCDF variable; the rule above requires "on"
    setsebool -P httpd_graceful_shutdown $var_httpd_graceful_shutdown

Remediation Ansible snippet:

    - name: XCCDF Value var_httpd_graceful_shutdown # promote to variable
      set_fact:
        var_httpd_graceful_shutdown: !!str on   # XCCDF variable; the rule above requires "on"
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_graceful_shutdown
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_graceful_shutdown accordingly
      seboolean:
        name: httpd_graceful_shutdown
        state: "{{ var_httpd_graceful_shutdown }}"
        persistent: yes
      tags:
        - sebool_httpd_graceful_shutdown
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the pppd_can_insmod SELinux Boolean

By default, the SELinux boolean pppd_can_insmod is disabled. If this setting is enabled, it should be disabled.
To disable the pppd_can_insmod SELinux boolean, run the following command:

    $ sudo setsebool -P pppd_can_insmod off

Remediation Shell script:

    var_pppd_can_insmod="off"   # XCCDF variable; the rule above requires "off"
    setsebool -P pppd_can_insmod $var_pppd_can_insmod

Remediation Ansible snippet:

    - name: XCCDF Value var_pppd_can_insmod # promote to variable
      set_fact:
        var_pppd_can_insmod: !!str off   # XCCDF variable; the rule above requires "off"
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_pppd_can_insmod
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean pppd_can_insmod accordingly
      seboolean:
        name: pppd_can_insmod
        state: "{{ var_pppd_can_insmod }}"
        persistent: yes
      tags:
        - sebool_pppd_can_insmod
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the webadm_manage_user_files SELinux Boolean

By default, the SELinux boolean webadm_manage_user_files is disabled. If this setting is enabled, it should be disabled.
To disable the webadm_manage_user_files SELinux boolean, run the following command:

    $ sudo setsebool -P webadm_manage_user_files off

Remediation Shell script:

    var_webadm_manage_user_files="off"   # XCCDF variable; the rule above requires "off"
    setsebool -P webadm_manage_user_files $var_webadm_manage_user_files

Remediation Ansible snippet:

    - name: XCCDF Value var_webadm_manage_user_files # promote to variable
      set_fact:
        var_webadm_manage_user_files: !!str off   # XCCDF variable; the rule above requires "off"
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_webadm_manage_user_files
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean webadm_manage_user_files accordingly
      seboolean:
        name: webadm_manage_user_files
        state: "{{ var_webadm_manage_user_files }}"
        persistent: yes
      tags:
        - sebool_webadm_manage_user_files
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the secure_mode SELinux Boolean

By default, the SELinux boolean secure_mode is disabled. If this setting is enabled, it should be disabled.
To disable the secure_mode SELinux boolean, run the following command:

    $ sudo setsebool -P secure_mode off

Remediation Shell script:

    var_secure_mode="off"   # XCCDF variable; the rule above requires "off"
    setsebool -P secure_mode $var_secure_mode

Remediation Ansible snippet:

    - name: XCCDF Value var_secure_mode # promote to variable
      set_fact:
        var_secure_mode: !!str off   # XCCDF variable; the rule above requires "off"
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_secure_mode
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean secure_mode accordingly
      seboolean:
        name: secure_mode
        state: "{{ var_secure_mode }}"
        persistent: yes
      tags:
        - sebool_secure_mode
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the cluster_use_execmem SELinux Boolean

By default, the SELinux boolean cluster_use_execmem is disabled. If this setting is enabled, it should be disabled.
To disable the cluster_use_execmem SELinux boolean, run the following command:

    $ sudo setsebool -P cluster_use_execmem off

Remediation Shell script:

    var_cluster_use_execmem="off"   # XCCDF variable; the rule above requires "off"
    setsebool -P cluster_use_execmem $var_cluster_use_execmem

Remediation Ansible snippet:

    - name: XCCDF Value var_cluster_use_execmem # promote to variable
      set_fact:
        var_cluster_use_execmem: !!str off   # XCCDF variable; the rule above requires "off"
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_cluster_use_execmem
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean cluster_use_execmem accordingly
      seboolean:
        name: cluster_use_execmem
        state: "{{ var_cluster_use_execmem }}"
        persistent: yes
      tags:
        - sebool_cluster_use_execmem
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_serve_cobbler_files SELinux Boolean

By default, the SELinux boolean httpd_serve_cobbler_files is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_serve_cobbler_files SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_serve_cobbler_files off

Remediation Shell script:

    var_httpd_serve_cobbler_files="off"   # XCCDF variable; the rule above requires "off"
    setsebool -P httpd_serve_cobbler_files $var_httpd_serve_cobbler_files

Remediation Ansible snippet:

    - name: XCCDF Value var_httpd_serve_cobbler_files # promote to variable
      set_fact:
        var_httpd_serve_cobbler_files: !!str off   # XCCDF variable; the rule above requires "off"
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_serve_cobbler_files
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_serve_cobbler_files accordingly
      seboolean:
        name: httpd_serve_cobbler_files
        state: "{{ var_httpd_serve_cobbler_files }}"
        persistent: yes
      tags:
        - sebool_httpd_serve_cobbler_files
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the irssi_use_full_network SELinux Boolean

By default, the SELinux boolean irssi_use_full_network is disabled. If this setting is enabled, it should be disabled.
To disable the irssi_use_full_network SELinux boolean, run the following command:

    $ sudo setsebool -P irssi_use_full_network off

Remediation Shell script:

    var_irssi_use_full_network="off"   # XCCDF variable; the rule above requires "off"
    setsebool -P irssi_use_full_network $var_irssi_use_full_network

Remediation Ansible snippet:

    - name: XCCDF Value var_irssi_use_full_network # promote to variable
      set_fact:
        var_irssi_use_full_network: !!str off   # XCCDF variable; the rule above requires "off"
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_irssi_use_full_network
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean irssi_use_full_network accordingly
      seboolean:
        name: irssi_use_full_network
        state: "{{ var_irssi_use_full_network }}"
        persistent: yes
      tags:
        - sebool_irssi_use_full_network
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the xdm_bind_vnc_tcp_port SELinux Boolean

By default, the SELinux boolean xdm_bind_vnc_tcp_port is disabled. If this setting is enabled, it should be disabled.
To disable the xdm_bind_vnc_tcp_port SELinux boolean, run the following command:

    $ sudo setsebool -P xdm_bind_vnc_tcp_port off

Remediation Shell script:

    var_xdm_bind_vnc_tcp_port="off"   # XCCDF variable; the rule above requires "off"
    setsebool -P xdm_bind_vnc_tcp_port $var_xdm_bind_vnc_tcp_port

Remediation Ansible snippet:

    - name: XCCDF Value var_xdm_bind_vnc_tcp_port # promote to variable
      set_fact:
        var_xdm_bind_vnc_tcp_port: !!str off   # XCCDF variable; the rule above requires "off"
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_xdm_bind_vnc_tcp_port
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean xdm_bind_vnc_tcp_port accordingly
      seboolean:
        name: xdm_bind_vnc_tcp_port
        state: "{{ var_xdm_bind_vnc_tcp_port }}"
        persistent: yes
      tags:
        - sebool_xdm_bind_vnc_tcp_port
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure the selinuxuser_direct_dri_enabled SELinux Boolean

By default, the SELinux boolean selinuxuser_direct_dri_enabled is enabled. If the X Window System is not installed or not used on the system, this setting should be disabled. Otherwise, enable it.
To disable the selinuxuser_direct_dri_enabled SELinux boolean, run the following command:

    $ sudo setsebool -P selinuxuser_direct_dri_enabled off

Remediation Shell script:

    # XCCDF variable; "off" when the X Window System is not used, "on" otherwise (see the rule above)
    var_selinuxuser_direct_dri_enabled="off"
    setsebool -P selinuxuser_direct_dri_enabled $var_selinuxuser_direct_dri_enabled

Remediation Ansible snippet:

    - name: XCCDF Value var_selinuxuser_direct_dri_enabled # promote to variable
      set_fact:
        # XCCDF variable; "off" when the X Window System is not used, "on" otherwise (see the rule above)
        var_selinuxuser_direct_dri_enabled: !!str off
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_selinuxuser_direct_dri_enabled
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean selinuxuser_direct_dri_enabled accordingly
      seboolean:
        name: selinuxuser_direct_dri_enabled
        state: "{{ var_selinuxuser_direct_dri_enabled }}"
        persistent: yes
      tags:
        - sebool_selinuxuser_direct_dri_enabled
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the swift_can_network SELinux Boolean

By default, the SELinux boolean swift_can_network is disabled. If this setting is enabled, it should be disabled.
To disable the swift_can_network SELinux boolean, run the following command:

    $ sudo setsebool -P swift_can_network off

Remediation Shell script:

    var_swift_can_network="off"   # XCCDF variable; the rule above requires "off"
    setsebool -P swift_can_network $var_swift_can_network

Remediation Ansible snippet:

    - name: XCCDF Value var_swift_can_network # promote to variable
      set_fact:
        var_swift_can_network: !!str off   # XCCDF variable; the rule above requires "off"
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_swift_can_network
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean swift_can_network accordingly
      seboolean:
        name: swift_can_network
        state: "{{ var_swift_can_network }}"
        persistent: yes
      tags:
        - sebool_swift_can_network
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_can_connect_zabbix SELinux Boolean

By default, the SELinux boolean httpd_can_connect_zabbix is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_can_connect_zabbix SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_can_connect_zabbix off

Remediation Shell script:

    var_httpd_can_connect_zabbix="off"   # XCCDF variable; the rule above requires "off"
    setsebool -P httpd_can_connect_zabbix $var_httpd_can_connect_zabbix

Remediation Ansible snippet:

    - name: XCCDF Value var_httpd_can_connect_zabbix # promote to variable
      set_fact:
        var_httpd_can_connect_zabbix: !!str off   # XCCDF variable; the rule above requires "off"
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_can_connect_zabbix
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_can_connect_zabbix accordingly
      seboolean:
        name: httpd_can_connect_zabbix
        state: "{{ var_httpd_can_connect_zabbix }}"
        persistent: yes
      tags:
        - sebool_httpd_can_connect_zabbix
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the mcelog_foreground SELinux Boolean

By default, the SELinux boolean mcelog_foreground is disabled. If this setting is enabled, it should be disabled.
To disable the mcelog_foreground SELinux boolean, run the following command:

    $ sudo setsebool -P mcelog_foreground off

Remediation Shell script:

    var_mcelog_foreground=""
    setsebool -P mcelog_foreground $var_mcelog_foreground

Remediation Ansible snippet:

    - name: XCCDF Value var_mcelog_foreground # promote to variable
      set_fact:
        var_mcelog_foreground: !!str
      tags:
        - always
    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_mcelog_foreground
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Set SELinux boolean mcelog_foreground accordingly
      seboolean:
        name: mcelog_foreground
        state: "{{ var_mcelog_foreground }}"
        persistent: yes
      tags:
        - sebool_mcelog_foreground
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the cobbler_use_cifs SELinux Boolean

By default, the SELinux boolean cobbler_use_cifs is disabled. If this setting is enabled, it should be disabled.
To disable the cobbler_use_cifs SELinux boolean, run the following command:

    $ sudo setsebool -P cobbler_use_cifs off

Remediation Shell script:

    var_cobbler_use_cifs=""
    setsebool -P cobbler_use_cifs $var_cobbler_use_cifs

Remediation Ansible snippet:

    - name: XCCDF Value var_cobbler_use_cifs # promote to variable
      set_fact:
        var_cobbler_use_cifs: !!str
      tags:
        - always
    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_cobbler_use_cifs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Set SELinux boolean cobbler_use_cifs accordingly
      seboolean:
        name: cobbler_use_cifs
        state: "{{ var_cobbler_use_cifs }}"
        persistent: yes
      tags:
        - sebool_cobbler_use_cifs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the virt_sandbox_use_sys_admin SELinux Boolean

By default, the SELinux boolean virt_sandbox_use_sys_admin is disabled. If this setting is enabled, it should be disabled.
To disable the virt_sandbox_use_sys_admin SELinux boolean, run the following command:

    $ sudo setsebool -P virt_sandbox_use_sys_admin off

Remediation Shell script:

    var_virt_sandbox_use_sys_admin=""
    setsebool -P virt_sandbox_use_sys_admin $var_virt_sandbox_use_sys_admin

Remediation Ansible snippet:

    - name: XCCDF Value var_virt_sandbox_use_sys_admin # promote to variable
      set_fact:
        var_virt_sandbox_use_sys_admin: !!str
      tags:
        - always
    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_virt_sandbox_use_sys_admin
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Set SELinux boolean virt_sandbox_use_sys_admin accordingly
      seboolean:
        name: virt_sandbox_use_sys_admin
        state: "{{ var_virt_sandbox_use_sys_admin }}"
        persistent: yes
      tags:
        - sebool_virt_sandbox_use_sys_admin
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the virt_use_execmem SELinux Boolean

By default, the SELinux boolean virt_use_execmem is disabled. If this setting is enabled, it should be disabled.
To disable the virt_use_execmem SELinux boolean, run the following command:

    $ sudo setsebool -P virt_use_execmem off

Remediation Shell script:

    var_virt_use_execmem=""
    setsebool -P virt_use_execmem $var_virt_use_execmem

Remediation Ansible snippet:

    - name: XCCDF Value var_virt_use_execmem # promote to variable
      set_fact:
        var_virt_use_execmem: !!str
      tags:
        - always
    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_virt_use_execmem
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Set SELinux boolean virt_use_execmem accordingly
      seboolean:
        name: virt_use_execmem
        state: "{{ var_virt_use_execmem }}"
        persistent: yes
      tags:
        - sebool_virt_use_execmem
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the exim_can_connect_db SELinux Boolean

By default, the SELinux boolean exim_can_connect_db is disabled. If this setting is enabled, it should be disabled.
To disable the exim_can_connect_db SELinux boolean, run the following command:

    $ sudo setsebool -P exim_can_connect_db off

Remediation Shell script:

    var_exim_can_connect_db=""
    setsebool -P exim_can_connect_db $var_exim_can_connect_db

Remediation Ansible snippet:

    - name: XCCDF Value var_exim_can_connect_db # promote to variable
      set_fact:
        var_exim_can_connect_db: !!str
      tags:
        - always
    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_exim_can_connect_db
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Set SELinux boolean exim_can_connect_db accordingly
      seboolean:
        name: exim_can_connect_db
        state: "{{ var_exim_can_connect_db }}"
        persistent: yes
      tags:
        - sebool_exim_can_connect_db
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the cluster_manage_all_files SELinux Boolean

By default, the SELinux boolean cluster_manage_all_files is disabled. If this setting is enabled, it should be disabled.
To disable the cluster_manage_all_files SELinux boolean, run the following command:

    $ sudo setsebool -P cluster_manage_all_files off

Remediation Shell script:

    var_cluster_manage_all_files=""
    setsebool -P cluster_manage_all_files $var_cluster_manage_all_files

Remediation Ansible snippet:

    - name: XCCDF Value var_cluster_manage_all_files # promote to variable
      set_fact:
        var_cluster_manage_all_files: !!str
      tags:
        - always
    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_cluster_manage_all_files
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Set SELinux boolean cluster_manage_all_files accordingly
      seboolean:
        name: cluster_manage_all_files
        state: "{{ var_cluster_manage_all_files }}"
        persistent: yes
      tags:
        - sebool_cluster_manage_all_files
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the xserver_execmem SELinux Boolean

By default, the SELinux boolean xserver_execmem is disabled. If this setting is enabled, it should be disabled.
To disable the xserver_execmem SELinux boolean, run the following command:

    $ sudo setsebool -P xserver_execmem off

Remediation Shell script:

    var_xserver_execmem=""
    setsebool -P xserver_execmem $var_xserver_execmem

Remediation Ansible snippet:

    - name: XCCDF Value var_xserver_execmem # promote to variable
      set_fact:
        var_xserver_execmem: !!str
      tags:
        - always
    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_xserver_execmem
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Set SELinux boolean xserver_execmem accordingly
      seboolean:
        name: xserver_execmem
        state: "{{ var_xserver_execmem }}"
        persistent: yes
      tags:
        - sebool_xserver_execmem
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the cobbler_use_nfs SELinux Boolean

By default, the SELinux boolean cobbler_use_nfs is disabled. If this setting is enabled, it should be disabled.
To disable the cobbler_use_nfs SELinux boolean, run the following command:

    $ sudo setsebool -P cobbler_use_nfs off

Remediation Shell script:

    var_cobbler_use_nfs=""
    setsebool -P cobbler_use_nfs $var_cobbler_use_nfs

Remediation Ansible snippet:

    - name: XCCDF Value var_cobbler_use_nfs # promote to variable
      set_fact:
        var_cobbler_use_nfs: !!str
      tags:
        - always
    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_cobbler_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Set SELinux boolean cobbler_use_nfs accordingly
      seboolean:
        name: cobbler_use_nfs
        state: "{{ var_cobbler_use_nfs }}"
        persistent: yes
      tags:
        - sebool_cobbler_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the cups_execmem SELinux Boolean

By default, the SELinux boolean cups_execmem is disabled. If this setting is enabled, it should be disabled.
To disable the cups_execmem SELinux boolean, run the following command:

    $ sudo setsebool -P cups_execmem off

Remediation Shell script:

    var_cups_execmem=""
    setsebool -P cups_execmem $var_cups_execmem

Remediation Ansible snippet:

    - name: XCCDF Value var_cups_execmem # promote to variable
      set_fact:
        var_cups_execmem: !!str
      tags:
        - always
    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_cups_execmem
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Set SELinux boolean cups_execmem accordingly
      seboolean:
        name: cups_execmem
        state: "{{ var_cups_execmem }}"
        persistent: yes
      tags:
        - sebool_cups_execmem
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the puppetmaster_use_db SELinux Boolean

By default, the SELinux boolean puppetmaster_use_db is disabled. If this setting is enabled, it should be disabled.
To disable the puppetmaster_use_db SELinux boolean, run the following command:

    $ sudo setsebool -P puppetmaster_use_db off

Remediation Shell script:

    var_puppetmaster_use_db=""
    setsebool -P puppetmaster_use_db $var_puppetmaster_use_db

Remediation Ansible snippet:

    - name: XCCDF Value var_puppetmaster_use_db # promote to variable
      set_fact:
        var_puppetmaster_use_db: !!str
      tags:
        - always
    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_puppetmaster_use_db
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Set SELinux boolean puppetmaster_use_db accordingly
      seboolean:
        name: puppetmaster_use_db
        state: "{{ var_puppetmaster_use_db }}"
        persistent: yes
      tags:
        - sebool_puppetmaster_use_db
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the xserver_clients_write_xshm SELinux Boolean

By default, the SELinux boolean xserver_clients_write_xshm is disabled. If this setting is enabled, it should be disabled.
To disable the xserver_clients_write_xshm SELinux boolean, run the following command:

    $ sudo setsebool -P xserver_clients_write_xshm off

Remediation Shell script:

    var_xserver_clients_write_xshm=""
    setsebool -P xserver_clients_write_xshm $var_xserver_clients_write_xshm

Remediation Ansible snippet:

    - name: XCCDF Value var_xserver_clients_write_xshm # promote to variable
      set_fact:
        var_xserver_clients_write_xshm: !!str
      tags:
        - always
    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_xserver_clients_write_xshm
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Set SELinux boolean xserver_clients_write_xshm accordingly
      seboolean:
        name: xserver_clients_write_xshm
        state: "{{ var_xserver_clients_write_xshm }}"
        persistent: yes
      tags:
        - sebool_xserver_clients_write_xshm
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the use_ecryptfs_home_dirs SELinux Boolean

By default, the SELinux boolean use_ecryptfs_home_dirs is disabled. If this setting is enabled, it should be disabled.
To disable the use_ecryptfs_home_dirs SELinux boolean, run the following command:

    $ sudo setsebool -P use_ecryptfs_home_dirs off

Remediation Shell script:

    var_use_ecryptfs_home_dirs=""
    setsebool -P use_ecryptfs_home_dirs $var_use_ecryptfs_home_dirs

Remediation Ansible snippet:

    - name: XCCDF Value var_use_ecryptfs_home_dirs # promote to variable
      set_fact:
        var_use_ecryptfs_home_dirs: !!str
      tags:
        - always
    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_use_ecryptfs_home_dirs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Set SELinux boolean use_ecryptfs_home_dirs accordingly
      seboolean:
        name: use_ecryptfs_home_dirs
        state: "{{ var_use_ecryptfs_home_dirs }}"
        persistent: yes
      tags:
        - sebool_use_ecryptfs_home_dirs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the dbadm_exec_content SELinux Boolean

By default, the SELinux boolean dbadm_exec_content is enabled. If this setting is disabled, it should be enabled.
To enable the dbadm_exec_content SELinux boolean, run the following command:

    $ sudo setsebool -P dbadm_exec_content on

Remediation Shell script:

    var_dbadm_exec_content=""
    setsebool -P dbadm_exec_content $var_dbadm_exec_content

Remediation Ansible snippet:

    - name: XCCDF Value var_dbadm_exec_content # promote to variable
      set_fact:
        var_dbadm_exec_content: !!str
      tags:
        - always
    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_dbadm_exec_content
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Set SELinux boolean dbadm_exec_content accordingly
      seboolean:
        name: dbadm_exec_content
        state: "{{ var_dbadm_exec_content }}"
        persistent: yes
      tags:
        - sebool_dbadm_exec_content
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the use_nfs_home_dirs SELinux Boolean

By default, the SELinux boolean use_nfs_home_dirs is disabled. If this setting is enabled, it should be disabled.
To disable the use_nfs_home_dirs SELinux boolean, run the following command:

    $ sudo setsebool -P use_nfs_home_dirs off

Remediation Shell script:

    var_use_nfs_home_dirs=""
    setsebool -P use_nfs_home_dirs $var_use_nfs_home_dirs

Remediation Ansible snippet:

    - name: XCCDF Value var_use_nfs_home_dirs # promote to variable
      set_fact:
        var_use_nfs_home_dirs: !!str
      tags:
        - always
    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_use_nfs_home_dirs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Set SELinux boolean use_nfs_home_dirs accordingly
      seboolean:
        name: use_nfs_home_dirs
        state: "{{ var_use_nfs_home_dirs }}"
        persistent: yes
      tags:
        - sebool_use_nfs_home_dirs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the tor_can_network_relay SELinux Boolean

By default, the SELinux boolean tor_can_network_relay is disabled. If this setting is enabled, it should be disabled.
To disable the tor_can_network_relay SELinux boolean, run the following command:

    $ sudo setsebool -P tor_can_network_relay off

Remediation Shell script:

    var_tor_can_network_relay=""
    setsebool -P tor_can_network_relay $var_tor_can_network_relay

Remediation Ansible snippet:

    - name: XCCDF Value var_tor_can_network_relay # promote to variable
      set_fact:
        var_tor_can_network_relay: !!str
      tags:
        - always
    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_tor_can_network_relay
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Set SELinux boolean tor_can_network_relay accordingly
      seboolean:
        name: tor_can_network_relay
        state: "{{ var_tor_can_network_relay }}"
        persistent: yes
      tags:
        - sebool_tor_can_network_relay
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_unified SELinux Boolean

By default, the SELinux boolean httpd_unified is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_unified SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_unified off

Remediation Shell script:

    var_httpd_unified=""
    setsebool -P httpd_unified $var_httpd_unified

Remediation Ansible snippet:

    - name: XCCDF Value var_httpd_unified # promote to variable
      set_fact:
        var_httpd_unified: !!str
      tags:
        - always
    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_unified
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Set SELinux boolean httpd_unified accordingly
      seboolean:
        name: httpd_unified
        state: "{{ var_httpd_unified }}"
        persistent: yes
      tags:
        - sebool_httpd_unified
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the mock_enable_homedirs SELinux Boolean

By default, the SELinux boolean mock_enable_homedirs is disabled. If this setting is enabled, it should be disabled.
To disable the mock_enable_homedirs SELinux boolean, run the following command:

    $ sudo setsebool -P mock_enable_homedirs off

Remediation Shell script:

    var_mock_enable_homedirs=""
    setsebool -P mock_enable_homedirs $var_mock_enable_homedirs

Remediation Ansible snippet:

    - name: XCCDF Value var_mock_enable_homedirs # promote to variable
      set_fact:
        var_mock_enable_homedirs: !!str
      tags:
        - always
    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_mock_enable_homedirs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Set SELinux boolean mock_enable_homedirs accordingly
      seboolean:
        name: mock_enable_homedirs
        state: "{{ var_mock_enable_homedirs }}"
        persistent: yes
      tags:
        - sebool_mock_enable_homedirs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_can_network_relay SELinux Boolean

By default, the SELinux boolean httpd_can_network_relay is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_can_network_relay SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_can_network_relay off

Remediation Shell script:

    var_httpd_can_network_relay=""
    setsebool -P httpd_can_network_relay $var_httpd_can_network_relay

Remediation Ansible snippet:

    - name: XCCDF Value var_httpd_can_network_relay # promote to variable
      set_fact:
        var_httpd_can_network_relay: !!str
      tags:
        - always
    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_can_network_relay
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Set SELinux boolean httpd_can_network_relay accordingly
      seboolean:
        name: httpd_can_network_relay
        state: "{{ var_httpd_can_network_relay }}"
        persistent: yes
      tags:
        - sebool_httpd_can_network_relay
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the xguest_exec_content SELinux Boolean

By default, the SELinux boolean xguest_exec_content is enabled. This setting should be disabled, as guest users should not be able to run executables.
To disable the xguest_exec_content SELinux boolean, run the following command:

    $ sudo setsebool -P xguest_exec_content off

Remediation Shell script:

    var_xguest_exec_content=""
    setsebool -P xguest_exec_content $var_xguest_exec_content

Remediation Ansible snippet:

    - name: XCCDF Value var_xguest_exec_content # promote to variable
      set_fact:
        var_xguest_exec_content: !!str
      tags:
        - always
    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_xguest_exec_content
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Set SELinux boolean xguest_exec_content accordingly
      seboolean:
        name: xguest_exec_content
        state: "{{ var_xguest_exec_content }}"
        persistent: yes
      tags:
        - sebool_xguest_exec_content
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the nagios_run_sudo SELinux Boolean

By default, the SELinux boolean nagios_run_sudo is disabled. If this setting is enabled, it should be disabled.
To disable the nagios_run_sudo SELinux boolean, run the following command:

    $ sudo setsebool -P nagios_run_sudo off

Remediation Shell script:

    var_nagios_run_sudo=""
    setsebool -P nagios_run_sudo $var_nagios_run_sudo

Remediation Ansible snippet:

    - name: XCCDF Value var_nagios_run_sudo # promote to variable
      set_fact:
        var_nagios_run_sudo: !!str
      tags:
        - always
    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_nagios_run_sudo
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Set SELinux boolean nagios_run_sudo accordingly
      seboolean:
        name: nagios_run_sudo
        state: "{{ var_nagios_run_sudo }}"
        persistent: yes
      tags:
        - sebool_nagios_run_sudo
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the virt_transition_userdomain SELinux Boolean

By default, the SELinux boolean virt_transition_userdomain is disabled. If this setting is enabled, it should be disabled.
To disable the virt_transition_userdomain SELinux boolean, run the following command:

    $ sudo setsebool -P virt_transition_userdomain off

Remediation Shell script:

    var_virt_transition_userdomain=""
    setsebool -P virt_transition_userdomain $var_virt_transition_userdomain

Remediation Ansible snippet:

    - name: XCCDF Value var_virt_transition_userdomain # promote to variable
      set_fact:
        var_virt_transition_userdomain: !!str
      tags:
        - always
    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_virt_transition_userdomain
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Set SELinux boolean virt_transition_userdomain accordingly
      seboolean:
        name: virt_transition_userdomain
        state: "{{ var_virt_transition_userdomain }}"
        persistent: yes
      tags:
        - sebool_virt_transition_userdomain
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_ssi_exec SELinux Boolean

By default, the SELinux boolean httpd_ssi_exec is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_ssi_exec SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_ssi_exec off

Remediation Shell script:

    var_httpd_ssi_exec=""
    setsebool -P httpd_ssi_exec $var_httpd_ssi_exec

Remediation Ansible snippet:

    - name: XCCDF Value var_httpd_ssi_exec # promote to variable
      set_fact:
        var_httpd_ssi_exec: !!str
      tags:
        - always
    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_ssi_exec
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Set SELinux boolean httpd_ssi_exec accordingly
      seboolean:
        name: httpd_ssi_exec
        state: "{{ var_httpd_ssi_exec }}"
        persistent: yes
      tags:
        - sebool_httpd_ssi_exec
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the ksmtuned_use_cifs SELinux Boolean

By default, the SELinux boolean ksmtuned_use_cifs is disabled. If this setting is enabled, it should be disabled.
To disable the ksmtuned_use_cifs SELinux boolean, run the following command:

    $ sudo setsebool -P ksmtuned_use_cifs off

Remediation Shell script:

    var_ksmtuned_use_cifs=""
    setsebool -P ksmtuned_use_cifs $var_ksmtuned_use_cifs

Remediation Ansible snippet:

    - name: XCCDF Value var_ksmtuned_use_cifs # promote to variable
      set_fact:
        var_ksmtuned_use_cifs: !!str
      tags:
        - always
    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_ksmtuned_use_cifs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Set SELinux boolean ksmtuned_use_cifs accordingly
      seboolean:
        name: ksmtuned_use_cifs
        state: "{{ var_ksmtuned_use_cifs }}"
        persistent: yes
      tags:
        - sebool_ksmtuned_use_cifs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the mpd_use_cifs SELinux Boolean

By default, the SELinux boolean mpd_use_cifs is disabled. If this setting is enabled, it should be disabled.
To disable the mpd_use_cifs SELinux boolean, run the following command:

    $ sudo setsebool -P mpd_use_cifs off

Remediation Shell script:

    var_mpd_use_cifs=""
    setsebool -P mpd_use_cifs $var_mpd_use_cifs

Remediation Ansible snippet:

    - name: XCCDF Value var_mpd_use_cifs # promote to variable
      set_fact:
        var_mpd_use_cifs: !!str
      tags:
        - always
    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_mpd_use_cifs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Set SELinux boolean mpd_use_cifs accordingly
      seboolean:
        name: mpd_use_cifs
        state: "{{ var_mpd_use_cifs }}"
        persistent: yes
      tags:
        - sebool_mpd_use_cifs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the use_lpd_server SELinux Boolean

By default, the SELinux boolean use_lpd_server is disabled. If this setting is enabled, it should be disabled.
To disable the use_lpd_server SELinux boolean, run the following command:

    $ sudo setsebool -P use_lpd_server off

Remediation Shell script:

    var_use_lpd_server=""
    setsebool -P use_lpd_server $var_use_lpd_server

Remediation Ansible snippet:

    - name: XCCDF Value var_use_lpd_server # promote to variable
      set_fact:
        var_use_lpd_server: !!str
      tags:
        - always
    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_use_lpd_server
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
    - name: Set SELinux boolean use_lpd_server accordingly
      seboolean:
        name: use_lpd_server
        state: "{{ var_use_lpd_server }}"
        persistent: yes
      tags:
        - sebool_use_lpd_server
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the polipo_use_nfs SELinux Boolean

By default, the SELinux boolean polipo_use_nfs is disabled. If this setting is enabled, it should be disabled.
To disable the polipo_use_nfs SELinux boolean, run the following command:

    $ sudo setsebool -P polipo_use_nfs off

Remediation Shell script:

    var_polipo_use_nfs=""
    setsebool -P polipo_use_nfs $var_polipo_use_nfs

Remediation Ansible snippet:

    - name: XCCDF Value var_polipo_use_nfs # promote to variable
      set_fact:
        var_polipo_use_nfs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_polipo_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean polipo_use_nfs accordingly
      seboolean:
        name: polipo_use_nfs
        state: "{{ var_polipo_use_nfs }}"
        persistent: yes
      tags:
        - sebool_polipo_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the lsmd_plugin_connect_any SELinux Boolean

By default, the SELinux boolean lsmd_plugin_connect_any is disabled. If this setting is enabled, it should be disabled.
To disable the lsmd_plugin_connect_any SELinux boolean, run the following command:

    $ sudo setsebool -P lsmd_plugin_connect_any off

Remediation Shell script:

    var_lsmd_plugin_connect_any=""
    setsebool -P lsmd_plugin_connect_any $var_lsmd_plugin_connect_any

Remediation Ansible snippet:

    - name: XCCDF Value var_lsmd_plugin_connect_any # promote to variable
      set_fact:
        var_lsmd_plugin_connect_any: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_lsmd_plugin_connect_any
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean lsmd_plugin_connect_any accordingly
      seboolean:
        name: lsmd_plugin_connect_any
        state: "{{ var_lsmd_plugin_connect_any }}"
        persistent: yes
      tags:
        - sebool_lsmd_plugin_connect_any
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the ftpd_connect_all_unreserved SELinux Boolean

By default, the SELinux boolean ftpd_connect_all_unreserved is disabled. If this setting is enabled, it should be disabled.
To disable the ftpd_connect_all_unreserved SELinux boolean, run the following command:

    $ sudo setsebool -P ftpd_connect_all_unreserved off

Remediation Shell script:

    var_ftpd_connect_all_unreserved=""
    setsebool -P ftpd_connect_all_unreserved $var_ftpd_connect_all_unreserved

Remediation Ansible snippet:

    - name: XCCDF Value var_ftpd_connect_all_unreserved # promote to variable
      set_fact:
        var_ftpd_connect_all_unreserved: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_ftpd_connect_all_unreserved
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean ftpd_connect_all_unreserved accordingly
      seboolean:
        name: ftpd_connect_all_unreserved
        state: "{{ var_ftpd_connect_all_unreserved }}"
        persistent: yes
      tags:
        - sebool_ftpd_connect_all_unreserved
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the virt_use_rawip SELinux Boolean

By default, the SELinux boolean virt_use_rawip is disabled. If this setting is enabled, it should be disabled.
To disable the virt_use_rawip SELinux boolean, run the following command:

    $ sudo setsebool -P virt_use_rawip off

Remediation Shell script:

    var_virt_use_rawip=""
    setsebool -P virt_use_rawip $var_virt_use_rawip

Remediation Ansible snippet:

    - name: XCCDF Value var_virt_use_rawip # promote to variable
      set_fact:
        var_virt_use_rawip: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_virt_use_rawip
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean virt_use_rawip accordingly
      seboolean:
        name: virt_use_rawip
        state: "{{ var_virt_use_rawip }}"
        persistent: yes
      tags:
        - sebool_virt_use_rawip
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the gpg_web_anon_write SELinux Boolean

By default, the SELinux boolean gpg_web_anon_write is disabled. If this setting is enabled, it should be disabled.
To disable the gpg_web_anon_write SELinux boolean, run the following command:

    $ sudo setsebool -P gpg_web_anon_write off

Remediation Shell script:

    var_gpg_web_anon_write=""
    setsebool -P gpg_web_anon_write $var_gpg_web_anon_write

Remediation Ansible snippet:

    - name: XCCDF Value var_gpg_web_anon_write # promote to variable
      set_fact:
        var_gpg_web_anon_write: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_gpg_web_anon_write
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean gpg_web_anon_write accordingly
      seboolean:
        name: gpg_web_anon_write
        state: "{{ var_gpg_web_anon_write }}"
        persistent: yes
      tags:
        - sebool_gpg_web_anon_write
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the telepathy_connect_all_ports SELinux Boolean

By default, the SELinux boolean telepathy_connect_all_ports is disabled. If this setting is enabled, it should be disabled.
To disable the telepathy_connect_all_ports SELinux boolean, run the following command:

    $ sudo setsebool -P telepathy_connect_all_ports off

Remediation Shell script:

    var_telepathy_connect_all_ports=""
    setsebool -P telepathy_connect_all_ports $var_telepathy_connect_all_ports

Remediation Ansible snippet:

    - name: XCCDF Value var_telepathy_connect_all_ports # promote to variable
      set_fact:
        var_telepathy_connect_all_ports: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_telepathy_connect_all_ports
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean telepathy_connect_all_ports accordingly
      seboolean:
        name: telepathy_connect_all_ports
        state: "{{ var_telepathy_connect_all_ports }}"
        persistent: yes
      tags:
        - sebool_telepathy_connect_all_ports
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the tor_bind_all_unreserved_ports SELinux Boolean

By default, the SELinux boolean tor_bind_all_unreserved_ports is disabled. If this setting is enabled, it should be disabled.
To disable the tor_bind_all_unreserved_ports SELinux boolean, run the following command:

    $ sudo setsebool -P tor_bind_all_unreserved_ports off

Remediation Shell script:

    var_tor_bind_all_unreserved_ports=""
    setsebool -P tor_bind_all_unreserved_ports $var_tor_bind_all_unreserved_ports

Remediation Ansible snippet:

    - name: XCCDF Value var_tor_bind_all_unreserved_ports # promote to variable
      set_fact:
        var_tor_bind_all_unreserved_ports: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_tor_bind_all_unreserved_ports
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean tor_bind_all_unreserved_ports accordingly
      seboolean:
        name: tor_bind_all_unreserved_ports
        state: "{{ var_tor_bind_all_unreserved_ports }}"
        persistent: yes
      tags:
        - sebool_tor_bind_all_unreserved_ports
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the dhcpc_exec_iptables SELinux Boolean

By default, the SELinux boolean dhcpc_exec_iptables is disabled. If this setting is enabled, it should be disabled.
To disable the dhcpc_exec_iptables SELinux boolean, run the following command:

    $ sudo setsebool -P dhcpc_exec_iptables off

Remediation Shell script:

    var_dhcpc_exec_iptables=""
    setsebool -P dhcpc_exec_iptables $var_dhcpc_exec_iptables

Remediation Ansible snippet:

    - name: XCCDF Value var_dhcpc_exec_iptables # promote to variable
      set_fact:
        var_dhcpc_exec_iptables: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_dhcpc_exec_iptables
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean dhcpc_exec_iptables accordingly
      seboolean:
        name: dhcpc_exec_iptables
        state: "{{ var_dhcpc_exec_iptables }}"
        persistent: yes
      tags:
        - sebool_dhcpc_exec_iptables
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the domain_fd_use SELinux Boolean

By default, the SELinux boolean domain_fd_use is enabled. If this setting is disabled, it should be enabled.
To enable the domain_fd_use SELinux boolean, run the following command:

    $ sudo setsebool -P domain_fd_use on

Remediation Shell script:

    var_domain_fd_use=""
    setsebool -P domain_fd_use $var_domain_fd_use

Remediation Ansible snippet:

    - name: XCCDF Value var_domain_fd_use # promote to variable
      set_fact:
        var_domain_fd_use: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_domain_fd_use
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean domain_fd_use accordingly
      seboolean:
        name: domain_fd_use
        state: "{{ var_domain_fd_use }}"
        persistent: yes
      tags:
        - sebool_domain_fd_use
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the polipo_use_cifs SELinux Boolean

By default, the SELinux boolean polipo_use_cifs is disabled. If this setting is enabled, it should be disabled.
To disable the polipo_use_cifs SELinux boolean, run the following command:

    $ sudo setsebool -P polipo_use_cifs off

Remediation Shell script:

    var_polipo_use_cifs=""
    setsebool -P polipo_use_cifs $var_polipo_use_cifs

Remediation Ansible snippet:

    - name: XCCDF Value var_polipo_use_cifs # promote to variable
      set_fact:
        var_polipo_use_cifs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_polipo_use_cifs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean polipo_use_cifs accordingly
      seboolean:
        name: polipo_use_cifs
        state: "{{ var_polipo_use_cifs }}"
        persistent: yes
      tags:
        - sebool_polipo_use_cifs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the samba_create_home_dirs SELinux Boolean

By default, the SELinux boolean samba_create_home_dirs is disabled. If this setting is enabled, it should be disabled.
To disable the samba_create_home_dirs SELinux boolean, run the following command:

    $ sudo setsebool -P samba_create_home_dirs off

Remediation Shell script:

    var_samba_create_home_dirs=""
    setsebool -P samba_create_home_dirs $var_samba_create_home_dirs

Remediation Ansible snippet:

    - name: XCCDF Value var_samba_create_home_dirs # promote to variable
      set_fact:
        var_samba_create_home_dirs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_samba_create_home_dirs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean samba_create_home_dirs accordingly
      seboolean:
        name: samba_create_home_dirs
        state: "{{ var_samba_create_home_dirs }}"
        persistent: yes
      tags:
        - sebool_samba_create_home_dirs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the mmap_low_allowed SELinux Boolean

By default, the SELinux boolean mmap_low_allowed is disabled. If this setting is enabled, it should be disabled.
To disable the mmap_low_allowed SELinux boolean, run the following command:

    $ sudo setsebool -P mmap_low_allowed off

Remediation Shell script:

    var_mmap_low_allowed=""
    setsebool -P mmap_low_allowed $var_mmap_low_allowed

Remediation Ansible snippet:

    - name: XCCDF Value var_mmap_low_allowed # promote to variable
      set_fact:
        var_mmap_low_allowed: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_mmap_low_allowed
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean mmap_low_allowed accordingly
      seboolean:
        name: mmap_low_allowed
        state: "{{ var_mmap_low_allowed }}"
        persistent: yes
      tags:
        - sebool_mmap_low_allowed
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the selinuxuser_share_music SELinux Boolean

By default, the SELinux boolean selinuxuser_share_music is disabled. If this setting is enabled, it should be disabled.
To disable the selinuxuser_share_music SELinux boolean, run the following command:

    $ sudo setsebool -P selinuxuser_share_music off

Remediation Shell script:

    var_selinuxuser_share_music=""
    setsebool -P selinuxuser_share_music $var_selinuxuser_share_music

Remediation Ansible snippet:

    - name: XCCDF Value var_selinuxuser_share_music # promote to variable
      set_fact:
        var_selinuxuser_share_music: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_selinuxuser_share_music
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean selinuxuser_share_music accordingly
      seboolean:
        name: selinuxuser_share_music
        state: "{{ var_selinuxuser_share_music }}"
        persistent: yes
      tags:
        - sebool_selinuxuser_share_music
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the ftpd_use_cifs SELinux Boolean

By default, the SELinux boolean ftpd_use_cifs is disabled. If this setting is enabled, it should be disabled.
To disable the ftpd_use_cifs SELinux boolean, run the following command:

    $ sudo setsebool -P ftpd_use_cifs off

Remediation Shell script:

    var_ftpd_use_cifs=""
    setsebool -P ftpd_use_cifs $var_ftpd_use_cifs

Remediation Ansible snippet:

    - name: XCCDF Value var_ftpd_use_cifs # promote to variable
      set_fact:
        var_ftpd_use_cifs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_ftpd_use_cifs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean ftpd_use_cifs accordingly
      seboolean:
        name: ftpd_use_cifs
        state: "{{ var_ftpd_use_cifs }}"
        persistent: yes
      tags:
        - sebool_ftpd_use_cifs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the xend_run_blktap SELinux Boolean

By default, the SELinux boolean xend_run_blktap is enabled. If this setting is disabled, it should be enabled.
To enable the xend_run_blktap SELinux boolean, run the following command:

    $ sudo setsebool -P xend_run_blktap on

Remediation Shell script:

    var_xend_run_blktap=""
    setsebool -P xend_run_blktap $var_xend_run_blktap

Remediation Ansible snippet:

    - name: XCCDF Value var_xend_run_blktap # promote to variable
      set_fact:
        var_xend_run_blktap: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_xend_run_blktap
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean xend_run_blktap accordingly
      seboolean:
        name: xend_run_blktap
        state: "{{ var_xend_run_blktap }}"
        persistent: yes
      tags:
        - sebool_xend_run_blktap
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the mcelog_client SELinux Boolean

By default, the SELinux boolean mcelog_client is disabled. If this setting is enabled, it should be disabled.
To disable the mcelog_client SELinux boolean, run the following command:

    $ sudo setsebool -P mcelog_client off

Remediation Shell script:

    var_mcelog_client=""
    setsebool -P mcelog_client $var_mcelog_client

Remediation Ansible snippet:

    - name: XCCDF Value var_mcelog_client # promote to variable
      set_fact:
        var_mcelog_client: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_mcelog_client
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean mcelog_client accordingly
      seboolean:
        name: mcelog_client
        state: "{{ var_mcelog_client }}"
        persistent: yes
      tags:
        - sebool_mcelog_client
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the cluster_can_network_connect SELinux Boolean

By default, the SELinux boolean cluster_can_network_connect is disabled. If this setting is enabled, it should be disabled.
To disable the cluster_can_network_connect SELinux boolean, run the following command:

    $ sudo setsebool -P cluster_can_network_connect off

Remediation Shell script:

    var_cluster_can_network_connect=""
    setsebool -P cluster_can_network_connect $var_cluster_can_network_connect

Remediation Ansible snippet:

    - name: XCCDF Value var_cluster_can_network_connect # promote to variable
      set_fact:
        var_cluster_can_network_connect: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_cluster_can_network_connect
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean cluster_can_network_connect accordingly
      seboolean:
        name: cluster_can_network_connect
        state: "{{ var_cluster_can_network_connect }}"
        persistent: yes
      tags:
        - sebool_cluster_can_network_connect
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the selinuxuser_execmod SELinux Boolean

By default, the SELinux boolean selinuxuser_execmod is enabled. If this setting is disabled, it should be enabled.
To enable the selinuxuser_execmod SELinux boolean, run the following command:

    $ sudo setsebool -P selinuxuser_execmod on

References: 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e)

Remediation Shell script:

    var_selinuxuser_execmod=""
    setsebool -P selinuxuser_execmod $var_selinuxuser_execmod

Remediation Ansible snippet:

    - name: XCCDF Value var_selinuxuser_execmod # promote to variable
      set_fact:
        var_selinuxuser_execmod: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_selinuxuser_execmod
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean selinuxuser_execmod accordingly
      seboolean:
        name: selinuxuser_execmod
        state: "{{ var_selinuxuser_execmod }}"
        persistent: yes
      tags:
        - sebool_selinuxuser_execmod
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_use_nfs SELinux Boolean

By default, the SELinux boolean httpd_use_nfs is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_use_nfs SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_use_nfs off

Remediation Shell script:

    var_httpd_use_nfs=""
    setsebool -P httpd_use_nfs $var_httpd_use_nfs

Remediation Ansible snippet:

    - name: XCCDF Value var_httpd_use_nfs # promote to variable
      set_fact:
        var_httpd_use_nfs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_use_nfs accordingly
      seboolean:
        name: httpd_use_nfs
        state: "{{ var_httpd_use_nfs }}"
        persistent: yes
      tags:
        - sebool_httpd_use_nfs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the cobbler_anon_write SELinux Boolean

By default, the SELinux boolean cobbler_anon_write is disabled. If this setting is enabled, it should be disabled.
To disable the cobbler_anon_write SELinux boolean, run the following command:

    $ sudo setsebool -P cobbler_anon_write off

Remediation Shell script:

    var_cobbler_anon_write=""
    setsebool -P cobbler_anon_write $var_cobbler_anon_write

Remediation Ansible snippet:

    - name: XCCDF Value var_cobbler_anon_write # promote to variable
      set_fact:
        var_cobbler_anon_write: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_cobbler_anon_write
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean cobbler_anon_write accordingly
      seboolean:
        name: cobbler_anon_write
        state: "{{ var_cobbler_anon_write }}"
        persistent: yes
      tags:
        - sebool_cobbler_anon_write
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the selinuxuser_udp_server SELinux Boolean

By default, the SELinux boolean selinuxuser_udp_server is disabled. If this setting is enabled, it should be disabled.
To disable the selinuxuser_udp_server SELinux boolean, run the following command:

    $ sudo setsebool -P selinuxuser_udp_server off

Remediation Shell script:

    var_selinuxuser_udp_server=""
    setsebool -P selinuxuser_udp_server $var_selinuxuser_udp_server

Remediation Ansible snippet:

    - name: XCCDF Value var_selinuxuser_udp_server # promote to variable
      set_fact:
        var_selinuxuser_udp_server: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_selinuxuser_udp_server
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean selinuxuser_udp_server accordingly
      seboolean:
        name: selinuxuser_udp_server
        state: "{{ var_selinuxuser_udp_server }}"
        persistent: yes
      tags:
        - sebool_selinuxuser_udp_server
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the gssd_read_tmp SELinux Boolean

By default, the SELinux boolean gssd_read_tmp is enabled. This setting allows gssd processes to access Kerberos to read TGTs in the temp directory. If this setting is disabled, it should be enabled.
To enable the gssd_read_tmp SELinux boolean, run the following command:

    $ sudo setsebool -P gssd_read_tmp on

Remediation Shell script:

    var_gssd_read_tmp=""
    setsebool -P gssd_read_tmp $var_gssd_read_tmp

Remediation Ansible snippet:

    - name: XCCDF Value var_gssd_read_tmp # promote to variable
      set_fact:
        var_gssd_read_tmp: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_gssd_read_tmp
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean gssd_read_tmp accordingly
      seboolean:
        name: gssd_read_tmp
        state: "{{ var_gssd_read_tmp }}"
        persistent: yes
      tags:
        - sebool_gssd_read_tmp
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the kdumpgui_run_bootloader SELinux Boolean

By default, the SELinux boolean kdumpgui_run_bootloader is disabled. If this setting is enabled, it should be disabled.
To disable the kdumpgui_run_bootloader SELinux boolean, run the following command:

    $ sudo setsebool -P kdumpgui_run_bootloader off

Remediation Shell script:

    var_kdumpgui_run_bootloader=""
    setsebool -P kdumpgui_run_bootloader $var_kdumpgui_run_bootloader

Remediation Ansible snippet:

    - name: XCCDF Value var_kdumpgui_run_bootloader # promote to variable
      set_fact:
        var_kdumpgui_run_bootloader: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_kdumpgui_run_bootloader
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean kdumpgui_run_bootloader accordingly
      seboolean:
        name: kdumpgui_run_bootloader
        state: "{{ var_kdumpgui_run_bootloader }}"
        persistent: yes
      tags:
        - sebool_kdumpgui_run_bootloader
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the telepathy_tcp_connect_generic_network_ports SELinux Boolean

By default, the SELinux boolean telepathy_tcp_connect_generic_network_ports is enabled. This setting should be disabled, as telepathy should not connect to any generic network ports.
To disable the telepathy_tcp_connect_generic_network_ports SELinux boolean, run the following command:

    $ sudo setsebool -P telepathy_tcp_connect_generic_network_ports off

Remediation Shell script:

    var_telepathy_tcp_connect_generic_network_ports=""
    setsebool -P telepathy_tcp_connect_generic_network_ports $var_telepathy_tcp_connect_generic_network_ports

Remediation Ansible snippet:

    - name: XCCDF Value var_telepathy_tcp_connect_generic_network_ports # promote to variable
      set_fact:
        var_telepathy_tcp_connect_generic_network_ports: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_telepathy_tcp_connect_generic_network_ports
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean telepathy_tcp_connect_generic_network_ports accordingly
      seboolean:
        name: telepathy_tcp_connect_generic_network_ports
        state: "{{ var_telepathy_tcp_connect_generic_network_ports }}"
        persistent: yes
      tags:
        - sebool_telepathy_tcp_connect_generic_network_ports
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the rsync_export_all_ro SELinux Boolean

By default, the SELinux boolean rsync_export_all_ro is disabled. If this setting is enabled, it should be disabled.
To disable the rsync_export_all_ro SELinux boolean, run the following command:
$ sudo setsebool -P rsync_export_all_ro off

Remediation Shell script:
var_rsync_export_all_ro=""
setsebool -P rsync_export_all_ro $var_rsync_export_all_ro

Remediation Ansible snippet:
- name: XCCDF Value var_rsync_export_all_ro # promote to variable
  set_fact:
    var_rsync_export_all_ro: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_rsync_export_all_ro
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean rsync_export_all_ro accordingly
  seboolean:
    name: rsync_export_all_ro
    state: "{{ var_rsync_export_all_ro }}"
    persistent: yes
  tags:
    - sebool_rsync_export_all_ro
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the xguest_connect_network SELinux Boolean

By default, the SELinux boolean xguest_connect_network is enabled. This setting should be disabled, as guest users should not be able to configure NetworkManager.
To disable the xguest_connect_network SELinux boolean, run the following command:
$ sudo setsebool -P xguest_connect_network off

Remediation Shell script:
var_xguest_connect_network=""
setsebool -P xguest_connect_network $var_xguest_connect_network

Remediation Ansible snippet:
- name: XCCDF Value var_xguest_connect_network # promote to variable
  set_fact:
    var_xguest_connect_network: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_xguest_connect_network
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean xguest_connect_network accordingly
  seboolean:
    name: xguest_connect_network
    state: "{{ var_xguest_connect_network }}"
    persistent: yes
  tags:
    - sebool_xguest_connect_network
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the samba_enable_home_dirs SELinux Boolean

By default, the SELinux boolean samba_enable_home_dirs is disabled. If this setting is enabled, it should be disabled.
To disable the samba_enable_home_dirs SELinux boolean, run the following command:
$ sudo setsebool -P samba_enable_home_dirs off

Remediation Shell script:
var_samba_enable_home_dirs=""
setsebool -P samba_enable_home_dirs $var_samba_enable_home_dirs

Remediation Ansible snippet:
- name: XCCDF Value var_samba_enable_home_dirs # promote to variable
  set_fact:
    var_samba_enable_home_dirs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_samba_enable_home_dirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean samba_enable_home_dirs accordingly
  seboolean:
    name: samba_enable_home_dirs
    state: "{{ var_samba_enable_home_dirs }}"
    persistent: yes
  tags:
    - sebool_samba_enable_home_dirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the virt_use_sanlock SELinux Boolean

By default, the SELinux boolean virt_use_sanlock is disabled. If this setting is enabled, it should be disabled.
To disable the virt_use_sanlock SELinux boolean, run the following command:
$ sudo setsebool -P virt_use_sanlock off

Remediation Shell script:
var_virt_use_sanlock=""
setsebool -P virt_use_sanlock $var_virt_use_sanlock

Remediation Ansible snippet:
- name: XCCDF Value var_virt_use_sanlock # promote to variable
  set_fact:
    var_virt_use_sanlock: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_virt_use_sanlock
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean virt_use_sanlock accordingly
  seboolean:
    name: virt_use_sanlock
    state: "{{ var_virt_use_sanlock }}"
    persistent: yes
  tags:
    - sebool_virt_use_sanlock
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the saslauthd_read_shadow SELinux Boolean

By default, the SELinux boolean saslauthd_read_shadow is disabled. If this setting is enabled, it should be disabled.
To disable the saslauthd_read_shadow SELinux boolean, run the following command:
$ sudo setsebool -P saslauthd_read_shadow off

Remediation Shell script:
var_saslauthd_read_shadow=""
setsebool -P saslauthd_read_shadow $var_saslauthd_read_shadow

Remediation Ansible snippet:
- name: XCCDF Value var_saslauthd_read_shadow # promote to variable
  set_fact:
    var_saslauthd_read_shadow: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_saslauthd_read_shadow
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean saslauthd_read_shadow accordingly
  seboolean:
    name: saslauthd_read_shadow
    state: "{{ var_saslauthd_read_shadow }}"
    persistent: yes
  tags:
    - sebool_saslauthd_read_shadow
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the xdm_write_home SELinux Boolean

By default, the SELinux boolean xdm_write_home is disabled. If this setting is enabled, it should be disabled.
To disable the xdm_write_home SELinux boolean, run the following command:
$ sudo setsebool -P xdm_write_home off

Remediation Shell script:
var_xdm_write_home=""
setsebool -P xdm_write_home $var_xdm_write_home

Remediation Ansible snippet:
- name: XCCDF Value var_xdm_write_home # promote to variable
  set_fact:
    var_xdm_write_home: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_xdm_write_home
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean xdm_write_home accordingly
  seboolean:
    name: xdm_write_home
    state: "{{ var_xdm_write_home }}"
    persistent: yes
  tags:
    - sebool_xdm_write_home
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the named_write_master_zones SELinux Boolean

By default, the SELinux boolean named_write_master_zones is disabled. If this setting is enabled, it should be disabled.
To disable the named_write_master_zones SELinux boolean, run the following command:
$ sudo setsebool -P named_write_master_zones off

Remediation Shell script:
var_named_write_master_zones=""
setsebool -P named_write_master_zones $var_named_write_master_zones

Remediation Ansible snippet:
- name: XCCDF Value var_named_write_master_zones # promote to variable
  set_fact:
    var_named_write_master_zones: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_named_write_master_zones
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean named_write_master_zones accordingly
  seboolean:
    name: named_write_master_zones
    state: "{{ var_named_write_master_zones }}"
    persistent: yes
  tags:
    - sebool_named_write_master_zones
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the polipo_session_users SELinux Boolean

By default, the SELinux boolean polipo_session_users is disabled. If this setting is enabled, it should be disabled.
To disable the polipo_session_users SELinux boolean, run the following command:
$ sudo setsebool -P polipo_session_users off

Remediation Shell script:
var_polipo_session_users=""
setsebool -P polipo_session_users $var_polipo_session_users

Remediation Ansible snippet:
- name: XCCDF Value var_polipo_session_users # promote to variable
  set_fact:
    var_polipo_session_users: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_polipo_session_users
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean polipo_session_users accordingly
  seboolean:
    name: polipo_session_users
    state: "{{ var_polipo_session_users }}"
    persistent: yes
  tags:
    - sebool_polipo_session_users
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the sysadm_exec_content SELinux Boolean

By default, the SELinux boolean sysadm_exec_content is enabled. If this setting is disabled, it should be enabled.
To enable the sysadm_exec_content SELinux boolean, run the following command:
$ sudo setsebool -P sysadm_exec_content on

Remediation Shell script:
var_sysadm_exec_content=""
setsebool -P sysadm_exec_content $var_sysadm_exec_content

Remediation Ansible snippet:
- name: XCCDF Value var_sysadm_exec_content # promote to variable
  set_fact:
    var_sysadm_exec_content: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_sysadm_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean sysadm_exec_content accordingly
  seboolean:
    name: sysadm_exec_content
    state: "{{ var_sysadm_exec_content }}"
    persistent: yes
  tags:
    - sebool_sysadm_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the xguest_use_bluetooth SELinux Boolean

By default, the SELinux boolean xguest_use_bluetooth is enabled. This setting should be disabled, as guest users should not be able to access or use Bluetooth.
To disable the xguest_use_bluetooth SELinux boolean, run the following command:
$ sudo setsebool -P xguest_use_bluetooth off

Remediation Shell script:
var_xguest_use_bluetooth=""
setsebool -P xguest_use_bluetooth $var_xguest_use_bluetooth

Remediation Ansible snippet:
- name: XCCDF Value var_xguest_use_bluetooth # promote to variable
  set_fact:
    var_xguest_use_bluetooth: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_xguest_use_bluetooth
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean xguest_use_bluetooth accordingly
  seboolean:
    name: xguest_use_bluetooth
    state: "{{ var_xguest_use_bluetooth }}"
    persistent: yes
  tags:
    - sebool_xguest_use_bluetooth
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the unprivuser_use_svirt SELinux Boolean

By default, the SELinux boolean unprivuser_use_svirt is disabled. If this setting is enabled, it should be disabled.
To disable the unprivuser_use_svirt SELinux boolean, run the following command:
$ sudo setsebool -P unprivuser_use_svirt off

Remediation Shell script:
var_unprivuser_use_svirt=""
setsebool -P unprivuser_use_svirt $var_unprivuser_use_svirt

Remediation Ansible snippet:
- name: XCCDF Value var_unprivuser_use_svirt # promote to variable
  set_fact:
    var_unprivuser_use_svirt: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_unprivuser_use_svirt
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean unprivuser_use_svirt accordingly
  seboolean:
    name: unprivuser_use_svirt
    state: "{{ var_unprivuser_use_svirt }}"
    persistent: yes
  tags:
    - sebool_unprivuser_use_svirt
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the kerberos_enabled SELinux Boolean

By default, the SELinux boolean kerberos_enabled is enabled. If this setting is disabled, it should be enabled to allow confined applications to run with Kerberos.
To enable the kerberos_enabled SELinux boolean, run the following command:
$ sudo setsebool -P kerberos_enabled on

Remediation Shell script:
var_kerberos_enabled=""
setsebool -P kerberos_enabled $var_kerberos_enabled

Remediation Ansible snippet:
- name: XCCDF Value var_kerberos_enabled # promote to variable
  set_fact:
    var_kerberos_enabled: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_kerberos_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean kerberos_enabled accordingly
  seboolean:
    name: kerberos_enabled
    state: "{{ var_kerberos_enabled }}"
    persistent: yes
  tags:
    - sebool_kerberos_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the sge_domain_can_network_connect SELinux Boolean

By default, the SELinux boolean sge_domain_can_network_connect is disabled. If this setting is enabled, it should be disabled.
To disable the sge_domain_can_network_connect SELinux boolean, run the following command:
$ sudo setsebool -P sge_domain_can_network_connect off

Remediation Shell script:
var_sge_domain_can_network_connect=""
setsebool -P sge_domain_can_network_connect $var_sge_domain_can_network_connect

Remediation Ansible snippet:
- name: XCCDF Value var_sge_domain_can_network_connect # promote to variable
  set_fact:
    var_sge_domain_can_network_connect: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_sge_domain_can_network_connect
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean sge_domain_can_network_connect accordingly
  seboolean:
    name: sge_domain_can_network_connect
    state: "{{ var_sge_domain_can_network_connect }}"
    persistent: yes
  tags:
    - sebool_sge_domain_can_network_connect
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the sanlock_use_samba SELinux Boolean

By default, the SELinux boolean sanlock_use_samba is disabled. If this setting is enabled, it should be disabled.
To disable the sanlock_use_samba SELinux boolean, run the following command:
$ sudo setsebool -P sanlock_use_samba off

Remediation Shell script:
var_sanlock_use_samba=""
setsebool -P sanlock_use_samba $var_sanlock_use_samba

Remediation Ansible snippet:
- name: XCCDF Value var_sanlock_use_samba # promote to variable
  set_fact:
    var_sanlock_use_samba: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_sanlock_use_samba
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean sanlock_use_samba accordingly
  seboolean:
    name: sanlock_use_samba
    state: "{{ var_sanlock_use_samba }}"
    persistent: yes
  tags:
    - sebool_sanlock_use_samba
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the irc_use_any_tcp_ports SELinux Boolean

By default, the SELinux boolean irc_use_any_tcp_ports is disabled. If this setting is enabled, it should be disabled.
To disable the irc_use_any_tcp_ports SELinux boolean, run the following command:
$ sudo setsebool -P irc_use_any_tcp_ports off

Remediation Shell script:
var_irc_use_any_tcp_ports=""
setsebool -P irc_use_any_tcp_ports $var_irc_use_any_tcp_ports

Remediation Ansible snippet:
- name: XCCDF Value var_irc_use_any_tcp_ports # promote to variable
  set_fact:
    var_irc_use_any_tcp_ports: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_irc_use_any_tcp_ports
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean irc_use_any_tcp_ports accordingly
  seboolean:
    name: irc_use_any_tcp_ports
    state: "{{ var_irc_use_any_tcp_ports }}"
    persistent: yes
  tags:
    - sebool_irc_use_any_tcp_ports
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the ftpd_anon_write SELinux Boolean

By default, the SELinux boolean ftpd_anon_write is disabled. If this setting is enabled, it should be disabled.
To disable the ftpd_anon_write SELinux boolean, run the following command:
$ sudo setsebool -P ftpd_anon_write off

Remediation Shell script:
var_ftpd_anon_write=""
setsebool -P ftpd_anon_write $var_ftpd_anon_write

Remediation Ansible snippet:
- name: XCCDF Value var_ftpd_anon_write # promote to variable
  set_fact:
    var_ftpd_anon_write: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_ftpd_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean ftpd_anon_write accordingly
  seboolean:
    name: ftpd_anon_write
    state: "{{ var_ftpd_anon_write }}"
    persistent: yes
  tags:
    - sebool_ftpd_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the guest_exec_content SELinux Boolean

By default, the SELinux boolean guest_exec_content is enabled. This setting should be disabled, as no guest accounts should be used.
To disable the guest_exec_content SELinux boolean, run the following command:
$ sudo setsebool -P guest_exec_content off

Remediation Shell script:
var_guest_exec_content=""
setsebool -P guest_exec_content $var_guest_exec_content

Remediation Ansible snippet:
- name: XCCDF Value var_guest_exec_content # promote to variable
  set_fact:
    var_guest_exec_content: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_guest_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean guest_exec_content accordingly
  seboolean:
    name: guest_exec_content
    state: "{{ var_guest_exec_content }}"
    persistent: yes
  tags:
    - sebool_guest_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the selinuxuser_execheap SELinux Boolean

By default, the SELinux boolean selinuxuser_execheap is disabled. If this setting is enabled, it should be disabled.
To disable the selinuxuser_execheap SELinux boolean, run the following command:
$ sudo setsebool -P selinuxuser_execheap off

References: 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e)

Remediation Shell script:
var_selinuxuser_execheap=""
setsebool -P selinuxuser_execheap $var_selinuxuser_execheap

Remediation Ansible snippet:
- name: XCCDF Value var_selinuxuser_execheap # promote to variable
  set_fact:
    var_selinuxuser_execheap: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_selinuxuser_execheap
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean selinuxuser_execheap accordingly
  seboolean:
    name: selinuxuser_execheap
    state: "{{ var_selinuxuser_execheap }}"
    persistent: yes
  tags:
    - sebool_selinuxuser_execheap
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the secure_mode_policyload SELinux Boolean

By default, the SELinux boolean secure_mode_policyload is disabled. If this setting is enabled, it should be disabled.
To disable the secure_mode_policyload SELinux boolean, run the following command:
$ sudo setsebool -P secure_mode_policyload off

Remediation Shell script:
var_secure_mode_policyload=""
setsebool -P secure_mode_policyload $var_secure_mode_policyload

Remediation Ansible snippet:
- name: XCCDF Value var_secure_mode_policyload # promote to variable
  set_fact:
    var_secure_mode_policyload: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_secure_mode_policyload
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean secure_mode_policyload accordingly
  seboolean:
    name: secure_mode_policyload
    state: "{{ var_secure_mode_policyload }}"
    persistent: yes
  tags:
    - sebool_secure_mode_policyload
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_mod_auth_ntlm_winbind SELinux Boolean

By default, the SELinux boolean httpd_mod_auth_ntlm_winbind is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_mod_auth_ntlm_winbind SELinux boolean, run the following command:
$ sudo setsebool -P httpd_mod_auth_ntlm_winbind off

Remediation Shell script:
var_httpd_mod_auth_ntlm_winbind=""
setsebool -P httpd_mod_auth_ntlm_winbind $var_httpd_mod_auth_ntlm_winbind

Remediation Ansible snippet:
- name: XCCDF Value var_httpd_mod_auth_ntlm_winbind # promote to variable
  set_fact:
    var_httpd_mod_auth_ntlm_winbind: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_httpd_mod_auth_ntlm_winbind
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean httpd_mod_auth_ntlm_winbind accordingly
  seboolean:
    name: httpd_mod_auth_ntlm_winbind
    state: "{{ var_httpd_mod_auth_ntlm_winbind }}"
    persistent: yes
  tags:
    - sebool_httpd_mod_auth_ntlm_winbind
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_use_openstack SELinux Boolean

By default, the SELinux boolean httpd_use_openstack is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_use_openstack SELinux boolean, run the following command:
$ sudo setsebool -P httpd_use_openstack off

Remediation Shell script:
var_httpd_use_openstack=""
setsebool -P httpd_use_openstack $var_httpd_use_openstack

Remediation Ansible snippet:
- name: XCCDF Value var_httpd_use_openstack # promote to variable
  set_fact:
    var_httpd_use_openstack: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_httpd_use_openstack
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean httpd_use_openstack accordingly
  seboolean:
    name: httpd_use_openstack
    state: "{{ var_httpd_use_openstack }}"
    persistent: yes
  tags:
    - sebool_httpd_use_openstack
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_use_cifs SELinux Boolean

By default, the SELinux boolean httpd_use_cifs is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_use_cifs SELinux boolean, run the following command:
$ sudo setsebool -P httpd_use_cifs off

Remediation Shell script:
var_httpd_use_cifs=""
setsebool -P httpd_use_cifs $var_httpd_use_cifs

Remediation Ansible snippet:
- name: XCCDF Value var_httpd_use_cifs # promote to variable
  set_fact:
    var_httpd_use_cifs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_httpd_use_cifs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean httpd_use_cifs accordingly
  seboolean:
    name: httpd_use_cifs
    state: "{{ var_httpd_use_cifs }}"
    persistent: yes
  tags:
    - sebool_httpd_use_cifs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the postgresql_selinux_users_ddl SELinux Boolean

By default, the SELinux boolean postgresql_selinux_users_ddl is enabled. If this setting is disabled, it should be enabled, as it allows Database Administrators to execute Data Definition Language (DDL) statements.
To enable the postgresql_selinux_users_ddl SELinux boolean, run the following command:
$ sudo setsebool -P postgresql_selinux_users_ddl on

Remediation Shell script:
var_postgresql_selinux_users_ddl=""
setsebool -P postgresql_selinux_users_ddl $var_postgresql_selinux_users_ddl

Remediation Ansible snippet:
- name: XCCDF Value var_postgresql_selinux_users_ddl # promote to variable
  set_fact:
    var_postgresql_selinux_users_ddl: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_postgresql_selinux_users_ddl
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean postgresql_selinux_users_ddl accordingly
  seboolean:
    name: postgresql_selinux_users_ddl
    state: "{{ var_postgresql_selinux_users_ddl }}"
    persistent: yes
  tags:
    - sebool_postgresql_selinux_users_ddl
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the nfs_export_all_ro SELinux Boolean

By default, the SELinux boolean nfs_export_all_ro is enabled. If this setting is disabled, it should be enabled, as it allows NFS to export read-only mounts.
To enable the nfs_export_all_ro SELinux boolean, run the following command:
$ sudo setsebool -P nfs_export_all_ro on

Remediation Shell script:
var_nfs_export_all_ro=""
setsebool -P nfs_export_all_ro $var_nfs_export_all_ro

Remediation Ansible snippet:
- name: XCCDF Value var_nfs_export_all_ro # promote to variable
  set_fact:
    var_nfs_export_all_ro: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: latest
  tags:
    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
    - sebool_nfs_export_all_ro
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: Set SELinux boolean nfs_export_all_ro accordingly
  seboolean:
    name: nfs_export_all_ro
    state: "{{ var_nfs_export_all_ro }}"
    persistent: yes
  tags:
    - sebool_nfs_export_all_ro
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the daemons_dump_core SELinux Boolean

By default, the SELinux boolean daemons_dump_core is disabled. If this setting is enabled, it should be disabled.
To disable the daemons_dump_core SELinux boolean, run the following command:

    $ sudo setsebool -P daemons_dump_core off

Remediation shell script:

    var_daemons_dump_core=""
    setsebool -P daemons_dump_core $var_daemons_dump_core

Remediation Ansible snippet:

    - name: XCCDF Value var_daemons_dump_core # promote to variable
      set_fact:
        var_daemons_dump_core: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_daemons_dump_core
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean daemons_dump_core accordingly
      seboolean:
        name: daemons_dump_core
        state: "{{ var_daemons_dump_core }}"
        persistent: yes
      tags:
        - sebool_daemons_dump_core
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the postfix_local_write_mail_spool SELinux Boolean

By default, the SELinux boolean postfix_local_write_mail_spool is enabled. If this setting is disabled, it should be enabled as it allows Postfix to write to the mail spool directories.
To enable the postfix_local_write_mail_spool SELinux boolean, run the following command:

    $ sudo setsebool -P postfix_local_write_mail_spool on

Remediation shell script:

    var_postfix_local_write_mail_spool=""
    setsebool -P postfix_local_write_mail_spool $var_postfix_local_write_mail_spool

Remediation Ansible snippet:

    - name: XCCDF Value var_postfix_local_write_mail_spool # promote to variable
      set_fact:
        var_postfix_local_write_mail_spool: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_postfix_local_write_mail_spool
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean postfix_local_write_mail_spool accordingly
      seboolean:
        name: postfix_local_write_mail_spool
        state: "{{ var_postfix_local_write_mail_spool }}"
        persistent: yes
      tags:
        - sebool_postfix_local_write_mail_spool
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the xdm_exec_bootloader SELinux Boolean

By default, the SELinux boolean xdm_exec_bootloader is disabled. If this setting is enabled, it should be disabled.
To disable the xdm_exec_bootloader SELinux boolean, run the following command:

    $ sudo setsebool -P xdm_exec_bootloader off

Remediation shell script:

    var_xdm_exec_bootloader=""
    setsebool -P xdm_exec_bootloader $var_xdm_exec_bootloader

Remediation Ansible snippet:

    - name: XCCDF Value var_xdm_exec_bootloader # promote to variable
      set_fact:
        var_xdm_exec_bootloader: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_xdm_exec_bootloader
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean xdm_exec_bootloader accordingly
      seboolean:
        name: xdm_exec_bootloader
        state: "{{ var_xdm_exec_bootloader }}"
        persistent: yes
      tags:
        - sebool_xdm_exec_bootloader
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_dbus_avahi SELinux Boolean

By default, the SELinux boolean httpd_dbus_avahi is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_dbus_avahi SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_dbus_avahi off

Remediation shell script:

    var_httpd_dbus_avahi=""
    setsebool -P httpd_dbus_avahi $var_httpd_dbus_avahi

Remediation Ansible snippet:

    - name: XCCDF Value var_httpd_dbus_avahi # promote to variable
      set_fact:
        var_httpd_dbus_avahi: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_dbus_avahi
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_dbus_avahi accordingly
      seboolean:
        name: httpd_dbus_avahi
        state: "{{ var_httpd_dbus_avahi }}"
        persistent: yes
      tags:
        - sebool_httpd_dbus_avahi
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the exim_read_user_files SELinux Boolean

By default, the SELinux boolean exim_read_user_files is disabled. If this setting is enabled, it should be disabled.
To disable the exim_read_user_files SELinux boolean, run the following command:

    $ sudo setsebool -P exim_read_user_files off

Remediation shell script:

    var_exim_read_user_files=""
    setsebool -P exim_read_user_files $var_exim_read_user_files

Remediation Ansible snippet:

    - name: XCCDF Value var_exim_read_user_files # promote to variable
      set_fact:
        var_exim_read_user_files: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_exim_read_user_files
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean exim_read_user_files accordingly
      seboolean:
        name: exim_read_user_files
        state: "{{ var_exim_read_user_files }}"
        persistent: yes
      tags:
        - sebool_exim_read_user_files
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the cvs_read_shadow SELinux Boolean

By default, the SELinux boolean cvs_read_shadow is disabled. If this setting is enabled, it should be disabled.
To disable the cvs_read_shadow SELinux boolean, run the following command:

    $ sudo setsebool -P cvs_read_shadow off

Remediation shell script:

    var_cvs_read_shadow=""
    setsebool -P cvs_read_shadow $var_cvs_read_shadow

Remediation Ansible snippet:

    - name: XCCDF Value var_cvs_read_shadow # promote to variable
      set_fact:
        var_cvs_read_shadow: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_cvs_read_shadow
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean cvs_read_shadow accordingly
      seboolean:
        name: cvs_read_shadow
        state: "{{ var_cvs_read_shadow }}"
        persistent: yes
      tags:
        - sebool_cvs_read_shadow
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the racoon_read_shadow SELinux Boolean

By default, the SELinux boolean racoon_read_shadow is disabled. If this setting is enabled, it should be disabled.
To disable the racoon_read_shadow SELinux boolean, run the following command:

    $ sudo setsebool -P racoon_read_shadow off

Remediation shell script:

    var_racoon_read_shadow=""
    setsebool -P racoon_read_shadow $var_racoon_read_shadow

Remediation Ansible snippet:

    - name: XCCDF Value var_racoon_read_shadow # promote to variable
      set_fact:
        var_racoon_read_shadow: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_racoon_read_shadow
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean racoon_read_shadow accordingly
      seboolean:
        name: racoon_read_shadow
        state: "{{ var_racoon_read_shadow }}"
        persistent: yes
      tags:
        - sebool_racoon_read_shadow
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the git_system_enable_homedirs SELinux Boolean

By default, the SELinux boolean git_system_enable_homedirs is disabled. If this setting is enabled, it should be disabled.
To disable the git_system_enable_homedirs SELinux boolean, run the following command:

    $ sudo setsebool -P git_system_enable_homedirs off

Remediation shell script:

    var_git_system_enable_homedirs=""
    setsebool -P git_system_enable_homedirs $var_git_system_enable_homedirs

Remediation Ansible snippet:

    - name: XCCDF Value var_git_system_enable_homedirs # promote to variable
      set_fact:
        var_git_system_enable_homedirs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_git_system_enable_homedirs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean git_system_enable_homedirs accordingly
      seboolean:
        name: git_system_enable_homedirs
        state: "{{ var_git_system_enable_homedirs }}"
        persistent: yes
      tags:
        - sebool_git_system_enable_homedirs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the fips_mode SELinux Boolean

By default, the SELinux boolean fips_mode is enabled. This allows all SELinux domains to execute in fips_mode. If this setting is disabled, it should be enabled.
To enable the fips_mode SELinux boolean, run the following command:

    $ sudo setsebool -P fips_mode on

Identifiers and References: 13, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.13.11, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, SC-13, SC-39, PR.DS-5, CCE-80418-7

Remediation shell script:

    var_fips_mode=""
    setsebool -P fips_mode $var_fips_mode

Remediation Ansible snippet:

    - name: XCCDF Value var_fips_mode # promote to variable
      set_fact:
        var_fips_mode: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_fips_mode
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80418-7
        - NIST-800-53-SC-13
        - NIST-800-53-SC-39
        - NIST-800-171-3.13.11
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean fips_mode accordingly
      seboolean:
        name: fips_mode
        state: "{{ var_fips_mode }}"
        persistent: yes
      tags:
        - sebool_fips_mode
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80418-7
        - NIST-800-53-SC-13
        - NIST-800-53-SC-39
        - NIST-800-171-3.13.11
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the httpd_can_network_connect_cobbler SELinux Boolean

By default, the SELinux boolean httpd_can_network_connect_cobbler is disabled. If this setting is enabled, it should be disabled.
To disable the httpd_can_network_connect_cobbler SELinux boolean, run the following command:

    $ sudo setsebool -P httpd_can_network_connect_cobbler off

Remediation shell script:

    var_httpd_can_network_connect_cobbler=""
    setsebool -P httpd_can_network_connect_cobbler $var_httpd_can_network_connect_cobbler

Remediation Ansible snippet:

    - name: XCCDF Value var_httpd_can_network_connect_cobbler # promote to variable
      set_fact:
        var_httpd_can_network_connect_cobbler: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_httpd_can_network_connect_cobbler
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean httpd_can_network_connect_cobbler accordingly
      seboolean:
        name: httpd_can_network_connect_cobbler
        state: "{{ var_httpd_can_network_connect_cobbler }}"
        persistent: yes
      tags:
        - sebool_httpd_can_network_connect_cobbler
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the polyinstantiation_enabled SELinux Boolean

By default, the SELinux boolean polyinstantiation_enabled is disabled. If this setting is enabled, it should be disabled.
To disable the polyinstantiation_enabled SELinux boolean, run the following command:

    $ sudo setsebool -P polyinstantiation_enabled off

Remediation shell script:

    var_polyinstantiation_enabled=""
    setsebool -P polyinstantiation_enabled $var_polyinstantiation_enabled

Remediation Ansible snippet:

    - name: XCCDF Value var_polyinstantiation_enabled # promote to variable
      set_fact:
        var_polyinstantiation_enabled: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_polyinstantiation_enabled
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean polyinstantiation_enabled accordingly
      seboolean:
        name: polyinstantiation_enabled
        state: "{{ var_polyinstantiation_enabled }}"
        persistent: yes
      tags:
        - sebool_polyinstantiation_enabled
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the icecast_use_any_tcp_ports SELinux Boolean

By default, the SELinux boolean icecast_use_any_tcp_ports is disabled. If this setting is enabled, it should be disabled.
To disable the icecast_use_any_tcp_ports SELinux boolean, run the following command:

    $ sudo setsebool -P icecast_use_any_tcp_ports off

Remediation shell script:

    var_icecast_use_any_tcp_ports=""
    setsebool -P icecast_use_any_tcp_ports $var_icecast_use_any_tcp_ports

Remediation Ansible snippet:

    - name: XCCDF Value var_icecast_use_any_tcp_ports # promote to variable
      set_fact:
        var_icecast_use_any_tcp_ports: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_icecast_use_any_tcp_ports
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean icecast_use_any_tcp_ports accordingly
      seboolean:
        name: icecast_use_any_tcp_ports
        state: "{{ var_icecast_use_any_tcp_ports }}"
        persistent: yes
      tags:
        - sebool_icecast_use_any_tcp_ports
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the selinuxuser_use_ssh_chroot SELinux Boolean

By default, the SELinux boolean selinuxuser_use_ssh_chroot is disabled. If this setting is enabled, it should be disabled.
To disable the selinuxuser_use_ssh_chroot SELinux boolean, run the following command:

    $ sudo setsebool -P selinuxuser_use_ssh_chroot off

Remediation shell script:

    var_selinuxuser_use_ssh_chroot=""
    setsebool -P selinuxuser_use_ssh_chroot $var_selinuxuser_use_ssh_chroot

Remediation Ansible snippet:

    - name: XCCDF Value var_selinuxuser_use_ssh_chroot # promote to variable
      set_fact:
        var_selinuxuser_use_ssh_chroot: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_selinuxuser_use_ssh_chroot
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean selinuxuser_use_ssh_chroot accordingly
      seboolean:
        name: selinuxuser_use_ssh_chroot
        state: "{{ var_selinuxuser_use_ssh_chroot }}"
        persistent: yes
      tags:
        - sebool_selinuxuser_use_ssh_chroot
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the authlogin_nsswitch_use_ldap SELinux Boolean

By default, the SELinux boolean authlogin_nsswitch_use_ldap is disabled. If this setting is enabled, it should be disabled.
To disable the authlogin_nsswitch_use_ldap SELinux boolean, run the following command:

    $ sudo setsebool -P authlogin_nsswitch_use_ldap off

Identifiers and References: 3.7.2, CCE-80425-2

Remediation shell script:

    var_authlogin_nsswitch_use_ldap=""
    setsebool -P authlogin_nsswitch_use_ldap $var_authlogin_nsswitch_use_ldap

Remediation Ansible snippet:

    - name: XCCDF Value var_authlogin_nsswitch_use_ldap # promote to variable
      set_fact:
        var_authlogin_nsswitch_use_ldap: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_authlogin_nsswitch_use_ldap
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80425-2
        - NIST-800-171-3.7.2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean authlogin_nsswitch_use_ldap accordingly
      seboolean:
        name: authlogin_nsswitch_use_ldap
        state: "{{ var_authlogin_nsswitch_use_ldap }}"
        persistent: yes
      tags:
        - sebool_authlogin_nsswitch_use_ldap
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80425-2
        - NIST-800-171-3.7.2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the virt_sandbox_use_mknod SELinux Boolean

By default, the SELinux boolean virt_sandbox_use_mknod is disabled. If this setting is enabled, it should be disabled.
To disable the virt_sandbox_use_mknod SELinux boolean, run the following command:

    $ sudo setsebool -P virt_sandbox_use_mknod off

Remediation shell script:

    var_virt_sandbox_use_mknod=""
    setsebool -P virt_sandbox_use_mknod $var_virt_sandbox_use_mknod

Remediation Ansible snippet:

    - name: XCCDF Value var_virt_sandbox_use_mknod # promote to variable
      set_fact:
        var_virt_sandbox_use_mknod: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_virt_sandbox_use_mknod
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean virt_sandbox_use_mknod accordingly
      seboolean:
        name: virt_sandbox_use_mknod
        state: "{{ var_virt_sandbox_use_mknod }}"
        persistent: yes
      tags:
        - sebool_virt_sandbox_use_mknod
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the selinuxuser_ping SELinux Boolean

By default, the SELinux boolean selinuxuser_ping is enabled. If this setting is disabled, it should be enabled as it allows confined users to use ping and traceroute, which is helpful for network troubleshooting.
To enable the selinuxuser_ping SELinux boolean, run the following command:

    $ sudo setsebool -P selinuxuser_ping on

Remediation shell script:

    var_selinuxuser_ping=""
    setsebool -P selinuxuser_ping $var_selinuxuser_ping

Remediation Ansible snippet:

    - name: XCCDF Value var_selinuxuser_ping # promote to variable
      set_fact:
        var_selinuxuser_ping: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_selinuxuser_ping
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean selinuxuser_ping accordingly
      seboolean:
        name: selinuxuser_ping
        state: "{{ var_selinuxuser_ping }}"
        persistent: yes
      tags:
        - sebool_selinuxuser_ping
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the logging_syslogd_run_nagios_plugins SELinux Boolean

By default, the SELinux boolean logging_syslogd_run_nagios_plugins is disabled. If this setting is enabled, it should be disabled.
To disable the logging_syslogd_run_nagios_plugins SELinux boolean, run the following command:

    $ sudo setsebool -P logging_syslogd_run_nagios_plugins off

Remediation shell script:

    var_logging_syslogd_run_nagios_plugins=""
    setsebool -P logging_syslogd_run_nagios_plugins $var_logging_syslogd_run_nagios_plugins

Remediation Ansible snippet:

    - name: XCCDF Value var_logging_syslogd_run_nagios_plugins # promote to variable
      set_fact:
        var_logging_syslogd_run_nagios_plugins: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_logging_syslogd_run_nagios_plugins
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean logging_syslogd_run_nagios_plugins accordingly
      seboolean:
        name: logging_syslogd_run_nagios_plugins
        state: "{{ var_logging_syslogd_run_nagios_plugins }}"
        persistent: yes
      tags:
        - sebool_logging_syslogd_run_nagios_plugins
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the mpd_enable_homedirs SELinux Boolean

By default, the SELinux boolean mpd_enable_homedirs is disabled. If this setting is enabled, it should be disabled.
To disable the mpd_enable_homedirs SELinux boolean, run the following command:

    $ sudo setsebool -P mpd_enable_homedirs off

Remediation shell script:

    var_mpd_enable_homedirs=""
    setsebool -P mpd_enable_homedirs $var_mpd_enable_homedirs

Remediation Ansible snippet:

    - name: XCCDF Value var_mpd_enable_homedirs # promote to variable
      set_fact:
        var_mpd_enable_homedirs: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_mpd_enable_homedirs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean mpd_enable_homedirs accordingly
      seboolean:
        name: mpd_enable_homedirs
        state: "{{ var_mpd_enable_homedirs }}"
        persistent: yes
      tags:
        - sebool_mpd_enable_homedirs
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the ftpd_use_passive_mode SELinux Boolean

By default, the SELinux boolean ftpd_use_passive_mode is disabled. If this setting is enabled, it should be disabled.
To disable the ftpd_use_passive_mode SELinux boolean, run the following command:

    $ sudo setsebool -P ftpd_use_passive_mode off

Remediation shell script:

    var_ftpd_use_passive_mode=""
    setsebool -P ftpd_use_passive_mode $var_ftpd_use_passive_mode

Remediation Ansible snippet:

    - name: XCCDF Value var_ftpd_use_passive_mode # promote to variable
      set_fact:
        var_ftpd_use_passive_mode: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_ftpd_use_passive_mode
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean ftpd_use_passive_mode accordingly
      seboolean:
        name: ftpd_use_passive_mode
        state: "{{ var_ftpd_use_passive_mode }}"
        persistent: yes
      tags:
        - sebool_ftpd_use_passive_mode
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable the secadm_exec_content SELinux Boolean

By default, the SELinux boolean secadm_exec_content is enabled. If this setting is disabled, it should be enabled.
To enable the secadm_exec_content SELinux boolean, run the following command:

    $ sudo setsebool -P secadm_exec_content on

Remediation shell script:

    var_secadm_exec_content=""
    setsebool -P secadm_exec_content $var_secadm_exec_content

Remediation Ansible snippet:

    - name: XCCDF Value var_secadm_exec_content # promote to variable
      set_fact:
        var_secadm_exec_content: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_secadm_exec_content
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean secadm_exec_content accordingly
      seboolean:
        name: secadm_exec_content
        state: "{{ var_secadm_exec_content }}"
        persistent: yes
      tags:
        - sebool_secadm_exec_content
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the postgresql_selinux_transmit_client_label SELinux Boolean

By default, the SELinux boolean postgresql_selinux_transmit_client_label is disabled. If this setting is enabled, it should be disabled.
To disable the postgresql_selinux_transmit_client_label SELinux boolean, run the following command:

    $ sudo setsebool -P postgresql_selinux_transmit_client_label off

Remediation shell script:

    var_postgresql_selinux_transmit_client_label=""
    setsebool -P postgresql_selinux_transmit_client_label $var_postgresql_selinux_transmit_client_label

Remediation Ansible snippet:

    - name: XCCDF Value var_postgresql_selinux_transmit_client_label # promote to variable
      set_fact:
        var_postgresql_selinux_transmit_client_label: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_postgresql_selinux_transmit_client_label
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean postgresql_selinux_transmit_client_label accordingly
      seboolean:
        name: postgresql_selinux_transmit_client_label
        state: "{{ var_postgresql_selinux_transmit_client_label }}"
        persistent: yes
      tags:
        - sebool_postgresql_selinux_transmit_client_label
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the git_session_users SELinux Boolean

By default, the SELinux boolean git_session_users is disabled. If this setting is enabled, it should be disabled.
To disable the git_session_users SELinux boolean, run the following command:

    $ sudo setsebool -P git_session_users off

Remediation shell script:

    var_git_session_users=""
    setsebool -P git_session_users $var_git_session_users

Remediation Ansible snippet:

    - name: XCCDF Value var_git_session_users # promote to variable
      set_fact:
        var_git_session_users: !!str
      tags:
        - always

    - name: Ensure libsemanage-python installed
      package:
        name: libsemanage-python
        state: latest
      tags:
        - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
        - sebool_git_session_users
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Set SELinux boolean git_session_users accordingly
      seboolean:
        name: git_session_users
        state: "{{ var_git_session_users }}"
        persistent: yes
      tags:
        - sebool_git_session_users
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Uninstall mcstrans Package

The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf. The mcstrans package can be removed with the following command:

    $ sudo yum erase mcstrans

Identifiers and References: 1.6.1.5

Rationale: Since this service is not used very often, disable it to reduce the amount of potentially vulnerable code running on the system. NOTE: This rule was added in support of the CIS RHEL6 v1.2.0 benchmark. Please note that Red Hat does not feel this rule is security relevant.
Identifiers and References: CCE-80445-0

Remediation Shell script:
  package_remove mcstrans

Remediation Ansible snippet:
  - name: Ensure mcstrans is removed
    package:
      name: mcstrans
      state: absent
    tags:
      - package_mcstrans_removed
      - unknown_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80445-0
    when:  # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Remediation Puppet snippet:
  include remove_mcstrans
  class remove_mcstrans {
    package { 'mcstrans':
      ensure => 'purged',
    }
  }

Remediation Anaconda snippet:
  package --remove=mcstrans

Ensure SELinux Not Disabled in /etc/default/grub

Description: SELinux can be disabled at boot time by an argument in /etc/default/grub. Remove any instances of selinux=0 from the kernel arguments in that file to prevent SELinux from being disabled at boot. The argument enforcing=0 likewise boots the system in permissive mode and is removed by the shell remediation below. Changes to /etc/default/grub only reach the boot entries after the GRUB configuration is regenerated with grub2-mkconfig, which is why the shell remediation also edits the generated /etc/grub2.cfg directly.

Identifiers and References: 1.6.1.1 1 11 12 13 14 15 16 18 3 4 5 6 8 9 APO01.06 APO11.04 APO13.01 BAI03.05 DSS01.05 DSS03.01 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.03 DSS06.06 MEA02.01 3.1.2 3.7.2 CCI-000022 CCI-000032 164.308(a)(1)(ii)(D) 164.308(a)(3) 164.308(a)(4) 164.310(b) 164.310(c) 164.312(a) 164.312(e) 4.2.3.4 4.3.3.2.2 4.3.3.3.9 4.3.3.4 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 4.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-3 AC-3(3) AC-3(4) AC-4 AC-6 AU-9 SI-6(a) DE.AE-1 ID.AM-3 PR.AC-4 PR.AC-5 PR.AC-6 PR.DS-5 PR.PT-1 PR.PT-3 PR.PT-4

Rationale: Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.

Identifiers and References: CCE-26961-3

Remediation Shell script:
  sed -i --follow-symlinks "s/selinux=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/*
  sed -i --follow-symlinks "s/enforcing=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/*

Remediation Ansible snippet:
  - name: Ensure SELinux Not Disabled in /etc/default/grub
    replace:
      dest: /etc/default/grub
      regexp: selinux=0
    tags:
      - grub2_enable_selinux
      - medium_severity
      - restrict_strategy
      - low_complexity
      - low_disruption
      - CCE-26961-3
      - NIST-800-53-AC-3
      - NIST-800-53-AC-3(3)
      - NIST-800-53-AC-3(4)
      - NIST-800-53-AC-4
      - NIST-800-53-AC-6
      - NIST-800-53-AU-9
      - NIST-800-53-SI-6(a)
      - NIST-800-171-3.1.2
      - NIST-800-171-3.7.2
    when:  # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Configure SELinux Policy

Description: The SELinux targeted policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in /etc/selinux/config:
  SELINUXTYPE=
Other policies, such as mls, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases. Switching between policy types requires a full filesystem relabel (for example by creating /.autorelabel before rebooting), because the two policies assign different labels.
Identifiers and References: RHEL-07-020220 SV-86615r4_rule 1.6.1.3 1 11 12 13 14 15 16 18 3 4 5 6 8 9 APO01.06 APO11.04 APO13.01 BAI03.05 DSS01.05 DSS03.01 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.03 DSS06.06 MEA02.01 3.1.2 3.7.2 CCI-002696 164.308(a)(1)(ii)(D) 164.308(a)(3) 164.308(a)(4) 164.310(b) 164.310(c) 164.312(a) 164.312(e) 4.2.3.4 4.3.3.2.2 4.3.3.3.9 4.3.3.4 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 4.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-3 AC-3(3) AC-3(4) AC-4 AC-6 AU-9 SI-6(a) DE.AE-1 ID.AM-3 PR.AC-4 PR.AC-5 PR.AC-6 PR.DS-5 PR.PT-1 PR.PT-3 PR.PT-4 SRG-OS-000445-GPOS-00199

Rationale: Setting the SELinux policy to targeted or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.

Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in permissive mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to .

Identifiers and References: CCE-27279-9

Remediation Shell script (on Red Hat Enterprise Linux 7, /etc/sysconfig/selinux is a symbolic link to /etc/selinux/config, so both paths edit the same file):
  var_selinux_policy_name=""
  replace_or_append '/etc/sysconfig/selinux' '^SELINUXTYPE=' $var_selinux_policy_name 'CCE-27279-9' '%s=%s'

Remediation Ansible snippet:
  - name: XCCDF Value var_selinux_policy_name # promote to variable
    set_fact:
      var_selinux_policy_name: !!str
    tags:
      - always

  - name: "Configure SELinux Policy"
    lineinfile:
      path: /etc/sysconfig/selinux
      regexp: '^SELINUXTYPE='
      line: "SELINUXTYPE={{ var_selinux_policy_name }}"
      create: yes
    tags:
      - selinux_policytype
      - high_severity
      - restrict_strategy
      - low_complexity
      - low_disruption
      - CCE-27279-9
      - NIST-800-53-AC-3
      - NIST-800-53-AC-3(3)
      - NIST-800-53-AC-3(4)
      - NIST-800-53-AC-4
      - NIST-800-53-AC-6
      - NIST-800-53-AU-9
      - NIST-800-53-SI-6(a)
      - NIST-800-171-3.1.2
      - NIST-800-171-3.7.2
      - DISA-STIG-RHEL-07-020220
    when:  # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Uninstall setroubleshoot Package

Description: The SETroubleshoot service notifies desktop users of SELinux denials. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. The setroubleshoot package can be removed with the following command:
  $ sudo yum erase setroubleshoot

Identifiers and References: 1.6.1.4

Rationale: The SETroubleshoot service is an unnecessary daemon to have running on a server.

Identifiers and References: CCE-80444-3

Remediation Shell script:
  package_remove setroubleshoot

Remediation Ansible snippet:
  - name: Ensure setroubleshoot is removed
    package:
      name: setroubleshoot
      state: absent
    tags:
      - package_setroubleshoot_removed
      - unknown_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - CCE-80444-3
    when:  # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Remediation Puppet snippet:
  include remove_setroubleshoot
  class remove_setroubleshoot {
    package { 'setroubleshoot':
      ensure => 'purged',
    }
  }

Remediation Anaconda snippet:
  package --remove=setroubleshoot

Ensure No Daemons are Unconfined by SELinux

Description: Daemons for which the SELinux policy does not contain rules will inherit the context of the parent process.
Because daemons are launched during startup and descend from the init process, they inherit the initrc_t context. To check for unconfined daemons, run the following command:
  $ sudo ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
It should produce no output in a well-configured system. Automatic remediation of this control is not available. Remediation can be achieved by amending SELinux policy or stopping the unconfined daemons as outlined above.

Identifiers and References: 1.6.1.6 1 11 12 13 14 15 16 18 3 5 6 9 APO01.06 APO11.04 BAI03.05 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.06 MEA02.01 3.1.2 3.1.5 3.7.2 164.308(a)(1)(ii)(D) 164.308(a)(3) 164.308(a)(4) 164.310(b) 164.310(c) 164.312(a) 164.312(e) 4.3.3.3.9 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 2.8 SR 2.9 SR 5.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.5.1 A.12.6.2 A.12.7.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 AU-9 CM-7 SC-39 PR.AC-4 PR.DS-5 PR.IP-1 PR.PT-1 PR.PT-3

Rationale: Daemons which run with the initrc_t context may cause AVC denials, or allow privileges that the daemon does not require.

Identifiers and References: CCE-27288-0

Ensure No Device Files are Unlabeled by SELinux

Description: Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. The type device_t is the generic label a device node receives when policy has no specific type for it, so any device file carrying device_t is a gap in the policy: report the bug so that policy can be corrected, and supply information about what the device is and what programs use it. To check for such device files, run the following command (quote the pattern so the shell does not expand it as a glob):
  $ sudo find /dev -context '*:device_t:*' \( -type c -o -type b \) -printf "%p %Z\n"
It should produce no output in a well-configured system. Automatic remediation of this control is not available. The remediation can be achieved by amending SELinux policy.

Identifiers and References: RHEL-07-020900 SV-86663r2_rule 1 11 12 13 14 15 16 18 2 3 5 6 7 8 9 APO01.06 APO11.04 BAI01.06 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.06 MEA02.01 3.1.2 3.1.5 3.7.2 CCI-000022 CCI-000032 CCI-000368 CCI-000318 CCI-001812 CCI-001813 CCI-001814 4.3.3.3.9 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 2.8 SR 2.9 SR 5.2 SR 6.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.5.1 A.12.6.2 A.12.7.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.14.2.7 A.15.2.1 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 AU-9 CM-3(f) CM-7 DE.CM-1 DE.CM-7 PR.AC-4 PR.DS-5 PR.IP-1 PR.IP-3 PR.PT-1 PR.PT-3 SRG-OS-000480-GPOS-00227

Rationale: If a device file carries the generic SELinux type device_t, then SELinux cannot properly restrict access to the device file.
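The two manual checks above (initrc_t daemons from ps -eZ, device_t nodes from find) can be reviewed offline from captured command output. The following script is an added example and is not part of the SCAP Security Guide: it parses the output of ps -eZ and of the find command rather than running them, so it can be tried on a host without SELinux; the sample outputs, including the device names /dev/fpga0 and /dev/custom_hsm, are constructed for illustration. Unlike the grep pipeline it compares the type field of the context exactly, so a type such as foo_initrc_exec_t is not reported by accident.

```python
"""Offline review of SELinux labels from captured `ps -eZ` and `find /dev` output.

Added example, not SCAP Security Guide code. Sample outputs below are constructed.
"""
from typing import List, Tuple

# Constructed sample of `ps -eZ` (LABEL PID TTY TIME CMD columns).
PS_SAMPLE = """\
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:02 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023 1021 ?  00:00:00 sshd
system_u:system_r:initrc_t:s0     1187 ?        00:00:00 legacyd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2200 pts/0 00:00:00 bash
system_u:system_r:initrc_t:s0     2301 pts/0    00:00:00 ps
"""

# Constructed sample of `find /dev ... -printf "%p %Z\n"` (device names are hypothetical).
FIND_SAMPLE = """\
/dev/sda system_u:object_r:fixed_disk_device_t:s0
/dev/fpga0 system_u:object_r:device_t:s0
/dev/tty0 system_u:object_r:tty_device_t:s0
/dev/custom_hsm system_u:object_r:device_t:s0
"""

# Commands that belong to the audit pipeline itself, mirroring `egrep -vw "tr|ps|egrep|bash|awk"`.
AUDIT_TOOLS = ("ps", "egrep", "grep", "tr", "awk", "bash")


def parse_context(ctx: str) -> Tuple[str, str, str, str]:
    """Split user:role:type[:level] into its four parts; the MLS level may itself contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {ctx!r}")
    user, role, typ = parts[:3]
    level = parts[3] if len(parts) == 4 else ""
    return user, role, typ, level


def unconfined_daemons(ps_ez_output: str, ignore=AUDIT_TOOLS) -> List[Tuple[int, str]]:
    """Return (pid, command) for every process whose domain is exactly initrc_t."""
    found = []
    for line in ps_ez_output.splitlines():
        fields = line.split(None, 4)          # LABEL PID TTY TIME CMD (CMD may contain spaces)
        if len(fields) < 5 or ":" not in fields[0]:
            continue                          # header line or truncated row
        ctx, pid, _tty, _time, cmd = fields
        if parse_context(ctx)[2] == "initrc_t" and cmd.split()[0] not in ignore:
            found.append((int(pid), cmd))
    return found


def generic_device_files(find_output: str) -> List[str]:
    """Return device paths labelled with the generic device_t type.

    Works on the filtered output of the find command above and on an unfiltered
    `find /dev -printf "%p %Z\n"` listing alike.
    """
    paths = []
    for line in find_output.splitlines():
        if not line.strip():
            continue
        path, ctx = line.rsplit(None, 1)      # the context never contains spaces
        if parse_context(ctx)[2] == "device_t":
            paths.append(path)
    return paths


if __name__ == "__main__":
    for pid, cmd in unconfined_daemons(PS_SAMPLE):
        print(f"unconfined daemon: pid {pid} {cmd}")
    for path in generic_device_files(FIND_SAMPLE):
        print(f"generic device label: {path}")
```

To use it on a real host, feed the script the saved output of `ps -eZ` and of the find command; on a well-configured system both functions return empty lists.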
Identifiers and References: CCE-27326-8

Map System Users To The Appropriate SELinux Role

Description: Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. All administrators must be mapped to the sysadm_u or staff_u SELinux users with the appropriate domains (sysadm_t and staff_t):
  $ sudo semanage login -m -s sysadm_u USER
or
  $ sudo semanage login -m -s staff_u USER
All authorized non-administrative users must be mapped to the user_u SELinux user, which confines them to the user_r role and user_t domain:
  $ sudo semanage login -m -s user_u USER
The -m option modifies an existing login mapping; for a user that has no mapping yet (and is therefore covered by the __default__ entry), use -a instead. Review the result with:
  $ sudo semanage login -l

Identifiers and References: CCI-002235 SRG-OS-000324-GPOS-00125 RHEL-07-020020 SV-86595r2_rule

Rationale: Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.

Identifiers and References: CCE-80543-2

Ensure SELinux State is Enforcing

Description: The SELinux state should be set to at system boot time. In the file /etc/selinux/config, add or correct the following line to configure the system to boot into enforcing mode:
  SELINUX=

Identifiers and References: RHEL-07-020210 SV-86613r3_rule 1.6.1.2 1 11 12 13 14 15 16 18 3 4 5 6 8 9 APO01.06 APO11.04 APO13.01 BAI03.05 DSS01.05 DSS03.01 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.03 DSS06.06 MEA02.01 3.1.2 3.7.2 CCI-002165 CCI-002696 164.308(a)(1)(ii)(D) 164.308(a)(3) 164.308(a)(4) 164.310(b) 164.310(c) 164.312(a) 164.312(e) 4.2.3.4 4.3.3.2.2 4.3.3.3.9 4.3.3.4 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 4.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-3 AC-3(3) AC-3(4) AC-4 AC-6 AU-9 SI-6(a) DE.AE-1 ID.AM-3 PR.AC-4 PR.AC-5 PR.AC-6 PR.DS-5 PR.PT-1 PR.PT-3 PR.PT-4 SRG-OS-000445-GPOS-00199

Rationale: Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.
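The three boot-time SELinux settings above (SELINUX= and SELINUXTYPE= in /etc/selinux/config, and selinux=0 or enforcing=0 on the kernel command line in /etc/default/grub) are usually checked one at a time; the following script evaluates them together from copies of the two files. It is an added example, not SCAP Security Guide code: the parser follows the shell-style KEY=VALUE syntax both files use, the expected values default to the targeted policy in enforcing mode, and the sample file contents are constructed.

```python
"""Audit boot-time SELinux configuration from copies of /etc/selinux/config and /etc/default/grub.

Added example, not SCAP Security Guide code. Sample file contents are constructed.
"""
import re
from typing import Dict, List

SELINUX_STATES = {"enforcing", "permissive", "disabled"}

# Constructed copies of the two files as they might look on a non-compliant host.
SELINUX_CONFIG_BAD = """\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
SELINUX=permissive
SELINUXTYPE=targeted
"""
GRUB_DEFAULT_BAD = """\
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=rhel/root rhgb quiet selinux=0"
GRUB_DISABLE_RECOVERY="true"
"""


def parse_key_values(text: str) -> Dict[str, str]:
    """Parse shell-style KEY=VALUE lines; '#' starts a comment, surrounding quotes are dropped."""
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        out[key.strip()] = value.strip().strip('"').strip("'")
    return out


def kernel_cmdline_args(grub_defaults: str) -> List[str]:
    """Collect the arguments grub2-mkconfig would place on every kernel command line."""
    kv = parse_key_values(grub_defaults)
    args: List[str] = []
    for key in ("GRUB_CMDLINE_LINUX", "GRUB_CMDLINE_LINUX_DEFAULT"):
        args.extend(kv.get(key, "").split())
    return args


def audit_selinux_boot(selinux_config: str, grub_defaults: str,
                       expected_state: str = "enforcing",
                       expected_policy: str = "targeted") -> List[str]:
    """Return human-readable findings; an empty list means the boot configuration is compliant."""
    findings: List[str] = []
    cfg = parse_key_values(selinux_config)

    state = cfg.get("SELINUX")
    if state not in SELINUX_STATES:
        findings.append(f"SELINUX is missing or invalid: {state!r}")
    elif state != expected_state:
        findings.append(f"SELINUX={state}, expected {expected_state}")

    policy = cfg.get("SELINUXTYPE")
    if policy != expected_policy:
        findings.append(f"SELINUXTYPE={policy!r}, expected {expected_policy}")

    # Kernel arguments override the config file, so a compliant file is not enough on its own.
    for arg in kernel_cmdline_args(grub_defaults):
        if re.fullmatch(r"selinux=0", arg, re.IGNORECASE):
            findings.append(f"kernel argument {arg} disables SELinux")
        elif re.fullmatch(r"enforcing=0", arg, re.IGNORECASE):
            findings.append(f"kernel argument {arg} boots SELinux permissive")
    return findings


if __name__ == "__main__":
    for finding in audit_selinux_boot(SELINUX_CONFIG_BAD, GRUB_DEFAULT_BAD):
        print("FAIL:", finding)
```

Because /etc/default/grub is only an input to grub2-mkconfig, the generated /etc/grub2.cfg (or the UEFI equivalent) and the running kernel's /proc/cmdline should be compared against the same list of findings after remediation.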
Identifiers and References: CCE-27334-2

Remediation Shell script (fixfiles -f relabel forces a full filesystem relabel, which can take a long time on large filesystems; fixfiles onboot schedules the same relabel for the next boot instead):
  var_selinux_state=""
  replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state 'CCE-27334-2' '%s=%s'
  fixfiles onboot
  fixfiles -f relabel

Remediation Ansible snippet:
  - name: XCCDF Value var_selinux_state # promote to variable
    set_fact:
      var_selinux_state: !!str
    tags:
      - always

  - name: "Ensure SELinux State is Enforcing"
    lineinfile:
      path: /etc/sysconfig/selinux
      regexp: '^SELINUX='
      line: "SELINUX={{ var_selinux_state }}"
      create: yes
    tags:
      - selinux_state
      - high_severity
      - restrict_strategy
      - low_complexity
      - low_disruption
      - CCE-27334-2
      - NIST-800-53-AC-3
      - NIST-800-53-AC-3(3)
      - NIST-800-53-AC-3(4)
      - NIST-800-53-AC-4
      - NIST-800-53-AC-6
      - NIST-800-53-AU-9
      - NIST-800-53-SI-6(a)
      - NIST-800-171-3.1.2
      - NIST-800-171-3.7.2
      - DISA-STIG-RHEL-07-020210
    when:  # Bare-metal/VM task, not applicable for containers
      - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Set Enterprise Application to travel mode

Description: Configure the Enterprise Application to travel mode. Travel mode optimizes the application to work outside the intranet and enables extra security features.

Remediation Shell script:
  mkdir -p /etc/enterprise_app
  echo "mode travel" > /etc/enterprise_app/app.conf

Remediation Ansible snippet:
  - name: "Set Enterprise Application to travel mode"
    lineinfile:
      dest: /etc/enterprise_app/app.conf
      state: present
      line: "mode travel"
      create: yes
    tags:
      - enterprise_app_mode_travel
      - medium_severity

Set Password Minimum Length in login.defs

Description: To specify password length requirements for new accounts, edit the file /etc/login.defs and add or correct the following line:
  PASS_MIN_LEN
The DoD requirement is 15. The FISMA requirement is 12. The profile requirement is . If a program consults /etc/login.defs and also another PAM module (such as pam_pwquality) during a password change operation, then the most restrictive must be satisfied. On Red Hat Enterprise Linux 7 the passwd command enforces length through pam_pwquality's minlen setting, so set both values consistently. See PAM section for more information about enforcing password quality requirements.
Identifiers and References: 1 12 15 16 5 5.6.2.1 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.5.7 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(f) IA-5(1)(a) PR.AC-1 PR.AC-6 PR.AC-7 FMT_MOF_EXT.1

Rationale: Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result.

Identifiers and References: CCE-27123-9

Remediation Shell script:
  declare var_accounts_password_minlen_login_defs
  var_accounts_password_minlen_login_defs=""
  grep -q ^PASS_MIN_LEN /etc/login.defs && \
    sed -i "s/PASS_MIN_LEN.*/PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs/g" /etc/login.defs
  if ! [ $? -eq 0 ]
  then
      echo -e "PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs" >> /etc/login.defs
  fi

Remediation Ansible snippet:
  - name: XCCDF Value var_accounts_password_minlen_login_defs # promote to variable
    set_fact:
      var_accounts_password_minlen_login_defs: !!str
    tags:
      - always

  - name: "Set Password Minimum Length in login.defs"
    lineinfile:
      dest: /etc/login.defs
      regexp: "^PASS_MIN_LEN *[0-9]*"
      state: present
      line: "PASS_MIN_LEN {{ var_accounts_password_minlen_login_defs }}"
    tags:
      - accounts_password_minlen_login_defs
      - medium_severity
      - restrict_strategy
      - low_complexity
      - low_disruption
      - CCE-27123-9
      - NIST-800-53-IA-5(f)
      - NIST-800-53-IA-5(1)(a)
      - NIST-800-171-3.5.7
      - CJIS-5.6.2.1

Set Password Warning Age

Description: To specify how many days prior to password expiration that a warning will be issued to users, edit the file /etc/login.defs and add or correct the following line:
  PASS_WARN_AGE
The DoD requirement is 7. The profile requirement is .

Identifiers and References: 1 12 13 14 15 16 18 3 5 7 8 DSS01.03 DSS03.05 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.5.8 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 6.2 A.12.4.1 A.12.4.3 A.18.1.4 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(2) IA-5(f) DE.CM-1 DE.CM-3 PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7

Rationale: Setting the password warning age enables users to make the change at a practical time.

Identifiers and References: CCE-26486-1

Remediation Shell script:
  var_accounts_password_warn_age_login_defs=""
  grep -q ^PASS_WARN_AGE /etc/login.defs && \
    sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE $var_accounts_password_warn_age_login_defs/g" /etc/login.defs
  if ! [ $? -eq 0 ]; then
      echo "PASS_WARN_AGE $var_accounts_password_warn_age_login_defs" >> /etc/login.defs
  fi

Remediation Ansible snippet:
  - name: XCCDF Value var_accounts_password_warn_age_login_defs # promote to variable
    set_fact:
      var_accounts_password_warn_age_login_defs: !!str
    tags:
      - always

  - name: "Set Password Warning Age"
    lineinfile:
      dest: /etc/login.defs
      regexp: "^PASS_WARN_AGE *[0-9]*"
      state: present
      line: "PASS_WARN_AGE {{ var_accounts_password_warn_age_login_defs }}"
    tags:
      - accounts_password_warn_age_login_defs
      - medium_severity
      - restrict_strategy
      - low_complexity
      - low_disruption
      - CCE-26486-1
      - NIST-800-53-AC-2(2)
      - NIST-800-53-IA-5(f)
      - NIST-800-171-3.5.8

Set Password Minimum Age

Description: To specify password minimum age for new accounts, edit the file /etc/login.defs and add or correct the following line:
  PASS_MIN_DAYS
A value of 1 day is considered sufficient for many environments. The DoD requirement is 1. The profile requirement is .
Identifiers and References: RHEL-07-010230 SV-86549r2_rule 1 12 15 16 5 5.6.2.1.1 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.5.8 CCI-000198 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(f) IA-5(1)(d) PR.AC-1 PR.AC-6 PR.AC-7 SRG-OS-000075-GPOS-00043

Rationale: Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.

Identifiers and References: CCE-27002-5

Remediation Shell script:
  var_accounts_minimum_age_login_defs=""
  grep -q ^PASS_MIN_DAYS /etc/login.defs && \
    sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS $var_accounts_minimum_age_login_defs/g" /etc/login.defs
  if ! [ $? -eq 0 ]; then
      echo "PASS_MIN_DAYS $var_accounts_minimum_age_login_defs" >> /etc/login.defs
  fi

Remediation Ansible snippet:
  - name: XCCDF Value var_accounts_minimum_age_login_defs # promote to variable
    set_fact:
      var_accounts_minimum_age_login_defs: !!str
    tags:
      - always

  - name: Set Password Minimum Age
    lineinfile:
      create: yes
      dest: /etc/login.defs
      regexp: ^#?PASS_MIN_DAYS
      line: "PASS_MIN_DAYS {{ var_accounts_minimum_age_login_defs }}"
    tags:
      - accounts_minimum_age_login_defs
      - medium_severity
      - restrict_strategy
      - low_complexity
      - low_disruption
      - CCE-27002-5
      - NIST-800-53-IA-5(f)
      - NIST-800-53-IA-5(1)(d)
      - NIST-800-171-3.5.8
      - CJIS-5.6.2.1.1
      - DISA-STIG-RHEL-07-010230

Set Existing Passwords Minimum Age

Description: Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command:
  $ sudo chage -m 1 USER

Identifiers and References: CCI-000198 SRG-OS-000075-GPOS-00043 RHEL-07-010240 SV-86551r2_rule

Rationale: Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

Identifiers and References: CCE-80521-8

Set Existing Passwords Maximum Age

Description: Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction by running the following command:
  $ sudo chage -M 60 USER

Identifiers and References: CCI-000199 SRG-OS-000076-GPOS-00044 RHEL-07-010260 SV-86555r3_rule

Rationale: Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.
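The login.defs rules above (PASS_MIN_LEN, PASS_WARN_AGE, PASS_MIN_DAYS) each edit the same file with a grep/sed/echo sequence. The following script is an added example, not SCAP Security Guide code, that does the same job in one place: it parses /etc/login.defs, compares the directives with a policy (the DoD values the page quotes, plus the 60-day maximum from the chage rule), rewrites only the active directive line (the sed pattern "PASS_MIN_LEN.*" would also rewrite any comment line that mentions the directive), and combines PASS_MIN_LEN with pam_pwquality's minlen under the page's "most restrictive must be satisfied" rule, which this code takes to mean the larger of the two. The sample login.defs and pwquality.conf contents are constructed.

```python
"""Check and set the password-aging directives of /etc/login.defs.

Added example, not SCAP Security Guide code. Sample file contents are constructed.
"""
import re
from typing import Dict, List, Optional

# Requirements quoted on the page: DoD minimum length 15, warning 7 days,
# minimum age 1 day; 60-day maximum age from the chage rule.
DOD_POLICY = {"PASS_MIN_LEN": 15, "PASS_WARN_AGE": 7, "PASS_MIN_DAYS": 1, "PASS_MAX_DAYS": 60}
UPPER_BOUNDS = {"PASS_MAX_DAYS"}   # every other directive is a lower bound

LOGIN_DEFS_SAMPLE = """\
# Password aging controls:
#\tPASS_MAX_DAYS\tMaximum number of days a password may be used.
#\tPASS_MIN_LEN\tMinimum acceptable password length.
PASS_MAX_DAYS\t99999
PASS_MIN_DAYS\t0
PASS_MIN_LEN\t5
PASS_WARN_AGE\t7
UID_MIN                  1000
"""
PWQUALITY_SAMPLE = "# minlen = 8\nminlen = 15\n"


def parse_login_defs(text: str) -> Dict[str, str]:
    """Parse whitespace-separated NAME VALUE lines; '#' starts a comment."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        values[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    return values


def set_login_def(text: str, name: str, value) -> str:
    """Idempotently set NAME VALUE: rewrite the active line at column 0, else append one."""
    pattern = re.compile(rf"^{re.escape(name)}(?:[ \t].*)?$", re.MULTILINE)
    new_line = f"{name}\t{value}"
    if pattern.search(text):
        return pattern.sub(lambda _m: new_line, text, count=1)
    if text and not text.endswith("\n"):
        text += "\n"
    return text + new_line + "\n"


def pwquality_minlen(pwquality_conf: str) -> Optional[int]:
    """Return minlen from /etc/security/pwquality.conf, or None if not set."""
    for raw in pwquality_conf.splitlines():
        m = re.fullmatch(r"minlen\s*=\s*(\d+)", raw.split("#", 1)[0].strip())
        if m:
            return int(m.group(1))
    return None


def effective_min_length(login_defs: str, pwquality_conf: str) -> int:
    """Most restrictive of PASS_MIN_LEN and pam_pwquality minlen (assumed: the larger wins)."""
    raw = parse_login_defs(login_defs).get("PASS_MIN_LEN", "")
    candidates = [int(raw) if raw.isdigit() else 0]
    minlen = pwquality_minlen(pwquality_conf)
    if minlen is not None:
        candidates.append(minlen)
    return max(candidates)


def login_defs_findings(text: str, policy: Dict[str, int] = DOD_POLICY) -> List[str]:
    """Compare each directive with the policy; an empty list means compliant."""
    defs = parse_login_defs(text)
    findings: List[str] = []
    for name, required in policy.items():
        raw = defs.get(name)
        if raw is None or not raw.isdigit():
            findings.append(f"{name} is not set")
            continue
        value = int(raw)
        ok = value <= required if name in UPPER_BOUNDS else value >= required
        if not ok:
            findings.append(f"{name}={value} violates requirement {required}")
    return findings


def remediate(text: str, policy: Dict[str, int] = DOD_POLICY) -> str:
    """Return login.defs content with every policy directive set."""
    for name, value in policy.items():
        text = set_login_def(text, name, value)
    return text


if __name__ == "__main__":
    for finding in login_defs_findings(LOGIN_DEFS_SAMPLE):
        print("FAIL:", finding)
    print("effective minimum length:", effective_min_length(LOGIN_DEFS_SAMPLE, PWQUALITY_SAMPLE))
```

Note that login.defs only governs accounts created afterwards by useradd; existing accounts keep their own aging fields in /etc/shadow, which is why the chage rules above exist.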
Identifiers and References: CCE-80522-6

Restrict Serial Port Root Logins

Description: To restrict root logins on serial ports, ensure lines of this form do not appear in /etc/securetty:
  ttyS0
  ttyS1

Identifiers and References: 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.1.1 3.1.5 CCI-000770 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6(2) IA-2 PR.AC-4 PR.DS-5

Rationale: Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account.

Identifiers and References: CCE-27268-2

Remediation Shell script:
  sed -i '/ttyS/d' /etc/securetty

Remediation Ansible snippet:
  - name: "Restrict Serial Port Root Logins"
    lineinfile:
      dest: /etc/securetty
      regexp: 'ttyS[0-9]'
      state: absent
    tags:
      - restrict_serial_port_logins
      - medium_severity
      - restrict_strategy
      - low_complexity
      - low_disruption
      - CCE-27268-2
      - NIST-800-53-AC-6(2)
      - NIST-800-53-IA-2
      - NIST-800-171-3.1.1
      - NIST-800-171-3.1.5

Root Path Must Be Vendor Default

Description: Assuming root's shell is bash, edit the following files:
  ~/.profile
  ~/.bashrc
Change any PATH variables to the vendor default for root and remove any empty PATH entries or references to relative paths.

Identifiers and References: 18 APO13.01 BAI03.01 BAI03.02 BAI03.03 4.3.4.3.3 A.14.1.1 A.14.2.1 A.14.2.5 A.6.1.5 SA-8 PR.IP-2

Rationale: The root account's executable search path must be the vendor default, and must contain only absolute paths.

Identifiers and References: CCE-80210-8

Direct root Logins Not Allowed

Description: To further limit access to the root account, administrators can disable root logins at the console by editing the /etc/securetty file. This file lists all devices the root user is allowed to login to. If the file does not exist at all, the root user can login through any communication device on the system, whether via the console or via a raw network interface. This is dangerous, as a user can then login to the system as root via Telnet, which sends the password in plain text over the network. By default, Red Hat Enterprise Linux 7's /etc/securetty file only allows the root user to login at the console physically attached to the system. To prevent direct root logins, empty the file (leaving it in place) with the following command:
  $ echo | sudo tee /etc/securetty
The form "sudo echo > /etc/securetty" does not work, because the redirection is performed by the unprivileged shell before sudo runs.

Identifiers and References: 5.5 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.1.1 3.1.6 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-2 IA-2(1) PR.AC-1 PR.AC-6 PR.AC-7

Rationale: Disabling direct root logins ensures proper accountability and multifactor authentication to privileged accounts. Users will first login, then escalate to privileged (root) access via su / sudo. This is required for FISMA Low and FISMA Moderate systems.

Identifiers and References: CCE-27294-8

Remediation Shell script:
  echo > /etc/securetty

Remediation Ansible snippet:
  - name: Test for existence /etc/securetty
    stat:
      path: /etc/securetty
    register: securetty_empty
    tags:
      - no_direct_root_logins
      - medium_severity
      - restrict_strategy
      - low_complexity
      - low_disruption
      - CCE-27294-8
      - NIST-800-53-IA-2
      - NIST-800-53-IA-2(1)
      - NIST-800-171-3.1.1
      - NIST-800-171-3.1.6

  - name: "Direct root Logins Not Allowed"
    shell: echo > /etc/securetty
    changed_when: securetty_empty.stat.size > 1
    tags:
      - no_direct_root_logins
      - medium_severity
      - restrict_strategy
      - low_complexity
      - low_disruption
      - CCE-27294-8
      - NIST-800-53-IA-2
      - NIST-800-53-IA-2(1)
      - NIST-800-171-3.1.1
      - NIST-800-171-3.1.6

Restrict Web Browser Use for Administrative Accounts

Description: Enforce policy requiring administrative accounts use web browsers only for local service administration.

Rationale: If a browser vulnerability is exploited while running with administrative privileges, the entire system could be compromised. Specific exceptions for local service administration should be documented in site-defined policy.

Identifiers and References: CCE-80209-0

Ensure that System Accounts Are Locked

Description: Some accounts are not associated with a human user of the system, and exist to perform some administrative function. An attacker should not be able to log into these accounts. System accounts are those user accounts with a user ID less than UID_MIN, where the value of the UID_MIN directive is set in the /etc/login.defs configuration file. In the default Red Hat Enterprise Linux 7 configuration UID_MIN is set to 1000, thus system accounts are those user accounts with a user ID less than 1000.
If any system account SYSACCT (other than root) has an unlocked password, disable it with the command:
  $ sudo passwd -l SYSACCT

Identifiers and References: IA-2

Rationale: Disabling authentication for default system accounts makes it more difficult for attackers to make use of them to compromise a system.

Identifiers and References: CCE-80650-5

Restrict Virtual Console Root Logins

Description: To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in /etc/securetty:
  vc/1
  vc/2
  vc/3
  vc/4

Identifiers and References: 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.1.1 3.1.5 CCI-000770 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6(2) IA-2 PR.AC-4 PR.DS-5

Rationale: Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account.

Identifiers and References: CCE-27318-5

Remediation Shell script:
  sed -i '/^vc\//d' /etc/securetty

Remediation Ansible snippet:
  - name: "Restrict Virtual Console Root Logins"
    lineinfile:
      dest: /etc/securetty
      regexp: '^vc'
      state: absent
    tags:
      - securetty_root_login_console_only
      - medium_severity
      - restrict_strategy
      - low_complexity
      - low_disruption
      - CCE-27318-5
      - NIST-800-53-AC-6(2)
      - NIST-800-53-IA-2
      - NIST-800-171-3.1.1
      - NIST-800-171-3.1.5

Ensure that System Accounts Do Not Run a Shell Upon Login

Description: Some accounts are not associated with a human user of the system, and exist to perform some administrative function. Should an attacker be able to log into these accounts, they should not be granted access to a shell. The login shell for each local account is stored in the last field of each line in /etc/passwd. System accounts are those user accounts with a user ID less than UID_MIN, where the value of the UID_MIN directive is set in the /etc/login.defs configuration file. In the default configuration UID_MIN is set to 1000, thus system accounts are those user accounts with a user ID less than 1000. The user ID is stored in the third field. If any system account SYSACCT (other than root) has a login shell, disable it with the command:
  $ sudo usermod -s /sbin/nologin SYSACCT
Do not perform the steps in this section on the root account. Doing so might cause the system to become inaccessible.

Identifiers and References: 5.4.2 1 12 13 14 15 16 18 3 5 7 8 DSS01.03 DSS03.05 DSS05.04 DSS05.05 DSS05.07 DSS06.03 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 6.2 A.12.4.1 A.12.4.3 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2 DE.CM-1 DE.CM-3 PR.AC-1 PR.AC-4 PR.AC-6

Rationale: Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts.

Identifiers and References: CCE-26448-1

Verify Only Root Has UID 0

Description: If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed. If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned.

Identifiers and References: RHEL-07-020310 SV-86629r2_rule 6.2.5 1 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.02 DSS06.03 DSS06.10 3.1.1 3.1.5 CCI-000366 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.18.1.4 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-6 IA-2 IA-2(1) IA-4 PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7 PR.DS-5 SRG-OS-000480-GPOS-00227

Rationale: An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.

Identifiers and References: CCE-27175-9

Remediation Shell script (this only locks the password of each extra UID-0 account; removing the account or changing its UID, as the description requires, is still a manual step; xargs -r avoids running passwd -l with no argument when there is nothing to lock):
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd | xargs -r passwd -l

Use Centralized and Automated Authentication

Description: Implement an automated system for managing user accounts that minimizes the risk of errors, either intentional or deliberate. This system should integrate with an existing enterprise user management system, such as one based on Identity Management tools such as Active Directory, Kerberos, Directory Server, etc.

Rationale: A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. Enterprise environments make user account management challenging and complex. A user management process requiring administrators to manually address account management functions adds risk of potential oversight.
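The account rules above (extra UID-0 accounts, system accounts with a login shell or an unlocked password, and the chage minimum/maximum password ages for existing users) all come down to reading /etc/passwd and /etc/shadow. The following script is an added example, not SCAP Security Guide code, that performs those checks together over copies of the two files; UID_MIN defaults to 1000 as on Red Hat Enterprise Linux 7, and the sample file contents, including the accounts toor, postgres, alice and bob, are constructed. A shadow password field that begins with "!" or "*" is treated as locked, which is what passwd -l produces; an empty field means no password is required and is therefore reported as unlocked.

```python
"""Account audit over copies of /etc/passwd and /etc/shadow.

Added example, not SCAP Security Guide code. Sample file contents are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""
SHADOW_SAMPLE = """\
root:$6$salt$hash1:18000:0:99999:7:::
bin:*:17000:0:99999:7:::
toor:$6$salt$hash2:18000:0:99999:7:::
postgres:!!:17000:0:99999:7:::
nobody:*:17000:0:99999:7:::
alice:$6$salt$hash3:18000:1:60:7:::
bob:$6$salt$hash4:18000:0:99999:7:::
"""


@dataclass
class Account:
    name: str
    uid: int
    shell: str
    pw_hash: str = ""                 # shadow field 2
    min_days: Optional[int] = None    # shadow field 4 (chage -m)
    max_days: Optional[int] = None    # shadow field 5 (chage -M)

    @property
    def password_locked(self) -> bool:
        return self.pw_hash[:1] in ("!", "*")   # '' (no password) is not locked


def parse_passwd(text: str) -> Dict[str, Account]:
    """Build Account objects from passwd lines (name, uid and login shell)."""
    accounts: Dict[str, Account] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
        accounts[name] = Account(name, int(uid), shell)
    return accounts


def merge_shadow(accounts: Dict[str, Account], text: str) -> Dict[str, Account]:
    """Attach the password hash and aging fields from shadow lines."""
    for line in text.splitlines():
        if not line:
            continue
        f = line.split(":")
        acct = accounts.get(f[0])
        if acct is None:
            continue
        acct.pw_hash = f[1]
        acct.min_days = int(f[3]) if f[3] else None
        acct.max_days = int(f[4]) if f[4] else None
    return accounts


def audit_accounts(passwd: str, shadow: str, uid_min: int = 1000,
                   min_age: int = 1, max_age: int = 60) -> List[str]:
    """Return findings in passwd order; an empty list means compliant."""
    findings: List[str] = []
    for a in merge_shadow(parse_passwd(passwd), shadow).values():
        if a.uid == 0 and a.name != "root":
            findings.append(f"{a.name}: UID 0 but not root")
        if a.uid < uid_min and a.name != "root":           # system account checks
            if a.shell not in NOLOGIN_SHELLS:
                findings.append(f"{a.name}: system account with login shell {a.shell}")
            if not a.password_locked:
                findings.append(f"{a.name}: system account password not locked")
        elif a.uid >= uid_min and not a.password_locked:   # human accounts: aging
            if a.min_days is None or a.min_days < min_age:
                findings.append(f"{a.name}: minimum password age below {min_age} (chage -m {min_age})")
            if a.max_days is None or a.max_days > max_age:
                findings.append(f"{a.name}: maximum password age above {max_age} (chage -M {max_age})")
    return findings


if __name__ == "__main__":
    for finding in audit_accounts(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print("FAIL:", finding)
```

Each finding names the corrective command from the rules (usermod -s /sbin/nologin, passwd -l, chage -m / -M); an extra UID-0 account still needs to be removed or renumbered by hand.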
Assign Expiration Date to Temporary Accounts Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts. In the event temporary or emergency accounts are required, configure the system to terminate them after a documented time period. For every temporary and emergency account, run the following command to set an expiration date on it, substituting USER and YYYY-MM-DD appropriately: $ sudo chage -E YYYY-MM-DD USER YYYY-MM-DD indicates the documented expiration date for the account. For U.S. Government systems, the operating system must be configured to automatically terminate these types of accounts after a period of 72 hours. 1 12 13 14 15 16 18 3 5 7 8 DSS01.03 DSS03.05 DSS05.04 DSS05.05 DSS05.07 DSS06.03 CCI-000016 CCI-001682 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 6.2 A.12.4.1 A.12.4.3 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(2) AC-2(3) DE.CM-1 DE.CM-3 PR.AC-1 PR.AC-4 PR.AC-6 SRG-OS-000002-GPOS-00153 If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation. CCE-81000-2 Verify No netrc Files Exist The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP servers making them susceptible to access by unauthorized users and should not be used. Any .netrc files should be removed. 
References: 1 11 12 14 15 16 18 3 5 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.06 DSS06.10 CCI-000196 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 A.18.1.4 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 IA-5(h) AC-3 PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7 PR.PT-3

Rationale: Unencrypted passwords for remote FTP servers may be stored in .netrc files. DoD policy requires passwords be encrypted in storage and not used in access scripts.

Identifiers: CCE-80211-6

Install the screen Package

To enable console screen locking, install the screen package. The screen package can be installed with the following command:

    $ sudo yum install screen

Instruct users to begin new terminal sessions with the following command:

    $ screen

The console can now be locked with the following key combination:

    ctrl+a x

References: RHEL-07-010090 SV-86521r2_rule 1 12 15 16 DSS05.04 DSS05.10 DSS06.10 3.1.10 CCI-000057 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-11(a) PR.AC-7 FMT_MOF_EXT.1 SRG-OS-000029-GPOS-00010

Rationale: A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
The screen package allows for a session lock to be implemented and configured.

Identifiers: CCE-27351-6

Remediation Shell script:

    package_install screen

Remediation Ansible snippet:

    - name: Ensure screen is installed
      package:
        name: screen
        state: present
      tags:
        - package_screen_installed
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-27351-6
        - NIST-800-53-AC-11(a)
        - NIST-800-171-3.1.10
        - DISA-STIG-RHEL-07-010090
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Remediation Puppet snippet:

    include install_screen
    class install_screen {
      package { 'screen':
        ensure => 'installed',
      }
    }

Remediation Anaconda snippet:

    package --add=screen

Install Smart Card Packages For Multifactor Authentication

Configure the operating system to implement multifactor authentication by installing the required packages. The esc, pam_pkcs11 and authconfig-gtk packages can be installed with the following command:

    $ sudo yum install esc pam_pkcs11 authconfig-gtk

References: CCI-001954 SRG-OS-000375-GPOS-00160 RHEL-07-041001 SV-87041r3_rule

Rationale: Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.

Identifiers: CCE-80519-2

Remediation Shell script:

    package_install esc
    package_install pam_pkcs11
    package_install authconfig-gtk

Configure Smart Card Certificate Status Checking

Configure the operating system to do certificate status checking for PKI authentication.
Modify all of the cert_policy lines in /etc/pam_pkcs11/pam_pkcs11.conf to include ocsp_on like so:

    cert_policy = ca, ocsp_on, signature;

References: CCI-001954 SRG-OS-000375-GPOS-00160 RHEL-07-041003 SV-87057r5_rule

Rationale: Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.

Identifiers: CCE-80520-0

Remediation Shell script:

    # Install required packages
    if ! rpm --quiet -q pam_pkcs11; then
        yum -y -d 1 install pam_pkcs11
    fi

    # Rewrite any non-comment cert_policy line that lacks ocsp_on
    if grep "^\s*cert_policy" /etc/pam_pkcs11/pam_pkcs11.conf | grep -qv "ocsp_on"; then
        sed -i "/^\s*#/! s/cert_policy.*/cert_policy = ca, ocsp_on, signature;/g" /etc/pam_pkcs11/pam_pkcs11.conf
    fi

Install the pcsc-lite package

The pcsc-lite package can be installed with the following command:

    $ sudo yum install pcsc-lite

References: CCI-001954 SRG-OS-000375-GPOS-00160 SRG-OS-000377-VMM-001530

Rationale: The pcsc-lite package must be installed if it is to be available for multifactor authentication using smartcards.
Remediation Shell script:

    package_install pcsc-lite

Remediation Ansible snippet:

    - name: Ensure pcsc-lite is installed
      package:
        name: pcsc-lite
        state: present
      tags:
        - package_pcsc-lite_installed
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Remediation Puppet snippet:

    include install_pcsc-lite
    class install_pcsc-lite {
      package { 'pcsc-lite':
        ensure => 'installed',
      }
    }

Remediation Anaconda snippet:

    package --add=pcsc-lite

Enable the pcscd Service

The pcscd service can be enabled with the following command:

    $ sudo systemctl enable pcscd.service

References: CCI-001954 SRG-OS-000375-GPOS-00160 SRG-OS-000377-VMM-001530

Rationale: Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
Identifiers: CCE-80569-7

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" start 'pcscd.service'
    "$SYSTEMCTL_EXEC" enable 'pcscd.service'

Remediation Ansible snippet:

    - name: Enable service pcscd
      service:
        name: pcscd
        enabled: "yes"
        state: "started"
      tags:
        - service_pcscd_enabled
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80569-7
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Install the opensc Package For Multifactor Authentication

The opensc package can be installed with the following command:

    $ sudo yum install opensc

References: CCI-001954 SRG-OS-000376-VMM-001520

Rationale: Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.

Identifiers: CCE-80568-9

Remediation Shell script:

    package_install opensc

Remediation Ansible snippet:

    - name: Ensure opensc is installed
      package:
        name: opensc
        state: present
      tags:
        - package_opensc_installed
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80568-9
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Remediation Puppet snippet:

    include install_opensc
    class install_opensc {
      package { 'opensc':
        ensure => 'installed',
      }
    }

Remediation Anaconda snippet:

    package --add=opensc

Require Authentication for Single User Mode

Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected.
By default, single-user mode is protected by requiring a password and is set in /usr/lib/systemd/system/rescue.service.

References: RHEL-07-010481 SV-92519r2_rule 1.4.3 1 11 12 14 15 16 18 3 5 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.06 DSS06.10 3.1.1 3.4.5 CCI-000213 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 A.18.1.4 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 IA-2 IA-2(1) AC-3 PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7 PR.PT-3 FIA_AFL.1 SRG-OS-000080-GPOS-00048

Rationale: This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.

Identifiers: CCE-27287-2

Remediation Shell script:

    service_file="/usr/lib/systemd/system/rescue.service"
    sulogin="/sbin/sulogin"

    # Point ExecStart at sulogin so a password is required, adding the line if absent
    if grep "^ExecStart=.*" "$service_file" ; then
        sed -i "s%^ExecStart=.*%ExecStart=-$sulogin rescue%" "$service_file"
    else
        echo "ExecStart=-$sulogin rescue" >> "$service_file"
    fi

Disable Ctrl-Alt-Del Burst Action

By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence is pressed more than 7 times in 2 seconds.
To configure the system to ignore the CtrlAltDelBurstAction setting, add or modify the following in /etc/systemd/system.conf:

    CtrlAltDelBurstAction=none

Disabling the Ctrl-Alt-Del key sequence in /etc/init/control-alt-delete.conf DOES NOT disable the Ctrl-Alt-Del key sequence if running in runlevel 6 (e.g. in GNOME, KDE, etc.)! The Ctrl-Alt-Del key sequence will only be disabled if running in the non-graphical runlevel 3.

References: 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.4.5 CCI-000366 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 SRG-OS-000480-GPOS-00227

Rationale: A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.

Identifiers: CCE-80449-2

Remediation Shell script:

    replace_or_append '/etc/systemd/system.conf' '^CtrlAltDelBurstAction=' 'none' 'CCE-80449-2' '%s=%s'

Remediation Ansible snippet:

    - name: Disable Ctrl-Alt-Del Burst Action
      lineinfile:
        dest: /etc/systemd/system.conf
        state: present
        regexp: ^CtrlAltDelBurstAction
        line: "CtrlAltDelBurstAction=none"
      tags:
        - disable_ctrlaltdel_burstaction
        - high_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-80449-2
        - NIST-800-53-AC-6
        - NIST-800-171-3.4.5

Verify that Interactive Boot is Disabled

Red Hat Enterprise Linux 7 systems support an "interactive boot" option that can be used to prevent services from being started.
On a Red Hat Enterprise Linux 7 system, interactive boot can be enabled by providing a 1, yes, true, or on value to the systemd.confirm_spawn kernel argument in /etc/default/grub. Remove any instance of systemd.confirm_spawn=(1|yes|true|on) from the kernel arguments in that file to disable interactive boot. The runtime configuration must be changed as well; to do so, run:

    /sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn"

References: 11 12 14 15 16 18 3 5 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.03 DSS06.06 3.1.2 3.4.5 CCI-000213 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 SC-2 AC-3 PR.AC-4 PR.AC-6 PR.PT-3 FIA_AFL.1

Rationale: Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security.
Identifiers: CCE-27335-9

Remediation Shell script:

    CONFIRM_SPAWN_YES="systemd.confirm_spawn=\(1\|yes\|true\|on\)"
    CONFIRM_SPAWN_NO="systemd.confirm_spawn=no"

    if grep -q "\(GRUB_CMDLINE_LINUX\|GRUB_CMDLINE_LINUX_DEFAULT\)" /etc/default/grub
    then
        sed -i "s/${CONFIRM_SPAWN_YES}/${CONFIRM_SPAWN_NO}/" /etc/default/grub
    fi

    # Remove 'systemd.confirm_spawn' kernel argument also from runtime settings
    /sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn"

Remediation Ansible snippet:

    - name: Verify that Interactive Boot is Disabled in /etc/default/grub
      replace:
        dest: /etc/default/grub
        regexp: systemd.confirm_spawn=(1|yes|true|on)
        replace: systemd.confirm_spawn=no
      tags:
        - grub2_disable_interactive_boot
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27335-9
        - NIST-800-53-SC-2
        - NIST-800-53-AC-3
        - NIST-800-171-3.1.2
        - NIST-800-171-3.4.5
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Verify that Interactive Boot is Disabled (runtime)
      command: /sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn"
      tags:
        - grub2_disable_interactive_boot
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27335-9
        - NIST-800-53-SC-2
        - NIST-800-53-AC-3
        - NIST-800-171-3.1.2
        - NIST-800-171-3.4.5
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Ctrl-Alt-Del Reboot Activation

By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence is pressed. To configure the system to ignore the Ctrl-Alt-Del key sequence from the command line instead of rebooting the system, do either of the following:

    ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target

or

    systemctl mask ctrl-alt-del.target

Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file, as this file may be restored during future system updates.
Disabling the Ctrl-Alt-Del key sequence in /etc/init/control-alt-delete.conf DOES NOT disable the Ctrl-Alt-Del key sequence if running in runlevel 6 (e.g. in GNOME, KDE, etc.)! The Ctrl-Alt-Del key sequence will only be disabled if running in the non-graphical runlevel 3.

References: RHEL-07-020230 SV-86617r3_rule 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.4.5 CCI-000366 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 SRG-OS-000480-GPOS-00227

Rationale: A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.

Identifiers: CCE-27511-5

Remediation Shell script:

    # The process to disable ctrl+alt+del has changed in RHEL7.
    # Reference: https://access.redhat.com/solutions/1123873
    systemctl mask ctrl-alt-del.target

Remediation Ansible snippet:

    - name: Disable Ctrl-Alt-Del Reboot Activation
      systemd:
        name: ctrl-alt-del.target
        masked: yes
      tags:
        - disable_ctrlaltdel_reboot
        - high_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-27511-5
        - NIST-800-53-AC-6
        - NIST-800-171-3.4.5
        - DISA-STIG-RHEL-07-020230
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable debug-shell SystemD Service

SystemD's debug-shell service is intended to diagnose SystemD related boot issues with various systemctl commands. Once enabled and following a system reboot, the root shell will be available on tty9, which is accessed by pressing CTRL-ALT-F9.
The debug-shell service should only be used for SystemD related issues and should otherwise be disabled. By default, the debug-shell SystemD service is disabled. The debug-shell service can be disabled with the following command:

    $ sudo systemctl disable debug-shell.service

References: 3.4.5 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) FIA_AFL.1

Rationale: This prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.

Identifiers: CCE-80206-6

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'debug-shell.service'
    "$SYSTEMCTL_EXEC" disable 'debug-shell.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^debug-shell.socket\>' && "$SYSTEMCTL_EXEC" disable 'debug-shell.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'debug-shell.service' - name: Disable service debug-shell service: name: debug-shell enabled: "no" state: "stopped" register: service_result failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)" tags: - service_debug-shell_disabled - medium_severity - disable_strategy - low_complexity - low_disruption - CCE-80206-6 - NIST-800-171-3.4.5 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: Disable socket of service debug-shell if applicable service: name: debug-shell.socket enabled: "no" state: "stopped" register: socket_result failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)" tags: - service_debug-shell_disabled - medium_severity - disable_strategy - low_complexity - low_disruption - CCE-80206-6 - NIST-800-171-3.4.5 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Ensure that Root's Path Does Not Include Relative Paths or Null Directories Ensure that none of the directories in root's path is equal to a single . character, or that it contains any instances that lead to relative path traversal, such as .. or beginning a path without the slash (/) character. Also ensure that there are no "empty" elements in the path, such as in these examples: PATH=:/bin PATH=/bin: PATH=/bin::/sbin These empty elements have the same effect as a single . character. 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 CCI-000366 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-6(b) PR.IP-1 Including these entries increases the risk that root could execute code from an untrusted location. 
Identifiers: CCE-80199-3

Ensure that Root's Path Does Not Include World or Group-Writable Directories

For each element in root's path, run:

    # ls -ld DIR

and ensure that write permissions are disabled for group and other.

References: 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 CCI-000366 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-6(b) PR.IP-1

Rationale: Such entries increase the risk that root could execute code provided by unprivileged users, and potentially malicious code.

Identifiers: CCE-80200-9

Remediation Ansible snippet:

    - name: "Fail if user is not root"
      fail:
        msg: 'Root account required to read root $PATH'
      when: ansible_user != "root" and True
      tags:
        - accounts_root_path_dirs_no_write
        - medium_severity
        - restrict_strategy
        - low_complexity
        - medium_disruption
        - CCE-80200-9
        - NIST-800-53-CM-6(b)

    - name: "Get root paths which are not symbolic links"
      shell: 'tr ":" "\n" <<< "$PATH" | xargs -I% find % -maxdepth 0 -type d'
      changed_when: False
      failed_when: False
      register: root_paths
      when: ansible_user == "root" and True
      check_mode: no
      tags:
        - accounts_root_path_dirs_no_write
        - medium_severity
        - restrict_strategy
        - low_complexity
        - medium_disruption
        - CCE-80200-9
        - NIST-800-53-CM-6(b)

    - name: "Disable writability to root directories"
      file:
        path: "{{ item }}"
        mode: "g-w,o-w"
      with_items: "{{ root_paths.stdout_lines }}"
      when: root_paths.stdout_lines is defined and True
      tags:
        - accounts_root_path_dirs_no_write
        - medium_severity
        - restrict_strategy
        - low_complexity
        - medium_disruption
        - CCE-80200-9
        - NIST-800-53-CM-6(b)

Ensure the Default Umask is Set Correctly For Interactive Users

Remove the UMASK environment variable from all interactive users' initialization files.

References: CCI-001814 SRG-OS-000480-GPOS-00227 RHEL-07-021040 SV-86673r2_rule

Rationale: The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive.
Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be 0. This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.

Identifiers: CCE-80536-6

Ensure the Default Umask is Set Correctly in login.defs

To ensure the default umask controlled by /etc/login.defs is set properly, add or correct the UMASK setting in /etc/login.defs to read as follows:

    UMASK

References: RHEL-07-020240 SV-86619r2_rule 11 18 3 9 APO13.01 BAI03.01 BAI03.02 BAI03.03 BAI10.01 BAI10.02 BAI10.03 BAI10.05 CCI-000366 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.1.1 A.14.2.1 A.14.2.2 A.14.2.3 A.14.2.4 A.14.2.5 A.6.1.5 CM-6(b) SA-8 PR.IP-1 PR.IP-2 SRG-OS-000480-GPOS-00228

Rationale: The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users.
Identifiers: CCE-80205-8

Remediation Shell script:

    var_accounts_user_umask=""
    replace_or_append '/etc/login.defs' '^UMASK' "$var_accounts_user_umask" 'CCE-80205-8' '%s %s'

Remediation Ansible snippet:

    - name: XCCDF Value var_accounts_user_umask # promote to variable
      set_fact:
        var_accounts_user_umask: !!str
      tags:
        - always

    - name: Ensure the Default UMASK is Set Correctly
      lineinfile:
        create: yes
        dest: /etc/login.defs
        regexp: ^UMASK
        line: "UMASK {{ var_accounts_user_umask }}"
      tags:
        - accounts_umask_etc_login_defs
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80205-8
        - NIST-800-53-CM-6(b)
        - NIST-800-53-SA-8
        - DISA-STIG-RHEL-07-020240

Ensure the Default Bash Umask is Set Correctly

To ensure the default umask for users of the Bash shell is set properly, add or correct the umask setting in /etc/bashrc to read as follows:

    umask

References: 5.4.4 18 APO13.01 BAI03.01 BAI03.02 BAI03.03 CCI-000366 4.3.4.3.3 A.14.1.1 A.14.2.1 A.14.2.5 A.6.1.5 SA-8 PR.IP-2

Rationale: The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.

Identifiers: CCE-80202-5

Remediation Shell script:

    var_accounts_user_umask=""
    # Rewrite an existing umask line; if grep found none, append one
    grep -q umask /etc/bashrc && \
      sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/bashrc
    if ! [ $? -eq 0 ]; then
        echo "umask $var_accounts_user_umask" >> /etc/bashrc
    fi

Ensure the Default C Shell Umask is Set Correctly

To ensure the default umask for users of the C shell is set properly, add or correct the umask setting in /etc/csh.cshrc to read as follows:

    umask

References: 18 APO13.01 BAI03.01 BAI03.02 BAI03.03 CCI-000366 4.3.4.3.3 A.14.1.1 A.14.2.1 A.14.2.5 A.6.1.5 SA-8 PR.IP-2

Rationale: The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.
Identifiers: CCE-80203-3

Remediation Shell script:

    var_accounts_user_umask=""
    # Rewrite an existing umask line; if grep found none, append one
    grep -q umask /etc/csh.cshrc && \
      sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/csh.cshrc
    if ! [ $? -eq 0 ]; then
        echo "umask $var_accounts_user_umask" >> /etc/csh.cshrc
    fi

Ensure the Default Umask is Set Correctly in /etc/profile

To ensure the default umask controlled by /etc/profile is set properly, add or correct the umask setting in /etc/profile to read as follows:

    umask

References: 5.4.4 18 APO13.01 BAI03.01 BAI03.02 BAI03.03 CCI-000366 4.3.4.3.3 A.14.1.1 A.14.2.1 A.14.2.5 A.6.1.5 SA-8 PR.IP-2

Rationale: The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.

Identifiers: CCE-80204-1

Remediation Shell script:

    var_accounts_user_umask=""
    # Rewrite an existing umask line; if grep found none, append one
    grep -q umask /etc/profile && \
      sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/profile
    if ! [ $? -eq 0 ]; then
        echo "umask $var_accounts_user_umask" >> /etc/profile
    fi

Set Interactive Session Timeout

Setting the TMOUT option in /etc/profile ensures that all user sessions will terminate based on inactivity. The TMOUT setting in /etc/profile should read as follows:

    TMOUT=

References: RHEL-07-040160 SV-86847r4_rule 1 12 15 16 DSS05.04 DSS05.10 DSS06.10 3.1.11 CCI-001133 CCI-000361 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-12 SC-10 PR.AC-7 FMT_MOF_EXT.1 SRG-OS-000163-GPOS-00072 SRG-OS-000163-VMM-000700 SRG-OS-000279-VMM-001010

Rationale: Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.
Identifiers: CCE-27557-8

Remediation Shell script:

    var_accounts_tmout=""
    if grep --silent ^TMOUT /etc/profile ; then
        sed -i "s/^TMOUT.*/TMOUT=$var_accounts_tmout/g" /etc/profile
    else
        echo -e "\n# Set TMOUT to $var_accounts_tmout per security requirements" >> /etc/profile
        echo "TMOUT=$var_accounts_tmout" >> /etc/profile
    fi

Remediation Ansible snippet:

    - name: XCCDF Value var_accounts_tmout # promote to variable
      set_fact:
        var_accounts_tmout: !!str
      tags:
        - always

    - name: Set Interactive Session Timeout
      lineinfile:
        create: yes
        dest: /etc/profile
        regexp: ^#?TMOUT
        line: "TMOUT={{ var_accounts_tmout }}"
      tags:
        - accounts_tmout
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27557-8
        - NIST-800-53-AC-12
        - NIST-800-53-SC-10
        - NIST-800-171-3.1.11
        - DISA-STIG-RHEL-07-040160

Ensure that User Home Directories are not Group-Writable or World-Readable

For each human user of the system, view the permissions of the user's home directory:

    # ls -ld /home/USER

Ensure that the directory is not group-writable and that it is not world-readable. If necessary, repair the permissions:

    # chmod g-w /home/USER
    # chmod o-rwx /home/USER

This action may involve modifying user home directories. Notify your user community, and solicit input if appropriate, before making this type of change.

References: 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 CCI-000225 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6(7) PR.AC-4 PR.DS-5

Rationale: User home directories contain many configuration files which affect the behavior of a user's account. No user should ever have write permission to another user's home directory. Group shared directories can be configured in sub-directories or elsewhere in the filesystem if they are needed. Typically, user home directories should not be world-readable, as it would disclose file names to other users.
If a subset of users need read access to one another's home directories, this can be provided using groups or ACLs.

Identifiers: CCE-80201-7

User Initialization Files Must Be Owned By the Primary User

Set the owner of the user initialization files for interactive users to the primary owner with the following command:

    $ sudo chown USER /home/USER/.*

References: CCI-000366 SRG-OS-000480-GPOS-00227 RHEL-07-020690 SV-86653r2_rule

Rationale: Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.

Identifiers: CCE-80527-5

All Interactive Users Home Directories Must Exist

Create home directories for all interactive users that currently do not have a home directory assigned. Use the following command to create the user home directory assigned in /etc/passwd:

    $ sudo mkdir /home/USER

References: CCI-000366 SRG-OS-000480-GPOS-00227 RHEL-07-020620 SV-86639r2_rule

Rationale: If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.

Identifiers: CCE-80529-1

User Initialization Files Must Not Run World-Writable Programs

Set the mode on files being executed by the user initialization files with the following command:

    $ sudo chmod 0755 FILE

References: CCI-000366 SRG-OS-000480-GPOS-00227 RHEL-07-020730 SV-86661r2_rule

Rationale: If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.
Identifiers: CCE-80523-4

Ensure Home Directories are Created for New Users

All local interactive user accounts, upon creation, should be assigned a home directory. Configure the operating system to assign home directories to all new local interactive users by setting the CREATE_HOME parameter in /etc/login.defs to yes as follows:

    CREATE_HOME yes

References: RHEL-07-020610 SV-86637r2_rule SRG-OS-000480-GPOS-00227

Rationale: If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.

Identifiers: CCE-80434-4

Remediation Shell script:

    # Append the setting if absent, otherwise force its value to yes
    if ! grep -q ^CREATE_HOME /etc/login.defs; then
        echo "CREATE_HOME yes" >> /etc/login.defs
    else
        sed -i "s/^\(CREATE_HOME\).*/\1 yes/g" /etc/login.defs
    fi

Ensure the Logon Failure Delay is Set Correctly in login.defs

To ensure the logon failure delay controlled by /etc/login.defs is set properly, add or correct the FAIL_DELAY setting in /etc/login.defs to read as follows:

    FAIL_DELAY

References: RHEL-07-010430 SV-86575r2_rule 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 CCI-000366 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 AC-7(b) CM-6(b) PR.IP-1 SRG-OS-000480-GPOS-00226

Rationale: Increasing the time between a failed authentication attempt and re-prompting to enter credentials helps to slow a single-threaded brute force attack.
Identifiers: CCE-80352-8

Remediation Shell script:

    # Set variables
    var_accounts_fail_delay=""
    replace_or_append '/etc/login.defs' '^FAIL_DELAY' "$var_accounts_fail_delay" 'CCE-80352-8' '%s %s'

Remediation Ansible snippet:

    - name: XCCDF Value var_accounts_fail_delay # promote to variable
      set_fact:
        var_accounts_fail_delay: !!str
      tags:
        - always

    - name: Set accounts logon fail delay
      lineinfile:
        dest: /etc/login.defs
        regexp: ^FAIL_DELAY
        line: "FAIL_DELAY {{ var_accounts_fail_delay }}"
      tags:
        - accounts_logon_fail_delay
        - low_severity
        - CCE-80352-8
        - NIST-800-53-AC-7(b)
        - NIST-800-53-CM-6(b)
        - DISA-STIG-RHEL-07-010430

All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User

Change the group of a local interactive user's files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive user's files and directories, use the following command:

    $ sudo chgrp USER_GROUP /home/USER/FILE_DIR

References: CCI-000366 SRG-OS-000480-GPOS-00227 RHEL-07-020670 SV-86649r2_rule

Rationale: If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them.

Identifiers: CCE-80534-1

Ensure that Users Path Contains Only Local Directories

Ensure that the executable search path statements in all interactive user initialization files do not contain statements that reference a working directory other than the user's home directory.

References: CCI-000366 SRG-OS-000480-GPOS-00227 RHEL-07-020720 SV-86659r4_rule

Rationale: The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory.
If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO).

CCE-80524-2

All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive

Set the mode on files and directories in the local interactive user home directory with the following command:

    $ sudo chmod 0750 /home/USER/FILE_DIR

References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020680, SV-86651r2_rule

Rationale: If a local interactive user's files have excessive permissions, unintended users may be able to access or modify them.

CCE-80535-8

Limit the Number of Concurrent Login Sessions Allowed Per User

Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user, add the following line in /etc/security/limits.conf:

    * hard maxlogins 

References: RHEL-07-040000, SV-86841r2_rule, 14, 15, 18, 9, 5.5.2.2, DSS01.05, DSS05.02, CCI-000054, 4.3.3.4, SR 3.1, SR 3.8, A.13.1.1, A.13.1.3, A.13.2.1, A.14.1.2, A.14.1.3, AC-10, PR.AC-5, SRG-OS-000027-GPOS-00008, SRG-OS-000027-VMM-000080

Rationale: Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions.
CCE-27081-9

Bash remediation:

    var_accounts_max_concurrent_login_sessions=""

    if grep -q '^[^#]*\<maxlogins\>' /etc/security/limits.d/*.conf; then
        sed -i "/^[^#]*\<maxlogins\>/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.d/*.conf
    elif grep -q '^[^#]*\<maxlogins\>' /etc/security/limits.conf; then
        sed -i "/^[^#]*\<maxlogins\>/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.conf
    else
        echo "* hard maxlogins $var_accounts_max_concurrent_login_sessions" >> /etc/security/limits.conf
    fi

Ansible remediation:

    - name: XCCDF Value var_accounts_max_concurrent_login_sessions # promote to variable
      set_fact:
        var_accounts_max_concurrent_login_sessions: !!str
      tags:
        - always

    - name: "Limit the Number of Concurrent Login Sessions Allowed Per User"
      lineinfile:
        state: present
        dest: /etc/security/limits.conf
        insertbefore: "^# End of file"
        regexp: "^#?\\*.*maxlogins"
        line: "* hard maxlogins {{ var_accounts_max_concurrent_login_sessions }}"
      tags:
        - accounts_max_concurrent_login_sessions
        - low_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27081-9
        - NIST-800-53-AC-10
        - CJIS-5.5.2.2
        - DISA-STIG-RHEL-07-040000

All Interactive User Home Directories Must Be Group-Owned By The Primary User

Change the group owner of interactive users' home directories to the group found in /etc/passwd. To change the group owner of an interactive user's home directory, use the following command:

    $ sudo chgrp USER_GROUP /home/USER

References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020650, SV-86645r5_rule

Rationale: If the Group Identifier (GID) of a local interactive user's home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user's files, and users that share the same group may not be able to access files that they legitimately should.

CCE-80532-5

All Interactive Users Must Have A Home Directory Defined

Assign home directories to all interactive users that currently do not have a home directory assigned.
References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020600, SV-86635r2_rule

Rationale: If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.

CCE-80528-3

Ensure All User Initialization Files Have Mode 0740 Or Less Permissive

Set the mode of the user initialization files to 0740 with the following command:

    $ sudo chmod 0740 /home/USER/.INIT_FILE

References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020710, SV-86657r2_rule

Rationale: Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.

CCE-80525-9

All Interactive User Home Directories Must Be Owned By The Primary User

Change the owner of interactive users' home directories to the correct owner. To change the owner of an interactive user's home directory, use the following command:

    $ sudo chown USER /home/USER

References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020640, SV-86643r5_rule

Rationale: If a local interactive user does not own their home directory, unauthorized users could access or modify the user's files, and the user may not be able to access their own files.

CCE-80531-7

All User Files and Directories In The Home Directory Must Be Owned By The Primary User

Change the owner of an interactive user's files and directories to that user. To change the owner of a local interactive user's files and directories, use the following command:

    $ sudo chown -R USER /home/USER

References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020660, SV-86647r2_rule

Rationale: If local interactive users do not own the files in their directories, unauthorized users may be able to access them. Additionally, if files are not owned by the user, this could be an indication of system compromise.

CCE-80533-3

User Initialization Files Must Be Group-Owned By The Primary User

Change the group owner of interactive users' initialization files to the group found in /etc/passwd for the user.
To change the group owner of a local interactive user's initialization file, use the following command:

    $ sudo chgrp USER_GROUP /home/USER/.INIT_FILE

References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020700, SV-86655r3_rule

Rationale: Local initialization files for interactive users are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.

CCE-80526-7

All Interactive User Home Directories Must Have mode 0750 Or Less Permissive

Change the mode of interactive users' home directories to 0750. To change the mode of an interactive user's home directory, use the following command:

    $ sudo chmod 0750 /home/USER

References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020630, SV-86641r3_rule

Rationale: Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.

CCE-80530-9

Enable GNOME3 Login Warning Banner

In the default graphical environment, displaying a login warning banner in the GNOME Display Manager's login screen can be enabled by setting banner-message-enable to true. To enable it, add or edit banner-message-enable in /etc/dconf/db/gdm.d/00-security-settings. For example:

    [org/gnome/login-screen]
    banner-message-enable=true

Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/login-screen/banner-message-enable

After the settings have been set, run dconf update. The banner text must also be set.
References: RHEL-07-010030, SV-86483r4_rule, 1.7.2, 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(b), AC-8(c)(1), AC-8(c)(2), AC-8(c)(3), PR.AC-7, FMT_MOF_EXT.1, OS-SRG-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088

Rationale: Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. For U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

CCE-26970-4

Bash remediation:

    include_dconf_settings

    dconf_settings 'org/gnome/login-screen' 'banner-message-enable' 'true' 'gdm.d' '00-security-settings'
    dconf_lock 'org/gnome/login-screen' 'banner-message-enable' 'gdm.d' '00-security-settings-lock'

Ansible remediation:

    - name: "Enable GNOME3 Login Warning Banner"
      ini_file:
        dest: "/etc/dconf/db/local.d/00-security-settings"
        section: "org/gnome/login-screen"
        option: banner-message-enable
        value: "true"
        create: yes
      tags:
        - dconf_gnome_banner_enabled
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-26970-4
        - NIST-800-53-AC-8(a)
        - NIST-800-53-AC-8(b)
        - NIST-800-53-AC-8(c)(1)
        - NIST-800-53-AC-8(c)(2)
        - NIST-800-53-AC-8(c)(3)
        - NIST-800-171-3.1.9
        - DISA-STIG-RHEL-07-010030

    - name: "Prevent user modification of GNOME banner-message-enabled"
      lineinfile:
        path: /etc/dconf/db/local.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/login-screen/banner-message-enable'
        line: '/org/gnome/login-screen/banner-message-enable'
        create: yes
      tags:
        - dconf_gnome_banner_enabled
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-26970-4
        - NIST-800-53-AC-8(a)
        - NIST-800-53-AC-8(b)
        - NIST-800-53-AC-8(c)(1)
        - NIST-800-53-AC-8(c)(2)
        - NIST-800-53-AC-8(c)(3)
        - NIST-800-171-3.1.9
        - DISA-STIG-RHEL-07-010030

Set the GNOME3 Login Warning Banner Text

In the default graphical environment, the login warning banner text in the GNOME Display Manager's login screen can be configured by setting banner-message-text to string 'APPROVED_BANNER', where APPROVED_BANNER is the approved banner for your environment. To set it, add or edit banner-message-text in /etc/dconf/db/gdm.d/00-security-settings. For example:

    [org/gnome/login-screen]
    banner-message-text='APPROVED_BANNER'

Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/login-screen/banner-message-text

After the settings have been set, run dconf update. When entering a warning banner that spans several lines, remember to begin and end the string with ' and use \n for new lines.

References: RHEL-07-010040, SV-86485r4_rule, 1.7.2, 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(b), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088

Rationale: An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.
CCE-26892-0

Bash remediation:

    login_banner_text=""

    include_dconf_settings

    expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')

    dconf_settings 'org/gnome/login-screen' 'banner-message-text' "string '${expanded}'" 'gdm.d' '00-security-settings'
    dconf_lock 'org/gnome/login-screen' 'banner-message-text' 'gdm.d' '00-security-settings-lock'

Ansible remediation:

    - name: XCCDF Value login_banner_text # promote to variable
      set_fact:
        login_banner_text: !!str
      tags:
        - always

    - name: "Set the GNOME3 Login Warning Banner Text"
      file:
        path: "/etc/dconf/db/{{ item }}"
        owner: root
        group: root
        mode: 0755
        state: directory
      with_items:
        - gdm.d
        - gdm.d/locks
      tags:
        - dconf_gnome_login_banner_text
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-26892-0
        - NIST-800-53-AC-8(a)
        - NIST-800-53-AC-8(b)
        - NIST-800-53-AC-8(c)
        - NIST-800-171-3.1.9
        - DISA-STIG-RHEL-07-010040

    - name: "Set the GNOME3 Login Warning Banner Text"
      file:
        path: "/etc/dconf/db/gdm.d/{{ item }}"
        owner: root
        group: root
        mode: 0644
        state: touch
      with_items:
        - 00-security-settings
        - locks/00-security-settings-lock
      tags:
        - dconf_gnome_login_banner_text
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-26892-0
        - NIST-800-53-AC-8(a)
        - NIST-800-53-AC-8(b)
        - NIST-800-53-AC-8(c)
        - NIST-800-171-3.1.9
        - DISA-STIG-RHEL-07-010040

    - name: "Set the GNOME3 Login Warning Banner Text"
      ini_file:
        dest: /etc/dconf/db/gdm.d/00-security-settings
        section: org/gnome/login-screen
        option: banner-message-text
        value: string '{{ login_banner_text }}'
        create: yes
      tags:
        - dconf_gnome_login_banner_text
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-26892-0
        - NIST-800-53-AC-8(a)
        - NIST-800-53-AC-8(b)
        - NIST-800-53-AC-8(c)
        - NIST-800-171-3.1.9
        - DISA-STIG-RHEL-07-010040

    - name: "Prevent user modification of the GNOME3 Login Warning Banner Text"
      lineinfile:
        path: '/etc/dconf/db/gdm.d/locks/00-security-settings-lock'
        regexp: '^org/gnome/login-screen/banner-message-text$'
        line: 'org/gnome/login-screen/banner-message-text'
        create: yes
        state: present
      tags:
        - dconf_gnome_login_banner_text
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-26892-0
        - NIST-800-53-AC-8(a)
        - NIST-800-53-AC-8(b)
        - NIST-800-53-AC-8(c)
        - NIST-800-171-3.1.9
        - DISA-STIG-RHEL-07-010040

Enable GUI Warning Banner

To enable displaying a login warning banner in the GNOME Display Manager's login screen, run the following command:

    $ sudo gconftool-2 --direct \
        --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
        --type bool \
        --set /apps/gdm/simple-greeter/banner_message_enable true

To display a banner, this setting must be enabled and then banner text must also be set.

References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(b), AC-8(c), PR.AC-7

Rationale: An appropriate warning message reinforces policy awareness during the login process and facilitates possible legal action against attackers.

Set GUI Warning Banner Text

To set the text shown by the GNOME Display Manager in the login screen, run the following command:

    $ sudo gconftool-2 --direct \
        --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
        --type string \
        --set /apps/gdm/simple-greeter/banner_message_text \
        "Text of the warning banner here"

When entering a warning banner that spans several lines, remember to begin and end the string with ". This command writes directly either to /etc/gconf/gconf.xml.mandatory/%gconf-tree.xml if it exists or to the file /etc/gconf/gconf.xml.mandatory/apps/gdm/simple-greeter/%gconf.xml. Either of these files can later be edited directly if necessary.
References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(b), AC-8(c), PR.AC-7

Rationale: An appropriate warning message reinforces policy awareness during the login process and facilitates possible legal action against attackers.

Modify the System Login Banner

To configure the system login banner, edit /etc/issue. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:

    You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
    -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
    -At any time, the USG may inspect and seize data stored on this IS.
    -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
    -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
    -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

OR:

    I've read & consent to terms in IS user agreem't.
References: RHEL-07-010050, SV-86487r3_rule, 1.7.1.2, 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(b), AC-8(c)(1), AC-8(c)(2), AC-8(c)(3), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000023-VMM-000060, SRG-OS-000024-VMM-000070

Rationale: Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

CCE-27303-7

Configure the root Account for Failed Password Attempts

To configure the system to lock out the root account after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

Modify the following line in the AUTH section to add even_deny_root:

    auth required pam_faillock.so preauth silent even_deny_root deny= unlock_time= fail_interval=

Modify the following line in the AUTH section to add even_deny_root:

    auth [default=die] pam_faillock.so authfail even_deny_root deny= unlock_time= fail_interval=

References: RHEL-07-010330, SV-86569r4_rule, 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-7(b), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005

Rationale: By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.

CCE-80353-6

Bash remediation:

    AUTH_FILES[0]="/etc/pam.d/system-auth"
    AUTH_FILES[1]="/etc/pam.d/password-auth"

    # This script fixes absence of pam_faillock.so in PAM stack or the
    # absence of even_deny_root in pam_faillock.so arguments
    # When inserting auth pam_faillock.so entries,
    # the entry with preauth argument will be added before pam_unix.so module
    # and entry with authfail argument will be added before pam_deny.so module.
    # The placement of pam_faillock.so entries will not be changed
    # if they are already present
    for pamFile in "${AUTH_FILES[@]}"
    do
        # if PAM file is missing, system is not using PAM or broken
        if [ ! -f $pamFile ]; then
            continue
        fi

        # is 'auth required' here?
        if grep -q "^auth.*required.*pam_faillock.so.*" $pamFile; then
            # has 'auth required' even_deny_root option?
            if ! grep -q "^auth.*required.*pam_faillock.so.*preauth.*even_deny_root" $pamFile; then
                # even_deny_root is not present
                sed -i --follow-symlinks "s/\(^auth.*required.*pam_faillock.so.*preauth.*\).*/\1 even_deny_root/" $pamFile
            fi
        else
            # no 'auth required', add it
            sed -i --follow-symlinks "/^auth.*pam_unix.so.*/i auth required pam_faillock.so preauth silent even_deny_root" $pamFile
        fi

        # is 'auth [default=die]' here?
        if grep -q "^auth.*\[default=die\].*pam_faillock.so.*" $pamFile; then
            # has 'auth [default=die]' even_deny_root option?
            if ! grep -q "^auth.*\[default=die\].*pam_faillock.so.*authfail.*even_deny_root" $pamFile; then
                # even_deny_root is not present
                sed -i --follow-symlinks "s/\(^auth.*\[default=die\].*pam_faillock.so.*authfail.*\).*/\1 even_deny_root/" $pamFile
            fi
        else
            # no 'auth [default=die]', add it
            sed -i --follow-symlinks "/^auth.*pam_unix.so.*/a auth [default=die] pam_faillock.so authfail silent even_deny_root" $pamFile
        fi
    done

Ansible remediation:

    - name: Add auth pam_faillock preauth even_deny_root before pam_unix.so
      pamd:
        name: "{{ item }}"
        type: auth
        control: sufficient
        module_path: pam_unix.so
        new_type: auth
        new_control: required
        new_module_path: pam_faillock.so
        module_arguments: 'preauth silent even_deny_root'
        state: before
      loop:
        - system-auth
        - password-auth
      tags:
        - accounts_passwords_pam_faillock_deny_root
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80353-6
        - NIST-800-53-AC-7(b)
        - DISA-STIG-RHEL-07-010330

    - name: Add even_deny_root argument to auth pam_faillock preauth
      pamd:
        name: "{{ item }}"
        type: auth
        control: required
        module_path: pam_faillock.so
        module_arguments: 'preauth silent even_deny_root'
        state: args_present
      loop:
        - system-auth
        - password-auth
      tags:
        - accounts_passwords_pam_faillock_deny_root
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80353-6
        - NIST-800-53-AC-7(b)
        - DISA-STIG-RHEL-07-010330

    - name: Add auth pam_faillock authfail even_deny_root after pam_unix.so
      pamd:
        name: "{{ item }}"
        type: auth
        control: sufficient
        module_path: pam_unix.so
        new_type: auth
        new_control: '[default=die]'
        new_module_path: pam_faillock.so
        module_arguments: 'authfail even_deny_root'
        state: after
      loop:
        - system-auth
        - password-auth
      tags:
        - accounts_passwords_pam_faillock_deny_root
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80353-6
        - NIST-800-53-AC-7(b)
        - DISA-STIG-RHEL-07-010330

    - name: Add even_deny_root argument to auth pam_faillock authfail
      pamd:
        name: "{{ item }}"
        type: auth
        control: '[default=die]'
        module_path: pam_faillock.so
        module_arguments: 'authfail even_deny_root'
        state: args_present
      loop:
        - system-auth
        - password-auth
      tags:
        - accounts_passwords_pam_faillock_deny_root
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80353-6
        - NIST-800-53-AC-7(b)
        - DISA-STIG-RHEL-07-010330

    - name: Add account pam_faillock before pam_unix.so
      pamd:
        name: "{{ item }}"
        type: account
        control: required
        module_path: pam_unix.so
        new_type: account
        new_control: required
        new_module_path: pam_faillock.so
        state: before
      loop:
        - system-auth
        - password-auth
      tags:
        - accounts_passwords_pam_faillock_deny_root
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80353-6
        - NIST-800-53-AC-7(b)
        - DISA-STIG-RHEL-07-010330

Set Interval For Counting Failed Password Attempts

Utilizing pam_faillock.so, the fail_interval directive configures the system to lock out an account after a number of incorrect login attempts within a specified time period. Modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

Add the following line immediately before the pam_unix.so statement in the AUTH section:

    auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=

Add the following line immediately after the pam_unix.so statement in the AUTH section:

    auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=

Add the following line immediately before the pam_unix.so statement in the ACCOUNT section:

    account required pam_faillock.so

References: RHEL-07-010320, SV-86567r4_rule, 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-7(a), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005

Rationale: By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.

CCE-27297-1

Bash remediation:

    include_set_faillock_option

    var_accounts_passwords_pam_faillock_fail_interval=""

    AUTH_FILES[0]="/etc/pam.d/system-auth"
    AUTH_FILES[1]="/etc/pam.d/password-auth"

    for pam_file in "${AUTH_FILES[@]}"
    do
        set_faillock_option "$pam_file" "fail_interval" "$var_accounts_passwords_pam_faillock_fail_interval"
    done

Ansible remediation:

    - name: XCCDF Value var_accounts_passwords_pam_faillock_fail_interval # promote to variable
      set_fact:
        var_accounts_passwords_pam_faillock_fail_interval: !!str
      tags:
        - always

    - name: Add auth pam_faillock preauth fail_interval before pam_unix.so
      pamd:
        name: "{{ item }}"
        type: auth
        control: sufficient
        module_path: pam_unix.so
        new_type: auth
        new_control: required
        new_module_path: pam_faillock.so
        module_arguments: 'preauth silent fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}'
        state: before
      loop:
        - system-auth
        - password-auth
      tags:
        - accounts_passwords_pam_faillock_interval
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27297-1
        - NIST-800-53-AC-7(a)
        - DISA-STIG-RHEL-07-010320

    - name: Add fail_interval argument to auth pam_faillock preauth
      pamd:
        name: "{{ item }}"
        type: auth
        control: required
        module_path: pam_faillock.so
        module_arguments: 'preauth silent fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}'
        state: args_present
      loop:
        - system-auth
        - password-auth
      tags:
        - accounts_passwords_pam_faillock_interval
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27297-1
        - NIST-800-53-AC-7(a)
        - DISA-STIG-RHEL-07-010320

    - name: Add auth pam_faillock authfail fail_interval after pam_unix.so
      pamd:
        name: "{{ item }}"
        type: auth
        control: sufficient
        module_path: pam_unix.so
        new_type: auth
        new_control: '[default=die]'
        new_module_path: pam_faillock.so
        module_arguments: 'authfail fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}'
        state: after
      loop:
        - system-auth
        - password-auth
      tags:
        - accounts_passwords_pam_faillock_interval
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27297-1
        - NIST-800-53-AC-7(a)
        - DISA-STIG-RHEL-07-010320

    - name: Add fail_interval argument to auth pam_faillock authfail
      pamd:
        name: "{{ item }}"
        type: auth
        control: '[default=die]'
        module_path: pam_faillock.so
        module_arguments: 'authfail fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}'
        state: args_present
      loop:
        - system-auth
        - password-auth
      tags:
        - accounts_passwords_pam_faillock_interval
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27297-1
        - NIST-800-53-AC-7(a)
        - DISA-STIG-RHEL-07-010320

    - name: Add account pam_faillock before pam_unix.so
      pamd:
        name: "{{ item }}"
        type: account
        control: required
        module_path: pam_unix.so
        new_type: account
        new_control: required
        new_module_path: pam_faillock.so
        state: before
      loop:
        - system-auth
        - password-auth
      tags:
        - accounts_passwords_pam_faillock_interval
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27297-1
        - NIST-800-53-AC-7(a)
        - DISA-STIG-RHEL-07-010320

Set Password to Maximum of Consecutive Repeating Characters from Same Character Class

The pam_pwquality module's maxclassrepeat parameter controls requirements for consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters from the same character class. Modify the maxclassrepeat setting in /etc/security/pwquality.conf to equal  to prevent a run of ( + 1) or more identical characters.
References: RHEL-07-010190, SV-86541r2_rule, 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5, IA-5(c), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040

Rationale: Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex a password, the greater the number of possible combinations that need to be tested before the password is compromised.

CCE-27512-3

Bash remediation:

    var_password_pam_maxclassrepeat=""

    replace_or_append '/etc/security/pwquality.conf' '^maxclassrepeat' $var_password_pam_maxclassrepeat 'CCE-27512-3' '%s = %s'

Ansible remediation:

    - name: XCCDF Value var_password_pam_maxclassrepeat # promote to variable
      set_fact:
        var_password_pam_maxclassrepeat: !!str
      tags:
        - always

    - name: Ensure PAM variable maxclassrepeat is set accordingly
      lineinfile:
        create: yes
        dest: "/etc/security/pwquality.conf"
        regexp: '^#?\s*maxclassrepeat'
        line: "maxclassrepeat = {{ var_password_pam_maxclassrepeat }}"
      tags:
        - accounts_password_pam_maxclassrepeat
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27512-3
        - NIST-800-53-IA-5
        - NIST-800-53-IA-5(c)
        - DISA-STIG-RHEL-07-010190

Set Password Maximum Consecutive Repeating Characters

The pam_pwquality module's maxrepeat parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters.
Modify the maxrepeat setting in /etc/security/pwquality.conf to equal  to prevent a run of ( + 1) or more identical characters.

References: RHEL-07-010180, SV-86539r3_rule, 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5, IA-5(c), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040

Rationale: Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.
CCE-27333-4

Bash remediation:

    var_password_pam_maxrepeat=""

    replace_or_append '/etc/security/pwquality.conf' '^maxrepeat' $var_password_pam_maxrepeat 'CCE-27333-4' '%s = %s'

Ansible remediation:

    - name: XCCDF Value var_password_pam_maxrepeat # promote to variable
      set_fact:
        var_password_pam_maxrepeat: !!str
      tags:
        - always

    - name: Ensure PAM variable maxrepeat is set accordingly
      lineinfile:
        create: yes
        dest: "/etc/security/pwquality.conf"
        regexp: '^#?\s*maxrepeat'
        line: "maxrepeat = {{ var_password_pam_maxrepeat }}"
      tags:
        - accounts_password_pam_maxrepeat
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-27333-4
        - NIST-800-53-IA-5
        - NIST-800-53-IA-5(c)
        - DISA-STIG-RHEL-07-010180

Set Password Strength Minimum Different Categories

The pam_pwquality module's minclass parameter controls requirements for usage of different character classes, or types, of character that must exist in a password before it is considered valid. For example, setting this value to three (3) requires that any password must have characters from at least three different categories in order to be approved. The default value is zero (0), meaning there are no required classes. There are four categories available:

    * Upper-case characters
    * Lower-case characters
    * Digits
    * Special characters (for example, punctuation)

Modify the minclass setting in /etc/security/pwquality.conf entry to require  differing categories of characters when changing passwords.

References: RHEL-07-010170, SV-86537r2_rule, 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5, PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040

Rationale: Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of character categories makes password guessing attacks more difficult by ensuring a larger search space. CCE-27115-5 var_password_pam_minclass="" replace_or_append '/etc/security/pwquality.conf' '^minclass' $var_password_pam_minclass 'CCE-27115-5' '%s = %s' - name: XCCDF Value var_password_pam_minclass # promote to variable set_fact: var_password_pam_minclass: !!str tags: - always - name: Ensure PAM variable minclass is set accordingly lineinfile: create: yes dest: "/etc/security/pwquality.conf" regexp: '^#?\s*minclass' line: "minclass = {{ var_password_pam_minclass }}" tags: - accounts_password_pam_minclass - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27115-5 - NIST-800-53-IA-5 - DISA-STIG-RHEL-07-010170 Set Password Strength Minimum Different Characters The pam_pwquality module's difok parameter sets the number of characters in a new password that must not be present in the old password during a password change. Modify the difok setting in /etc/security/pwquality.conf to equal to require differing characters when changing passwords. 
RHEL-07-010160 SV-86535r2_rule 1 12 15 16 5 5.6.2.1.1 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-000195 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(b) IA-5(c) IA-5(1)(b) PR.AC-1 PR.AC-6 PR.AC-7 SRG-OS-000072-GPOS-00040 Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however. 
CCE-26631-2 var_password_pam_difok="" replace_or_append '/etc/security/pwquality.conf' '^difok' $var_password_pam_difok 'CCE-26631-2' '%s = %s' - name: XCCDF Value var_password_pam_difok # promote to variable set_fact: var_password_pam_difok: !!str tags: - always - name: Ensure PAM variable difok is set accordingly lineinfile: create: yes dest: "/etc/security/pwquality.conf" regexp: '^#?\s*difok' line: "difok = {{ var_password_pam_difok }}" tags: - accounts_password_pam_difok - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-26631-2 - NIST-800-53-IA-5(b) - NIST-800-53-IA-5(c) - NIST-800-53-IA-5(1)(b) - CJIS-5.6.2.1.1 - DISA-STIG-RHEL-07-010160 Set Password Strength Minimum Special Characters The pam_pwquality module's ocredit= parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each special character. Modify the ocredit setting in /etc/security/pwquality.conf to equal to require use of a special character in passwords. RHEL-07-010150 SV-86533r2_rule 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-001619 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(b) IA-5(c) IA-5(1)(a) PR.AC-1 PR.AC-6 PR.AC-7 FMT_MOF_EXT.1 SRG-OS-000266-GPOS-00101 SRG-OS-000266-VMM-000940 Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space. CCE-27360-7 var_password_pam_ocredit="" replace_or_append '/etc/security/pwquality.conf' '^ocredit' $var_password_pam_ocredit 'CCE-27360-7' '%s = %s' - name: XCCDF Value var_password_pam_ocredit # promote to variable set_fact: var_password_pam_ocredit: !!str tags: - always - name: Ensure PAM variable ocredit is set accordingly lineinfile: create: yes dest: "/etc/security/pwquality.conf" regexp: '^#?\s*ocredit' line: "ocredit = {{ var_password_pam_ocredit }}" tags: - accounts_password_pam_ocredit - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27360-7 - NIST-800-53-IA-5(b) - NIST-800-53-IA-5(c) - NIST-800-53-IA-5(1)(a) - DISA-STIG-RHEL-07-010150 Set Password Retry Prompts Permitted Per-Session To configure the number of retry prompts that are permitted per-session: Edit the pam_pwquality.so statement in /etc/pam.d/system-auth to show retry=, or a lower value if site policy is more restrictive. The DoD requirement is a maximum of 3 prompts per session. 
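The four /etc/security/pwquality.conf settings above (maxrepeat, minclass, difok, ocredit) are all "key = value" lines in one file, and the remediations rewrite a line that may currently be a commented-out default. The following is an added example, not SCAP Security Guide code: it reads the effective value of a key, rewrites or appends a key the way the Ansible regexp '^#?\s*KEY' does, and audits the four keys against thresholds. The file path and the thresholds are arguments (the threshold values used in the comments are assumptions, not taken from this page); the rule that a later assignment overrides an earlier one is assumed parser behaviour.

```shell
# Added example (not SCAP Security Guide code): read, set and audit the
# key = value settings in a pwquality.conf-style file. The file path is an
# argument so the functions can run against /etc/security/pwquality.conf
# or against a copy; thresholds are arguments too (e.g. 3 4 8 1 below are
# assumed values, not ones taken from this page).

# Effective value of KEY: '#' lines are documentation, and when a key is
# assigned more than once the later line wins (assumed parser behaviour).
pwq_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Rewrite the last live or commented-out line for KEY (the same lines the
# Ansible regexp '^#?\s*KEY' matches), or append "KEY = VALUE" if none.
# Writes through a temp file instead of sed -i, so any sed/awk will do.
pwq_set() {
    local file=$1 key=$2 value=$3 re tmp
    re="^#?[[:space:]]*$key([[:space:]]*=|[[:space:]]|\$)"
    tmp=$(mktemp)
    awk -v re="$re" -v k="$key" -v v="$value" '
        NR == FNR { if ($0 ~ re) last = FNR; next }   # pass 1: find the last match
        FNR == last { print k " = " v; next }          # pass 2: replace it
        { print }
        END { if (!last) print k " = " v }             # no match at all: append
    ' "$file" "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Audit against thresholds: maxrepeat must be 1..MAX_REPEAT (0 disables the
# check), minclass >= MIN_CLASS, difok >= MIN_DIFOK, and at least MIN_SPECIAL
# special characters. Note the sign rule for ocredit: a negative value is a
# minimum count, a positive value is only a length credit, so "ocredit = 1"
# requires no special character at all. Returns the number of failures.
pwq_audit() {
    local file=$1 max_repeat=$2 min_class=$3 min_difok=$4 min_special=$5 v fails=0
    v=$(pwq_get "$file" maxrepeat)
    if [ -z "$v" ] || [ "$v" -eq 0 ] || [ "$v" -gt "$max_repeat" ]; then
        echo "FAIL maxrepeat='$v' (want 1..$max_repeat)"; fails=$((fails + 1))
    fi
    v=$(pwq_get "$file" minclass)
    if [ -z "$v" ] || [ "$v" -lt "$min_class" ]; then
        echo "FAIL minclass='$v' (want >= $min_class)"; fails=$((fails + 1))
    fi
    v=$(pwq_get "$file" difok)
    if [ -z "$v" ] || [ "$v" -lt "$min_difok" ]; then
        echo "FAIL difok='$v' (want >= $min_difok)"; fails=$((fails + 1))
    fi
    v=$(pwq_get "$file" ocredit)
    if [ -z "$v" ] || [ "$v" -gt "-$min_special" ]; then
        echo "FAIL ocredit='$v' (want <= -$min_special)"; fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ] && echo "OK: pwquality settings meet thresholds"
    return "$fails"
}
```

Run as `pwq_audit /etc/security/pwquality.conf 3 4 8 1` (thresholds of your own profile) to check a host; `pwq_set` is idempotent, so it is safe to call from a remediation that runs repeatedly.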
RHEL-07-010119 SV-87811r4_rule 6.3.2 1 11 12 15 16 3 5 9 5.5.3 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-000366 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 CM-6(b) IA-5(c) PR.AC-1 PR.AC-6 PR.AC-7 PR.IP-1 FMT_MOF_EXT.1 SRG-OS-000480-GPOS-00225 Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module. CCE-27160-1 var_password_pam_retry="" if grep -q "retry=" /etc/pam.d/system-auth ; then sed -i --follow-symlinks "s/\(retry *= *\)[^[:space:]]*/\1$var_password_pam_retry/" /etc/pam.d/system-auth else sed -i --follow-symlinks "/pam_pwquality.so/ s/$/ retry=$var_password_pam_retry/" /etc/pam.d/system-auth fi - name: XCCDF Value var_password_pam_retry # promote to variable set_fact: var_password_pam_retry: !!str tags: - always - name: "Set Password Retry Prompts Permitted Per-Session - system-auth (change)" replace: dest: /etc/pam.d/system-auth follow: yes regexp: '(^.*\spam_pwquality.so\s.*retry\s*=\s*)(\S+)(.*$)' replace: '\g<1>{{ var_password_pam_retry }}\g<3>' tags: - accounts_password_pam_retry - medium_severity - configure_strategy - low_complexity - medium_disruption - CCE-27160-1 - NIST-800-53-CM-6(b) - NIST-800-53-IA-5(c) - CJIS-5.5.3 - DISA-STIG-RHEL-07-010119 - name: "Set Password Retry Prompts Permitted Per-Session - system-auth (add)" replace: dest: /etc/pam.d/system-auth follow: yes regexp: 
'^.*\spam_pwquality.so\s(?!.*retry\s*=\s*).*$' replace: '\g<0> retry={{ var_password_pam_retry }}' tags: - accounts_password_pam_retry - medium_severity - configure_strategy - low_complexity - medium_disruption - CCE-27160-1 - NIST-800-53-CM-6(b) - NIST-800-53-IA-5(c) - CJIS-5.5.3 - DISA-STIG-RHEL-07-010119 Set Password Retry Prompts Permitted Per-Session To configure the number of retry prompts that are permitted per-session: Edit the pam_cracklib.so statement in /etc/pam.d/system-auth to show retry=, or a lower value if site policy is more restrictive. The DoD requirement is a maximum of 3 prompts per session. 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(c) PR.AC-1 PR.AC-6 PR.AC-7 Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module. Set Password Strength Minimum Special Characters The pam_cracklib module's ocredit= parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each special character. Add ocredit= after pam_cracklib.so to require use of a special character in passwords. 
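The retry= remediation above edits an argument on the pam_pwquality.so line of /etc/pam.d/system-auth, and the pam_cracklib rules on this page put ocredit, minclass, maxrepeat and difok on the module line in the same way. The point that matters when scripting this is to replace only the value of the one argument and leave every other argument (try_first_pass, authtok_type=, ...) intact. The following is an added example, not SCAP Security Guide code; it takes the file path as an argument so it can be run against a copy, and it assumes the usual "type control module args..." line layout.

```shell
# Added example (not SCAP Security Guide code): set and read module
# arguments on the line that loads MODULE in a PAM service file such as
# /etc/pam.d/system-auth. The file path is an argument so it can be run
# against a copy. Works for pam_pwquality.so and pam_cracklib.so alike.

# Set ARG=VALUE on MODULE's line(s): replace an existing ARG=... in place
# ("change"), otherwise append it ("add"). Every other argument is kept;
# runs of whitespace between fields collapse to single spaces.
pam_set_arg() {
    local file=$1 module=$2 arg=$3 value=$4 tmp
    tmp=$(mktemp)
    awk -v m="$module" -v a="$arg" -v v="$value" '
        /^[[:space:]]*#/ || index($0, m) == 0 { print; next }   # not a line loading MODULE
        {
            out = ""; found = 0
            for (i = 1; i <= NF; i++) {
                f = $i
                if (index(f, a "=") == 1) { f = a "=" v; found = 1 }
                out = out (i > 1 ? " " : "") f
            }
            if (!found) out = out " " a "=" v
            print out
        }' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Print the value of ARG on MODULE's line(s); prints nothing if unset.
pam_get_arg() {
    awk -v m="$2" -v a="$3" '
        /^[[:space:]]*#/ || index($0, m) == 0 { next }
        { for (i = 1; i <= NF; i++) if (index($i, a "=") == 1) print substr($i, length(a) + 2) }
    ' "$1"
}

# The retry check from the rule above: present and between 1 and 3.
pam_retry_ok() {
    local v
    v=$(pam_get_arg "$1" pam_pwquality.so retry | tail -n 1)
    [ -n "$v" ] && [ "$v" -ge 1 ] && [ "$v" -le 3 ]
}
```

Because system-auth is normally a symlink to system-auth-ac managed by authconfig, point the functions at the real file (or re-run authconfig with the equivalent option) so the change is not lost on the next authconfig run.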
1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(b) IA-5(c) IA-5(1)(a) PR.AC-1 PR.AC-6 PR.AC-7 Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space. Set Password Strength Minimum Different Categories The pam_cracklib module's minclass parameter controls requirements for usage of different character classes, or types, of character that must exist in a password before it is considered valid. For example, setting this value to three (3) requires that any password must have characters from at least three different categories in order to be approved. The default value is zero (0), meaning there are no required classes. There are four categories available: * Upper-case characters * Lower-case characters * Digits * Special characters (for example, punctuation) Add minclass= after the pam_cracklib.so entry in the /etc/pam.d/system-auth file in order to require differing categories of characters when changing passwords. For example, to require at least three character classes to be used in a password, use minclass=3. Requiring a minimum number of character categories makes password guessing attacks more difficult by ensuring a larger search space. Set Password to Maximum of Three Consecutive Repeating Characters The pam_cracklib module's maxrepeat parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters. 
Add maxrepeat= after pam_cracklib.so to prevent a run of ( + 1) or more identical characters: password required pam_cracklib.so maxrepeat= 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(c) PR.AC-1 PR.AC-6 PR.AC-7 Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks. Set Password Strength Minimum Different Characters The pam_cracklib module's difok parameter controls requirements for usage of different characters during a password change. Add difok= after pam_cracklib.so to require differing characters when changing passwords. The DoD requirement is 4. 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(b) IA-5(c) IA-5(1)(b) PR.AC-1 PR.AC-6 PR.AC-7 Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however. Ensure Solid State Drives Do Not Contribute To Random-Number Entropy Pool For each solid-state drive on the system, run: # echo 0 > /sys/block/DRIVE/queue/add_random In contrast to traditional electromechanical magnetic disks, containing spinning disks and / or movable read / write heads, the solid-state storage devices (SSDs) do not contain moving / mechanical components. 
Therefore the I/O operation completion times are much more predictable for them. Encrypt Partitions Red Hat Enterprise Linux 7 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time. For manual installations, select the Encrypt checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots. For automated/unattended installations, it is possible to use Kickstart by adding the --encrypted and --passphrase= options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition: part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASE Any PASSPHRASE is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the --passphrase= option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation. By default, the Anaconda installer uses aes-xts-plain64 cipher with a minimum 512 bit key size which should be compatible with FIPS enabled. Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on the Red Hat Enterprise Linux 7 Documentation web site: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html. 
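The add_random step above is given for one drive at a time. The following is an added example, not SCAP Security Guide code, that applies it to every solid-state device on the host by reading the sysfs rotational flag (0 means no spinning platters). The sysfs root is a parameter so the logic can be exercised against a copy of the tree without root; on a real host it defaults to /sys and needs root to write.

```shell
# Added example (not SCAP Security Guide code): apply the add_random step
# above to every solid-state device at once. Drives are found by the sysfs
# rotational flag (0 = no spinning platters); SYSROOT defaults to /sys and
# can point at a copy of the tree so the logic runs without root. Prints
# the name of each solid-state device it wrote to.
ssd_disable_add_random() {
    local sysroot=${1:-/sys} q dev
    for q in "$sysroot"/block/*/queue; do
        [ -f "$q/rotational" ] && [ -w "$q/add_random" ] || continue
        dev=${q%/queue}; dev=${dev##*/}
        # device-mapper and loop devices also report rotational=0; writing 0
        # there is harmless, since they never contributed entropy anyway
        if [ "$(cat "$q/rotational")" = "0" ]; then
            echo 0 > "$q/add_random" && echo "$dev"
        fi
    done
}
```

The setting does not survive a reboot; persist it with a udev rule or a tmpfiles/rc script that runs this function at boot.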
13 14 APO01.06 BAI02.01 BAI06.01 DSS04.07 DSS05.03 DSS05.04 DSS05.07 DSS06.02 DSS06.06 3.13.16 CCI-001199 CCI-002476 164.308(a)(1)(ii)(D) 164.308(b)(1) 164.310(d) 164.312(a)(1) 164.312(a)(2)(iii) 164.312(a)(2)(iv) 164.312(b) 164.312(c) 164.314(b)(2)(i) 164.312(d) SR 3.4 SR 4.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 SC-13 SC-28(1) PR.DS-1 PR.DS-5 SRG-OS-000405-GPOS-00184 SRG-OS-000185-GPOS-00079 The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost. CCE-27128-8 Ensure /home Located On Separate Partition If user home directories will be stored locally, create a separate partition for /home at installation time (or migrate it later using LVM). If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later. RHEL-07-021310 SV-86683r2_rule 1.1.13 12 15 8 APO13.01 DSS05.02 CCI-000366 CCI-001208 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.13.1.1 A.13.2.1 A.14.1.3 SC-32(1) PR.PT-4 SRG-OS-000480-GPOS-00227 Ensuring that /home is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage. CCE-80144-9 part /home Ensure /srv Located On Separate Partition If a file server (FTP, TFTP...) is hosted locally, create a separate partition for /srv at installation time (or migrate it later using LVM). If /srv will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later. 
NT28(R12) /srv holds the files served by a local network file server such as FTP. Ensuring that /srv is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage. Ensure /var/tmp Located On Separate Partition The /var/tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM. 1.1.7 The /var/tmp partition is used as temporary storage by many programs. Placing /var/tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it. part /var/tmp Ensure /tmp Located On Separate Partition The /tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM. RHEL-07-021340 SV-86689r2_rule 1.1.2 12 15 8 APO13.01 DSS05.02 CCI-000366 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.13.1.1 A.13.2.1 A.14.1.3 SC-32(1) PR.PT-4 SRG-OS-000480-GPOS-00227 The /tmp partition is used as temporary storage by many programs. Placing /tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it. CCE-27173-4 part /tmp Ensure /var Located On Separate Partition The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition or logical volume at installation time, or migrate it using LVM. RHEL-07-021320 SV-86685r2_rule 1.1.6 12 15 8 APO13.01 DSS05.02 CCI-000366 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.13.1.1 A.13.2.1 A.14.1.3 SC-32(1) PR.PT-4 SRG-OS-000480-GPOS-00227 SRG-OS-000341-VMM-001220 Ensuring that /var is mounted on its own partition enables the setting of more restrictive mount options. 
This helps protect system services such as daemons or other programs which use it. It is not uncommon for the /var directory to contain world-writable directories installed by other software packages. CCE-26404-4 part /var Ensure /var/log/audit Located On Separate Partition Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon. RHEL-07-021330 SV-86687r6_rule 1.1.12 1 12 13 14 15 16 2 3 5 6 8 APO11.04 APO13.01 BAI03.05 BAI04.04 DSS05.02 DSS05.04 DSS05.07 MEA02.01 CCI-000366 164.312(a)(2)(ii) 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.2 SR 7.6 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.17.2.1 AU-4 AU-9 SC-32(1) PR.DS-4 PR.PT-1 PR.PT-4 SRG-OS-000480-GPOS-00227 SRG-OS-000341-VMM-001220 Placing /var/log/audit in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space. CCE-26971-2 part /var/log/audit Ensure /var/log Located On Separate Partition System logs are stored in the /var/log directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM. 1.1.11 1 12 14 15 16 3 5 6 8 APO11.04 APO13.01 BAI03.05 DSS05.02 DSS05.04 DSS05.07 MEA02.01 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 AU-9 SC-32 PR.PT-1 PR.PT-4 Placing /var/log in its own partition enables better separation between log files and other files in /var/. 
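The separate-partition rules above all share one rationale: a directory that is its own mount point can carry its own mount options and cannot fill the filesystem that holds logs or audit data. The following is an added example, not SCAP Security Guide code, that checks both points from a /proc/mounts-style listing. The listing is passed as a file so the check can run on a saved copy (or on /proc/mounts itself); the option names to require are arguments, since which of nodev, nosuid and noexec apply to which directory is a profile decision.

```shell
# Added example (not SCAP Security Guide code): verify that a directory is
# its own mount point and carries the expected mount options, reading a
# /proc/mounts-style file (pass /proc/mounts on a live host). The check
# reads field 2 (mount point) and field 4 (comma-separated options).
# Usage: mount_check MOUNTS_FILE PATH [option ...]
mount_check() {
    local mounts=$1 path=$2 opts o rc=0
    shift 2
    # last matching line wins, as with stacked mounts
    opts=$(awk -v p="$path" '$2 == p { print $4 }' "$mounts" | tail -n 1)
    if [ -z "$opts" ]; then
        echo "FAIL $path is not a separate mount point"
        return 1
    fi
    for o in "$@"; do
        case ",$opts," in
            *",$o,"*) ;;
            *) echo "FAIL $path is mounted without $o (options: $opts)"; rc=1 ;;
        esac
    done
    if [ "$rc" -eq 0 ]; then echo "OK $path ($opts)"; fi
    return "$rc"
}

# List the directories from the rules above that are not their own mount point.
separate_mounts_missing() {
    local mounts=$1 d missing=""
    for d in /home /tmp /var /var/tmp /var/log /var/log/audit; do
        if ! awk -v p="$d" '$2 == p { found = 1 } END { exit !found }' "$mounts"; then
            missing="$missing $d"
        fi
    done
    echo "${missing# }"
}
```

On a live host, `separate_mounts_missing /proc/mounts` gives the list to plan around; `mount_check /proc/mounts /tmp nodev nosuid noexec` is the per-directory check to wire into a compliance script.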
CCE-26967-0 part /var/log Ensure Users Re-Authenticate for Privilege Escalation - sudo The sudo NOPASSWD and !authenticate option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that NOPASSWD and/or !authenticate do not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/. 1 12 15 16 5 DSS05.04 DSS05.10 DSS06.03 DSS06.10 4.3.3.5.1 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-11 PR.AC-1 PR.AC-7 Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate. Only the VDSM User Can Use sudo NOPASSWD The sudo NOPASSWD tag, when specified, allows a user to execute commands using sudo without having to authenticate. Only the vdsm user should have this capability in any sudo configuration snippets in /etc/sudoers.d/. Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate. Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate The sudo !authenticate option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the !authenticate option does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/. 
RHEL-07-010350 SV-86573r3_rule NT28(R5) 1 12 15 16 5 DSS05.04 DSS05.10 DSS06.03 DSS06.10 CCI-002038 4.3.3.5.1 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-11 PR.AC-1 PR.AC-7 SRG-OS-000373-GPOS-00156 SRG-OS-000373-GPOS-00157 SRG-OS-000373-GPOS-00158 Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate. CCE-80350-2 Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD The sudo NOPASSWD tag, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the NOPASSWD tag does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/. RHEL-07-010340 SV-86571r3_rule NT28(R5) 1 12 15 16 5 DSS05.04 DSS05.10 DSS06.03 DSS06.10 CCI-002038 4.3.3.5.1 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-11 PR.AC-1 PR.AC-7 SRG-OS-000373-GPOS-00156 SRG-OS-000373-GPOS-00157 SRG-OS-000373-GPOS-00158 Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate. CCE-80351-0 The Installed Operating System Is Vendor Supported The installed operating system must be maintained by a vendor. Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Linux vendor, Red Hat, Inc. is responsible for providing security patches. 
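The three sudo rules above (no NOPASSWD, no !authenticate, NOPASSWD only for vdsm) are checks with no automated remediation on this page, and a naive `grep NOPASSWD` over-reports commented-out lines and misses rules split with a trailing backslash. The following is an added example, not the guide's OVAL check, that scans a sudoers file plus a sudoers.d directory with those two cases handled. Both paths are arguments so it can run on copies; the optional allowed user is matched against the first field of the joined rule, which assumes the user specification is written as a plain user name rather than a User_Alias or group.

```shell
# Added example (not the guide's OVAL check): list every NOPASSWD tag and
# !authenticate default in a sudoers file plus a sudoers.d directory, both
# given as arguments so the scan can run on copies. Comment lines are
# skipped and backslash-continued rules are joined before matching. An
# optional ALLOWED user (vdsm on RHV hosts) may keep NOPASSWD on its own
# rule only; the user is taken from the first field of the joined rule.
sudo_findings() {
    local sudoers=$1 dropins=$2 allowed=${3:-} f
    for f in "$sudoers" "$dropins"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" -v allowed="$allowed" '
            /\\$/ { buf = buf substr($0, 1, length($0) - 1); next }   # continued line
            { line = buf $0; buf = ""; sub(/^[[:space:]]+/, "", line) }
            line ~ /^#/ || line == "" { next }                           # comment or blank
            line ~ /NOPASSWD/ {
                split(line, w, /[[:space:]]+/)
                if (allowed == "" || w[1] != allowed) print file ": NOPASSWD: " line
            }
            line ~ /!authenticate/ { print file ": !authenticate: " line }
        ' "$f"
    done
}

# Print the findings and return their count (0 = compliant).
sudo_audit() {
    local out n
    out=$(sudo_findings "$@")
    if [ -z "$out" ]; then
        echo "OK: no NOPASSWD or !authenticate outside the allowed rule"
        return 0
    fi
    printf '%s\n' "$out"
    n=$(printf '%s\n' "$out" | wc -l)
    return $((n))
}
```

On a host: `sudo_audit /etc/sudoers /etc/sudoers.d` for the general rules, or `sudo_audit /etc/sudoers /etc/sudoers.d vdsm` on a RHV hypervisor; `visudo -c` remains the authoritative parser, this is a policy scan on top of it.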
There is no remediation besides switching to a different operating system. RHEL-07-020250 SV-86621r3_rule 18 20 4 APO12.01 APO12.02 APO12.03 APO12.04 BAI03.10 DSS05.01 DSS05.02 CCI-000366 4.2.3 4.2.3.12 4.2.3.7 4.2.3.9 A.12.6.1 A.14.2.3 A.16.1.3 A.18.2.2 A.18.2.3 SI-2(c) ID.RA-1 PR.IP-12 SRG-OS-000480-GPOS-00227 An operating system is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve any security issue discovered in the system software. The Installed Operating System Is FIPS 140-2 Certified To enable processing of sensitive information the operating system must provide certified cryptographic modules compliant with FIPS 140-2 standard. Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Linux vendor, Red Hat, Inc. is responsible for maintaining government certifications and standards. There is no remediation besides switching to a different operating system. IA-5 SC-13 The Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS PUB 140-2) is a computer security standard. The standard specifies security requirements for cryptographic modules used to protect sensitive unclassified information. Refer to the full FIPS 140-2 standard at http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf for further details on the requirements. FIPS 140-2 validation is required by U.S. law when information systems use cryptography to protect sensitive government information. In order to achieve FIPS 140-2 certification, cryptographic modules are subject to extensive testing by independent laboratories, accredited by National Institute of Standards and Technology (NIST). CCE-80657-0 Install the dracut-fips Package To enable FIPS, the system requires that the dracut-fips package be installed. 
The dracut-fips package can be installed with the following command: $ sudo yum install dracut-fips 12 15 8 5.10.1.2 APO13.01 DSS01.04 DSS05.02 DSS05.03 3.13.11 3.13.8 CCI-000068 CCI-002450 4.3.3.6.6 SR 1.13 SR 2.6 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.13.1.1 A.13.2.1 A.14.1.3 A.6.2.1 A.6.2.2 AC-17(2) PR.AC-3 PR.PT-4 SRG-OS-000033-GPOS-00014 SRG-OS-000396-GPOS-00176 SRG-OS-000478-GPOS-00223 Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. CCE-80358-5 package_install dracut-fips - name: Ensure dracut-fips is installed package: name: dracut-fips state: present when: ansible_distribution == 'Red Hat Enterprise Linux' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - package_dracut-fips_installed - medium_severity - enable_strategy - low_complexity - low_disruption - CCE-80358-5 - NIST-800-53-AC-17(2) - NIST-800-171-3.13.11 - NIST-800-171-3.13.8 - CJIS-5.10.1.2 package --add=dracut-fips Enable FIPS Mode in GRUB2 To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands: $ sudo yum install dracut-fips $ sudo dracut -f After the dracut command has been run, add the argument fips=1 to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below: GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 fips=1" Finally, rebuild the grub.cfg file by using the grub2-mkconfig -o command as follows: On BIOS-based machines, issue the following command as root: ~]# grub2-mkconfig -o /boot/grub2/grub.cfg On UEFI-based machines, issue the following command as root: ~]# grub2-mkconfig -o 
/boot/efi/EFI/redhat/grub.cfg Running dracut -f will overwrite the existing initramfs file. The system needs to be rebooted for these changes to take effect. The ability to enable FIPS does not denote FIPS compliance or certification. Red Hat, Inc. and Red Hat Enterprise Linux are respectively FIPS certified and compliant. Community projects such as CentOS, Scientific Linux, Fedora, etc. do not necessarily meet FIPS certification and compliance. Therefore, non-certified vendors and/or projects do not meet this requirement even if technically feasible. See http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm for a list of FIPS certified vendors. RHEL-07-021350 SV-86691r4_rule 12 15 8 5.10.1.2 APO13.01 DSS01.04 DSS05.02 DSS05.03 3.13.8 3.13.11 CCI-000068 CCI-002450 4.3.3.6.6 SR 1.13 SR 2.6 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.13.1.1 A.13.2.1 A.14.1.3 A.6.2.1 A.6.2.2 IA-5 SC-13 AC-17(2) PR.AC-3 PR.PT-4 SRG-OS-000033-GPOS-00014 SRG-OS-000396-GPOS-00176 SRG-OS-000478-GPOS-00223 Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. CCE-80359-3 disable_prelink package_install dracut-fips dracut -f # Correct the form of default kernel command line in grub if grep -q '^GRUB_CMDLINE_LINUX=.*fips=.*"' /etc/default/grub; then # modify the GRUB command-line if a fips= arg already exists sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)fips=[^[:space:]]*\(.*"\)/\1 fips=1 \2/' /etc/default/grub else # no existing fips=arg is present, append it sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 fips=1"/' /etc/default/grub fi # Get the UUID of the device mounted at /boot. 
BOOT_UUID=$(findmnt --noheadings --output uuid --target /boot) if grep -q '^GRUB_CMDLINE_LINUX=".*boot=.*"' /etc/default/grub; then # modify the GRUB command-line if a boot= arg already exists sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)boot=[^[:space:]]*\(.*"\)/\1 boot=UUID='"${BOOT_UUID} \2/" /etc/default/grub else # no existing boot=arg is present, append it sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 boot=UUID='${BOOT_UUID}'"/' /etc/default/grub fi # Correct the form of kernel command line for each installed kernel in the bootloader /sbin/grubby --update-kernel=ALL --args="fips=1 boot=UUID=${BOOT_UUID}" package --add=dracut-fips Enable nails Service The nails service is used to run McAfee VirusScan Enterprise for Linux and McAfee Host-based Security System (HBSS) services. The nails service can be enabled with the following command: $ sudo systemctl enable nails.service 12 13 14 4 7 8 APO01.06 APO13.02 BAI02.01 BAI06.01 DSS04.07 DSS05.01 DSS05.02 DSS05.03 DSS06.06 CCI-000366 CCI-001239 CCI-001668 4.3.4.3.8 4.4.3.2 SR 3.2 SR 3.3 SR 3.4 SR 4.1 A.12.2.1 A.14.2.8 A.8.2.3 SC-28 SI-3 SI-3(1)(ii) DE.CM-4 DE.DP-3 PR.DS-1 SRG-OS-000480-GPOS-00227 Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems. 
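The FIPS remediation above edits GRUB_CMDLINE_LINUX twice with two sed branches each (replace an existing fips= or boot=, else append), and a script that gets this wrong leaves duplicate or stale arguments that the kernel resolves unpredictably. The following is an added example, not SCAP Security Guide code, that generalises those branches into one idempotent KEY=VALUE editor plus a check for the end state; the defaults file path is an argument so it can be exercised on a copy, and the /boot UUID is passed in (on a live host it comes from `findmnt` as in the remediation). It only edits the defaults file: grub2-mkconfig or grubby and a reboot are still required, as the rule says.

```shell
# Added example (not SCAP Security Guide code): edit kernel arguments in a
# /etc/default/grub-style file idempotently. Replaces an existing KEY=...
# inside GRUB_CMDLINE_LINUX="..." (so fips=0 becomes fips=1 instead of
# being duplicated) or appends KEY=VALUE; adds the line if it is missing.
grub_set_arg() {
    local file=$1 key=$2 value=$3 tmp
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        /^GRUB_CMDLINE_LINUX=/ {
            seen = 1; line = $0
            sub(/^GRUB_CMDLINE_LINUX="/, "", line); sub(/"[[:space:]]*$/, "", line)
            n = split(line, args, /[[:space:]]+/); out = ""; found = 0
            for (i = 1; i <= n; i++) {
                if (args[i] == "") continue
                if (index(args[i], k "=") == 1) { args[i] = k "=" v; found = 1 }
                out = out (out == "" ? "" : " ") args[i]
            }
            if (!found) out = out (out == "" ? "" : " ") k "=" v
            print "GRUB_CMDLINE_LINUX=\"" out "\""
            next
        }
        { print }
        END { if (!seen) print "GRUB_CMDLINE_LINUX=\"" k "=" v "\"" }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Value of KEY on the GRUB_CMDLINE_LINUX line, or nothing if unset.
grub_get_arg() {
    awk -v k="$2" '/^GRUB_CMDLINE_LINUX=/ {
        sub(/^GRUB_CMDLINE_LINUX="?/, ""); sub(/"[[:space:]]*$/, "")
        for (i = 1; i <= NF; i++) if (index($i, k "=") == 1) print substr($i, length(k) + 2)
    }' "$1"
}

# The end state the rule asks for: fips=1 and boot=UUID=<uuid of /boot>
# (the boot= argument is what lets the initramfs find the kernel HMAC
# file when /boot is its own filesystem).
fips_grub_ok() {
    [ "$(grub_get_arg "$1" fips)" = "1" ] && [ "$(grub_get_arg "$1" boot)" = "UUID=$2" ]
}
```

Typical use on a host: `grub_set_arg /etc/default/grub fips 1; grub_set_arg /etc/default/grub boot "UUID=$(findmnt --noheadings --output uuid --target /boot)"`, then grub2-mkconfig for the right grub.cfg path and a reboot; afterwards `/proc/sys/crypto/fips_enabled` reading 1 is the runtime confirmation.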
CCE-80128-2

Remediation (bash):

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" start 'nails.service'
    "$SYSTEMCTL_EXEC" enable 'nails.service'

Remediation (Ansible):

    - name: Enable service nails
      service:
        name: nails
        enabled: "yes"
        state: "started"
      tags:
        - service_nails_enabled
        - medium_severity
        - enable_strategy
        - low_complexity
        - low_disruption
        - CCE-80128-2
        - NIST-800-53-SC-28
        - NIST-800-53-SI-3
        - NIST-800-53-SI-3(1)(ii)
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Install McAfee Virus Scanning Software

Install McAfee VirusScan Enterprise for Linux antivirus software, which is provided for DoD systems and uses signatures to search for the presence of viruses on the filesystem.

Due to McAfee HIPS being 3rd party software, automated remediation is not available for this configuration check.

References: RHEL-07-032000, SV-86837r3_rule, 12, 13, 14, 4, 7, 8, APO01.06, APO13.02, BAI02.01, BAI06.01, DSS04.07, DSS05.01, DSS05.02, DSS05.03, DSS06.06, CCI-000366, CCI-001239, CCI-001668, 4.3.4.3.8, 4.4.3.2, SR 3.2, SR 3.3, SR 3.4, SR 4.1, A.12.2.1, A.14.2.8, A.8.2.3, SC-28, SI-3, SI-3(1)(ii), DE.CM-4, DE.DP-3, PR.DS-1, SRG-OS-000480-GPOS-00227

Rationale: Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.

CCE-80127-4

Virus Scanning Software Definitions Are Updated

Ensure virus definition files are no older than 7 days or their last release.

References: RHEL-07-032010, 12, 13, 14, 4, 7, 8, APO01.06, APO13.02, BAI02.01, BAI06.01, DSS04.07, DSS05.01, DSS05.02, DSS05.03, DSS06.06, CCI-000366, CCI-001239, CCI-001668, 4.3.4.3.8, 4.4.3.2, SR 3.2, SR 3.3, SR 3.4, SR 4.1, A.12.2.1, A.14.2.8, A.8.2.3, SC-28, SI-3, SI-3(1)(ii), DE.CM-4, DE.DP-3, PR.DS-1, SRG-OS-000480-GPOS-00227

Rationale: Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.
CCE-80129-0

Install the McAfee Runtime Libraries and Linux Agent

Install the McAfee Runtime Libraries (MFErt) and Linux Agent (MFEcma).

Rationale: The McAfee Runtime Libraries (MFErt) and Linux Agent (MFEcma) are dependencies for VirusScan Enterprise for Linux (VSEL) and Host-based Security System (HBSS) to run.

CCE-80367-6

Configure Backups of User Data

The operating system must conduct backups of user data contained in the operating system. The operating system provides utilities for automating backups of user data. Commercial and open-source products are also available.

Rationale: Operating system backup is a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users. Backups shall be consistent with organizational recovery time and recovery point objectives.

Install Virus Scanning Software

Install virus scanning software, which uses signatures to search for the presence of viruses on the filesystem. Ensure virus definition files are no older than 7 days, or their last release. Configure the virus scanning software to perform scans dynamically on all accessed files. If this is not possible, configure the system to scan all altered files on the system on a daily basis. If the system processes inbound SMTP mail, configure the virus scanner to scan all received mail.

References: 12, 13, 14, 4, 7, 8, APO01.06, APO13.02, BAI02.01, BAI06.01, DSS04.07, DSS05.01, DSS05.02, DSS05.03, DSS06.06, CCI-001239, CCI-001668, 4.3.4.3.8, 4.4.3.2, SR 3.2, SR 3.3, SR 3.4, SR 4.1, A.12.2.1, A.14.2.8, A.8.2.3, SC-28, SI-3, DE.CM-4, DE.DP-3, PR.DS-1

Rationale: Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.

CCE-27140-3

Configure AIDE to Verify Extended Attributes

By default, the xattrs option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the xattrs option is missing, add xattrs to the appropriate ruleset.
For example, add xattrs to the following line in /etc/aide.conf:

    FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256

AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.

References: RHEL-07-021610, SV-86695r3_rule, 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, CCI-000366, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7.1, PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227

Rationale: Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.

CCE-80376-7

Remediation (bash):

    package_install aide
    aide_conf="/etc/aide.conf"
    groups=$(LC_ALL=C grep "^[A-Z]\+" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u)
    for group in $groups
    do
        config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ')
        if ! [[ $config = *xattrs* ]]
        then
            if [[ -z $config ]]
            then
                config="xattrs"
            else
                config=$config"+xattrs"
            fi
        fi
        sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf
    done

Configure AIDE to Verify Access Control Lists (ACLs)

By default, the acl option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the acl option is missing, add acl to the appropriate ruleset. For example, add acl to the following line in /etc/aide.conf:

    FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256

AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.

References: RHEL-07-021600, SV-86693r3_rule, 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, CCI-000366, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7.1, PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227

Rationale: ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools.
CCE-80375-9

Remediation (bash):

    package_install aide
    aide_conf="/etc/aide.conf"
    groups=$(LC_ALL=C grep "^[A-Z]\+" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u)
    for group in $groups
    do
        config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ')
        if ! [[ $config = *acl* ]]
        then
            if [[ -z $config ]]
            then
                config="acl"
            else
                config=$config"+acl"
            fi
        fi
        sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf
    done

Configure AIDE to Use FIPS 140-2 for Validating Hashes

By default, the sha512 option is added to the NORMAL ruleset in AIDE. If using a custom ruleset or the sha512 option is missing, add sha512 to the appropriate ruleset. For example, add sha512 to the following line in /etc/aide.conf:

    NORMAL = FIPSR+sha512

AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.

References: RHEL-07-021620, SV-86697r3_rule, 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, 3.13.11, CCI-000366, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7(1), PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227

Rationale: File integrity tools use cryptographic hashes for verifying that file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes.

CCE-80377-5

Remediation (bash):

    package_install aide
    aide_conf="/etc/aide.conf"
    forbidden_hashes=(sha1 rmd160 sha256 whirlpool tiger haval gost crc32)
    groups=$(LC_ALL=C grep "^[A-Z]\+" $aide_conf | cut -f1 -d ' ' | tr -d ' ' | sort -u)
    for group in $groups
    do
        config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ')
        if ! [[ $config = *sha512* ]]
        then
            config=$config"+sha512"
        fi
        for hash in ${forbidden_hashes[@]}
        do
            config=$(echo $config | sed "s/$hash//")
        done
        config=$(echo $config | sed "s/^\+*//")
        config=$(echo $config | sed "s/\+\++/+/")
        config=$(echo $config | sed "s/\+$//")
        sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf
    done

Configure Notification of Post-AIDE Scan Details

AIDE should notify appropriate personnel of the details of a scan after the scan has been run. If AIDE has already been configured for periodic execution in /etc/crontab, append the following line to the existing AIDE line:

    | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost

Otherwise, add the following line to /etc/crontab:

    05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost

AIDE can be executed periodically through other means; this is merely one example.

References: RHEL-07-020040, SV-86599r2_rule, 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150

Rationale: Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
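The three AIDE ruleset rules above (xattrs, acl and sha512 with the weaker hashes removed) each edit the same "GROUP = attr+attr+..." lines with grep and sed, where substring matching and the trailing cleanup passes do the work. What follows is an added example, not SSG code, that parses those group lines as "+"-separated tokens, applies all three requirements in one pass, and exposes the audit check for a given aide.conf text. The sample configuration is constructed for the example (it is modelled on the FIPSR/NORMAL lines the page quotes); the function names are my own.

```python
"""Added example: normalise AIDE rule groups so that every group verifies
acl and xattrs and a FIPS 140-2 hash (sha512), and carries none of the
weaker hashes.  Not SSG code; a Python reimplementation of the three
bash remediations above, working on the text of aide.conf."""
import re

FORBIDDEN_HASHES = frozenset(
    {"sha1", "rmd160", "sha256", "whirlpool", "tiger", "haval", "gost", "crc32"})
REQUIRED_ATTRS = ("acl", "xattrs", "sha512")
# Group definitions look like "FIPSR = p+i+n+u+...": an upper-case name, "=",
# then "+"-joined attributes.  Selection lines ("/boot NORMAL"), @@define
# lines and lower-case options ("database=file:...") do not match.
GROUP_RE = re.compile(r'^([A-Z][A-Z0-9_]*)\s*=\s*(.*?)\s*$')
# ALLXTRAHASHES is a catalogue of every hash AIDE knows; left alone, as the
# xattrs and acl remediations above do.
SKIP_GROUPS = frozenset({"ALLXTRAHASHES"})

# Constructed sample of /etc/aide.conf for the example.
SAMPLE_AIDE_CONF = """\
@@define DBDIR /var/lib/aide
database=file:@@{DBDIR}/aide.db.gz
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
NORMAL = FIPSR+sha512
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
LSPP = R+sha256
/boot   NORMAL
"""


def _parse_group(line):
    """Return (name, [attributes]) for a group definition line, else None."""
    m = GROUP_RE.match(line)
    if not m or m.group(1) in SKIP_GROUPS:
        return None
    name, value = m.groups()
    return name, [a for a in value.split("+") if a]


def harden_aide_groups(conf_text, required=REQUIRED_ATTRS, forbidden=FORBIDDEN_HASHES):
    """Rewrite every group: drop forbidden hashes, append missing required attributes."""
    out = []
    for line in conf_text.splitlines():
        parsed = _parse_group(line)
        if parsed is None:
            out.append(line)
            continue
        name, attrs = parsed
        attrs = [a for a in attrs if a not in forbidden]      # exact token match
        attrs += [r for r in required if r not in attrs]
        out.append(f"{name} = {'+'.join(attrs)}")
    return "\n".join(out) + "\n"


def aide_group_findings(conf_text, required=REQUIRED_ATTRS, forbidden=FORBIDDEN_HASHES):
    """Audit check: list of (group, problem) for forbidden or missing attributes."""
    findings = []
    for line in conf_text.splitlines():
        parsed = _parse_group(line)
        if parsed is None:
            continue
        name, attrs = parsed
        findings += [(name, f"forbidden hash {a}") for a in attrs if a in forbidden]
        findings += [(name, f"missing {r}") for r in required if r not in attrs]
    return findings


if __name__ == "__main__":
    for finding in aide_group_findings(SAMPLE_AIDE_CONF):
        print("before:", finding)
    print(harden_aide_groups(SAMPLE_AIDE_CONF))
```

Splitting on "+" and comparing whole tokens means "sha512" can never be damaged by removing "sha1", and no "+ + " cleanup passes are needed; the bash versions above rely on sed substring deletion followed by three clean-up substitutions for the same effect. A group that inherits from another (NORMAL = FIPSR+sha512) still gets acl and xattrs appended, exactly as the page's per-group loops do.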
CCE-80374-2

Remediation (bash):

    package_install aide
    CRONTAB=/etc/crontab
    CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly'
    if [ -f /var/spool/cron/root ]; then
        VARSPOOL=/var/spool/cron/root
    fi
    if ! grep -qR '^.*\/usr\/sbin\/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*root@.*$' $CRONTAB $VARSPOOL $CRONDIRS; then
        echo '0 5 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost' >> $CRONTAB
    fi

Ensure gpgcheck Enabled for Local Packages

yum should be configured to verify the signature(s) of local packages prior to installation. To configure yum to verify signatures of local packages, set localpkg_gpgcheck to 1 in /etc/yum.conf.

References: RHEL-07-020060, SV-86603r2_rule, 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), CM-11, PR.IP-1, FAU_GEN.1.1.c, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650

Rationale: Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
CCE-80347-8

Remediation (bash):

    replace_or_append '/etc/yum.conf' '^localpkg_gpgcheck' '1' 'CCE-80347-8'

Remediation (Ansible):

    - name: Check existence of yum on Fedora
      stat:
        path: /etc/yum.conf
      register: yum_config_file
      check_mode: no
      when: ansible_distribution == "Fedora" and True
      tags:
        - ensure_gpgcheck_local_packages
        - high_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80347-8
        - NIST-800-53-CM-5(3)
        - NIST-800-53-CM-11
        - NIST-800-171-3.4.8
        - DISA-STIG-RHEL-07-020060

    # Old versions of Fedora use yum
    - name: Ensure GPG check Enabled for Local Packages (Yum)
      ini_file:
        dest: /etc/yum.conf
        section: main
        option: localpkg_gpgcheck
        value: 1
        create: True
      when: (ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or yum_config_file.stat.exists) and True
      tags:
        - ensure_gpgcheck_local_packages
        - high_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80347-8
        - NIST-800-53-CM-5(3)
        - NIST-800-53-CM-11
        - NIST-800-171-3.4.8
        - DISA-STIG-RHEL-07-020060

    - name: Ensure GPG check Enabled for Local Packages (DNF)
      ini_file:
        dest: /etc/dnf/dnf.conf
        section: main
        option: localpkg_gpgcheck
        value: 1
        create: True
      when: ansible_distribution == "Fedora" and True
      tags:
        - ensure_gpgcheck_local_packages
        - high_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80347-8
        - NIST-800-53-CM-5(3)
        - NIST-800-53-CM-11
        - NIST-800-171-3.4.8
        - DISA-STIG-RHEL-07-020060

Ensure gpgcheck Enabled for Repository Metadata

Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components of local packages without verification of the repository metadata. Check that yum verifies the repository metadata prior to install with the following command. This should be configured by setting repo_gpgcheck to 1 in /etc/yum.conf.
References: 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), PR.IP-1, SRG-OS-000366-GPOS-00153

Rationale: Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. NOTE: For U.S. Military systems, this requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved Certificate Authority.

CCE-80348-6

Ensure yum Removes Previous Package Versions

yum should be configured to remove previous software components after new versions have been installed. To configure yum to remove the previous software components after updating, set clean_requirements_on_remove to 1 in /etc/yum.conf.

References: RHEL-07-020200, SV-86611r2_rule, 18, 20, 4, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, 3.4.8, CCI-002617, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, SI-2(6), CM-11, ID.RA-1, PR.IP-12, SRG-OS-000437-GPOS-00194

Rationale: Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries.
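The three yum rules above (localpkg_gpgcheck, repo_gpgcheck and clean_requirements_on_remove) all come down to one key in the [main] section of /etc/yum.conf, set by replace_or_append in bash and by ini_file in Ansible. The following is an added example, not SSG code, that applies all three to the text of a yum.conf while preserving comments and unrelated keys, and pairs the edit with the audit check that reports which keys are still not in effect. The sample yum.conf is constructed for the example and the function names are my own.

```python
"""Added example: enforce the [main] settings required by the rules above
on the text of /etc/yum.conf, and report which are not in effect.  Not SSG
code; a Python reimplementation for illustration of replace_or_append and
the Ansible ini_file tasks shown on this page."""
import re

REQUIRED_MAIN = {
    "localpkg_gpgcheck": "1",            # verify signatures of local .rpm files
    "repo_gpgcheck": "1",                # verify signed repository metadata
    "clean_requirements_on_remove": "1", # remove superseded components
}
# key=value line, optionally commented out ("#key=value"); groups: comment, key, value
KEY_RE = re.compile(r'^\s*(#\s*)?([A-Za-z_]+)\s*=\s*(\S*)')

# Constructed sample of /etc/yum.conf: one key commented out, one set wrong,
# one missing, plus a second section that must stay untouched.
SAMPLE_YUM_CONF = """\
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
gpgcheck=1
#localpkg_gpgcheck=0
clean_requirements_on_remove=0

[updates-testing]
enabled=0
"""


def _main_bounds(lines):
    """Index of the [main] header and of the first line after that section."""
    start = None
    for i, line in enumerate(lines):
        if re.match(r'^\s*\[main\]\s*$', line):
            start = i
        elif start is not None and re.match(r'^\s*\[', line):
            return start, i
    return start, len(lines)


def harden_yum_conf(text, required=REQUIRED_MAIN):
    """Return text with every required key set once, in [main], to its value."""
    lines = text.splitlines()
    start, end = _main_bounds(lines)
    if start is None:
        # no [main] section at all: create one at the top of the file
        return "\n".join(["[main]"] + [f"{k}={v}" for k, v in required.items()] + lines) + "\n"
    kept, seen = [], set()
    for i, line in enumerate(lines):
        if start < i < end:
            m = KEY_RE.match(line)
            if m and m.group(2) in required:
                key = m.group(2)
                if key in seen:
                    continue                      # drop repeated or contradicting copies
                seen.add(key)
                line = f"{key}={required[key]}"   # also un-comments "#key=..."
        kept.append(line)
    start, end = _main_bounds(kept)
    insert_at = end
    while insert_at > start + 1 and kept[insert_at - 1].strip() == "":
        insert_at -= 1                            # keep the blank line that ends the section
    for key, value in required.items():
        if key not in seen:
            kept.insert(insert_at, f"{key}={value}")
            insert_at += 1
    return "\n".join(kept) + "\n"


def yum_conf_findings(text, required=REQUIRED_MAIN):
    """Audit check: sorted required keys whose effective [main] value is wrong or absent."""
    lines = text.splitlines()
    start, end = _main_bounds(lines)
    effective = {}
    if start is not None:
        for line in lines[start + 1:end]:
            m = KEY_RE.match(line)
            if m and not m.group(1):              # commented-out lines do not count
                effective[m.group(2)] = m.group(3)   # last active assignment taken as effective
    return sorted(k for k, v in required.items() if effective.get(k) != v)


if __name__ == "__main__":
    print(yum_conf_findings(SAMPLE_YUM_CONF))
    print(harden_yum_conf(SAMPLE_YUM_CONF))
```

The check deliberately ignores commented-out lines and takes the last active assignment, so a file where a later "localpkg_gpgcheck=0" follows the required line is reported as non-compliant rather than passing on the first match, which is the case a grep for "^localpkg_gpgcheck" alone would miss.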
CCE-80346-0

Remediation (bash):

    if grep --silent ^clean_requirements_on_remove /etc/yum.conf ; then
        sed -i "s/^clean_requirements_on_remove.*/clean_requirements_on_remove=1/g" /etc/yum.conf
    else
        echo -e "\n# Set clean_requirements_on_remove to 1 per security requirements" >> /etc/yum.conf
        echo "clean_requirements_on_remove=1" >> /etc/yum.conf
    fi

Remediation (Ansible):

    - name: "Ensure YUM Removes Previous Package Versions"
      lineinfile:
        dest: /etc/yum.conf
        regexp: ^#?clean_requirements_on_remove
        line: clean_requirements_on_remove=1
        insertafter: '\[main\]'
      tags:
        - clean_components_post_updating
        - low_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - CCE-80346-0
        - NIST-800-53-SI-2(6)
        - NIST-800-53-CM-11
        - NIST-800-171-3.4.8
        - DISA-STIG-RHEL-07-020200

Set GNOME Screen Locking Keybindings

Run the following command to prevent changes to the screensaver lock keybindings:

    $ sudo gconftool-2 --direct \
        --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
        --type string \
        --set /apps/gnome_settings_daemon/keybindings/screensaver "<Control><Alt>l"

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, PR.AC-4, PR.DS-5

Rationale: The ability to lock graphical desktop sessions manually allows users to easily secure their accounts should they need to depart from their workstations temporarily.

Ensure Users Cannot Change GNOME3 Session Idle Settings

If not already configured, ensure that users cannot change GNOME3 session idle settings by adding /org/gnome/desktop/session/idle-delay to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/desktop/session/idle-delay

After the settings have been set, run dconf update.
References: RHEL-07-010082, SV-87809r4_rule, 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(a), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-00029-GPOS-0010

Rationale: A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings.

CCE-80544-0

Remediation (bash):

    # include_dconf_settings pulls in SSG's shared dconf_settings/dconf_lock shell helpers
    include_dconf_settings
    dconf_lock 'org/gnome/desktop/session' 'idle-delay' 'local.d' '00-security-settings-lock'

Remediation (Ansible):

    - name: "Prevent user modification of GNOME Session idle-delay"
      lineinfile:
        path: /etc/dconf/db/local.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/desktop/session/idle-delay'
        line: '/org/gnome/desktop/session/idle-delay'
        create: yes
      tags:
        - dconf_gnome_session_idle_user_locks
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80544-0
        - NIST-800-53-AC-11(a)
        - NIST-800-171-3.1.10
        - DISA-STIG-RHEL-07-010082
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Full User Name on Splash Shield

By default when the screen is locked, the splash shield will show the user's full name. This should be disabled to prevent casual observers from seeing who has access to the system. This can be disabled by adding or setting show-full-name-in-top-bar to false in /etc/dconf/db/local.d/00-security-settings.
For example:

    [org/gnome/desktop/screensaver]
    show-full-name-in-top-bar=false

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/desktop/screensaver/show-full-name-in-top-bar

After the settings have been set, run dconf update.

References: FMT_MOF_EXT.1

Rationale: Setting the splash screen to not reveal the logged in user's name conceals who has access to the system from passersby.

CCE-80114-2

Remediation (bash):

    # include_dconf_settings pulls in SSG's shared dconf_settings/dconf_lock shell helpers
    include_dconf_settings
    dconf_settings 'org/gnome/desktop/screensaver' 'show-full-name-in-top-bar' 'false' 'local.d' '00-security-settings'
    dconf_lock 'org/gnome/desktop/screensaver' 'show-full-name-in-top-bar' 'local.d' '00-security-settings-lock'

Remediation (Ansible):

    - name: "Disable Full Username on Splash Screen"
      ini_file:
        dest: "/etc/dconf/db/local.d/00-security-settings"
        section: "org/gnome/desktop/screensaver"
        option: show-full-name-in-top-bar
        value: "false"
        create: yes
      tags:
        - dconf_gnome_screensaver_user_info
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80114-2
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Prevent user modification of GNOME show-full-name-in-top-bar"
      lineinfile:
        path: /etc/dconf/db/local.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/desktop/screensaver/show-full-name-in-top-bar'
        line: '/org/gnome/desktop/screensaver/show-full-name-in-top-bar'
        create: yes
      tags:
        - dconf_gnome_screensaver_user_info
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80114-2
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Ensure Users Cannot Change GNOME3 Screensaver Settings

If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding /org/gnome/desktop/screensaver/lock-delay to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/desktop/screensaver/lock-delay

After the settings have been set, run dconf update.

References: RHEL-07-010081, SV-87807r4_rule, 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(a), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-00029-GPOS-0010

Rationale: A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings.
CCE-80371-8

Remediation (bash):

    # include_dconf_settings pulls in SSG's shared dconf_settings/dconf_lock shell helpers
    include_dconf_settings
    dconf_lock 'org/gnome/desktop/screensaver' 'lock-delay' 'local.d' '00-security-settings-lock'

Remediation (Ansible):

    - name: "Prevent user modification of GNOME lock-delay"
      lineinfile:
        path: /etc/dconf/db/local.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/desktop/screensaver/lock-delay'
        line: '/org/gnome/desktop/screensaver/lock-delay'
        create: yes
      tags:
        - dconf_gnome_screensaver_user_locks
        - medium_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80371-8
        - NIST-800-53-AC-11(a)
        - NIST-800-171-3.1.10
        - DISA-STIG-RHEL-07-010081
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Set GNOME Login Maximum Allowed Inactivity Action

Run the following command to force logout of an inactive user when the maximum allowed inactivity period has expired:

    $ sudo gconftool-2 --direct \
        --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
        --type string \
        --set /desktop/gnome/session/max_idle_action "forced-logout"

Rationale: Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session and will also free up resources utilized by an idle session.

Set GNOME Login Maximum Allowed Inactivity

Run the following command to set the maximum allowed period of inactivity for an inactive user in the GNOME desktop to minutes:

    $ sudo gconftool-2 \
        --direct \
        --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
        --type int \
        --set /desktop/gnome/session/max_idle_time

Rationale: Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session and will also free up resources utilized by an idle session.
Disable GNOME Automounting

The system's default desktop environment, GNOME, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. Disable automount and autorun within GNOME by running the following:

    $ sudo gconftool-2 --direct \
        --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
        --type bool \
        --set /apps/nautilus/preferences/media_automount false
    $ sudo gconftool-2 --direct \
        --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
        --type bool \
        --set /apps/nautilus/preferences/media_autorun_never true

References: 12, 16, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, 4.3.3.2.2, 4.3.3.5.2, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.13, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, AC-19(a), AC-19(d), AC-19(e), PR.AC-3, PR.AC-6

Rationale: Disabling automatic mounting in GNOME can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use of removable media.

Disable All GNOME Thumbnailers

The system's default desktop environment, GNOME, uses a number of different thumbnailer programs to generate thumbnails for any new or modified content in an opened folder. The following command can disable the execution of these thumbnail applications:

    $ sudo gconftool-2 --direct \
        --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
        --type bool \
        --set /desktop/gnome/thumbnailers/disable_all true

This effectively prevents an attacker from gaining access to a system through a flaw in GNOME's Nautilus thumbnail creators.
References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3

Rationale: An attacker with knowledge of a flaw in a GNOME thumbnailer application could craft a malicious file to exploit this flaw. Assuming the attacker could place the malicious file on the local filesystem (via a web upload for example) and assuming a user browses the same location using Nautilus, the malicious file would exploit the thumbnailer with the potential for malicious code execution. It is best to disable these thumbnailer applications unless they are explicitly required.

Disable All GNOME3 Thumbnailers

The system's default desktop environment, GNOME3, uses a number of different thumbnailer programs to generate thumbnails for any new or modified content in an opened folder. To disable the execution of these thumbnail applications, add or set disable-all to true in /etc/dconf/db/local.d/00-security-settings. For example:

    [org/gnome/desktop/thumbnailers]
    disable-all=true

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/desktop/thumbnailers/disable-all

After the settings have been set, run dconf update. This effectively prevents an attacker from gaining access to a system through a flaw in GNOME3's Nautilus thumbnail creators.
References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3

Rationale: An attacker with knowledge of a flaw in a GNOME3 thumbnailer application could craft a malicious file to exploit this flaw. Assuming the attacker could place the malicious file on the local filesystem (via a web upload for example) and assuming a user browses the same location using Nautilus, the malicious file would exploit the thumbnailer with the potential for malicious code execution. It is best to disable these thumbnailer applications unless they are explicitly required.
CCE-80123-3

Remediation (bash):

    # include_dconf_settings pulls in SSG's shared dconf_settings/dconf_lock shell helpers
    include_dconf_settings
    dconf_settings 'org/gnome/desktop/thumbnailers' 'disable-all' 'true' 'local.d' '00-security-settings'
    dconf_lock 'org/gnome/desktop/thumbnailers' 'disable-all' 'local.d' '00-security-settings-lock'

Remediation (Ansible):

    - name: "Disable All GNOME3 Thumbnailers"
      ini_file:
        dest: /etc/dconf/db/local.d/00-security-settings
        section: org/gnome/desktop/thumbnailers
        option: disable-all
        value: "true"
        create: yes
      tags:
        - dconf_gnome_disable_thumbnailers
        - unknown_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80123-3
        - NIST-800-53-CM-7
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Prevent user modification of GNOME3 Thumbnailers"
      lineinfile:
        path: /etc/dconf/db/local.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/desktop/thumbnailers/disable-all'
        line: '/org/gnome/desktop/thumbnailers/disable-all'
        create: yes
      tags:
        - dconf_gnome_disable_thumbnailers
        - unknown_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80123-3
        - NIST-800-53-CM-7
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable GNOME3 Automounting

The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable automount and autorun within GNOME3, add or set automount to false, automount-open to false, and autorun-never to true in /etc/dconf/db/local.d/00-security-settings. For example:

    [org/gnome/desktop/media-handling]
    automount=false
    automount-open=false
    autorun-never=true

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:

    /org/gnome/desktop/media-handling/automount
    /org/gnome/desktop/media-handling/automount-open
    /org/gnome/desktop/media-handling/autorun-never

After the settings have been set, run dconf update.

References: 12, 16, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, 3.1.7, 4.3.3.2.2, 4.3.3.5.2, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.13, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, AC-19(a), AC-19(d), AC-19(e), PR.AC-3, PR.AC-6

Rationale: Disabling automatic mounting in GNOME3 can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use of removable media.

CCE-80122-5

Remediation (bash):

    # include_dconf_settings pulls in SSG's shared dconf_settings/dconf_lock shell helpers
    include_dconf_settings
    dconf_settings 'org/gnome/desktop/media-handling' 'automount' 'false' 'local.d' '00-security-settings'
    dconf_settings 'org/gnome/desktop/media-handling' 'automount-open' 'false' 'local.d' '00-security-settings'
    dconf_settings 'org/gnome/desktop/media-handling' 'autorun-never' 'true' 'local.d' '00-security-settings'
    dconf_lock 'org/gnome/desktop/media-handling' 'automount' 'local.d' '00-security-settings-lock'
    dconf_lock 'org/gnome/desktop/media-handling' 'automount-open' 'local.d' '00-security-settings-lock'
    dconf_lock 'org/gnome/desktop/media-handling' 'autorun-never' 'local.d' '00-security-settings-lock'

Remediation (Ansible):

    - name: "Disable GNOME3 Automounting - automount"
      ini_file:
        dest: /etc/dconf/db/local.d/00-security-settings
        section: org/gnome/desktop/media-handling
        option: automount
        value: "false"
        create: yes
      tags:
        - dconf_gnome_disable_automount
        - unknown_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80122-5
        - NIST-800-53-AC-19(a)
        - NIST-800-53-AC-19(d)
        - NIST-800-53-AC-19(e)
        - NIST-800-171-3.1.7
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Prevent user modification of GNOME3 Automounting - automount"
      lineinfile:
        path: /etc/dconf/db/local.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/desktop/media-handling/automount'
        line: '/org/gnome/desktop/media-handling/automount'
        create: yes
      tags:
        - dconf_gnome_disable_automount
        - unknown_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80122-5
        - NIST-800-53-AC-19(a)
        - NIST-800-53-AC-19(d)
        - NIST-800-53-AC-19(e)
        - NIST-800-171-3.1.7
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Disable GNOME3 Automounting - automount-open"
      ini_file:
        dest: /etc/dconf/db/local.d/00-security-settings
        section: org/gnome/desktop/media-handling
        option: automount-open
        value: "false"
        create: yes
      tags:
        - dconf_gnome_disable_automount
        - unknown_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80122-5
        - NIST-800-53-AC-19(a)
        - NIST-800-53-AC-19(d)
        - NIST-800-53-AC-19(e)
        - NIST-800-171-3.1.7
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Prevent user modification of GNOME3 Automounting - automount-open"
      lineinfile:
        path: /etc/dconf/db/local.d/locks/00-security-settings-lock
        regexp: '^/org/gnome/desktop/media-handling/automount-open'
        line: '/org/gnome/desktop/media-handling/automount-open'
        create: yes
      tags:
        - dconf_gnome_disable_automount
        - unknown_severity
        - unknown_strategy
        - low_complexity
        - medium_disruption
        - CCE-80122-5
        - NIST-800-53-AC-19(a)
        - NIST-800-53-AC-19(d)
        - NIST-800-53-AC-19(e)
        - NIST-800-171-3.1.7
      when:
        # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: "Disable GNOME3 Automounting - autorun-never"
      ini_file:
        dest: /etc/dconf/db/local.d/00-security-settings
        section: org/gnome/desktop/media-handling
        option: autorun-never
        value: "true"
        create: yes
      tags:
        - dconf_gnome_disable_automount
        - unknown_severity
- unknown_strategy - low_complexity - medium_disruption - CCE-80122-5 - NIST-800-53-AC-19(a) - NIST-800-53-AC-19(d) - NIST-800-53-AC-19(e) - NIST-800-171-3.1.7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: "Prevent user modification of GNOME3 Automounting - autorun-never" lineinfile: path: /etc/dconf/db/local.d/locks/00-security-settings-lock regexp: '^/org/gnome/desktop/media-handling/autorun-never' line: '/org/gnome/desktop/media-handling/autorun-never' create: yes tags: - dconf_gnome_disable_automount - unknown_severity - unknown_strategy - low_complexity - medium_disruption - CCE-80122-5 - NIST-800-53-AC-19(a) - NIST-800-53-AC-19(d) - NIST-800-53-AC-19(e) - NIST-800-171-3.1.7 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Disable Geolocation in GNOME3 GNOME allows the clock and applications to track and access location information. This setting should be disabled as applications should not track system location. To configure the system to disable location tracking, add or set enabled to false in /etc/dconf/db/local.d/00-security-settings. For example: [org/gnome/system/location] enabled=false To configure the clock to disable location tracking, add or set geolocation to false in /etc/dconf/db/local.d/00-security-settings. For example: [org/gnome/clocks] geolocation=false Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: /org/gnome/system/location/enabled /org/gnome/clocks/geolocation After the settings have been set, run dconf update. Power settings should not be enabled on systems that are not mobile devices. Enabling power settings on non-mobile devices could have unintended processing consequences on standard systems. 
Identifiers: CCE-80117-5

Remediation Shell script:

include_dconf_settings
dconf_settings 'org/gnome/system/location' 'enabled' 'false' 'local.d' '00-security-settings'
dconf_settings 'org/gnome/clocks' 'geolocation' 'false' 'local.d' '00-security-settings'
dconf_lock 'org/gnome/system/location' 'enabled' 'local.d' '00-security-settings-lock'
dconf_lock 'org/gnome/clocks' 'geolocation' 'local.d' '00-security-settings-lock'

Remediation Ansible snippet:

- name: "Disable Geolocation in GNOME3 - location tracking"
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/system/location
    option: enabled
    value: "false"
    create: yes
  tags: [dconf_gnome_disable_geolocation, medium_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80117-5]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: "Disable Geolocation in GNOME3 - clock location tracking"
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/clocks
    # The original snippet misspelled this key as "gelocation", which
    # writes an unrelated key and leaves clock geolocation enabled.
    option: geolocation
    value: "false"
    create: yes
  tags: [dconf_gnome_disable_geolocation, medium_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80117-5]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: "Prevent user modification of GNOME geolocation - location tracking"
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/system/location/enabled'
    line: '/org/gnome/system/location/enabled'
    create: yes
  tags: [dconf_gnome_disable_geolocation, medium_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80117-5]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: "Prevent user modification of GNOME geolocation - clock location tracking"
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/clocks/geolocation'
    line: '/org/gnome/clocks/geolocation'
    create: yes
  tags: [dconf_gnome_disable_geolocation, medium_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80117-5]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME

By default, GNOME will reboot the system if the Ctrl-Alt-Del key sequence is pressed. To configure the system to ignore the Ctrl-Alt-Del key sequence from the Graphical User Interface (GUI) instead of rebooting the system, run the following:

$ sudo gconftool-2 --direct \
    --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
    --type string \
    --set /apps/gnome_settings_daemon/keybindings/power ""

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, PR.AC-4, PR.DS-5

Rationale: A locally logged-in user who presses Ctrl-Alt-Del at the console can reboot the system. If pressed accidentally, as can happen in a mixed OS environment, this creates the risk of a short-term loss of availability due to an unintentional reboot.

Disable the GNOME Clock Weather Feature

Run the following command to disable the weather feature of the GNOME panel clock:

$ sudo gconftool-2 --direct \
    --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
    --type bool \
    --set /apps/panel/applets/clock/prefs/show_weather false

Rationale: Disabling the weather feature in the GNOME clock prevents the system from connecting to the Internet and disclosing the system's location once a user has set one.
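Every GNOME3 rule on this page follows the same three-step pattern: a key/value in a keyfile under /etc/dconf/db/local.d (or gdm.d for the login screen), a matching line in the locks directory, and a dconf update to compile the database. The script below is an added example, not code from the SCAP Security Guide: it audits all three parts for a list of required keys (the automount, geolocation, Ctrl-Alt-Del and Vino keys from this page) instead of trusting that the remediation ran. The directory layout, sample keyfile contents and key list are constructed for offline testing; on a real host point it at /etc/dconf/db/local.d with /etc/dconf/db/local as the compiled database.

```shell
#!/bin/sh
# Added example (not SCAP Security Guide code): audit the dconf keyfiles and
# locks that the GNOME3 rules on this page write. For each required key it
# checks the value in the keyfile directory and the matching lock line;
# dconf_stale reports whether "dconf update" still has to be run.
# Sample directory contents below are constructed for offline testing.

# Print the value of KEY in [SECTION] from the keyfiles directly inside DIR.
# Later files override earlier ones, matching the sorted merge dconf does.
# Accepts both "key=value" and the "key = value" form Ansible's ini_file
# writes by default; GKeyFile accepts either.
dconf_get() {
    dir=$1 section=$2 key=$3 value=
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        v=$(awk -v sect="[$section]" -v key="$key" '
            /^\[/ { insect = ($0 == sect); next }
            insect && $0 ~ ("^" key "[ \t]*=") {
                sub(/^[^=]*=[ \t]*/, ""); print; exit
            }' "$f")
        [ -n "$v" ] && value=$v
    done
    printf '%s\n' "$value"
}

# Return 0 if KEYPATH (e.g. /org/gnome/clocks/geolocation) appears as a whole
# line in some file under LOCKDIR, i.e. users cannot override it.
dconf_locked() {
    grep -qxF -- "$2" "$1"/* 2>/dev/null
}

# Return 0 if any file under DIR is newer than the compiled database COMPILED
# (e.g. /etc/dconf/db/local), or if COMPILED is missing: "dconf update" is due.
dconf_stale() {
    [ -f "$2" ] || return 0
    [ -n "$(find "$1" -type f -newer "$2" 2>/dev/null)" ]
}

# Required "section key value" triples, taken from the rules on this page.
required_settings() {
    cat <<'EOF'
org/gnome/desktop/media-handling automount false
org/gnome/desktop/media-handling automount-open false
org/gnome/desktop/media-handling autorun-never true
org/gnome/system/location enabled false
org/gnome/clocks geolocation false
org/gnome/settings-daemon/plugins/media-keys logout ''
org/gnome/Vino require-encryption true
org/gnome/Vino authentication-methods ['vnc']
EOF
}

# Audit DIR (a keyfile directory with a locks/ subdirectory) against
# required_settings. Prints one PASS/FAIL line per key and returns the
# number of failures, so 0 means compliant.
dconf_audit() {
    failures=0
    while read -r section key expected; do
        actual=$(dconf_get "$1" "$section" "$key")
        if [ "$actual" != "$expected" ]; then
            echo "FAIL /$section/$key is '${actual:-unset}', want $expected"
            failures=$((failures + 1))
        elif ! dconf_locked "$1/locks" "/$section/$key"; then
            echo "FAIL /$section/$key is set but not locked against user changes"
            failures=$((failures + 1))
        else
            echo "PASS /$section/$key"
        fi
    done <<EOF
$(required_settings)
EOF
    return $failures
}

# Constructed sample database directory: six keys compliant, geolocation
# left enabled, autorun-never set but never locked.
make_sample_db() {
    d=$(mktemp -d)
    mkdir -p "$d/locks"
    cat >"$d/00-security-settings" <<'EOF'
[org/gnome/desktop/media-handling]
automount=false
automount-open = false
autorun-never=true

[org/gnome/system/location]
enabled=false

[org/gnome/clocks]
geolocation=true

[org/gnome/settings-daemon/plugins/media-keys]
logout=''

[org/gnome/Vino]
require-encryption=true
authentication-methods=['vnc']
EOF
    cat >"$d/locks/00-security-settings-lock" <<'EOF'
/org/gnome/desktop/media-handling/automount
/org/gnome/desktop/media-handling/automount-open
/org/gnome/system/location/enabled
/org/gnome/settings-daemon/plugins/media-keys/logout
/org/gnome/Vino/require-encryption
/org/gnome/Vino/authentication-methods
EOF
    printf '%s\n' "$d"
}

# Demo on the sample directory; on a real host use /etc/dconf/db/local.d.
demo() {
    d=$(make_sample_db)
    dconf_audit "$d" || echo "failures: $?"
    dconf_stale "$d" /etc/dconf/db/local && echo "run: dconf update"
    rm -rf "$d"
}
demo
```

The audit reads the keyfile sources, not the compiled binary database, which is why dconf_stale is needed: a keyfile that is correct but newer than /etc/dconf/db/local has not taken effect yet, and the "dconf databases are up-to-date" rule in this guide fails until dconf update runs.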
Disable the GNOME Clock Temperature Feature

Run the following command to disable the temperature feature of the GNOME panel clock:

$ sudo gconftool-2 --direct \
    --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
    --type bool \
    --set /apps/panel/applets/clock/prefs/show_temperature false

Rationale: Disabling the temperature feature in the GNOME clock prevents the system from connecting to the Internet and disclosing the system's location once a user has set one.

Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3

By default, GNOME will reboot the system if the Ctrl-Alt-Del key sequence is pressed. To configure the system to ignore the Ctrl-Alt-Del key sequence from the Graphical User Interface (GUI) instead of rebooting the system, add or set logout to the empty string '' in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/settings-daemon/plugins/media-keys]
logout=''

Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/settings-daemon/plugins/media-keys/logout

After the settings have been set, run dconf update.

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.2, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227

Rationale: A locally logged-in user who presses Ctrl-Alt-Del at the console can reboot the system. If pressed accidentally, as can happen in a mixed OS environment, this creates the risk of a short-term loss of availability due to an unintentional reboot.
Identifiers: CCE-80124-1

Remediation Shell script:

include_dconf_settings
dconf_settings 'org/gnome/settings-daemon/plugins/media-keys' 'logout' "string ''" 'local.d' '00-security-settings'
dconf_lock 'org/gnome/settings-daemon/plugins/media-keys' 'logout' 'local.d' '00-security-settings-lock'

Remediation Ansible snippet:

- name: "Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3"
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/settings-daemon/plugins/media-keys
    option: logout
    # Writes logout='' (an empty GVariant string), as in the keyfile example
    # above. The original snippet used "string ''", which is not valid
    # keyfile syntax and leaves the keybinding in place.
    value: "''"
    create: yes
  tags: [dconf_gnome_disable_ctrlaltdel_reboot, high_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80124-1, NIST-800-53-AC-6, NIST-800-171-3.1.2]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: "Prevent user modification of GNOME disablement of Ctrl-Alt-Del"
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/settings-daemon/plugins/media-keys/logout'
    line: '/org/gnome/settings-daemon/plugins/media-keys/logout'
    create: yes
  tags: [dconf_gnome_disable_ctrlaltdel_reboot, high_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80124-1, NIST-800-53-AC-6, NIST-800-171-3.1.2]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Power Settings in GNOME3

By default, GNOME enables a power profile designed for mobile devices running on battery. While useful for mobile devices, this setting should be disabled on all other systems. To disable the power plugin, add or set active to false in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/settings-daemon/plugins/power]
active=false

Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/settings-daemon/plugins/power

After the settings have been set, run dconf update.

Rationale: Power settings should not be enabled on systems that are not mobile devices. Enabling power settings on non-mobile devices could have unintended processing consequences on standard systems.

Identifiers: CCE-80116-7

Disable User Administration in GNOME3

By default, GNOME allows all users some administration capability. This should be disabled so that non-administrative users cannot make configuration changes. To disable user administration capability in the Graphical User Interface (GUI), add or set user-administration-disabled to true in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/lockdown]
user-administration-disabled=true

Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/lockdown/user-administration-disabled

After the settings have been set, run dconf update.

References: 3.1.5, FMT_MOD_EXT.1

Rationale: Giving all users some administrative capability over the system through the Graphical User Interface (GUI), when they would not otherwise have it, could allow unintended configuration changes and gives a malicious user the ability to make system changes such as adding new accounts.
Identifiers: CCE-80115-9

Remediation Shell script:

include_dconf_settings
dconf_settings 'org/gnome/desktop/lockdown' 'user-administration-disabled' 'true' 'local.d' '00-security-settings'
dconf_lock 'org/gnome/desktop/lockdown' 'user-administration-disabled' 'local.d' '00-security-settings-lock'

Remediation Ansible snippet:

- name: "Disable User Administration in GNOME3"
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/desktop/lockdown
    option: user-administration-disabled
    value: "true"
    create: yes
  tags: [dconf_gnome_disable_user_admin, high_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80115-9, NIST-800-171-3.1.5]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

# Task name corrected: the original snippet carried the "GNOME3 Thumbnailers"
# name copied from another rule.
- name: "Prevent user modification of GNOME3 User Administration disablement"
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/desktop/lockdown/user-administration-disabled'
    line: '/org/gnome/desktop/lockdown/user-administration-disabled'
    create: yes
  tags: [dconf_gnome_disable_user_admin, high_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80115-9, NIST-800-171-3.1.5]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the GNOME3 Login Restart and Shutdown Buttons

In the default graphical environment, users logging directly into the system are greeted with a login screen that allows any user, known or unknown, to shut down or restart the system. This functionality should be disabled by setting disable-restart-buttons to true. To disable it, add or edit disable-restart-buttons in /etc/dconf/db/gdm.d/00-security-settings. For example:

[org/gnome/login-screen]
disable-restart-buttons=true

Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/login-screen/disable-restart-buttons

After the settings have been set, run dconf update.

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.2, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227

Rationale: A user at the console can reboot the system from the login screen. If the restart or shutdown buttons are pressed at the login screen, this creates the risk of a short-term loss of availability due to reboot.

Identifiers: CCE-80107-6

Remediation Shell script:

include_dconf_settings
dconf_settings 'org/gnome/login-screen' 'disable-restart-buttons' 'true' 'gdm.d' '00-security-settings'
dconf_lock 'org/gnome/login-screen' 'disable-restart-buttons' 'gdm.d' '00-security-settings-lock'

Remediation Ansible snippet:

- name: "Disable the GNOME3 Login Restart and Shutdown Buttons"
  ini_file:
    dest: /etc/dconf/db/gdm.d/00-security-settings
    section: org/gnome/login-screen
    option: disable-restart-buttons
    value: "true"
    create: yes
  tags: [dconf_gnome_disable_restart_shutdown, high_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80107-6, NIST-800-53-AC-6, NIST-800-171-3.1.2]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: "Prevent user modification of GNOME disablement of Login Restart and Shutdown Buttons"
  lineinfile:
    path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/login-screen/disable-restart-buttons'
    line: '/org/gnome/login-screen/disable-restart-buttons'
    create: yes
  tags: [dconf_gnome_disable_restart_shutdown, high_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80107-6, NIST-800-53-AC-6, NIST-800-171-3.1.2]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the GNOME Login Restart and Shutdown Buttons

In the default graphical environment, users logging directly into the system are greeted with a login screen that allows any user, known or unknown, to shut down or restart the system. This functionality should be disabled by running the following:

$ sudo gconftool-2 --direct \
    --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
    --type bool \
    --set /apps/gdm/simple-greeter/disable_restart_buttons true

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, PR.AC-4, PR.DS-5

Rationale: A user at the console can reboot the system from the login screen. If the restart or shutdown buttons are pressed at the login screen, this creates the risk of a short-term loss of availability due to reboot.

Disable GDM Automatic Login

The GNOME Display Manager (GDM) can allow users to log in automatically without user interaction or credentials. Users should always be required to authenticate to a system they are authorized to use. To disable automatic login, set AutomaticLoginEnable to false in the [daemon] section of /etc/gdm/custom.conf. For example:

[daemon]
AutomaticLoginEnable=false

References: RHEL-07-010440, SV-86577r2_rule, 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.1, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(b), PR.IP-1, FIA_AFL.1, SRG-OS-000480-GPOS-00229

Rationale: Failure to restrict system access to authenticated users negatively impacts operating system security.

Identifiers: CCE-80104-3

Remediation Shell script:

if rpm --quiet -q gdm
then
  if ! grep -q "^AutomaticLoginEnable=" /etc/gdm/custom.conf
  then
    # Appends after the [daemon] header; a custom.conf with no [daemon]
    # section is left unchanged, so check for the header first.
    sed -i "/^\[daemon\]/a \
AutomaticLoginEnable=False" /etc/gdm/custom.conf
  else
    sed -i "s/^AutomaticLoginEnable=.*/AutomaticLoginEnable=False/g" /etc/gdm/custom.conf
  fi
fi

Remediation Ansible snippet:

- name: "Disable GDM Automatic Login"
  ini_file:
    dest: /etc/gdm/custom.conf
    section: daemon
    option: AutomaticLoginEnable
    value: "false"
    no_extra_spaces: yes
    create: yes
  tags: [gnome_gdm_disable_automatic_login, high_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80104-3, NIST-800-53-CM-6(b), NIST-800-171-3.1.1, DISA-STIG-RHEL-07-010440]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Set the GNOME3 Login Number of Failures

In the default graphical environment, the GNOME3 login screen can be configured to restart the authentication process after a configured number of attempts. This is done by setting allowed-failures to 3 or less. To enable it, add or edit allowed-failures in /etc/dconf/db/gdm.d/00-security-settings. For example:

[org/gnome/login-screen]
allowed-failures=3

Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/login-screen/allowed-failures

After the settings have been set, run dconf update.

References: 3.1.8, FMT_MOF_EXT.1

Rationale: Setting the number of password retry prompts permitted per session to a low value requires some software, such as SSH, to reconnect. This can slow down and draw additional attention to some types of password-guessing attacks.
Identifiers: CCE-80109-2

Remediation Shell script:

include_dconf_settings
dconf_settings 'org/gnome/login-screen' 'allowed-failures' "3" 'gdm.d' '00-security-settings'
dconf_lock 'org/gnome/login-screen' 'allowed-failures' 'gdm.d' '00-security-settings-lock'

Remediation Ansible snippet:

- name: "Set the GNOME3 Login Number of Failures"
  ini_file:
    dest: /etc/dconf/db/gdm.d/00-security-settings
    section: org/gnome/login-screen
    option: allowed-failures
    value: "3"
    create: yes
  tags: [dconf_gnome_login_retries, medium_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80109-2, NIST-800-171-3.1.8]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: "Prevent user modification of GNOME3 Login Number of Failures"
  lineinfile:
    path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/login-screen/allowed-failures'
    line: '/org/gnome/login-screen/allowed-failures'
    create: yes
  tags: [dconf_gnome_login_retries, medium_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80109-2, NIST-800-171-3.1.8]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the GNOME3 Login User List

In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled by setting disable-user-list to true. To disable it, add or edit disable-user-list in /etc/dconf/db/gdm.d/00-security-settings. For example:

[org/gnome/login-screen]
disable-user-list=true

Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/login-screen/disable-user-list

After the settings have been set, run dconf update.

References: AC-23

Rationale: Leaving the user list enabled is a security risk, since it allows anyone with physical access to the system to enumerate known user accounts without logging in.

Identifiers: CCE-80106-8

Remediation Shell script:

include_dconf_settings
dconf_settings 'org/gnome/login-screen' 'disable-user-list' 'true' 'gdm.d' '00-security-settings'
dconf_lock 'org/gnome/login-screen' 'disable-user-list' 'gdm.d' '00-security-settings-lock'

Remediation Ansible snippet:

- name: "Disable the GNOME3 Login User List"
  ini_file:
    dest: /etc/dconf/db/gdm.d/00-security-settings
    section: org/gnome/login-screen
    option: disable-user-list
    value: "true"
    create: yes
  tags: [dconf_gnome_disable_user_list, medium_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80106-8, NIST-800-53-AC-23]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: "Prevent user modification of GNOME3 disablement of Login User List"
  lineinfile:
    path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/login-screen/disable-user-list'
    line: '/org/gnome/login-screen/disable-user-list'
    create: yes
  tags: [dconf_gnome_disable_user_list, medium_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80106-8, NIST-800-53-AC-23]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the User List

In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled.
Run the following command to disable the user list:

$ sudo gconftool-2 --direct \
    --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
    --type bool \
    --set /apps/gdm/simple-greeter/disable_user_list true

References: AC-23

Rationale: Leaving the user list enabled is a security risk, since it allows anyone with physical access to the system to enumerate known user accounts without logging in.

Disable GDM Guest Login

The GNOME Display Manager (GDM) can allow users to log in without credentials, which can be useful in public kiosk scenarios. Allowing users to log in without credentials, or "guest" account access, carries inherent security risks and should be disabled. To disable timed logins and guest account access, set TimedLoginEnable to false in the [daemon] section of /etc/gdm/custom.conf. For example:

[daemon]
TimedLoginEnable=false

References: RHEL-07-010450, SV-86579r3_rule, 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.1, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(b), PR.IP-1, FIA_AFL.1, SRG-OS-000480-GPOS-00229

Rationale: Failure to restrict system access to authenticated users negatively impacts operating system security.

Identifiers: CCE-80105-0

Remediation Shell script:

if rpm --quiet -q gdm
then
  if ! grep -q "^TimedLoginEnable=" /etc/gdm/custom.conf
  then
    # Appends after the [daemon] header; a custom.conf with no [daemon]
    # section is left unchanged, so check for the header first.
    sed -i "/^\[daemon\]/a \
TimedLoginEnable=False" /etc/gdm/custom.conf
  else
    sed -i "s/^TimedLoginEnable=.*/TimedLoginEnable=False/g" /etc/gdm/custom.conf
  fi
fi

Remediation Ansible snippet:

- name: "Disable GDM Guest Login"
  ini_file:
    dest: /etc/gdm/custom.conf
    section: daemon
    option: TimedLoginEnable
    value: "false"
    no_extra_spaces: yes
    create: yes
  tags: [gnome_gdm_disable_guest_login, high_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80105-0, NIST-800-53-CM-6(b), NIST-800-171-3.1.1, DISA-STIG-RHEL-07-010450]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable WIFI Network Connection Creation in GNOME

GNOME allows users to create ad-hoc wireless connections through the NetworkManager applet. Creation of wireless connections should be disabled by running the following:

$ sudo gconftool-2 --direct \
    --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
    --type bool \
    --set /apps/nm-applet/disable-wifi-create true

Rationale: General users should not be allowed to configure wireless network connections on a system, as this could open the system to backdoor attacks.

Disable WIFI Network Connection Creation in GNOME3

GNOME allows users to create ad-hoc wireless connections through the NetworkManager applet. Creation of wireless connections should be disabled by adding or setting disable-wifi-create to true in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/nm-applet]
disable-wifi-create=true

Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/nm-applet/disable-wifi-create

After the settings have been set, run dconf update.

References: 3.1.16

Rationale: General users should not be allowed to configure wireless network connections on a system, as this could open the system to backdoor attacks.
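The two GDM rules above (Disable GDM Automatic Login and Disable GDM Guest Login) edit the [daemon] section of /etc/gdm/custom.conf with a grep/sed pair that only appends when a [daemon] header already exists, matches the key anywhere in the file rather than only under [daemon], and does not tolerate spaces around the equals sign. The following is an added example, not SCAP Security Guide code: a section-aware getter, setter and audit for those two keys. The sample custom.conf contents are constructed for offline testing.

```shell
#!/bin/sh
# Added example (not SCAP Security Guide code): section-aware read, write
# and audit of boolean keys in the [daemon] section of a GDM custom.conf.
# Unlike the page's grep/sed pair it creates a missing [daemon] section,
# ignores a key that sits under another section, and accepts "key = value".
# Sample file contents below are constructed for offline testing.

# Print the value of KEY inside [SECTION] of FILE (empty if absent there).
ini_get() {
    awk -v sect="[$2]" -v key="$3" '
        /^\[/ { insect = ($0 == sect); next }
        insect && $0 ~ ("^" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }' "$1"
}

# Set KEY=VALUE inside [SECTION] of FILE: replace the key if it is already in
# that section, add it to the section if not, or append a new section. The
# file is rewritten in place so its ownership and mode are preserved.
ini_set() {
    tmp=$(mktemp)
    awk -v sect="[$2]" -v key="$3" -v val="$4" '
        function flush() { if (insect && !done) { print key "=" val; done = 1 } }
        /^\[/ { flush(); insect = ($0 == sect); if (insect) seen = 1 }
        insect && $0 ~ ("^" key "[ \t]*=") { flush(); next }
        { print }
        END { flush(); if (!seen) { print ""; print sect; print key "=" val } }
    ' "$1" >"$tmp" && cat "$tmp" >"$1"
    rm -f "$tmp"
}

# Audit FILE for the two rules above: both keys must be explicitly false
# under [daemon]. An unset key is reported as a failure because the rules
# require the key to be set, not merely left at GDM's default.
gdm_login_audit() {
    rc=0
    for key in AutomaticLoginEnable TimedLoginEnable; do
        v=$(ini_get "$1" daemon "$key" | tr 'A-Z' 'a-z')
        case $v in
            false) echo "PASS [daemon] $key=$v" ;;
            *) echo "FAIL [daemon] $key is '${v:-unset}', want false"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: automatic login enabled for a kiosk account, and
# TimedLoginEnable=false written under the wrong section.
make_sample_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# GDM configuration storage
[daemon]
AutomaticLoginEnable = True
AutomaticLogin=kiosk

[security]
TimedLoginEnable=false

[xdmcp]
Enable=false
EOF
    printf '%s\n' "$f"
}

# Demo: audit, remediate both keys, audit again.
demo() {
    f=$(make_sample_conf)
    echo "before:"; gdm_login_audit "$f" || true
    ini_set "$f" daemon AutomaticLoginEnable false
    ini_set "$f" daemon TimedLoginEnable false
    echo "after:"; gdm_login_audit "$f"
    rm -f "$f"
}
demo
```

The AutomaticLogin=kiosk line is deliberately left alone: once AutomaticLoginEnable is false it is inert, and removing it is a separate decision. To use this on a host, call ini_set on /etc/gdm/custom.conf as root; GDM reads the file at its next start.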
Identifiers: CCE-80118-3

Remediation Shell script:

include_dconf_settings
dconf_settings 'org/gnome/nm-applet' 'disable-wifi-create' 'true' 'local.d' '00-security-settings'
dconf_lock 'org/gnome/nm-applet' 'disable-wifi-create' 'local.d' '00-security-settings-lock'

Remediation Ansible snippet:

- name: "Disable WiFi Network Connection Creation in GNOME3"
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/nm-applet
    option: disable-wifi-create
    value: "true"
    create: yes
  tags: [dconf_gnome_disable_wifi_create, medium_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80118-3, NIST-800-171-3.1.16]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: "Prevent user modification of GNOME3 disablement of WiFi"
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/nm-applet/disable-wifi-create'
    line: '/org/gnome/nm-applet/disable-wifi-create'
    create: yes
  tags: [dconf_gnome_disable_wifi_create, medium_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80118-3, NIST-800-171-3.1.16]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable WIFI Network Notification in GNOME3

By default, GNOME notifies users when wireless networks are available. This notification should be suppressed permanently so that users are not prompted to connect to a wireless network whenever the system finds one. While useful for mobile devices, the notification should be disabled on all other systems. To suppress it, add or set suppress-wireless-networks-available to true in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/nm-applet]
suppress-wireless-networks-available=true

Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/nm-applet/suppress-wireless-networks-available

After the settings have been set, run dconf update.

References: 3.1.16

Rationale: General users should not be allowed to configure wireless network connections on a system, as this could open the system to backdoor attacks.

Identifiers: CCE-80119-1

Remediation Shell script:

include_dconf_settings
dconf_settings 'org/gnome/nm-applet' 'suppress-wireless-networks-available' 'true' 'local.d' '00-security-settings'
dconf_lock 'org/gnome/nm-applet' 'suppress-wireless-networks-available' 'local.d' '00-security-settings-lock'

Remediation Ansible snippet:

- name: "Disable WiFi Network Notification in GNOME3"
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/nm-applet
    option: suppress-wireless-networks-available
    value: "true"
    create: yes
  tags: [dconf_gnome_disable_wifi_notification, medium_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80119-1, NIST-800-171-3.1.16]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: "Prevent user modification of GNOME3 disablement of WiFi Notification"
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/nm-applet/suppress-wireless-networks-available'
    line: '/org/gnome/nm-applet/suppress-wireless-networks-available'
    create: yes
  tags: [dconf_gnome_disable_wifi_notification, medium_severity, unknown_strategy, low_complexity, medium_disruption, CCE-80119-1, NIST-800-171-3.1.16]
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable WIFI Network Connection Notification in GNOME

By default, GNOME displays a notification when the system connects to a wireless network. This notification should be disabled permanently so that users are not prompted towards wireless networks the system finds. While useful for mobile devices, it should be disabled on all other systems.
To configure the system to disable the WIFI notication, run the following: $ sudo gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/nm-applet/disable-connected-notifications true Wireless network connections should not be allowed to be configured by general users on a given system as it could open the system to backdoor attacks. Disable WIFI Network Disconnect Notification in GNOME By default, GNOME disables WIFI notification when disconnecting from a wireless network. This should be permanently set so that users do not connect to a wireless network when the system finds one. While useful for mobile devices, this setting should be disabled for all other systems. To configure the system to disable the WIFI notication, run the following: $ sudo gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/nm-applet/disable-disconnected-notifications true Wireless network connections should not be allowed to be configured by general users on a given system as it could open the system to backdoor attacks. Require Encryption for Remote Access in GNOME3 By default, GNOME requires encryption when using Vino for remote access. To prevent remote access encryption from being disabled, add or set require-encryption to true in /etc/dconf/db/local.d/00-security-settings. For example: [org/gnome/Vino] require-encryption=true Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: /org/gnome/Vino/require-encryption After the settings have been set, run dconf update. 
1 11 12 13 15 16 18 20 3 4 6 9 BAI03.08 BAI07.04 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS03.01 3.1.13 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.4.3.2 4.3.4.3.3 4.4.3.3 SR 7.6 A.12.1.1 A.12.1.2 A.12.1.4 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-2(1)(b) DE.AE-1 PR.DS-7 PR.IP-1 SRG-OS-000480-GPOS-00227 Open X displays allow an attacker to capture keystrokes and to execute commands remotely. CCE-80121-7 include_dconf_settings dconf_settings 'org/gnome/Vino' 'require-encryption' 'true' 'local.d' '00-security-settings' dconf_lock 'org/gnome/Vino' 'require-encryption' 'local.d' '00-security-settings-lock' - name: "Require Encryption for Remote Access in GNOME3" ini_file: dest: /etc/dconf/db/local.d/00-security-settings section: org/gnome/Vino option: require-encryption value: "true" create: yes tags: - dconf_gnome_remote_access_encryption - medium_severity - unknown_strategy - low_complexity - medium_disruption - CCE-80121-7 - NIST-800-53-CM-2(1)(b) - NIST-800-171-3.1.13 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") - name: "Prevent user modification of GNOME3 Encryption for Remote Access" lineinfile: path: /etc/dconf/db/local.d/locks/00-security-settings-lock regexp: '^/org/gnome/Vino/require-encryption' line: '/org/gnome/Vino/require-encryption' create: yes tags: - dconf_gnome_remote_access_encryption - medium_severity - unknown_strategy - low_complexity - medium_disruption - CCE-80121-7 - NIST-800-53-CM-2(1)(b) - NIST-800-171-3.1.13 when: # Bare-metal/VM task, not applicable for containers - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") Require Credential Prompting for Remote Access in GNOME3 By default, GNOME does not require credentials when using Vino for remote access. 
To configure the system to require remote credentials, add or set authentication-methods to ['vnc'] in /etc/dconf/db/local.d/00-security-settings. For example:

```ini
[org/gnome/Vino]
authentication-methods=['vnc']
```

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

```
/org/gnome/Vino/authentication-methods
```

After the settings have been set, run dconf update.

References: 3.1.12 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii)

Rationale: Username and password prompting is required for remote access. Otherwise, non-authorized and nefarious users can access the system freely.

Identifier: CCE-80120-9

Remediation Shell script:

```shell
include_dconf_settings   # placeholder the guide expands into its shared dconf_settings/dconf_lock helper functions

dconf_settings 'org/gnome/Vino' 'authentication-methods' "['vnc']" 'local.d' '00-security-settings'
dconf_lock 'org/gnome/Vino' 'authentication-methods' 'local.d' '00-security-settings-lock'
```

Remediation Ansible snippet:

```yaml
- name: "Require Credential Prompting for Remote Access in GNOME3"
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/Vino
    option: authentication-methods
    value: "['vnc']"
    create: yes
  tags:
    - dconf_gnome_remote_access_credential_prompt
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80120-9
    - NIST-800-171-3.1.12
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: "Prevent user modification of GNOME3 Credential Prompting for Remote Access"
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/Vino/authentication-methods'
    line: '/org/gnome/Vino/authentication-methods'
    create: yes
  tags:
    - dconf_gnome_remote_access_credential_prompt
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80120-9
    - NIST-800-171-3.1.12
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Remove the GDM Package Group

By removing the gdm package, the system no longer has GNOME installed. If X Windows is not installed, the system cannot boot into graphical user mode. This prevents the system from being accidentally or maliciously booted into graphical.target mode. To do so, run the following command:

```shell
$ sudo yum remove gdm
```

References: AC-17(8).1(ii) SRG-OS-000480-GPOS-00227

Rationale: Unnecessary service packages must not be installed, to decrease the attack surface of the system. A graphical environment is unnecessary for certain types of systems, including a virtualization hypervisor.

Remediation Shell script:

```shell
package_remove gdm   # package_remove is a helper function from the guide's shared remediation functions
```

Remediation Ansible snippet:

```yaml
- name: Ensure gdm is removed
  package:
    name: gdm
    state: absent
  tags:
    - package_gdm_removed
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(8).1(ii)
```

Remediation Puppet snippet:

```puppet
include remove_gdm

class remove_gdm {
  package { 'gdm':
    ensure => 'purged',
  }
}
```

Remediation Anaconda snippet:

```
package --remove=gdm
```

Force dconf to use the textfiles instead of a binary DB

By default, DConf uses a binary database as a data backend. The database is compiled from config files by the dconf update command. dconf can be configured to look into those text files directly by inserting the service-db:keyfile/user directive at the beginning of the /etc/dconf/profile/user file. Unlike text config files, the binary database is impossible to check by OVAL. Therefore, in order to evaluate dconf configuration, both have to be true at the same time: configuration files have to be compliant, and dconf has to be forced to use them as the primary settings storage.
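The Vino rules above set a key in a keyfile, pin it with a lock, and rely on the keyfile backend so that the text files (not the binary database) are what gets evaluated; the following added audit script (not part of the SCAP Security Guide) checks all of those conditions, plus that the compiled database is no older than the keyfiles, against a tree rooted at ROOT. It assumes GNU/bash-style test(1) with -nt and builds a constructed sample tree under mktemp for its demo; pass "/" as ROOT to check a live system.

```shell
#!/bin/bash
# Added example, not part of the SCAP Security Guide: audit the dconf state
# that the Vino rules and the two dconf backend rules require.  Every path
# is taken relative to ROOT ("/" for the live system); the demo at the bottom
# builds a constructed tree under mktemp instead.
#
# Checks:
#   1. /etc/dconf/profile/user begins with "service-db:keyfile/user"
#   2. the effective value of KEY in [SECTION] across the local.d keyfiles
#   3. a lock file under local.d/locks pins /SECTION/KEY
#   4. the compiled database /etc/dconf/db/local is no older than any keyfile
#      or lock file, i.e. "dconf update" ran after the last edit

# dconf_value ROOT SECTION KEY -> effective value; keyfiles are read in
# lexical order and a later assignment overrides an earlier one
dconf_value() {
    local root=$1 section=$2 key=$3 f
    for f in "$root"/etc/dconf/db/local.d/*; do
        [ -f "$f" ] || continue
        awk -v sec="[$section]" -v key="$key" '
            /^\[/ { in_sec = ($0 == sec); next }
            in_sec && index($0, key "=") == 1 { val = substr($0, length(key) + 2) }
            END { if (val != "") print val }' "$f"
    done | tail -n 1
}

# dconf_setting_ok ROOT SECTION KEY EXPECTED -> 0 if the effective value matches
dconf_setting_ok() {
    [ "$(dconf_value "$1" "$2" "$3")" = "$4" ]
}

# dconf_locked ROOT SECTION KEY -> 0 if some lock file contains the line /SECTION/KEY
dconf_locked() {
    grep -qsxF -- "/$2/$3" "$1"/etc/dconf/db/local.d/locks/*
}

# dconf_profile_ok ROOT -> 0 if the first profile line forces the keyfile backend
dconf_profile_ok() {
    [ "$(head -n 1 "$1/etc/dconf/profile/user" 2>/dev/null)" = "service-db:keyfile/user" ]
}

# dconf_db_fresh ROOT -> 0 if no keyfile or lock file is newer than the database
dconf_db_fresh() {
    local db="$1/etc/dconf/db/local" f
    [ -f "$db" ] || return 1
    for f in "$1"/etc/dconf/db/local.d/* "$1"/etc/dconf/db/local.d/locks/*; do
        [ -f "$f" ] && [ "$f" -nt "$db" ] && return 1
    done
    return 0
}

# vino_audit ROOT -> one PASS/FAIL line per check; returns the failure count
vino_audit() {
    local root=$1 fails=0
    check() {
        local label=$1; shift
        if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fails=$((fails + 1)); fi
    }
    check "keyfile backend forced in profile" dconf_profile_ok "$root"
    check "require-encryption=true"           dconf_setting_ok "$root" org/gnome/Vino require-encryption true
    check "require-encryption locked"         dconf_locked "$root" org/gnome/Vino require-encryption
    check "authentication-methods=['vnc']"    dconf_setting_ok "$root" org/gnome/Vino authentication-methods "['vnc']"
    check "authentication-methods locked"     dconf_locked "$root" org/gnome/Vino authentication-methods
    check "database newer than keyfiles"      dconf_db_fresh "$root"
    return "$fails"
}

# make_sample_tree ROOT: constructed compliant configuration for the demo
make_sample_tree() {
    mkdir -p "$1/etc/dconf/profile" "$1/etc/dconf/db/local.d/locks"
    printf 'service-db:keyfile/user\nuser-db:user\nsystem-db:local\n' > "$1/etc/dconf/profile/user"
    cat > "$1/etc/dconf/db/local.d/00-security-settings" <<'EOF'
[org/gnome/Vino]
require-encryption=true
authentication-methods=['vnc']
EOF
    printf '/org/gnome/Vino/require-encryption\n/org/gnome/Vino/authentication-methods\n' \
        > "$1/etc/dconf/db/local.d/locks/00-security-settings-lock"
    touch "$1/etc/dconf/db/local"   # stands in for the binary that "dconf update" produces
}

main() {
    root=$(mktemp -d); trap "rm -rf '$root'" EXIT
    make_sample_tree "$root"
    echo "== compliant tree =="; vino_audit "$root"
    # a later keyfile weakens the setting and dconf update was not re-run
    printf '[org/gnome/Vino]\nrequire-encryption=false\n' > "$root/etc/dconf/db/local.d/10-local"
    touch -t 200001010000 "$root/etc/dconf/db/local"
    echo "== after a stale override =="; vino_audit "$root" || echo "$? check(s) failed"
}
main
```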
Remediation Shell script:

```shell
mkdir -p /etc/dconf/profile
if test -f /etc/dconf/profile/user
then
    sed -i '1s|^|service-db:keyfile/user\n|' /etc/dconf/profile/user
else
    echo 'service-db:keyfile/user' > /etc/dconf/profile/user
fi
```

Remediation Ansible snippet:

```yaml
- name: "Remove the existing \"use textfile backend\" directive from the config - it may not be at the file's very top"
  lineinfile:
    path: '/etc/dconf/profile/user'
    regexp: '^service-db:keyfile/user.*'
    state: 'absent'
  check_mode: no
  tags:
    - dconf_use_text_backend
    - high_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

- name: "Insert the \"use textfiles backend\" directive at the top of the config file"
  lineinfile:
    path: '/etc/dconf/profile/user'
    regexp: '^service-db:keyfile/user$'
    line: 'service-db:keyfile/user'
    insertbefore: 'BOF'
    create: yes
  check_mode: no
  tags:
    - dconf_use_text_backend
    - high_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Make sure that the dconf databases are up-to-date with regards to respective keyfiles

By default, DConf uses a binary database as a data backend. The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by the dconf update command. Unlike text-based keyfiles, the binary database is impossible to check by OVAL. Therefore, in order to evaluate dconf configuration, both have to be true at the same time: configuration files have to be compliant, and the database needs to be more recent than those keyfiles, which gives confidence that it reflects them.

Identifier: CCE-81004-4

Remediation Shell script:

```shell
dconf update
```

Configure GNOME3 DConf User Profile

By default, DConf provides a standard user profile. This profile contains a list of DConf configuration databases. The user profile and database always take the highest priority.
As such, the DConf user profile should always exist and be configured correctly. To make sure that the user profile is configured correctly, /etc/dconf/profile/user should be set as follows:

```
user-db:user
system-db:local
system-db:site
system-db:distro
```

Rationale: Failure to have a functional DConf profile prevents GNOME3 configuration settings from being enforced for all users and allows various security risks.

Identifier: CCE-27446-4

Verify User Who Owns gshadow File

To properly set the owner of /etc/gshadow, run the command:

```shell
$ sudo chown root /etc/gshadow
```

References: 6.1.5 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5

Rationale: The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.

Identifier: CCE-27161-9

Remediation Shell script:

```shell
chown 0 /etc/gshadow
```

Remediation Ansible snippet:

```yaml
- name: Test for existence /etc/gshadow
  stat:
    path: /etc/gshadow
  register: file_exists
  tags:
    - file_owner_etc_gshadow
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-27161-9
    - NIST-800-53-AC-6

- name: Ensure owner 0 on /etc/gshadow
  file:
    path: /etc/gshadow
    owner: 0
  when: file_exists.stat.exists and True
  tags:
    - file_owner_etc_gshadow
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-27161-9
    - NIST-800-53-AC-6
```

Verify Group Who Owns gshadow File

To properly set the group owner of /etc/gshadow, run the command:

```shell
$ sudo chgrp root /etc/gshadow
```

References: 6.1.5 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5

Rationale: The /etc/gshadow file contains group password hashes.
Protection of this file is critical for system security.

Identifier: CCE-26840-9

Remediation Shell script:

```shell
chgrp 0 /etc/gshadow
```

Remediation Ansible snippet:

```yaml
- name: Test for existence /etc/gshadow
  stat:
    path: /etc/gshadow
  register: file_exists
  tags:
    - file_groupowner_etc_gshadow
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-26840-9
    - NIST-800-53-AC-6

- name: Ensure group owner 0 on /etc/gshadow
  file:
    path: /etc/gshadow
    group: 0
  when: file_exists.stat.exists and True
  tags:
    - file_groupowner_etc_gshadow
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-26840-9
    - NIST-800-53-AC-6
```

Verify Permissions on gshadow File

To properly set the permissions of /etc/gshadow, run the command:

```shell
$ sudo chmod 0000 /etc/gshadow
```

References: 6.1.5 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5

Rationale: The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.

Identifier: CCE-27162-7

Remediation Shell script:

```shell
chmod 0000 /etc/gshadow
```

Remediation Ansible snippet:

```yaml
- name: Test for existence /etc/gshadow
  stat:
    path: /etc/gshadow
  register: file_exists
  tags:
    - file_permissions_etc_gshadow
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-27162-7
    - NIST-800-53-AC-6

- name: Ensure permission 0000 on /etc/gshadow
  file:
    path: /etc/gshadow
    mode: 0000
  when: file_exists.stat.exists and True
  tags:
    - file_permissions_etc_gshadow
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-27162-7
    - NIST-800-53-AC-6
```

Verify that System Executables Have Restrictive Permissions

System executables are stored in the following directories by default:

```
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
```

All files in these directories should not be group-writable or world-writable.
If any file FILE in these directories is found to be group-writable or world-writable, correct its permission with the following command:

```shell
$ sudo chmod go-w FILE
```

References: 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5

Rationale: System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.

Identifier: CCE-27075-1

Remediation Shell script:

```shell
DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec"
for dirPath in $DIRS; do
    find "$dirPath" -perm /022 -exec chmod go-w '{}' \;
done
```

Remediation Ansible snippet:

```yaml
- name: "Read list of world and group writable system executables"
  shell: "find /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec -perm /022 -type f"
  register: world_writable_library_files
  changed_when: False
  failed_when: False
  check_mode: no
  tags:
    - file_permissions_binary_dirs
    - medium_severity
    - restrict_strategy
    - medium_complexity
    - medium_disruption
    - CCE-27075-1
    - NIST-800-53-AC-6

- name: "Remove world/group writability of system executables"
  file:
    path: "{{ item }}"
    mode: "go-w"
  with_items: "{{ world_writable_library_files.stdout_lines }}"
  when: world_writable_library_files.stdout_lines | length > 0 and True
  tags:
    - file_permissions_binary_dirs
    - medium_severity
    - restrict_strategy
    - medium_complexity
    - medium_disruption
    - CCE-27075-1
    - NIST-800-53-AC-6
```

Verify that Shared Library Files Have Root Ownership

System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:

```
/lib
/lib64
/usr/lib
/usr/lib64
```

Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules.
All files in these directories should be owned by the root user. If the directory, or any file in these directories, is found to be owned by a user other than root, correct its ownership with the following command:

```shell
$ sudo chown root FILE
```

References: 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5

Rationale: Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system.

Identifier: CCE-26648-6

Remediation Shell script:

```shell
for LIBDIR in /usr/lib /usr/lib64 /lib /lib64
do
    if [ -d $LIBDIR ]
    then
        find -L $LIBDIR \! -user root -exec chown root {} \;
    fi
done
```

Remediation Ansible snippet (the `when:` condition tests the registered command's `stdout_lines`, so that an empty result skips the task rather than always counting as non-empty):

```yaml
- name: "Read list libraries without root ownership"
  shell: "find -L /usr/lib /usr/lib64 /lib /lib64 \\! -user root"
  register: libraries_not_owned_by_root
  changed_when: False
  failed_when: False
  check_mode: no
  tags:
    - file_ownership_library_dirs
    - medium_severity
    - restrict_strategy
    - medium_complexity
    - medium_disruption
    - CCE-26648-6
    - NIST-800-53-AC-6

- name: "Set ownership of system libraries to root"
  file:
    path: "{{ item }}"
    owner: "root"
  with_items: "{{ libraries_not_owned_by_root.stdout_lines }}"
  when: libraries_not_owned_by_root.stdout_lines | length > 0 and True
  tags:
    - file_ownership_library_dirs
    - medium_severity
    - restrict_strategy
    - medium_complexity
    - medium_disruption
    - CCE-26648-6
    - NIST-800-53-AC-6
```

Verify that System Executables Have Root Ownership

System executables are stored in the following directories by default:

```
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
```

All files in these directories should be owned by the root user.
If any file FILE in these directories is found to be owned by a user other than root, correct its ownership with the following command:

```shell
$ sudo chown root FILE
```

References: 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5

Rationale: System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that execution of these programs cannot be co-opted.

Identifier: CCE-27119-7

Remediation Shell script:

```shell
find /bin/ \
     /usr/bin/ \
     /usr/local/bin/ \
     /sbin/ \
     /usr/sbin/ \
     /usr/local/sbin/ \
     /usr/libexec \
     \! -user root -execdir chown root {} \;
```

Remediation Ansible snippet:

```yaml
- name: "Read list of system executables without root ownership"
  shell: "find /bin/ /usr/bin/ /usr/local/bin/ /sbin/ /usr/sbin/ /usr/local/sbin/ /usr/libexec \\! -user root"
  register: no_root_system_executables
  changed_when: False
  failed_when: False
  check_mode: no
  tags:
    - file_ownership_binary_dirs
    - medium_severity
    - restrict_strategy
    - medium_complexity
    - medium_disruption
    - CCE-27119-7
    - NIST-800-53-AC-6

- name: "Set ownership to root of system executables"
  file:
    path: "{{ item }}"
    owner: "root"
  with_items: "{{ no_root_system_executables.stdout_lines }}"
  when: no_root_system_executables.stdout_lines | length > 0 and True
  tags:
    - file_ownership_binary_dirs
    - medium_severity
    - restrict_strategy
    - medium_complexity
    - medium_disruption
    - CCE-27119-7
    - NIST-800-53-AC-6
```

Verify that Shared Library Files Have Restrictive Permissions

System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:

```
/lib
/lib64
/usr/lib
/usr/lib64
```

Kernel modules, which can be added to the kernel during runtime, are stored in /lib/modules. All files in these directories should not be group-writable or world-writable.
If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command:

```shell
$ sudo chmod go-w FILE
```

References: 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5

Rationale: Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system.

Identifier: CCE-26966-2

Remediation Shell script:

```shell
DIRS="/lib /lib64 /usr/lib /usr/lib64"
for dirPath in $DIRS; do
    find "$dirPath" -perm /022 -type f -exec chmod go-w '{}' \;
done
```

Remediation Ansible snippet:

```yaml
- name: "Read list of world and group writable files in libraries directories"
  shell: "find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f"
  register: world_writable_library_files
  changed_when: False
  failed_when: False
  check_mode: no
  tags:
    - file_permissions_library_dirs
    - medium_severity
    - restrict_strategy
    - high_complexity
    - medium_disruption
    - CCE-26966-2
    - NIST-800-53-AC-6

- name: "Disable world/group writability to library files"
  file:
    path: "{{ item }}"
    mode: "go-w"
  with_items: "{{ world_writable_library_files.stdout_lines }}"
  when: world_writable_library_files.stdout_lines | length > 0 and True
  tags:
    - file_permissions_library_dirs
    - medium_severity
    - restrict_strategy
    - high_complexity
    - medium_disruption
    - CCE-26966-2
    - NIST-800-53-AC-6
```

Ensure All SGID Executables Are Authorized

The SGID (set group id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SGID files is to determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SGID files.
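The permission rules in this section all reduce to a handful of find(1) `-perm` tests; the following added script (not part of the SCAP Security Guide) runs those tests over a directory tree in one pass and applies the two fixes the guide automates, while only reporting SUID/SGID files, as the SGID rule above and the sticky-bit and SUID rules that follow ask. It assumes GNU find and builds a constructed scratch tree under mktemp for its demo; pass the guide's directories (/bin /usr/bin ... /usr/lib64) to audit a live system.

```shell
#!/bin/bash
# Added example, not part of the SCAP Security Guide: one audit pass that
# applies the find(1) permission tests used by the rules in this section to a
# directory tree, plus the matching automatic fixes.  Requires GNU find.
#
#   -perm /022                 group-writable OR world-writable (the "chmod go-w"
#                              rules for executables and shared libraries)
#   -perm -0002                world-writable file ("Ensure No World-Writable Files Exist")
#   -perm -0002 ! -perm -1000  world-writable directory lacking the sticky bit
#   -perm -4000 / -perm -2000  SUID / SGID files; only reported, because the
#                              guide asks for their origin to be investigated,
#                              not for the bit to be stripped automatically

# audit_tree DIR... -> one "<TAG> <path>" line per finding, sorted
audit_tree() {
    local d
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -xdev -type f -perm /022 -print                | sed 's/^/GO_WRITABLE /'
        find "$d" -xdev -type f -perm -0002 -print               | sed 's/^/WORLD_WRITABLE /'
        find "$d" -xdev -type d -perm -0002 ! -perm -1000 -print | sed 's/^/WW_DIR_NO_STICKY /'
        find "$d" -xdev -type f -perm -4000 -print               | sed 's/^/SUID /'
        find "$d" -xdev -type f -perm -2000 -print               | sed 's/^/SGID /'
    done 2>/dev/null | sort
}

# count_findings TAG DIR... -> how many findings carry TAG (prints 0 when none)
count_findings() {
    local tag=$1; shift
    audit_tree "$@" | grep -c "^$tag " || true
}

# fix_tree DIR... -> the guide's two automatic remediations: strip group/other
# write from files ("chmod go-w FILE") and set the sticky bit on world-writable
# directories ("chmod +t DIR"); SUID/SGID bits are deliberately left alone
fix_tree() {
    local d
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -xdev -type f -perm /022 -exec chmod go-w '{}' \;
        find "$d" -xdev -type d -perm -0002 ! -perm -1000 -exec chmod +t '{}' \;
    done
}

# make_sample_tree DIR: constructed tree with one instance of each condition
make_sample_tree() {
    mkdir -p "$1/bin" "$1/tmp" "$1/shared"
    for f in clean grpw worldw setuid setgid; do : > "$1/bin/$f"; done
    chmod 0755 "$1/bin/clean"
    chmod 0775 "$1/bin/grpw"      # group-writable
    chmod 0777 "$1/bin/worldw"    # group- and world-writable
    chmod 4755 "$1/bin/setuid"
    chmod 2755 "$1/bin/setgid"
    chmod 1777 "$1/tmp"           # world-writable with sticky bit: acceptable
    chmod 0777 "$1/shared"        # world-writable without sticky bit: finding
}

main() {
    root=$(mktemp -d); trap "rm -rf '$root'" EXIT
    make_sample_tree "$root"
    echo "== before remediation =="; audit_tree "$root"
    fix_tree "$root"
    echo "== after remediation (SUID/SGID left for manual review) =="; audit_tree "$root"
}
main
```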
References: 6.1.14 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6(1) PR.AC-4 PR.DS-5

Rationale: Executable files with the SGID permission run with the privileges of the owner of the file. SGID files of uncertain provenance could allow for unprivileged users to elevate privileges. The presence of these files should be strictly controlled on the system.

Identifier: CCE-80132-4

Disallow creating symlinks to a file you do not own

To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command:

```shell
$ sudo sysctl -w fs.protected_symlinks=1
```

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

```
fs.protected_symlinks = 1
```

References: NT28(R23) 1.6.1 SI-11

Rationale: Disallowing such symlinks mitigates vulnerabilities based on insecure file system access by privileged programs, removing an exploitation vector that relies on unsafe use of open() or creat().

Ensure All World-Writable Directories Are Owned by a System Account

All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.
References: RHEL-07-021030 SV-86671r4_rule 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 CCI-000366 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 SRG-OS-000480-GPOS-00227

Rationale: Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.

Identifier: CCE-80136-5

Ensure All Files Are Owned by a Group

If any files are not owned by a group, then the cause of their lack of group-ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate group.

References: RHEL-07-020330 SV-86633r3_rule 6.1.12 1 11 12 13 14 15 16 18 3 5 APO01.06 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.02 DSS06.03 DSS06.06 DSS06.10 CCI-002165 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.18.1.4 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-3(4) AC-6 IA-2 PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7 PR.DS-5 PR.PT-3 SRG-OS-000480-GPOS-00227

Rationale: Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account.
The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.

Identifier: CCE-80135-7

Ensure All Files Are Owned by a User

If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user.

References: RHEL-07-020320 SV-86631r3_rule 6.1.11 11 12 13 14 15 16 18 3 5 9 APO01.06 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.03 DSS06.06 CCI-002165 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 5.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-3(4) AC-6 CM-6(b) PR.AC-4 PR.AC-6 PR.DS-5 PR.IP-1 PR.PT-3 SRG-OS-000480-GPOS-00227

Rationale: Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.
Identifier: CCE-80134-0

Disallow creating hardlinks to a file you do not own

To set the runtime status of the fs.protected_hardlinks kernel parameter, run the following command:

```shell
$ sudo sysctl -w fs.protected_hardlinks=1
```

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

```
fs.protected_hardlinks = 1
```

References: NT28(R23) 1.6.1 SI-11

Rationale: Disallowing such hardlinks mitigates vulnerabilities based on insecure file system access by privileged programs, removing an exploitation vector that relies on unsafe use of open() or creat().

Ensure No World-Writable Files Exist

It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account. Finally, this applies to real files and not virtual files that are a part of pseudo file systems such as sysfs or procfs.

References: 6.1.10 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5

Rationale: Data in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files.

Identifier: CCE-80131-6

Verify that All World-Writable Directories Have Sticky Bits Set

When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files.
In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes. To set the sticky bit on a world-writable directory DIR, run the following command:

```shell
$ sudo chmod +t DIR
```

References: 1.1.21 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5

Rationale: Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure. The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, by users for temporary file storage (such as /tmp), and for directories requiring global read/write access.

Identifier: CCE-80130-8

Remediation Shell script:

```shell
df --local -P | awk '{if (NR!=1) print $6}' \
  | xargs -I '{}' find '{}' -xdev -type d \
      \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \
  | xargs chmod a+t
```

Verify that local System.map file (if exists) is readable only by root

Files containing sensitive information should be protected by restrictive permissions. Most of the time, there is no need for these files to be readable by any non-root user. To properly set the permissions of /boot/System.map-*, run the command:

```shell
$ sudo chmod 0600 /boot/System.map-*
```

References: NT28(R13)

Rationale: The System.map file contains information about kernel symbols and can provide hints useful for local exploitation.

Ensure All SUID Executables Are Authorized

The SUID (set user id) bit should be set only on files that were installed via authorized means.
A straightforward means of identifying unauthorized SUID files is to determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SUID files.

References: 6.1.13 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6(1) PR.AC-4 PR.DS-5

Rationale: Executable files with the SUID permission run with the privileges of the owner of the file. SUID files of uncertain provenance could allow for unprivileged users to elevate privileges. The presence of these files should be strictly controlled on the system.

Identifier: CCE-80133-2

Disable Modprobe Loading of USB Storage Driver

To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the usb-storage kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

```
install usb-storage /bin/true
```

This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually.
References: RHEL-07-020100 SV-86607r3_rule 1 12 15 16 5 APO13.01 DSS01.04 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.1.21 CCI-000366 CCI-000778 CCI-001958 164.308(a)(3)(i) 164.308(a)(3)(ii)(A) 164.310(d)(1) 164.310(d)(2) 164.312(a)(1) 164.312(a)(2)(iv) 164.312(b) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.6 A.11.2.6 A.13.1.1 A.13.2.1 A.18.1.4 A.6.2.1 A.6.2.2 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 AC-19(a) AC-19(d) AC-19(e) IA-3 MP-7 PR.AC-1 PR.AC-3 PR.AC-6 PR.AC-7 SRG-OS-000114-GPOS-00059 SRG-OS-000378-GPOS-0016 SRG-OS-000480-GPOS-00227

Rationale: USB storage devices such as thumb drives can be used to introduce malicious software.

Identifier: CCE-27277-3

Remediation Shell script:

```shell
if LC_ALL=C grep -q -m 1 "^install usb-storage" /etc/modprobe.d/usb-storage.conf ; then
    sed -i 's/^install usb-storage.*/install usb-storage /bin/true/g' /etc/modprobe.d/usb-storage.conf
else
    echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/usb-storage.conf
    echo "install usb-storage /bin/true" >> /etc/modprobe.d/usb-storage.conf
fi
```

Remediation Ansible snippet:

```yaml
- name: Ensure kernel module 'usb-storage' is disabled
  lineinfile:
    create: yes
    dest: "/etc/modprobe.d/usb-storage.conf"
    regexp: 'usb-storage'
    line: "install usb-storage /bin/true"
  tags:
    - kernel_module_usb-storage_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - CCE-27277-3
    - NIST-800-53-AC-19(a)
    - NIST-800-53-AC-19(d)
    - NIST-800-53-AC-19(e)
    - NIST-800-53-IA-3
    - NIST-800-53-MP-7
    - NIST-800-171-3.1.21
    - DISA-STIG-RHEL-07-020100
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Assign Password to Prevent Changes to Boot Firmware Configuration

Assign a password to the system boot firmware (historically called BIOS on PC systems) to require a password for any configuration changes.

Rationale: Assigning a password to the system boot firmware prevents anyone with physical access from configuring the system to boot from local media and circumvent the operating system's access controls. For systems in physically secure locations, such as a data center or Sensitive Compartmented Information Facility (SCIF), this risk must be weighed against the risk of administrative personnel being unable to conduct recovery operations in a timely fashion.

Identifier: CCE-27194-0

Disable Booting from USB Devices in Boot Firmware

Configure the system boot firmware (historically called BIOS on PC systems) to disallow booting from USB drives.

References: 12 16 APO13.01 DSS01.04 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS06.03 CCI-001250 4.3.3.2.2 4.3.3.5.2 4.3.3.6.6 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.13 SR 1.2 SR 1.4 SR 1.5 SR 1.9 SR 2.1 SR 2.6 A.11.2.6 A.13.1.1 A.13.2.1 A.6.2.1 A.6.2.2 A.7.1.1 A.9.2.1 AC-19(a) AC-19(d) AC-19(e) PR.AC-3 PR.AC-6

Rationale: Booting a system from a USB device would allow an attacker to circumvent any security measures provided by the operating system. Attackers could mount partitions and modify the configuration of the OS.

Identifier: CCE-26960-5

Disable Mounting of freevxfs

To configure the system to prevent the freevxfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

```
install freevxfs /bin/true
```

This effectively prevents usage of this uncommon filesystem.
References: 1.1.1.2 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 3.4.6 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

Identifier: CCE-80138-1

Remediation Shell script:

```shell
if LC_ALL=C grep -q -m 1 "^install freevxfs" /etc/modprobe.d/freevxfs.conf ; then
    sed -i 's/^install freevxfs.*/install freevxfs /bin/true/g' /etc/modprobe.d/freevxfs.conf
else
    echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/freevxfs.conf
    echo "install freevxfs /bin/true" >> /etc/modprobe.d/freevxfs.conf
fi
```

Remediation Ansible snippet:

```yaml
- name: Ensure kernel module 'freevxfs' is disabled
  lineinfile:
    create: yes
    dest: "/etc/modprobe.d/freevxfs.conf"
    regexp: 'freevxfs'
    line: "install freevxfs /bin/true"
  tags:
    - kernel_module_freevxfs_disabled
    - low_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - CCE-80138-1
    - NIST-800-53-CM-7
    - NIST-800-171-3.4.6
  when: # Bare-metal/VM task, not applicable for containers
    - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
```

Disable Mounting of udf

To configure the system to prevent the udf kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

```
install udf /bin/true
```

This effectively prevents usage of this uncommon filesystem.
References: 1.1.1.7 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 3.4.6 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

Identifier: CCE-80143-1

Remediation Shell script:

    if LC_ALL=C grep -q -m 1 "^install udf" /etc/modprobe.d/udf.conf ; then
        sed -i 's/^install udf.*/install udf /bin/true/g' /etc/modprobe.d/udf.conf
    else
        echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/udf.conf
        echo "install udf /bin/true" >> /etc/modprobe.d/udf.conf
    fi

Remediation Ansible snippet:

    - name: Ensure kernel module 'udf' is disabled
      lineinfile:
        create: yes
        dest: "/etc/modprobe.d/udf.conf"
        regexp: 'udf'
        line: "install udf /bin/true"
      tags:
        - kernel_module_udf_disabled
        - low_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80143-1
        - NIST-800-53-CM-7
        - NIST-800-171-3.4.6
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Mounting of squashfs

Description: To configure the system to prevent the squashfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

    install squashfs /bin/true

This effectively prevents usage of this uncommon filesystem.
References: 1.1.1.6 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 3.4.6 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

Identifier: CCE-80142-3

Remediation Shell script:

    if LC_ALL=C grep -q -m 1 "^install squashfs" /etc/modprobe.d/squashfs.conf ; then
        sed -i 's/^install squashfs.*/install squashfs /bin/true/g' /etc/modprobe.d/squashfs.conf
    else
        echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/squashfs.conf
        echo "install squashfs /bin/true" >> /etc/modprobe.d/squashfs.conf
    fi

Remediation Ansible snippet:

    - name: Ensure kernel module 'squashfs' is disabled
      lineinfile:
        create: yes
        dest: "/etc/modprobe.d/squashfs.conf"
        regexp: 'squashfs'
        line: "install squashfs /bin/true"
      tags:
        - kernel_module_squashfs_disabled
        - low_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80142-3
        - NIST-800-53-CM-7
        - NIST-800-171-3.4.6
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable the Automounter

Description: The autofs daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as /misc/cd. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use.
Even if NFS is required, it may be possible to configure filesystem mounts statically by editing /etc/fstab rather than relying on the automounter. The autofs service can be disabled with the following command:

    $ sudo systemctl disable autofs.service

References: RHEL-07-020110 SV-86609r2_rule 1.1.22 1 12 15 16 5 APO13.01 DSS01.04 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.4.6 CCI-000366 CCI-000778 CCI-001958 164.308(a)(3)(i) 164.308(a)(3)(ii)(A) 164.310(d)(1) 164.310(d)(2) 164.312(a)(1) 164.312(a)(2)(iv) 164.312(b) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.6 A.11.2.6 A.13.1.1 A.13.2.1 A.18.1.4 A.6.2.1 A.6.2.2 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 AC-19(a) AC-19(d) AC-19(e) IA-3 PR.AC-1 PR.AC-3 PR.AC-6 PR.AC-7 SRG-OS-000114-GPOS-00059 SRG-OS-000378-GPOS-00163 SRG-OS-000480-GPOS-00227

Rationale: Disabling the automounter permits the administrator to statically control filesystem mounting through /etc/fstab. Additionally, automatically mounting filesystems permits easy introduction of unknown devices, thereby facilitating malicious activity.

Identifier: CCE-27498-5

Remediation Shell script:

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'autofs.service'
    "$SYSTEMCTL_EXEC" disable 'autofs.service'
    # Disable socket activation if we have a unit file for it
    "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^autofs.socket\>' && "$SYSTEMCTL_EXEC" disable 'autofs.socket'
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'autofs.service'

Remediation Ansible snippet:

    - name: Disable service autofs
      service:
        name: autofs
        enabled: "no"
        state: "stopped"
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      tags:
        - service_autofs_disabled
        - medium_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-27498-5
        - NIST-800-53-AC-19(a)
        - NIST-800-53-AC-19(d)
        - NIST-800-53-AC-19(e)
        - NIST-800-53-IA-3
        - NIST-800-171-3.4.6
        - DISA-STIG-RHEL-07-020110
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - name: Disable socket of service autofs if applicable
      service:
        name: autofs.socket
        enabled: "no"
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      tags:
        - service_autofs_disabled
        - medium_severity
        - disable_strategy
        - low_complexity
        - low_disruption
        - CCE-27498-5
        - NIST-800-53-AC-19(a)
        - NIST-800-53-AC-19(d)
        - NIST-800-53-AC-19(e)
        - NIST-800-53-IA-3
        - NIST-800-171-3.4.6
        - DISA-STIG-RHEL-07-020110
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Mounting of jffs2

Description: To configure the system to prevent the jffs2 kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

    install jffs2 /bin/true

This effectively prevents usage of this uncommon filesystem.
References: 1.1.1.3 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 3.4.6 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

Identifier: CCE-80139-9

Remediation Shell script:

    if LC_ALL=C grep -q -m 1 "^install jffs2" /etc/modprobe.d/jffs2.conf ; then
        sed -i 's/^install jffs2.*/install jffs2 /bin/true/g' /etc/modprobe.d/jffs2.conf
    else
        echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/jffs2.conf
        echo "install jffs2 /bin/true" >> /etc/modprobe.d/jffs2.conf
    fi

Remediation Ansible snippet:

    - name: Ensure kernel module 'jffs2' is disabled
      lineinfile:
        create: yes
        dest: "/etc/modprobe.d/jffs2.conf"
        regexp: 'jffs2'
        line: "install jffs2 /bin/true"
      tags:
        - kernel_module_jffs2_disabled
        - low_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80139-9
        - NIST-800-53-CM-7
        - NIST-800-171-3.4.6
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Kernel Support for USB via Bootloader Configuration

Description: All USB support can be disabled by adding the nousb argument to the kernel's boot loader configuration. To do so, append "nousb" to the kernel line in /etc/default/grub as shown:

    kernel /vmlinuz-VERSION ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet nousb

Disabling all kernel support for USB will cause problems for systems with USB-based keyboards, mice, or printers. This configuration is infeasible for systems which require USB devices, which is common.
References: 12 16 APO13.01 DSS01.04 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS06.03 CCI-001250 164.308(a)(3)(i) 164.308(a)(3)(ii)(A) 164.310(d)(1) 164.310(d)(2) 164.312(a)(1) 164.312(a)(2)(iv) 164.312(b) 4.3.3.2.2 4.3.3.5.2 4.3.3.6.6 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.13 SR 1.2 SR 1.4 SR 1.5 SR 1.9 SR 2.1 SR 2.6 A.11.2.6 A.13.1.1 A.13.2.1 A.6.2.1 A.6.2.2 A.7.1.1 A.9.2.1 AC-19(a) AC-19(d) AC-19(e) PR.AC-3 PR.AC-6

Rationale: Disabling the USB subsystem within the Linux kernel at system boot will protect against potentially malicious USB devices, although it is only practical in specialized systems.

Identifier: CCE-26548-8

Remediation Shell script:

    # Correct the form of default kernel command line in /etc/default/grub
    if ! grep -q ^GRUB_CMDLINE_LINUX=\".*nousb.*\" /etc/default/grub; then
        # Edit configuration setting
        # Append 'nousb' argument to /etc/default/grub (if not present yet)
        sed -i "s/\(GRUB_CMDLINE_LINUX=\)\"\(.*\)\"/\1\"\2 nousb\"/" /etc/default/grub
        # Edit runtime setting
        # Correct the form of kernel command line for each installed kernel in the bootloader
        /sbin/grubby --update-kernel=ALL --args="nousb"
    fi

Disable Mounting of hfs

Description: To configure the system to prevent the hfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

    install hfs /bin/true

This effectively prevents usage of this uncommon filesystem.

References: 1.1.1.4 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 3.4.6 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.
Identifier: CCE-80140-7

Remediation Shell script:

    if LC_ALL=C grep -q -m 1 "^install hfs" /etc/modprobe.d/hfs.conf ; then
        sed -i 's/^install hfs.*/install hfs /bin/true/g' /etc/modprobe.d/hfs.conf
    else
        echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/hfs.conf
        echo "install hfs /bin/true" >> /etc/modprobe.d/hfs.conf
    fi

Remediation Ansible snippet:

    - name: Ensure kernel module 'hfs' is disabled
      lineinfile:
        create: yes
        dest: "/etc/modprobe.d/hfs.conf"
        regexp: 'hfs'
        line: "install hfs /bin/true"
      tags:
        - kernel_module_hfs_disabled
        - low_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80140-7
        - NIST-800-53-CM-7
        - NIST-800-171-3.4.6
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Mounting of cramfs

Description: To configure the system to prevent the cramfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

    install cramfs /bin/true

This effectively prevents usage of this uncommon filesystem.

References: 1.1.1.1 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 3.4.6 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.
Identifier: CCE-80137-3

Remediation Shell script:

    if LC_ALL=C grep -q -m 1 "^install cramfs" /etc/modprobe.d/cramfs.conf ; then
        sed -i 's/^install cramfs.*/install cramfs /bin/true/g' /etc/modprobe.d/cramfs.conf
    else
        echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/cramfs.conf
        echo "install cramfs /bin/true" >> /etc/modprobe.d/cramfs.conf
    fi

Remediation Ansible snippet:

    - name: Ensure kernel module 'cramfs' is disabled
      lineinfile:
        create: yes
        dest: "/etc/modprobe.d/cramfs.conf"
        regexp: 'cramfs'
        line: "install cramfs /bin/true"
      tags:
        - kernel_module_cramfs_disabled
        - low_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80137-3
        - NIST-800-53-CM-7
        - NIST-800-171-3.4.6
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Mounting of hfsplus

Description: To configure the system to prevent the hfsplus kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

    install hfsplus /bin/true

This effectively prevents usage of this uncommon filesystem.

References: 1.1.1.5 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 3.4.6 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.
Identifier: CCE-80141-5

Remediation Shell script:

    if LC_ALL=C grep -q -m 1 "^install hfsplus" /etc/modprobe.d/hfsplus.conf ; then
        sed -i 's/^install hfsplus.*/install hfsplus /bin/true/g' /etc/modprobe.d/hfsplus.conf
    else
        echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/hfsplus.conf
        echo "install hfsplus /bin/true" >> /etc/modprobe.d/hfsplus.conf
    fi

Remediation Ansible snippet:

    - name: Ensure kernel module 'hfsplus' is disabled
      lineinfile:
        create: yes
        dest: "/etc/modprobe.d/hfsplus.conf"
        regexp: 'hfsplus'
        line: "install hfsplus /bin/true"
      tags:
        - kernel_module_hfsplus_disabled
        - low_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80141-5
        - NIST-800-53-CM-7
        - NIST-800-171-3.4.6
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Add nosuid Option to /dev/shm

Description: The nosuid mount option can be used to prevent execution of setuid programs in /dev/shm. The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.

References: 1.1.16 11 13 14 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS05.06 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.11.2.9 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.8.2.1 A.8.2.2 A.8.2.3 A.8.3.1 A.8.3.3 A.9.1.2 CM-7 MP-2 PR.IP-1 PR.PT-2 PR.PT-3

Rationale: The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.
Identifier: CCE-80154-8

Remediation Shell script:

    include_mount_options_functions

    function perform_remediation {
        # test "$mount_has_to_exist" = 'yes'
        if test "no" = 'yes'; then
            assert_mount_point_in_fstab /dev/shm || { echo "Not remediating, because there is no record of /dev/shm in /etc/fstab" >&2; return 1; }
        fi

        ensure_mount_option_in_fstab "/dev/shm" "nosuid"

        ensure_partition_is_mounted "/dev/shm"
    }

    perform_remediation

Remediation Ansible snippet:

    - name: get back device associated to mountpoint
      shell: mount | grep ' /dev/shm ' |cut -d ' ' -f 1
      args:
        warn: False # Ignore ANSIBLE0006, we can't fetch device name with mount module
      register: device_name
      check_mode: no
      changed_when: False
      tags:
        - mount_option_dev_shm_nosuid
        - medium_severity
        - configure_strategy
        - low_complexity
        - high_disruption
        - CCE-80154-8
        - NIST-800-53-CM-7
        - NIST-800-53-MP-2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - block:
      - name: get back device previous mount option
        shell: mount | grep ' /dev/shm ' | sed -re 's:.*\((.*)\):\1:'
        args:
          warn: False # Ignore ANSIBLE0006, we can't fetch current mount options with mount module
        register: device_cur_mountoption
        check_mode: no
      - name: get back device fstype
        shell: mount | grep ' /dev/shm ' | cut -d ' ' -f 5
        args:
          warn: False # Ignore ANSIBLE0006, we can't fetch fstype with mount module
        register: device_fstype
        check_mode: no
      - name: Ensure permission nosuid are set on /dev/shm
        mount:
          path: "/dev/shm"
          src: "{{ device_name.stdout }}"
          opts: "{{ device_cur_mountoption.stdout }},nosuid"
          state: "mounted"
          fstype: "{{ device_fstype.stdout }}"
      when: (device_name.stdout | length > 0) and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - mount_option_dev_shm_nosuid
        - medium_severity
        - configure_strategy
        - low_complexity
        - high_disruption
        - CCE-80154-8
        - NIST-800-53-CM-7
        - NIST-800-53-MP-2

Add noexec Option to /dev/shm

Description: The noexec mount option can be used to prevent binaries from being executed out of /dev/shm. It can be dangerous to allow the execution of binaries from world-writable temporary storage directories such as /dev/shm. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.

References: 1.1.17 11 13 14 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS05.06 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.11.2.9 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.8.2.1 A.8.2.2 A.8.2.3 A.8.3.1 A.8.3.3 A.9.1.2 CM-7 MP-2 PR.IP-1 PR.PT-2 PR.PT-3

Rationale: Allowing users to execute binaries from world-writable directories such as /dev/shm can expose the system to potential compromise.
Identifier: CCE-80153-0

Remediation Shell script:

    include_mount_options_functions

    function perform_remediation {
        # test "$mount_has_to_exist" = 'yes'
        if test "no" = 'yes'; then
            assert_mount_point_in_fstab /dev/shm || { echo "Not remediating, because there is no record of /dev/shm in /etc/fstab" >&2; return 1; }
        fi

        ensure_mount_option_in_fstab "/dev/shm" "noexec"

        ensure_partition_is_mounted "/dev/shm"
    }

    perform_remediation

Remediation Ansible snippet:

    - name: get back device associated to mountpoint
      shell: mount | grep ' /dev/shm ' |cut -d ' ' -f 1
      args:
        warn: False # Ignore ANSIBLE0006, we can't fetch device name with mount module
      register: device_name
      check_mode: no
      changed_when: False
      tags:
        - mount_option_dev_shm_noexec
        - medium_severity
        - configure_strategy
        - low_complexity
        - high_disruption
        - CCE-80153-0
        - NIST-800-53-CM-7
        - NIST-800-53-MP-2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - block:
      - name: get back device previous mount option
        shell: mount | grep ' /dev/shm ' | sed -re 's:.*\((.*)\):\1:'
        args:
          warn: False # Ignore ANSIBLE0006, we can't fetch current mount options with mount module
        register: device_cur_mountoption
        check_mode: no
      - name: get back device fstype
        shell: mount | grep ' /dev/shm ' | cut -d ' ' -f 5
        args:
          warn: False # Ignore ANSIBLE0006, we can't fetch fstype with mount module
        register: device_fstype
        check_mode: no
      - name: Ensure permission noexec are set on /dev/shm
        mount:
          path: "/dev/shm"
          src: "{{ device_name.stdout }}"
          opts: "{{ device_cur_mountoption.stdout }},noexec"
          state: "mounted"
          fstype: "{{ device_fstype.stdout }}"
      when: (device_name.stdout | length > 0) and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - mount_option_dev_shm_noexec
        - medium_severity
        - configure_strategy
        - low_complexity
        - high_disruption
        - CCE-80153-0
        - NIST-800-53-CM-7
        - NIST-800-53-MP-2

Add nodev Option to /tmp

Description: The nodev mount option can be used to prevent device files from being created in /tmp. Legitimate character and block devices should not exist within temporary directories like /tmp. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.

References: 1.1.3 11 13 14 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS05.06 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.11.2.9 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.8.2.1 A.8.2.2 A.8.2.3 A.8.3.1 A.8.3.3 A.9.1.2 CM-7 MP-2 PR.IP-1 PR.PT-2 PR.PT-3

Rationale: The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

Identifier: CCE-80149-8

Remediation Shell script:

    include_mount_options_functions

    function perform_remediation {
        # test "$mount_has_to_exist" = 'yes'
        if test "yes" = 'yes'; then
            assert_mount_point_in_fstab /tmp || { echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; }
        fi

        ensure_mount_option_in_fstab "/tmp" "nodev"

        ensure_partition_is_mounted "/tmp"
    }

    perform_remediation

Remediation Ansible snippet:

    - name: get back device associated to mountpoint
      shell: mount | grep ' /tmp ' |cut -d ' ' -f 1
      args:
        warn: False # Ignore ANSIBLE0006, we can't fetch device name with mount module
      register: device_name
      check_mode: no
      changed_when: False
      tags:
        - mount_option_tmp_nodev
        - unknown_severity
        - configure_strategy
        - low_complexity
        - high_disruption
        - CCE-80149-8
        - NIST-800-53-CM-7
        - NIST-800-53-MP-2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - block:
      - name: get back device previous mount option
        shell: mount | grep ' /tmp ' | sed -re 's:.*\((.*)\):\1:'
        args:
          warn: False # Ignore ANSIBLE0006, we can't fetch current mount options with mount module
        register: device_cur_mountoption
        check_mode: no
      - name: get back device fstype
        shell: mount | grep ' /tmp ' | cut -d ' ' -f 5
        args:
          warn: False # Ignore ANSIBLE0006, we can't fetch fstype with mount module
        register: device_fstype
        check_mode: no
      - name: Ensure permission nodev are set on /tmp
        mount:
          path: "/tmp"
          src: "{{ device_name.stdout }}"
          opts: "{{ device_cur_mountoption.stdout }},nodev"
          state: "mounted"
          fstype: "{{ device_fstype.stdout }}"
      when: (device_name.stdout | length > 0) and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - mount_option_tmp_nodev
        - unknown_severity
        - configure_strategy
        - low_complexity
        - high_disruption
        - CCE-80149-8
        - NIST-800-53-CM-7
        - NIST-800-53-MP-2

Remediation Anaconda snippet:

    part /tmp --mountoptions="nodev"

Add noexec Option to /tmp

Description: The noexec mount option can be used to prevent binaries from being executed out of /tmp. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.

References: 1.1.5 11 13 14 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS05.06 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.11.2.9 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.8.2.1 A.8.2.2 A.8.2.3 A.8.3.1 A.8.3.3 A.9.1.2 CM-7 MP-2 PR.IP-1 PR.PT-2 PR.PT-3

Rationale: Allowing users to execute binaries from world-writable directories such as /tmp should never be necessary in normal operation and can expose the system to potential compromise.
Identifier: CCE-80150-6

Remediation Shell script:

    include_mount_options_functions

    function perform_remediation {
        # test "$mount_has_to_exist" = 'yes'
        if test "yes" = 'yes'; then
            assert_mount_point_in_fstab /tmp || { echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; }
        fi

        ensure_mount_option_in_fstab "/tmp" "noexec"

        ensure_partition_is_mounted "/tmp"
    }

    perform_remediation

Remediation Ansible snippet:

    - name: get back device associated to mountpoint
      shell: mount | grep ' /tmp ' |cut -d ' ' -f 1
      args:
        warn: False # Ignore ANSIBLE0006, we can't fetch device name with mount module
      register: device_name
      check_mode: no
      changed_when: False
      tags:
        - mount_option_tmp_noexec
        - unknown_severity
        - configure_strategy
        - low_complexity
        - high_disruption
        - CCE-80150-6
        - NIST-800-53-CM-7
        - NIST-800-53-MP-2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - block:
      - name: get back device previous mount option
        shell: mount | grep ' /tmp ' | sed -re 's:.*\((.*)\):\1:'
        args:
          warn: False # Ignore ANSIBLE0006, we can't fetch current mount options with mount module
        register: device_cur_mountoption
        check_mode: no
      - name: get back device fstype
        shell: mount | grep ' /tmp ' | cut -d ' ' -f 5
        args:
          warn: False # Ignore ANSIBLE0006, we can't fetch fstype with mount module
        register: device_fstype
        check_mode: no
      - name: Ensure permission noexec are set on /tmp
        mount:
          path: "/tmp"
          src: "{{ device_name.stdout }}"
          opts: "{{ device_cur_mountoption.stdout }},noexec"
          state: "mounted"
          fstype: "{{ device_fstype.stdout }}"
      when: (device_name.stdout | length > 0) and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - mount_option_tmp_noexec
        - unknown_severity
        - configure_strategy
        - low_complexity
        - high_disruption
        - CCE-80150-6
        - NIST-800-53-CM-7
        - NIST-800-53-MP-2

Remediation Anaconda snippet:

    part /tmp --mountoptions="noexec"

Add nosuid Option to /home

Description: The nosuid mount option can be used to prevent execution of setuid programs in /home. The SUID and SGID permissions should not be required in these user data directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /home.

References: RHEL-07-021000 SV-86665r4_rule 1.1.3 11 13 14 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS05.06 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.11.2.9 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.8.2.1 A.8.2.2 A.8.2.3 A.8.3.1 A.8.3.3 A.9.1.2 CM-7 MP-2 PR.IP-1 PR.PT-2 PR.PT-3

Rationale: The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from user home directory partitions.
Identifier: CCE-81153-9

Remediation Shell script:

    include_mount_options_functions

    function perform_remediation {
        # test "$mount_has_to_exist" = 'yes'
        if test "yes" = 'yes'; then
            assert_mount_point_in_fstab /home || { echo "Not remediating, because there is no record of /home in /etc/fstab" >&2; return 1; }
        fi

        ensure_mount_option_in_fstab "/home" "nosuid"

        ensure_partition_is_mounted "/home"
    }

    perform_remediation

Remediation Ansible snippet:

    - name: get back device associated to mountpoint
      shell: mount | grep ' /home ' |cut -d ' ' -f 1
      args:
        warn: False # Ignore ANSIBLE0006, we can't fetch device name with mount module
      register: device_name
      check_mode: no
      changed_when: False
      tags:
        - mount_option_home_nosuid
        - unknown_severity
        - configure_strategy
        - low_complexity
        - high_disruption
        - CCE-81153-9
        - NIST-800-53-CM-7
        - NIST-800-53-MP-2
        - DISA-STIG-RHEL-07-021000
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - block:
      - name: get back device previous mount option
        shell: mount | grep ' /home ' | sed -re 's:.*\((.*)\):\1:'
        args:
          warn: False # Ignore ANSIBLE0006, we can't fetch current mount options with mount module
        register: device_cur_mountoption
        check_mode: no
      - name: get back device fstype
        shell: mount | grep ' /home ' | cut -d ' ' -f 5
        args:
          warn: False # Ignore ANSIBLE0006, we can't fetch fstype with mount module
        register: device_fstype
        check_mode: no
      - name: Ensure permission nosuid are set on /home
        mount:
          path: "/home"
          src: "{{ device_name.stdout }}"
          opts: "{{ device_cur_mountoption.stdout }},nosuid"
          state: "mounted"
          fstype: "{{ device_fstype.stdout }}"
      when: (device_name.stdout | length > 0) and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - mount_option_home_nosuid
        - unknown_severity
        - configure_strategy
        - low_complexity
        - high_disruption
        - CCE-81153-9
        - NIST-800-53-CM-7
        - NIST-800-53-MP-2
        - DISA-STIG-RHEL-07-021000

Remediation Anaconda snippet:

    part /home --mountoptions="nosuid"

Add nosuid Option to /tmp

Description: The nosuid mount option can be used to prevent execution of setuid programs in /tmp. The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.

References: 1.1.4 11 13 14 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS05.06 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.11.2.9 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.8.2.1 A.8.2.2 A.8.2.3 A.8.3.1 A.8.3.3 A.9.1.2 CM-7 MP-2 PR.IP-1 PR.PT-2 PR.PT-3

Rationale: The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.
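The /dev/shm nosuid and noexec, /tmp nodev, noexec and nosuid, and /home nosuid rules (and the /var/tmp nodev rule that follows) all come down to one operation: make sure a given option appears in the fourth column of the /etc/fstab line for a given mount point. The shell remediations on this page delegate that to ensure_mount_option_in_fstab and assert_mount_point_in_fstab, whose bodies are not shown here. The following is an added example (not the SCAP Security Guide's own helper code) of how such a check and an idempotent fix can be written with awk against an fstab-format file. It parses the file column by column instead of pattern-matching the whole line, so "nodev" is not mistaken for "nodevice" and a commented-out entry does not count. The file path and the sample fstab are constructed for the demo; nothing under /etc is touched and no filesystem is remounted.

```shell
#!/bin/sh
# Added example for the "Add <option> Option to <mountpoint>" rules.

# fstab_has_option FILE MOUNTPOINT OPTION -> exit 0 if OPTION is one of the
# comma-separated options in column 4 of the non-comment line for MOUNTPOINT.
fstab_has_option() {
    awk -v mp="$2" -v opt="$3" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# fstab_add_option FILE MOUNTPOINT OPTION -> appends OPTION to column 4 of the
# MOUNTPOINT line, leaves every other line byte-for-byte unchanged, and does
# nothing if the option is already there. Returns 1 when the file has no line
# for MOUNTPOINT (the "Not remediating" case of the page's shell scripts).
fstab_add_option() {
    file="$1"; mp="$2"; opt="$3"
    grep -Eq "^[[:space:]]*[^#[:space:]]+[[:space:]]+$mp[[:space:]]" "$file" || return 1
    fstab_has_option "$file" "$mp" "$opt" && return 0
    tmp="$(mktemp)"
    awk -v mp="$mp" -v opt="$opt" '
        !/^[[:space:]]*#/ && NF >= 4 && $2 == mp { $4 = $4 "," opt }
        { print }' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# audit_mount_options FILE -> one "mountpoint option ok|MISSING" line per
# check from the rules on this page.
audit_mount_options() {
    f="$1"
    for pair in "/tmp nodev" "/tmp nosuid" "/tmp noexec" \
                "/dev/shm nosuid" "/dev/shm noexec" "/home nosuid"; do
        set -- $pair
        if fstab_has_option "$f" "$1" "$2"; then
            printf '%s %s ok\n' "$1" "$2"
        else
            printf '%s %s MISSING\n' "$1" "$2"
        fi
    done
}

# Constructed sample fstab (not from a real host): only /tmp carries nodev.
DEMO_FSTAB="$(mktemp)"
cat > "$DEMO_FSTAB" <<'EOF'
# /etc/fstab (constructed sample)
/dev/mapper/rhel-root   /         xfs    defaults        0 0
/dev/mapper/rhel-tmp    /tmp      xfs    defaults,nodev  0 0
/dev/mapper/rhel-home   /home     xfs    defaults        0 0
tmpfs                   /dev/shm  tmpfs  defaults        0 0
EOF

audit_mount_options "$DEMO_FSTAB"
```

Run audit_mount_options /etc/fstab on a host to see which of the six rules it fails on paper; fstab_add_option only changes the file, so a remount (mount -o remount <mountpoint>, as the page's ensure_partition_is_mounted step does) is still needed for the option to take effect on the running system. Note that the rewritten line is re-joined by awk with single spaces, while untouched lines keep their original spacing.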
Identifier: CCE-80151-4

Remediation Shell script:

    include_mount_options_functions

    function perform_remediation {
        # test "$mount_has_to_exist" = 'yes'
        if test "yes" = 'yes'; then
            assert_mount_point_in_fstab /tmp || { echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; }
        fi

        ensure_mount_option_in_fstab "/tmp" "nosuid"

        ensure_partition_is_mounted "/tmp"
    }

    perform_remediation

Remediation Ansible snippet:

    - name: get back device associated to mountpoint
      shell: mount | grep ' /tmp ' |cut -d ' ' -f 1
      args:
        warn: False # Ignore ANSIBLE0006, we can't fetch device name with mount module
      register: device_name
      check_mode: no
      changed_when: False
      tags:
        - mount_option_tmp_nosuid
        - unknown_severity
        - configure_strategy
        - low_complexity
        - high_disruption
        - CCE-80151-4
        - NIST-800-53-CM-7
        - NIST-800-53-MP-2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - block:
      - name: get back device previous mount option
        shell: mount | grep ' /tmp ' | sed -re 's:.*\((.*)\):\1:'
        args:
          warn: False # Ignore ANSIBLE0006, we can't fetch current mount options with mount module
        register: device_cur_mountoption
        check_mode: no
      - name: get back device fstype
        shell: mount | grep ' /tmp ' | cut -d ' ' -f 5
        args:
          warn: False # Ignore ANSIBLE0006, we can't fetch fstype with mount module
        register: device_fstype
        check_mode: no
      - name: Ensure permission nosuid are set on /tmp
        mount:
          path: "/tmp"
          src: "{{ device_name.stdout }}"
          opts: "{{ device_cur_mountoption.stdout }},nosuid"
          state: "mounted"
          fstype: "{{ device_fstype.stdout }}"
      when: (device_name.stdout | length > 0) and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - mount_option_tmp_nosuid
        - unknown_severity
        - configure_strategy
        - low_complexity
        - high_disruption
        - CCE-80151-4
        - NIST-800-53-CM-7
        - NIST-800-53-MP-2

Remediation Anaconda snippet:

    part /tmp --mountoptions="nosuid"

Add nodev Option to /var/tmp

Description: The nodev mount option can be used to prevent device files from being created in /var/tmp. Legitimate character and block devices should not exist within temporary directories like /var/tmp. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp.

References: 1.1.8

Rationale: The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

Remediation Shell script:

    include_mount_options_functions

    function perform_remediation {
        # test "$mount_has_to_exist" = 'yes'
        if test "yes" = 'yes'; then
            assert_mount_point_in_fstab /var/tmp || { echo "Not remediating, because there is no record of /var/tmp in /etc/fstab" >&2; return 1; }
        fi

        ensure_mount_option_in_fstab "/var/tmp" "nodev"

        ensure_partition_is_mounted "/var/tmp"
    }

    perform_remediation

Remediation Ansible snippet:

    - name: get back device associated to mountpoint
      shell: mount | grep ' /var/tmp ' |cut -d ' ' -f 1
      args:
        warn: False # Ignore ANSIBLE0006, we can't fetch device name with mount module
      register: device_name
      check_mode: no
      changed_when: False
      tags:
        - mount_option_var_tmp_nodev
        - unknown_severity
        - configure_strategy
        - low_complexity
        - high_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - block:
      - name: get back device previous mount option
        shell: mount | grep ' /var/tmp ' | sed -re 's:.*\((.*)\):\1:'
        args:
          warn: False # Ignore ANSIBLE0006, we can't fetch current mount options with mount module
        register: device_cur_mountoption
        check_mode: no
      - name: get back device fstype
        shell: mount | grep ' /var/tmp ' | cut -d ' ' -f 5
        args:
          warn: False # Ignore ANSIBLE0006, we can't fetch fstype with mount module
        register: device_fstype
        check_mode: no
      - name: Ensure permission nodev are set on /var/tmp
        mount:
          path: "/var/tmp"
          src: "{{ device_name.stdout }}"
          opts: "{{ device_cur_mountoption.stdout }},nodev"
          state: "mounted"
          fstype: "{{ device_fstype.stdout }}"
      when: (device_name.stdout | length > 0) and (ansible_virtualization_role != "guest" or 
ansible_virtualization_type != "docker") tags: - mount_option_var_tmp_nodev - unknown_severity - configure_strategy - low_complexity - high_disruption part /var/tmp --mountoptions="nodev" Add nosuid Option to Removable Media Partitions The nosuid mount option prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect. These permissions allow users to execute binaries with the same permissions as the owner and group of the file respectively. Users should not be allowed to introduce SUID and SGID files into the system via partitions mounted from removeable media. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions. RHEL-07-021010 SV-86667r2_rule 1.1.19 11 12 13 14 15 16 18 3 5 8 9 APO01.06 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.06 DSS05.07 DSS06.02 DSS06.03 DSS06.06 CCI-000366 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 5.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.11.2.6 A.11.2.9 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.6.2.1 A.6.2.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.1 A.8.2.2 A.8.2.3 A.8.3.1 A.8.3.3 A.9.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 AC-19(a) AC-19(d) AC-19(e) CM-7 MP-2 PR.AC-3 PR.AC-4 PR.AC-6 PR.DS-5 PR.IP-1 PR.PT-2 PR.PT-3 SRG-OS-000480-GPOS-00227 The presence of SUID and SGID executables should be tightly controlled. 
Allowing users to introduce SUID or SGID binaries from partitions mounted off of removable media would allow them to introduce their own highly-privileged programs.

Identifiers: CCE-80148-0

Remediation Shell script:

    var_removable_partition=""

    include_mount_options_functions

    function perform_remediation {
        # test "$mount_has_to_exist" = 'yes'
        if test "no" = 'yes'; then
            assert_mount_point_in_fstab "$var_removable_partition" || { echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2; return 1; }
        fi

        ensure_mount_option_in_fstab "$var_removable_partition" "nosuid"

        ensure_partition_is_mounted "$var_removable_partition"
    }

    perform_remediation

Remediation Ansible snippet:

    - name: XCCDF Value var_removable_partition # promote to variable
      set_fact:
        var_removable_partition: !!str
      tags:
        - always

    - name: get back device associated to mountpoint
      shell: mount | grep ' {{ var_removable_partition }} ' |cut -d ' ' -f 1
      args:
        warn: False # Ignore ANSIBLE0006, we can't fetch device name with mount module
      register: device_name
      check_mode: no
      changed_when: False
      tags:
        - mount_option_nosuid_removable_partitions
        - unknown_severity
        - configure_strategy
        - low_complexity
        - high_disruption
        - CCE-80148-0
        - NIST-800-53-AC-6
        - NIST-800-53-AC-19(a)
        - NIST-800-53-AC-19(d)
        - NIST-800-53-AC-19(e)
        - NIST-800-53-CM-7
        - NIST-800-53-MP-2
        - DISA-STIG-RHEL-07-021010
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - block:
        - name: get back device previous mount option
          shell: mount | grep ' {{ var_removable_partition }} ' | sed -re 's:.*\((.*)\):\1:'
          args:
            warn: False # Ignore ANSIBLE0006, we can't fetch mount options with mount module
          register: device_cur_mountoption
          check_mode: no

        - name: get back device fstype
          shell: mount | grep ' {{ var_removable_partition }} ' | cut -d ' ' -f 5
          args:
            warn: False # Ignore ANSIBLE0006, we can't fetch fstype with mount module
          register: device_fstype
          check_mode: no

        - name: Ensure permission nosuid are set on var_removable_partition
          mount:
            path: "{{ var_removable_partition }}"
            src: "{{ device_name.stdout }}"
            opts: "{{ device_cur_mountoption.stdout }},nosuid"
            state: "mounted"
            fstype: "{{ device_fstype.stdout }}"
      when: (device_name.stdout | length > 0) and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - mount_option_nosuid_removable_partitions
        - unknown_severity
        - configure_strategy
        - low_complexity
        - high_disruption
        - CCE-80148-0
        - NIST-800-53-AC-6
        - NIST-800-53-AC-19(a)
        - NIST-800-53-AC-19(d)
        - NIST-800-53-AC-19(e)
        - NIST-800-53-CM-7
        - NIST-800-53-MP-2
        - DISA-STIG-RHEL-07-021010

Add nodev Option to Non-Root Local Partitions

The nodev mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any non-root local partitions.

References: 1.1.11 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: The nodev mount option prevents files from being interpreted as character or block devices. The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails, for which it is not advised to set nodev on these filesystems.
Identifiers: CCE-80145-6

Add nodev Option to Removable Media Partitions

The nodev mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.

References: 1.1.18 11 12 13 14 16 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.06 DSS05.07 DSS06.03 DSS06.06 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.11.2.6 A.11.2.9 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.7.1.1 A.8.2.1 A.8.2.2 A.8.2.3 A.8.3.1 A.8.3.3 A.9.1.2 A.9.2.1 AC-19(a) AC-19(d) AC-19(e) CM-7 MP-2 PR.AC-3 PR.AC-6 PR.IP-1 PR.PT-2 PR.PT-3

Rationale: The only legitimate location for device files is the /dev directory located on the root partition. An exception to this is chroot jails, and it is not advised to set nodev on partitions which contain their root filesystems.
Identifiers: CCE-80146-4

Remediation Shell script:

    var_removable_partition=""

    include_mount_options_functions

    function perform_remediation {
        # test "$mount_has_to_exist" = 'yes'
        if test "no" = 'yes'; then
            assert_mount_point_in_fstab "$var_removable_partition" || { echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2; return 1; }
        fi

        ensure_mount_option_in_fstab "$var_removable_partition" "nodev"

        ensure_partition_is_mounted "$var_removable_partition"
    }

    perform_remediation

Remediation Ansible snippet:

    - name: XCCDF Value var_removable_partition # promote to variable
      set_fact:
        var_removable_partition: !!str
      tags:
        - always

    - name: get back device associated to mountpoint
      shell: mount | grep ' {{ var_removable_partition }} ' |cut -d ' ' -f 1
      args:
        warn: False # Ignore ANSIBLE0006, we can't fetch device name with mount module
      register: device_name
      check_mode: no
      changed_when: False
      tags:
        - mount_option_nodev_removable_partitions
        - unknown_severity
        - configure_strategy
        - low_complexity
        - high_disruption
        - CCE-80146-4
        - NIST-800-53-AC-19(a)
        - NIST-800-53-AC-19(d)
        - NIST-800-53-AC-19(e)
        - NIST-800-53-CM-7
        - NIST-800-53-MP-2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - block:
        - name: get back device previous mount option
          shell: mount | grep ' {{ var_removable_partition }} ' | sed -re 's:.*\((.*)\):\1:'
          args:
            warn: False # Ignore ANSIBLE0006, we can't fetch mount options with mount module
          register: device_cur_mountoption
          check_mode: no

        - name: get back device fstype
          shell: mount | grep ' {{ var_removable_partition }} ' | cut -d ' ' -f 5
          args:
            warn: False # Ignore ANSIBLE0006, we can't fetch fstype with mount module
          register: device_fstype
          check_mode: no

        - name: Ensure permission nodev are set on var_removable_partition
          mount:
            path: "{{ var_removable_partition }}"
            src: "{{ device_name.stdout }}"
            opts: "{{ device_cur_mountoption.stdout }},nodev"
            state: "mounted"
            fstype: "{{ device_fstype.stdout }}"
      when: (device_name.stdout | length > 0) and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - mount_option_nodev_removable_partitions
        - unknown_severity
        - configure_strategy
        - low_complexity
        - high_disruption
        - CCE-80146-4
        - NIST-800-53-AC-19(a)
        - NIST-800-53-AC-19(d)
        - NIST-800-53-AC-19(e)
        - NIST-800-53-CM-7
        - NIST-800-53-MP-2

Add noexec Option to Removable Media Partitions

The noexec mount option prevents the direct execution of binaries on the mounted filesystem. Preventing the direct execution of binaries from removable media (such as a USB key) provides a defense against malicious software that may be present on such untrusted media. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.

References: 1.1.20 11 12 13 14 16 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.06 DSS05.07 DSS06.03 DSS06.06 CCI-000087 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.11.2.6 A.11.2.9 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.7.1.1 A.8.2.1 A.8.2.2 A.8.2.3 A.8.3.1 A.8.3.3 A.9.1.2 A.9.2.1 AC-19(a) AC-19(d) AC-19(e) CM-7 MP-2 PR.AC-3 PR.AC-6 PR.IP-1 PR.PT-2 PR.PT-3

Rationale: Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise.
Identifiers: CCE-80147-2

Remediation Shell script:

    var_removable_partition=""

    include_mount_options_functions

    function perform_remediation {
        # test "$mount_has_to_exist" = 'yes'
        if test "no" = 'yes'; then
            assert_mount_point_in_fstab "$var_removable_partition" || { echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2; return 1; }
        fi

        ensure_mount_option_in_fstab "$var_removable_partition" "noexec"

        ensure_partition_is_mounted "$var_removable_partition"
    }

    perform_remediation

Remediation Ansible snippet:

    - name: XCCDF Value var_removable_partition # promote to variable
      set_fact:
        var_removable_partition: !!str
      tags:
        - always

    - name: get back device associated to mountpoint
      shell: mount | grep ' {{ var_removable_partition }} ' |cut -d ' ' -f 1
      args:
        warn: False # Ignore ANSIBLE0006, we can't fetch device name with mount module
      register: device_name
      check_mode: no
      changed_when: False
      tags:
        - mount_option_noexec_removable_partitions
        - unknown_severity
        - configure_strategy
        - low_complexity
        - high_disruption
        - CCE-80147-2
        - NIST-800-53-AC-19(a)
        - NIST-800-53-AC-19(d)
        - NIST-800-53-AC-19(e)
        - NIST-800-53-CM-7
        - NIST-800-53-MP-2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - block:
        - name: get back device previous mount option
          shell: mount | grep ' {{ var_removable_partition }} ' | sed -re 's:.*\((.*)\):\1:'
          args:
            warn: False # Ignore ANSIBLE0006, we can't fetch mount options with mount module
          register: device_cur_mountoption
          check_mode: no

        - name: get back device fstype
          shell: mount | grep ' {{ var_removable_partition }} ' | cut -d ' ' -f 5
          args:
            warn: False # Ignore ANSIBLE0006, we can't fetch fstype with mount module
          register: device_fstype
          check_mode: no

        - name: Ensure permission noexec are set on var_removable_partition
          mount:
            path: "{{ var_removable_partition }}"
            src: "{{ device_name.stdout }}"
            opts: "{{ device_cur_mountoption.stdout }},noexec"
            state: "mounted"
            fstype: "{{ device_fstype.stdout }}"
      when: (device_name.stdout | length > 0) and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - mount_option_noexec_removable_partitions
        - unknown_severity
        - configure_strategy
        - low_complexity
        - high_disruption
        - CCE-80147-2
        - NIST-800-53-AC-19(a)
        - NIST-800-53-AC-19(d)
        - NIST-800-53-AC-19(e)
        - NIST-800-53-CM-7
        - NIST-800-53-MP-2

Add noexec Option to /var/tmp

The noexec mount option can be used to prevent binaries from being executed out of /var/tmp. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp.

References: 1.1.10

Rationale: Allowing users to execute binaries from world-writable directories such as /var/tmp should never be necessary in normal operation and can expose the system to potential compromise.

Remediation Shell script:

    include_mount_options_functions

    function perform_remediation {
        # test "$mount_has_to_exist" = 'yes'
        if test "yes" = 'yes'; then
            assert_mount_point_in_fstab /var/tmp || { echo "Not remediating, because there is no record of /var/tmp in /etc/fstab" >&2; return 1; }
        fi

        ensure_mount_option_in_fstab "/var/tmp" "noexec"

        ensure_partition_is_mounted "/var/tmp"
    }

    perform_remediation

Remediation Ansible snippet:

    - name: get back device associated to mountpoint
      shell: mount | grep ' /var/tmp ' |cut -d ' ' -f 1
      args:
        warn: False # Ignore ANSIBLE0006, we can't fetch device name with mount module
      register: device_name
      check_mode: no
      changed_when: False
      tags:
        - mount_option_var_tmp_noexec
        - unknown_severity
        - configure_strategy
        - low_complexity
        - high_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - block:
        - name: get back device previous mount option
          shell: mount | grep ' /var/tmp ' | sed -re 's:.*\((.*)\):\1:'
          args:
            warn: False # Ignore ANSIBLE0006, we can't fetch current mount options with mount module
          register: device_cur_mountoption
          check_mode: no

        - name: get back device fstype
          shell: mount | grep ' /var/tmp ' | cut -d ' ' -f 5
          args:
            warn: False # Ignore ANSIBLE0006, we can't fetch fstype with mount module
          register: device_fstype
          check_mode: no

        - name: Ensure permission noexec are set on /var/tmp
          mount:
            path: "/var/tmp"
            src: "{{ device_name.stdout }}"
            opts: "{{ device_cur_mountoption.stdout }},noexec"
            state: "mounted"
            fstype: "{{ device_fstype.stdout }}"
      when: (device_name.stdout | length > 0) and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - mount_option_var_tmp_noexec
        - unknown_severity
        - configure_strategy
        - low_complexity
        - high_disruption

Remediation Kickstart snippet:

    part /var/tmp --mountoptions="noexec"

Bind Mount /var/tmp To /tmp

The /var/tmp directory is a world-writable directory. Bind-mount it to /tmp in order to consolidate temporary storage into one location protected by the same techniques as /tmp. To do so, edit /etc/fstab and add the following line:

    /tmp     /var/tmp     none     rw,nodev,noexec,nosuid,bind     0 0

See the mount(8) man page for further explanation of bind mounting.

References: 1.1.6 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3

Rationale: Having multiple locations for temporary storage is not required. Unless absolutely necessary to meet requirements, the storage location /var/tmp should be bind mounted to /tmp and thus share the same protections.
Identifiers: CCE-80155-5

Remediation Shell script:

    # Delete particular /etc/fstab's row if /var/tmp is already configured to
    # represent a mount point (for some device or filesystem other than /tmp)
    if grep -q -P '.*\/var\/tmp.*' /etc/fstab
    then
        sed -i '/.*\/var\/tmp.*/d' /etc/fstab
    fi

    umount /var/tmp

    # Bind-mount /var/tmp to /tmp via /etc/fstab (preserving the /etc/fstab form)
    printf "%-24s%-24s%-8s%-32s%-3s\n" "/tmp" "/var/tmp" "none" "rw,nodev,noexec,nosuid,bind" "0 0" >> /etc/fstab

    mkdir -p /var/tmp
    mount -B /tmp /var/tmp

Add nodev Option to /home

The nodev mount option can be used to prevent device files from being created in /home. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /home.

References: 1.1.14

Rationale: The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.
Remediation Shell script:

    include_mount_options_functions

    function perform_remediation {
        # test "$mount_has_to_exist" = 'yes'
        if test "yes" = 'yes'; then
            assert_mount_point_in_fstab /home || { echo "Not remediating, because there is no record of /home in /etc/fstab" >&2; return 1; }
        fi

        ensure_mount_option_in_fstab "/home" "nodev"

        ensure_partition_is_mounted "/home"
    }

    perform_remediation

Remediation Ansible snippet:

    - name: get back device associated to mountpoint
      shell: mount | grep ' /home ' |cut -d ' ' -f 1
      args:
        warn: False # Ignore ANSIBLE0006, we can't fetch device name with mount module
      register: device_name
      check_mode: no
      changed_when: False
      tags:
        - mount_option_home_nodev
        - unknown_severity
        - configure_strategy
        - low_complexity
        - high_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - block:
        - name: get back device previous mount option
          shell: mount | grep ' /home ' | sed -re 's:.*\((.*)\):\1:'
          args:
            warn: False # Ignore ANSIBLE0006, we can't fetch current mount options with mount module
          register: device_cur_mountoption
          check_mode: no

        - name: get back device fstype
          shell: mount | grep ' /home ' | cut -d ' ' -f 5
          args:
            warn: False # Ignore ANSIBLE0006, we can't fetch fstype with mount module
          register: device_fstype
          check_mode: no

        - name: Ensure permission nodev are set on /home
          mount:
            path: "/home"
            src: "{{ device_name.stdout }}"
            opts: "{{ device_cur_mountoption.stdout }},nodev"
            state: "mounted"
            fstype: "{{ device_fstype.stdout }}"
      when: (device_name.stdout | length > 0) and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - mount_option_home_nodev
        - unknown_severity
        - configure_strategy
        - low_complexity
        - high_disruption

Remediation Kickstart snippet:

    part /home --mountoptions="nodev"

Add nosuid Option to /var/tmp

The nosuid mount option can be used to prevent execution of setuid programs in /var/tmp. The SUID and SGID permissions should not be required in these world-writable directories.
Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp.

References: 1.1.9

Rationale: The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.

Remediation Shell script:

    include_mount_options_functions

    function perform_remediation {
        # test "$mount_has_to_exist" = 'yes'
        if test "yes" = 'yes'; then
            assert_mount_point_in_fstab /var/tmp || { echo "Not remediating, because there is no record of /var/tmp in /etc/fstab" >&2; return 1; }
        fi

        ensure_mount_option_in_fstab "/var/tmp" "nosuid"

        ensure_partition_is_mounted "/var/tmp"
    }

    perform_remediation

Remediation Ansible snippet:

    - name: get back device associated to mountpoint
      shell: mount | grep ' /var/tmp ' |cut -d ' ' -f 1
      args:
        warn: False # Ignore ANSIBLE0006, we can't fetch device name with mount module
      register: device_name
      check_mode: no
      changed_when: False
      tags:
        - mount_option_var_tmp_nosuid
        - unknown_severity
        - configure_strategy
        - low_complexity
        - high_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - block:
        - name: get back device previous mount option
          shell: mount | grep ' /var/tmp ' | sed -re 's:.*\((.*)\):\1:'
          args:
            warn: False # Ignore ANSIBLE0006, we can't fetch current mount options with mount module
          register: device_cur_mountoption
          check_mode: no

        - name: get back device fstype
          shell: mount | grep ' /var/tmp ' | cut -d ' ' -f 5
          args:
            warn: False # Ignore ANSIBLE0006, we can't fetch fstype with mount module
          register: device_fstype
          check_mode: no

        - name: Ensure permission nosuid are set on /var/tmp
          mount:
            path: "/var/tmp"
            src: "{{ device_name.stdout }}"
            opts: "{{ device_cur_mountoption.stdout }},nosuid"
            state: "mounted"
            fstype: "{{ device_fstype.stdout }}"
      when: (device_name.stdout | length > 0) and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - mount_option_var_tmp_nosuid
        - unknown_severity
        - configure_strategy
        - low_complexity
        - high_disruption

Remediation Kickstart snippet:

    part /var/tmp --mountoptions="nosuid"

Add nodev Option to /dev/shm

The nodev mount option can be used to prevent creation of device files in /dev/shm. Legitimate character and block devices should not exist within temporary directories like /dev/shm. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.

References: 1.1.15 11 13 14 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS05.06 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.11.2.9 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.8.2.1 A.8.2.2 A.8.2.3 A.8.3.1 A.8.3.3 A.9.1.2 CM-7 MP-2 PR.IP-1 PR.PT-2 PR.PT-3

Rationale: The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.
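All of the mount-option rules above (nosuid, nodev and noexec on /tmp, /var/tmp, /home, /dev/shm and removable media) call two helpers, assert_mount_point_in_fstab and ensure_mount_option_in_fstab, that the guide pulls in through the unexpanded include_mount_options_functions macro, so the page never shows what they do. The script below is an added example, not code from the SCAP Security Guide: it is one self-contained implementation of those two helpers (how SSG's own versions work internally is an assumption), plus a has_mount_option check that mirrors what the audit side of such a rule tests. FSTAB, fstab_options and has_mount_option are this example's names; ensure_partition_is_mounted needs a real mount(8) call and is left out. The sample fstab is constructed and the script never touches /etc/fstab.

```shell
#!/bin/sh
# Added example, not SSG's own code: stand-alone versions of the fstab helpers
# the mount-option rules call (assert_mount_point_in_fstab and
# ensure_mount_option_in_fstab). Their internal behaviour in SSG is assumed.
# FSTAB, fstab_options and has_mount_option are this example's own names.
# Everything operates on a constructed copy, never on /etc/fstab.
FSTAB="${FSTAB:-$(mktemp)}"

# Constructed sample fstab: /tmp lacks nosuid, /home already has nodev,
# /dev/shm lacks nodev, and there is no /var/tmp entry at all.
cat > "$FSTAB" <<'EOF'
# <device>                                  <mount>  <type> <options>      <dump> <pass>
UUID=11111111-2222-3333-4444-555555555555   /        xfs    defaults       0 0
UUID=66666666-7777-8888-9999-000000000000   /tmp     xfs    defaults       0 0
UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee   /home    xfs    defaults,nodev 0 0
tmpfs                                       /dev/shm tmpfs  defaults       0 0
EOF

# Exit 0 if some non-comment line has mount point $1 in its second field.
assert_mount_point_in_fstab() {
    awk -v mp="$1" '$1 !~ /^#/ && $2 == mp { found = 1 } END { exit !found }' "$FSTAB"
}

# Print the option field (fourth column) of the entry for mount point $1.
fstab_options() {
    awk -v mp="$1" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$FSTAB"
}

# Audit side: exit 0 if mount point $1 already carries option $2 as a whole
# comma-separated token, so "nodev" is not mistaken for part of another option.
has_mount_option() {
    fstab_options "$1" | tr ',' '\n' | grep -qx -- "$2"
}

# Remediation side: add option $2 to the option field of mount point $1.
# Idempotent (a second call changes nothing) and, like the rules above,
# refuses to edit when the mount point has no fstab entry.
ensure_mount_option_in_fstab() {
    mp="$1"; opt="$2"
    assert_mount_point_in_fstab "$mp" || return 1
    tmp=$(mktemp)
    awk -v mp="$mp" -v opt="$opt" '
        $1 !~ /^#/ && $2 == mp {
            n = split($4, o, ","); have = 0
            for (i = 1; i <= n; i++) if (o[i] == opt) have = 1
            # Reassigning $4 makes awk rebuild the record with single spaces;
            # column alignment is lost for that line but the entry stays valid.
            if (!have) $4 = ($4 == "" ? opt : $4 "," opt)
        }
        { print }' "$FSTAB" > "$tmp" && cat "$tmp" > "$FSTAB"
    rm -f "$tmp"
}

# Demo: the same edits the /tmp, /home, /dev/shm and /var/tmp rules make.
ensure_mount_option_in_fstab /tmp nosuid
ensure_mount_option_in_fstab /tmp nosuid      # no-op the second time
ensure_mount_option_in_fstab /home nodev      # already present, line untouched
ensure_mount_option_in_fstab /dev/shm nodev
ensure_mount_option_in_fstab /var/tmp nodev || echo "no /var/tmp entry in $FSTAB, nothing to edit" >&2
cat "$FSTAB"
```

Run it as-is to see the edited copy; point FSTAB at a file of your own to try other layouts. The whole-token match in has_mount_option is the detail worth keeping in any audit script: a substring grep for nodev would also accept an entry that merely contains the letters somewhere in another option.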
Identifiers: CCE-80152-2

Remediation Shell script:

    include_mount_options_functions

    function perform_remediation {
        # test "$mount_has_to_exist" = 'yes'
        if test "no" = 'yes'; then
            assert_mount_point_in_fstab /dev/shm || { echo "Not remediating, because there is no record of /dev/shm in /etc/fstab" >&2; return 1; }
        fi

        ensure_mount_option_in_fstab "/dev/shm" "nodev"

        ensure_partition_is_mounted "/dev/shm"
    }

    perform_remediation

Remediation Ansible snippet:

    - name: get back device associated to mountpoint
      shell: mount | grep ' /dev/shm ' |cut -d ' ' -f 1
      args:
        warn: False # Ignore ANSIBLE0006, we can't fetch device name with mount module
      register: device_name
      check_mode: no
      changed_when: False
      tags:
        - mount_option_dev_shm_nodev
        - medium_severity
        - configure_strategy
        - low_complexity
        - high_disruption
        - CCE-80152-2
        - NIST-800-53-CM-7
        - NIST-800-53-MP-2
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

    - block:
        - name: get back device previous mount option
          shell: mount | grep ' /dev/shm ' | sed -re 's:.*\((.*)\):\1:'
          args:
            warn: False # Ignore ANSIBLE0006, we can't fetch current mount options with mount module
          register: device_cur_mountoption
          check_mode: no

        - name: get back device fstype
          shell: mount | grep ' /dev/shm ' | cut -d ' ' -f 5
          args:
            warn: False # Ignore ANSIBLE0006, we can't fetch fstype with mount module
          register: device_fstype
          check_mode: no

        - name: Ensure permission nodev are set on /dev/shm
          mount:
            path: "/dev/shm"
            src: "{{ device_name.stdout }}"
            opts: "{{ device_cur_mountoption.stdout }},nodev"
            state: "mounted"
            fstype: "{{ device_fstype.stdout }}"
      when: (device_name.stdout | length > 0) and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
      tags:
        - mount_option_dev_shm_nodev
        - medium_severity
        - configure_strategy
        - low_complexity
        - high_disruption
        - CCE-80152-2
        - NIST-800-53-CM-7
        - NIST-800-53-MP-2

Set Daemon Umask

The file /etc/init.d/functions includes initialization parameters for most or all daemons started at boot time. Many daemons on the system already individually restrict themselves to a umask of 077 in their own init scripts. By default, the umask of 022 is set which prevents creation of group- or world-writable files. To set the umask for daemons expected by the profile, edit the following line:

    umask

Setting the umask to too restrictive a setting can cause serious errors at runtime.

References: 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5

Rationale: The umask influences the permissions assigned to files created by a process at run time. An unnecessarily permissive umask could result in files being created with insecure permissions.

Identifiers: CCE-27068-6

Remediation Shell script:

    var_umask_for_daemons=""

    grep -q ^umask /etc/init.d/functions && \
      sed -i "s/umask.*/umask $var_umask_for_daemons/g" /etc/init.d/functions
    if ! [ $? -eq 0 ]; then
        echo "umask $var_umask_for_daemons" >> /etc/init.d/functions
    fi

Enable SLUB/SLAB allocator poisoning

To enable poisoning of SLUB/SLAB objects, add the argument slub_debug=P to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:

    GRUB_CMDLINE_LINUX="slub_debug=P"

The GRUB 2 configuration file, grub.cfg, is automatically updated each time a new kernel is installed. Note that any changes to /etc/default/grub require rebuilding the grub.cfg file.
To update the GRUB 2 configuration file manually, use the grub2-mkconfig -o command as follows. On BIOS-based machines, issue the following command as root:

    ~]# grub2-mkconfig -o /boot/grub2/grub.cfg

On UEFI-based machines, issue the following command as root:

    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

Rationale: Poisoning writes an arbitrary value to freed objects, so any modification or reference to that object after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. It also prevents leaks of data and aids the detection of corrupted memory.

Remediation Shell script:

    # Correct the form of default kernel command line in GRUB
    if grep -q '^GRUB_CMDLINE_LINUX=.*slub_debug=.*"' '/etc/default/grub' ; then
        # modify the GRUB command-line if a slub_debug= arg already exists
        sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)slub_debug=[^[:space:]]*\(.*"\)/\1 slub_debug=P \2/' '/etc/default/grub'
    else
        # no slub_debug=arg is present, append it
        sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 slub_debug=P"/' '/etc/default/grub'
    fi

    # Correct the form of kernel command line for each installed kernel in the bootloader
    grubby --update-kernel=ALL --args="slub_debug=P"

Enable page allocator poisoning

To enable poisoning of free pages, add the argument page_poison=1 to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:

    GRUB_CMDLINE_LINUX="page_poison=1"

The GRUB 2 configuration file, grub.cfg, is automatically updated each time a new kernel is installed. Note that any changes to /etc/default/grub require rebuilding the grub.cfg file.
To update the GRUB 2 configuration file manually, use the grub2-mkconfig -o command as follows. On BIOS-based machines, issue the following command as root:

    ~]# grub2-mkconfig -o /boot/grub2/grub.cfg

On UEFI-based machines, issue the following command as root:

    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

Rationale: Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. It also prevents leaks of data and aids the detection of corrupted memory.

Remediation Shell script:

    # Correct the form of default kernel command line in GRUB
    if grep -q '^GRUB_CMDLINE_LINUX=.*page_poison=.*"' '/etc/default/grub' ; then
        # modify the GRUB command-line if a page_poison= arg already exists
        sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)page_poison=[^[:space:]]*\(.*"\)/\1 page_poison=1 \2/' '/etc/default/grub'
    else
        # no page_poison=arg is present, append it
        sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 page_poison=1"/' '/etc/default/grub'
    fi

    # Correct the form of kernel command line for each installed kernel in the bootloader
    grubby --update-kernel=ALL --args="page_poison=1"

Disable Core Dumps for SUID programs

To set the runtime status of the fs.suid_dumpable kernel parameter, run the following command:

    $ sudo sysctl -w fs.suid_dumpable=0

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    fs.suid_dumpable = 0

References: 1.5.1 164.308(a)(1)(ii)(D) 164.308(a)(3) 164.308(a)(4) 164.310(b) 164.310(c) 164.312(a) 164.312(e) SI-11

Rationale: The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data.
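The slub_debug=P and page_poison=1 rules above each edit GRUB_CMDLINE_LINUX with a pair of sed commands, one for the "argument already present" case and one for the "append" case. The script below is an added example, not code from the SCAP Security Guide: a single function that covers both of those cases plus a third the seds do not (no GRUB_CMDLINE_LINUX line at all), and an audit-side helper that reads an argument's current value. GRUB_DEFAULT_FILE, grub_cmdline, grub_arg_value and set_grub_arg are this example's own names; it assumes the double-quoted GRUB_CMDLINE_LINUX="..." form the rules show, and it edits a constructed copy, never the real /etc/default/grub.

```shell
#!/bin/sh
# Added example, not SSG's own code: idempotently set key=value arguments in
# GRUB_CMDLINE_LINUX of an /etc/default/grub-style file. Handles an existing
# key= token (replaced), a missing token (appended) and a missing
# GRUB_CMDLINE_LINUX line (created). GRUB_DEFAULT_FILE, grub_cmdline,
# grub_arg_value and set_grub_arg are this example's own names, and the
# double-quoted GRUB_CMDLINE_LINUX="..." form is assumed. Works on a
# constructed copy, never on the real /etc/default/grub.
GRUB_DEFAULT_FILE="${GRUB_DEFAULT_FILE:-$(mktemp)}"

# Constructed sample: slub_debug is present with a non-compliant value,
# page_poison is absent.
cat > "$GRUB_DEFAULT_FILE" <<'EOF'
GRUB_TIMEOUT=5
GRUB_DEFAULT=saved
GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet slub_debug=FZ"
GRUB_DISABLE_RECOVERY="true"
EOF

# Print the argument string inside GRUB_CMDLINE_LINUX="...", if any.
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$GRUB_DEFAULT_FILE"
}

# Audit side: print the value of argument $1 (e.g. "P" for slub_debug=P),
# or nothing when the argument is not on the command line.
grub_arg_value() {
    grub_cmdline | tr ' ' '\n' | sed -n "s/^$1=//p"
}

# Remediation side: make $1=$2 the one and only $1= token on the command line.
set_grub_arg() {
    key="$1"; val="$2"
    if ! grep -q '^GRUB_CMDLINE_LINUX=' "$GRUB_DEFAULT_FILE"; then
        echo "GRUB_CMDLINE_LINUX=\"$key=$val\"" >> "$GRUB_DEFAULT_FILE"
        return 0
    fi
    new=$(grub_cmdline | awk -v key="$key" -v val="$val" '{
        out = ""; done = 0
        for (i = 1; i <= NF; i++) {
            tok = $i
            # Only a token that starts with key= is ours, so slub_debug= can
            # never match a hypothetical slub_debug_extra= argument. A second
            # copy of the key is dropped rather than duplicated.
            if (index(tok, key "=") == 1) {
                if (done) continue
                tok = key "=" val; done = 1
            }
            out = (out == "" ? tok : out " " tok)
        }
        if (!done) out = (out == "" ? key "=" val : out " " key "=" val)
        print out
    }')
    tmp=$(mktemp)
    awk -v line="GRUB_CMDLINE_LINUX=\"$new\"" \
        '/^GRUB_CMDLINE_LINUX=/ { print line; next } { print }' \
        "$GRUB_DEFAULT_FILE" > "$tmp" && cat "$tmp" > "$GRUB_DEFAULT_FILE"
    rm -f "$tmp"
}

# Demo: apply both rules to the sample, then show the resulting command line.
# On a real system the rules' grubby --update-kernel=ALL --args=... step (or
# grub2-mkconfig -o ...) is still required so installed kernels pick it up.
set_grub_arg slub_debug P
set_grub_arg page_poison 1
grub_cmdline
```

The point of funnelling every edit through one token-aware function is that repeated runs (a compliance scan that re-applies remediation every night, say) leave the line unchanged instead of accumulating stray spaces or duplicate arguments, which is the main way hand-written sed pairs drift over time.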
Identifiers: CCE-26900-1

Remediation Shell script:

    #
    # Set runtime for fs.suid_dumpable
    #
    /sbin/sysctl -q -n -w fs.suid_dumpable=0
    #
    # If fs.suid_dumpable present in /etc/sysctl.conf, change value to "0"
    # else, add "fs.suid_dumpable = 0" to /etc/sysctl.conf
    #
    # replace_or_append is a helper from the SCAP Security Guide's shared bash remediation functions
    replace_or_append '/etc/sysctl.conf' '^fs.suid_dumpable' "0" 'CCE-26900-1'

Remediation Ansible snippet:

    - name: Ensure sysctl fs.suid_dumpable is set to 0
      sysctl:
        name: fs.suid_dumpable
        value: 0
        state: present
        reload: yes
      tags:
        - sysctl_fs_suid_dumpable
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-26900-1
        - NIST-800-53-SI-11
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable Core Dumps for All Users

To disable core dumps for all users, add the following line to /etc/security/limits.conf:

    * hard core 0

References: 1.5.1 1 12 13 15 16 2 7 8 APO13.01 BAI04.04 DSS01.03 DSS03.05 DSS05.07 SR 6.2 SR 7.1 SR 7.2 A.12.1.3 A.17.2.1 DE.CM-1 PR.DS-4

Rationale: A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.

Identifiers: CCE-80169-6

Remediation Shell script:

    echo "* hard core 0" >> /etc/security/limits.conf

Install PAE Kernel on Supported 32-bit x86 Systems

Systems that are using the 64-bit x86 kernel package do not need to install the kernel-PAE package because the 64-bit x86 kernel already includes this support. However, if the system is 32-bit and also supports the PAE and NX features as determined in the previous section, the kernel-PAE package should be installed to enable XD or NX support. The kernel-PAE package can be installed with the following command:

    $ sudo yum install kernel-PAE

The installation process should also have configured the bootloader to load the new kernel at boot. Verify this after reboot and modify /etc/default/grub if necessary.
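The rule above says kernel-PAE belongs only on a 32-bit system whose CPU supports both PAE and NX, "as determined in the previous section". The following added example (my code, not a SCAP Security Guide remediation) makes that determination explicit: it reads the flags line of /proc/cpuinfo and the userspace word size from getconf LONG_BIT, and returns which of the three cases applies. Both inputs are passed as arguments, so the logic can be exercised on the constructed cpuinfo excerpts embedded below rather than only on the live machine.

```shell
#!/bin/sh
# Added example, not SCAP Security Guide code: decide whether kernel-PAE is
# needed from the CPU flags and the userspace word size. Both inputs are
# passed as arguments so the logic can be exercised on constructed data.

# cpu_has_flag CPUINFO_TEXT FLAG -> exit 0 if FLAG is listed on a "flags" line
cpu_has_flag() {
    printf '%s\n' "$1" | awk -v flag="$2" '
        /^flags[[:space:]]*:/ {
            for (i = 2; i <= NF; i++) if ($i == flag) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# pae_kernel_decision CPUINFO_TEXT LONG_BIT -> prints one of:
#   64bit-no-pae-needed        64-bit kernel already includes NX support
#   install-kernel-PAE         32-bit with both pae and nx flags present
#   no-nx-keep-default-kernel  32-bit without NX: kernel-PAE may not boot
pae_kernel_decision() {
    cpuinfo=$1
    bits=$2
    if [ "$bits" = "64" ]; then
        echo "64bit-no-pae-needed"
    elif cpu_has_flag "$cpuinfo" pae && cpu_has_flag "$cpuinfo" nx; then
        echo "install-kernel-PAE"
    else
        echo "no-nx-keep-default-kernel"
    fi
}

# Constructed /proc/cpuinfo excerpts (not captured from a real machine)
SAMPLE_CPU_NX='processor : 0
vendor_id : GenuineIntel
flags : fpu vme pae mce cx8 apic sep pge nx lm'
SAMPLE_CPU_OLD='processor : 0
flags : fpu vme mce cx8 apic sep pge'

# Stand-alone run: report the decision for the machine this runs on
if [ -r /proc/cpuinfo ]; then
    pae_kernel_decision "$(cat /proc/cpuinfo)" "$(getconf LONG_BIT 2>/dev/null || echo 64)"
fi
```

The word-size test mirrors the getconf LONG_BIT check the guide's own ExecShield remediation uses; the flag test is a whole-word match on the flags line, so a flag such as "nx" is not confused with a longer flag name that merely contains those letters.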
Warning: The kernel-PAE package should not be installed on older systems that do not support the XD or NX bit, as this may prevent them from booting.

References: 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 3.1.7 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-6(b) PR.IP-1

Rationale: On 32-bit systems that support the XD or NX bit, the vendor-supplied PAE kernel is required to enable either Execute Disable (XD) or No Execute (NX) support.

Identifiers: CCE-27116-3

Enable NX or XD Support in the BIOS

Reboot the system and enter the BIOS or Setup configuration menu. Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX) on AMD-based systems.

References: 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 3.1.7 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-6(b) PR.IP-1

Rationale: Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will allow users to turn the feature on or off at will.

Identifiers: CCE-27099-1

Restrict Exposed Kernel Pointer Addresses Access

To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command:

    $ sudo sysctl -w kernel.kptr_restrict=1

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    kernel.kptr_restrict = 1

References: NT28(R23) SC-39

Rationale: Exposing kernel pointers (through procfs or seq_printf()) exposes kernel-writable structures that can contain function pointers. If a write vulnerability occurs in the kernel allowing write access to any of these structures, the kernel can be compromised. This option disallows any program without the CAP_SYSLOG capability from obtaining kernel pointer addresses, replacing them with 0.
Identifiers: CCE-80659-6

Remediation Shell script:

    #
    # Set runtime for kernel.kptr_restrict
    #
    /sbin/sysctl -q -n -w kernel.kptr_restrict=1
    #
    # If kernel.kptr_restrict present in /etc/sysctl.conf, change value to "1"
    # else, add "kernel.kptr_restrict = 1" to /etc/sysctl.conf
    #
    replace_or_append '/etc/sysctl.conf' '^kernel.kptr_restrict' "1" 'CCE-80659-6'

Remediation Ansible snippet:

    - name: Ensure sysctl kernel.kptr_restrict is set to 1
      sysctl:
        name: kernel.kptr_restrict
        value: 1
        state: present
        reload: yes
      tags:
        - sysctl_kernel_kptr_restrict
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-80659-6
        - NIST-800-53-SC-39
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Enable ExecShield via sysctl

By default on Red Hat Enterprise Linux 7 64-bit systems, ExecShield is enabled and can only be disabled if the hardware does not support ExecShield or it is disabled in /etc/default/grub. For Red Hat Enterprise Linux 7 32-bit systems, sysctl can be used to enable ExecShield.

References: 1.5.2 12 15 8 APO13.01 DSS05.02 3.1.7 CCI-002530 164.308(a)(1)(ii)(D) 164.308(a)(3) 164.308(a)(4) 164.310(b) 164.310(c) 164.312(a) 164.312(e) SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.13.1.1 A.13.2.1 A.14.1.3 SC-39 PR.PT-4

Rationale: ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware.
Identifiers: CCE-27211-2

Remediation Shell script:

    if [ $(getconf LONG_BIT) = "32" ] ; then
        #
        # Set runtime for kernel.exec-shield
        #
        sysctl -q -n -w kernel.exec-shield=1
        #
        # If kernel.exec-shield present in /etc/sysctl.conf, change value to "1"
        # else, add "kernel.exec-shield = 1" to /etc/sysctl.conf
        #
        replace_or_append '/etc/sysctl.conf' '^kernel.exec-shield' '1' 'CCE-27211-2'
    fi
    if [ $(getconf LONG_BIT) = "64" ] ; then
        if grep --silent noexec /boot/grub2/grub*.cfg ; then
            sed -i "s/noexec.*//g" /etc/default/grub
            sed -i "s/noexec.*//g" /etc/grub.d/*
            # look for the grub configuration file in /boot/grub2, not in the current directory
            GRUBCFG=$(ls /boot/grub2 | grep '\.cfg$')
            grub2-mkconfig -o /boot/grub2/$GRUBCFG
        fi
    fi

Enable Randomized Layout of Virtual Address Space

To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:

    $ sudo sysctl -w kernel.randomize_va_space=2

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    kernel.randomize_va_space = 2

References: 1.5.1 3.1.7 CCI-000366 164.308(a)(1)(ii)(D) 164.308(a)(3) 164.308(a)(4) 164.310(b) 164.310(c) 164.312(a) 164.312(e) SC-30(2) SC-39 SRG-OS-000480-GPOS-00227 RHEL-07-040201 SV-92521r2_rule

Rationale: Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.
Identifiers: CCE-27127-0

Remediation Shell script:

    #
    # Set runtime for kernel.randomize_va_space
    #
    /sbin/sysctl -q -n -w kernel.randomize_va_space=2
    #
    # If kernel.randomize_va_space present in /etc/sysctl.conf, change value to "2"
    # else, add "kernel.randomize_va_space = 2" to /etc/sysctl.conf
    #
    replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' "2" 'CCE-27127-0'

Remediation Ansible snippet:

    - name: Ensure sysctl kernel.randomize_va_space is set to 2
      sysctl:
        name: kernel.randomize_va_space
        value: 2
        state: present
        reload: yes
      tags:
        - sysctl_kernel_randomize_va_space
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-27127-0
        - NIST-800-53-SC-30(2)
        - NIST-800-53-SC-39
        - NIST-800-171-3.1.7
        - DISA-STIG-RHEL-07-040201
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable kernel image loading

To set the runtime status of the kernel.kexec_load_disabled kernel parameter, run the following command:

    $ sudo sysctl -w kernel.kexec_load_disabled=1

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    kernel.kexec_load_disabled = 1

Rationale: Disabling kexec_load allows greater control of the kernel memory. It makes it impossible to load another kernel image after it has been disabled.
Remediation Shell script:

    #
    # Set runtime for kernel.kexec_load_disabled
    #
    /sbin/sysctl -q -n -w kernel.kexec_load_disabled=1
    #
    # If kernel.kexec_load_disabled present in /etc/sysctl.conf, change value to "1"
    # else, add "kernel.kexec_load_disabled = 1" to /etc/sysctl.conf
    #
    replace_or_append '/etc/sysctl.conf' '^kernel.kexec_load_disabled' "1" ''

Remediation Ansible snippet:

    - name: Ensure sysctl kernel.kexec_load_disabled is set to 1
      sysctl:
        name: kernel.kexec_load_disabled
        value: 1
        state: present
        reload: yes
      tags:
        - sysctl_kernel_kexec_load_disabled
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Disable vsyscalls

To disable use of virtual syscalls, add the argument vsyscall=none to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:

    GRUB_CMDLINE_LINUX="vsyscall=none"

The GRUB 2 configuration file, grub.cfg, is automatically updated each time a new kernel is installed. Note that any changes to /etc/default/grub require rebuilding the grub.cfg file. To update the GRUB 2 configuration file manually, use the grub2-mkconfig -o command as follows:

On BIOS-based machines, issue the following command as root:

    ~]# grub2-mkconfig -o /boot/grub2/grub.cfg

On UEFI-based machines, issue the following command as root:

    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

Rationale: Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer.
Remediation Shell script:

    # Correct the form of default kernel command line in GRUB
    if grep -q '^GRUB_CMDLINE_LINUX=.*vsyscall=.*"' '/etc/default/grub' ; then
        # modify the GRUB command-line if a vsyscall= arg already exists
        sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)vsyscall=[^[:space:]]*\(.*"\)/\1 vsyscall=none \2/' '/etc/default/grub'
    else
        # no vsyscall= arg is present, append it
        sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 vsyscall=none"/' '/etc/default/grub'
    fi
    # Correct the form of kernel command line for each installed kernel in the bootloader
    grubby --update-kernel=ALL --args="vsyscall=none"

Restrict usage of ptrace to descendant processes

To set the runtime status of the kernel.yama.ptrace_scope kernel parameter, run the following command:

    $ sudo sysctl -w kernel.yama.ptrace_scope=1

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    kernel.yama.ptrace_scope = 1

Rationale: Unrestricted usage of ptrace allows compromised binaries to run ptrace on other processes of the user. In this way, the attacker can steal sensitive information from the target processes (e.g. SSH sessions, web browser, ...) without any additional assistance from the user (i.e. without resorting to phishing).
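The slub_debug=P, page_poison=1 and vsyscall=none rules above each rewrite GRUB_CMDLINE_LINUX with a pair of sed expressions, one for the case where the argument is already present and one for appending it. The following added example (my code, not a SCAP Security Guide remediation) generalizes that into one idempotent function: it tokenizes the existing command line, drops any previous KEY or KEY=... token, and writes the line back with exactly one copy of the requested KEY=VALUE, so repeated runs do not accumulate duplicates. The file path is passed as an argument, and the /etc/default/grub contents used here are a constructed scratch copy; on a real host, grub2-mkconfig or grubby must still be run afterwards as the text describes.

```shell
#!/bin/sh
# Added example, not SCAP Security Guide code: idempotently set KEY=VALUE in
# GRUB_CMDLINE_LINUX of a grub defaults file passed as an argument, then verify.
# After changing the real /etc/default/grub, grub2-mkconfig (or grubby) must
# still be run as the guide describes.

# grub_cmdline_get FILE -> prints the quoted value of the last GRUB_CMDLINE_LINUX line
grub_cmdline_get() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# grub_cmdline_has FILE TOKEN -> exit 0 if TOKEN (e.g. slub_debug=P) is present verbatim
grub_cmdline_has() {
    for tok in $(grub_cmdline_get "$1"); do
        [ "$tok" = "$2" ] && return 0
    done
    return 1
}

# grub_cmdline_set FILE KEY=VALUE -> leave exactly one KEY token carrying the
# new value; existing KEY=... tokens with other values are removed, not duplicated
grub_cmdline_set() {
    file=$1
    key=${2%%=*}
    new_line=""
    for tok in $(grub_cmdline_get "$file"); do
        case $tok in
            "$key"=*|"$key") continue ;;   # drop any existing KEY or KEY=... token
        esac
        new_line="$new_line${new_line:+ }$tok"
    done
    new_line="$new_line${new_line:+ }$2"
    if grep -q '^GRUB_CMDLINE_LINUX=' "$file"; then
        # escape / and & so the text is safe inside the sed replacement
        esc=$(printf '%s' "$new_line" | sed 's/[\/&]/\\&/g')
        tmp=$(mktemp)
        sed "s/^GRUB_CMDLINE_LINUX=.*/GRUB_CMDLINE_LINUX=\"$esc\"/" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf 'GRUB_CMDLINE_LINUX="%s"\n' "$new_line" >> "$file"
    fi
}

# Constructed scratch file standing in for /etc/default/grub
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet slub_debug=F"
GRUB_DISABLE_RECOVERY="true"
EOF
grub_cmdline_set "$demo_file" slub_debug=P    # replaces the weaker slub_debug=F
grub_cmdline_set "$demo_file" page_poison=1   # appended
grub_cmdline_set "$demo_file" vsyscall=none   # appended
grub_cmdline_set "$demo_file" vsyscall=none   # second run changes nothing
grub_cmdline_get "$demo_file"
```

The verification helper grub_cmdline_has compares whole tokens, so checking for slub_debug=P does not match a line that still carries slub_debug=F, which is the case the guide's own grep -q pattern does not distinguish.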
Remediation Shell script:

    #
    # Set runtime for kernel.yama.ptrace_scope
    #
    /sbin/sysctl -q -n -w kernel.yama.ptrace_scope=1
    #
    # If kernel.yama.ptrace_scope present in /etc/sysctl.conf, change value to "1"
    # else, add "kernel.yama.ptrace_scope = 1" to /etc/sysctl.conf
    #
    replace_or_append '/etc/sysctl.conf' '^kernel.yama.ptrace_scope' "1" ''

Remediation Ansible snippet:

    - name: Ensure sysctl kernel.yama.ptrace_scope is set to 1
      sysctl:
        name: kernel.yama.ptrace_scope
        value: 1
        state: present
        reload: yes
      tags:
        - sysctl_kernel_yama_ptrace_scope
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")

Restrict Access to Kernel Message Buffer

To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command:

    $ sudo sysctl -w kernel.dmesg_restrict=1

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

    kernel.dmesg_restrict = 1

References: 3.1.5 CCI-001314 164.308(a)(1)(ii)(D) 164.308(a)(3) 164.308(a)(4) 164.310(b) 164.310(c) 164.312(a) 164.312(e) SI-11

Rationale: Unprivileged access to the kernel syslog can expose sensitive kernel address information.

Identifiers: CCE-27050-4

Remediation Shell script:

    #
    # Set runtime for kernel.dmesg_restrict
    #
    /sbin/sysctl -q -n -w kernel.dmesg_restrict=1
    #
    # If kernel.dmesg_restrict present in /etc/sysctl.conf, change value to "1"
    # else, add "kernel.dmesg_restrict = 1" to /etc/sysctl.conf
    #
    replace_or_append '/etc/sysctl.conf' '^kernel.dmesg_restrict' "1" 'CCE-27050-4'

Remediation Ansible snippet:

    - name: Ensure sysctl kernel.dmesg_restrict is set to 1
      sysctl:
        name: kernel.dmesg_restrict
        value: 1
        state: present
        reload: yes
      tags:
        - sysctl_kernel_dmesg_restrict
        - medium_severity
        - disable_strategy
        - low_complexity
        - medium_disruption
        - CCE-27050-4
        - NIST-800-53-SI-11
        - NIST-800-171-3.1.5
      when: # Bare-metal/VM task, not applicable for containers
        - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
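The sysctl rules in this section (fs.suid_dumpable, kernel.kptr_restrict, kernel.randomize_va_space, kernel.kexec_load_disabled, kernel.yama.ptrace_scope and kernel.dmesg_restrict) each tell the reader to put a key = value line in a file under /etc/sysctl.d, and each remediation edits /etc/sysctl.conf with the same replace_or_append pattern. The following added example (my code, not a SCAP Security Guide check) audits the persistent configuration for all of them at once: it parses sysctl.d-style files the way sysctl(8) reads them (comments starting with # or ;, spaces around = ignored, the last assignment wins) and, because sysctl --system applies the files of a directory in lexical order, lets a later file override an earlier one. The directory path is an argument, so the run below uses constructed files in a temporary directory; point it at /etc/sysctl.d to audit a host, keeping in mind that /etc/sysctl.conf is read after that directory and is not covered by this function.

```shell
#!/bin/sh
# Added example, not SCAP Security Guide code: audit a sysctl.d-style directory
# for the hardening sysctls from this section. The directory is passed in, so
# the demo runs on constructed files rather than the live /etc/sysctl.d.

# sysctl_file_value FILE KEY -> prints the last value assigned to KEY in FILE,
# ignoring comments, blank lines and spacing around "=" (as sysctl(8) does)
sysctl_file_value() {
    awk -v key="$2" '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) value = v
        }
        END { if (value != "") print value }' "$1"
}

# sysctl_dir_value DIR KEY -> value from the last *.conf file (lexical order)
# that sets KEY, mirroring how sysctl --system lets later files override earlier ones
sysctl_dir_value() {
    result=""
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        v=$(sysctl_file_value "$f" "$2")
        [ -n "$v" ] && result=$v
    done
    printf '%s\n' "$result"
}

# Expected persistent settings from this section, one "key expected" per line
HARDENING_SYSCTLS='fs.suid_dumpable 0
kernel.kptr_restrict 1
kernel.randomize_va_space 2
kernel.kexec_load_disabled 1
kernel.yama.ptrace_scope 1
kernel.dmesg_restrict 1'

# sysctl_audit DIR -> prints one line per mismatch ("unset" when no file sets the
# key); the return value is the number of mismatches, so 0 means fully compliant
sysctl_audit() {
    failures=0
    while read -r key expected; do
        [ -n "$key" ] || continue
        actual=$(sysctl_dir_value "$1" "$key")
        if [ "$actual" != "$expected" ]; then
            printf '%s expected=%s actual=%s\n' "$key" "$expected" "${actual:-unset}"
            failures=$((failures + 1))
        fi
    done <<EOF
$HARDENING_SYSCTLS
EOF
    return $failures
}

# Constructed sysctl.d directory: one file sets most keys with mixed spacing,
# a later file silently weakens ptrace_scope, and fs.suid_dumpable is never set
demo_dir=$(mktemp -d)
cat > "$demo_dir/10-hardening.conf" <<'EOF'
# kernel hardening (constructed sample)
kernel.kptr_restrict = 1
kernel.randomize_va_space=2
kernel.kexec_load_disabled = 1
kernel.yama.ptrace_scope = 1
kernel.dmesg_restrict = 1
EOF
cat > "$demo_dir/99-debug.conf" <<'EOF'
; developer override that undoes the ptrace restriction
kernel.yama.ptrace_scope = 0
EOF

sysctl_audit "$demo_dir" || echo "$? setting(s) need attention"
```

Running the block prints the two mismatches, fs.suid_dumpable (unset) and kernel.yama.ptrace_scope (0 from 99-debug.conf), which is exactly the kind of drift a blind replace_or_append on /etc/sysctl.conf does not reveal, since a later-sorted file in /etc/sysctl.d wins over an earlier one at boot.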